
Lots of Infections Vista [Computer 2]


This topic is locked.
18 replies to this topic

#1 vom53 (Members, Location: East Coast)

Posted 26 August 2010 - 01:53 PM

I know the Malware Response team and moderators are working hard, but a look on my Windows XP problem would be helpful too.
Windows XP Problems

Now on to the Vista problems:

Scanned with AVAST, MULTI-AV, Spybot Search and Destroy, MBAM Pro (the icon doesn't work in Vista for some reason when right-clicking), GMER, RkUnhooker LE, MSE, Panda Cloud and found nothing except in the logs of GMER/rkunhooker le.

DDS log:

DDS (Ver_10-03-17.01) - NTFSx86
Run by David at 23:09:21.68 on Tue 08/24/2010
Internet Explorer: 8.0.6001.18943 BrowserJavaVersion: 1.6.0_16
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.3069.1338 [GMT -7:00]

SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\conime.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Panda USB Vaccine\USBVaccine.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\MzVistaForce\MzCpuAccelerator.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\David\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\system32\Symconsent.exe
C:\Users\David\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.ask.com?o=15153&l=dis
uDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=2&o=vb32&d=0709&m=aspire_5516
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=2&o=vb32&d=0709&m=aspire_5516
mDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=2&o=vb32&d=0709&m=aspire_5516
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
BHO: KeyScramblerBHO Class: {2b9f5787-88a5-4945-90e7-c4b18563bc5e} - c:\program files\keyscrambler\KeyScramblerIE.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [MzCpuAccelerator] c:\program files\mzvistaforce\MzCpuAccelerator.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [LManager] c:\program files\launch manager\LManager.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [Acer Product Registration] "c:\program files\acer\acer registration\ACE1.exe" /startup
mRun: [Acer ePower Management] c:\program files\acer\acer epower management\ePowerTray.exe
mRun: [Acer Assist Launcher] c:\program files\acer\acer assist\launcher.exe
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 2 (0x2)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - {B745F984-EF2E-40D6-A9AC-D8CED7230E61} - c:\program files\keyscrambler\KeyScramblerIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: kuaiche.com\software
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\david\appdata\roaming\mozilla\firefox\profiles\s7maoigy.default\
FF - component: c:\users\david\appdata\roaming\mozilla\firefox\profiles\s7maoigy.default\extensions\{0b457caa-602d-484a-8fe7-c1d894a011ba}\platform\winnt_x86-msvc\components\SSSLauncher.dll
FF - component: c:\users\david\appdata\roaming\mozilla\firefox\profiles\s7maoigy.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\users\david\appdata\roaming\mozilla\firefox\profiles\s7maoigy.default\extensions\keyscrambler@qfx.software.corporation\components\KeyScramblerIE.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npOGPPlugin.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\david\appdata\roaming\facebook\npfbplugin_1_0_1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: content.notify.backoffcount - 5
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: browser.cache.memory.capacity - 65536
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2009-7-16 165456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-7-16 17744]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2009-7-16 50256]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-18 40384]
R2 ePowerSvc;Acer ePower Service;c:\program files\acer\acer epower management\ePowerSvc.exe [2009-7-9 723488]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-3-9 304464]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-8-11 1153368]
R2 SymAFR;SymAFR;c:\windows\system32\drivers\SymAFR.sys [2009-12-18 15408]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-18 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-18 40384]
R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2010-8-9 115312]
R3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\L1C60x86.sys [2009-7-27 50688]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-3-9 20952]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2009-10-20 12672]
S2 MotoConnect Service;MotoConnect Service;c:\program files\motorola\motoconnectservice\MotoConnectService.exe [2010-7-22 91456]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-4-18 30192]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2009-6-19 19712]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2009-1-29 8320]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2009-5-8 42752]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2009-10-27 23936]
S3 NTI IScheduleSvc;NTI IScheduleSvc;c:\program files\newtech infosystems\acer backup manager\IScheduleSvc.exe [2009-2-17 44800]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

=============== Created Last 30 ================

2010-08-22 18:53:35 2577 ----a-w- c:\windows\system32\config.bak
2010-08-22 18:53:35 1688 ----a-w- c:\windows\system32\autoexec.bak
2010-08-22 18:53:09 0 d-----w- C:\AV-CLS
2010-08-13 20:53:30 0 d-----w- c:\program files\Alcohol Soft
2010-08-11 16:37:41 0 d-----w- c:\programdata\Spybot - Search & Destroy
2010-08-11 16:37:41 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-08-11 02:21:39 0 d-----w- c:\program files\Auslogics
2010-08-11 01:13:02 81920 ----a-w- c:\windows\system32\iccvid.dll
2010-08-11 01:13:00 36864 ----a-w- c:\windows\system32\rtutils.dll
2010-08-11 01:11:47 2037760 ----a-w- c:\windows\system32\win32k.sys
2010-08-11 01:09:43 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-11 01:09:43 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-08-11 01:07:35 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-08-10 02:02:27 115312 ----a-w- c:\windows\system32\drivers\keyscrambler.sys
2010-08-10 02:02:26 0 d-----w- c:\program files\KeyScrambler
2010-07-31 00:53:08 0 d-----w- c:\windows\Latale GP
2010-07-30 17:10:41 74072 ----a-w- c:\windows\system32\XAPOFX1_5.dll
2010-07-30 17:10:41 527192 ----a-w- c:\windows\system32\XAudio2_7.dll
2010-07-30 17:10:41 248672 ----a-w- c:\windows\system32\d3dx11_43.dll
2010-07-30 17:10:41 239960 ----a-w- c:\windows\system32\xactengine3_7.dll
2010-07-30 17:10:41 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll
2010-07-30 17:10:41 1868128 ----a-w- c:\windows\system32\d3dcsx_43.dll
2010-07-30 17:10:40 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll
2010-07-30 17:10:40 528216 ----a-w- c:\windows\system32\XAudio2_6.dll
2010-07-30 17:10:40 470880 ----a-w- c:\windows\system32\d3dx10_43.dll
2010-07-30 17:10:40 238936 ----a-w- c:\windows\system32\xactengine3_6.dll
2010-07-30 17:10:40 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll
2010-07-30 17:10:40 1998168 ----a-w- c:\windows\system32\D3DX9_43.dll
2010-07-30 16:27:41 0 d-----w- c:\programdata\PMB Files

==================== Find3M ====================

2010-08-13 20:48:50 697328 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-07-22 16:36:59 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motport_01007.Wdf
2010-07-22 16:36:56 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motmodem_01007.Wdf
2010-07-22 16:36:51 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motccgpfl_01007.Wdf
2010-07-22 16:36:51 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motccgp_01007.Wdf
2010-07-22 16:34:07 86016 ----a-w- c:\windows\inf\infstor.dat
2010-07-22 16:34:07 51200 ----a-w- c:\windows\inf\infpub.dat
2010-07-22 16:34:07 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-06-28 20:57:33 38848 ----a-w- c:\windows\avastSS.scr
2010-06-28 20:32:56 50256 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-06-26 06:05:49 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-26 06:02:15 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-06-26 06:02:15 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-06-26 04:25:02 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-06-24 22:57:23 230752 ----a-w- c:\windows\patchw32.dll
2010-06-24 22:57:22 554371 ----a-w- c:\users\david\ApolloPatch1.1.3826.17527.exe
2010-06-11 16:16:20 274944 ----a-w- c:\windows\system32\schannel.dll
2010-06-11 16:15:06 1248768 ----a-w- c:\windows\system32\msxml3.dll
2010-06-08 17:35:04 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-06-08 17:35:03 3600768 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-11-01 19:46:29 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-07-16 14:18:54 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:39:34 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:39:34 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:39:34 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:39:34 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-07-19 00:30:07 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-07-19 00:30:07 32768 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-07-19 00:30:07 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat
2009-07-19 00:30:07 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat

============= FINISH: 23:12:49.91 ===============

Attachments include Attach.txt from DDS, Gmer log, Oldtimer log and its extra


Edit: Deleted excessive font size BB code for ease of topic reading by the Malware Removal Team volunteers. ~ Animal


#2 m0le (Malware Response Team, Location: London, UK)

Posted 31 August 2010 - 07:59 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 vom53 (Topic Starter)

Posted 01 September 2010 - 12:37 PM

Please continue, m0le.

#4 m0le (Malware Response Team)

Posted 01 September 2010 - 07:22 PM

QUOTE
found nothing except in the logs of GMER/rkunhooker


There's nothing there either.

What symptoms are you experiencing on this machine?

#5 vom53 (Topic Starter)

Posted 01 September 2010 - 07:37 PM

rootkit behavior...

Device \FileSystem\Ntfs \Ntfs 85CEF1F8

and for some reason... I have a keylogger

#6 m0le (Malware Response Team)

Posted 01 September 2010 - 07:46 PM

QUOTE
Device \FileSystem\Ntfs \Ntfs 85CEF1F8

and for some reason... I have a keylogger


The first line is the NTFS file system.

Got a couple of questions for you. What is "rootkit behaviour" and what makes you think you have a keylogger?

#7 vom53 (Topic Starter)

Posted 01 September 2010 - 08:08 PM

I was informed by Avast that I got JS:Redirector-DP[Trj], but I visited the site before the warning, so I got it in my system and can't remove it.

Before I installed KeyScrambler, I noticed a few of my accounts were hacked and I changed the passwords, but they could still hack them.

#8 m0le (Malware Response Team)

Posted 01 September 2010 - 08:23 PM

Avast detects and blocks the JS:Redirector-DP[Trj] trojan so that isn't necessarily in your system.

Please run Combofix

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#9 vom53 (Topic Starter)

Posted 02 September 2010 - 07:44 PM

ComboFix 10-09-01.04 - David 09/02/2010 15:50:57.1.1 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.3069.1786 [GMT -7:00]
Running from: c:\users\David\Desktop\ComboFix.exe
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\David\AppData\Local\TempDIR
c:\users\David\AppData\Roaming\BITS
c:\users\David\AppData\Roaming\BITS\BITS.ini
c:\users\David\AppData\Roaming\BITS\DHTTable.dat
c:\users\David\AppData\Roaming\BITS\ProxyList.ini
c:\users\David\AppData\Roaming\BITS\UPnP.ini
c:\users\David\AppData\Roaming\FlashGetBHO
c:\users\David\AppData\Roaming\FlashGetBHO\FlashGetBHO3.dll
c:\users\David\AppData\Roaming\FlashGetBHO\FlashGetHook.dll
c:\users\David\AppData\Roaming\FlashGetBHO\GetAllUrl.htm
c:\users\David\AppData\Roaming\FlashGetBHO\GetUrl.htm
c:\windows\system32\secushr.dat
c:\windows\system32\secustat.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ILVMONEYDRIVER53
-------\Service_IlvMoneyDRIVER53


((((((((((((((((((((((((( Files Created from 2010-08-02 to 2010-09-02 )))))))))))))))))))))))))))))))
.

2010-09-02 22:59 . 2010-09-02 23:04 -------- d-----w- c:\users\David\AppData\Local\temp
2010-09-02 22:59 . 2010-09-02 22:59 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-08-27 16:54 . 2010-08-27 16:54 -------- d-----w- c:\users\David\Pavark
2010-08-27 16:41 . 2010-08-27 16:41 -------- d-----w- c:\program files\Sophos
2010-08-22 18:53 . 2010-08-23 01:50 -------- d-----w- C:\AV-CLS
2010-08-13 20:53 . 2010-08-13 20:53 -------- d-----w- c:\program files\Alcohol Soft
2010-08-13 17:01 . 2010-08-01 00:37 3862016 ----a-w- c:\users\David\AppData\Roaming\Mozilla\Firefox\Profiles\s7maoigy.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\library\SSS.dll
2010-08-13 17:01 . 2010-07-29 03:52 24576 ----a-w- c:\users\David\AppData\Roaming\Mozilla\Firefox\Profiles\s7maoigy.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\platform\WINNT_x86-msvc\components\SSSLauncher.dll
2010-08-13 17:01 . 2010-06-25 10:37 110592 ----a-w- c:\users\David\AppData\Roaming\Mozilla\Firefox\Profiles\s7maoigy.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\library\FSAddin.dll
2010-08-13 17:01 . 2010-02-05 05:16 40960 ----a-w- c:\users\David\AppData\Roaming\Mozilla\Firefox\Profiles\s7maoigy.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\library\fireshot-install.exe
2010-08-11 16:37 . 2010-08-13 04:23 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-08-11 16:37 . 2010-08-11 16:40 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-08-11 02:21 . 2010-08-11 02:21 -------- d-----w- c:\program files\Auslogics
2010-08-11 01:13 . 2010-05-27 20:08 81920 ----a-w- c:\windows\system32\iccvid.dll
2010-08-11 01:13 . 2010-06-18 17:31 36864 ----a-w- c:\windows\system32\rtutils.dll
2010-08-11 01:11 . 2010-06-21 13:37 2037760 ----a-w- c:\windows\system32\win32k.sys
2010-08-11 01:09 . 2010-06-18 15:04 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-11 01:09 . 2010-06-18 15:04 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-08-11 01:07 . 2010-06-16 16:04 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-08-10 02:13 . 2009-10-05 19:34 796400 ----a-w- c:\users\David\AppData\Roaming\Mozilla\Firefox\Profiles\s7maoigy.default\extensions\keyscrambler@qfx.software.corporation\components\KeyScramblerIE.dll
2010-08-10 02:02 . 2009-10-04 21:33 115312 ----a-w- c:\windows\system32\drivers\keyscrambler.sys
2010-08-10 02:02 . 2010-08-10 02:02 -------- d-----w- c:\program files\KeyScrambler
2010-08-08 03:20 . 2010-07-24 00:22 1496064 ----a-w- c:\users\David\AppData\Roaming\Mozilla\Firefox\Profiles\s7maoigy.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-08-08 03:20 . 2010-07-24 00:22 43008 ----a-w- c:\users\David\AppData\Roaming\Mozilla\Firefox\Profiles\s7maoigy.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-08-08 03:20 . 2010-07-24 00:22 338944 ----a-w- c:\users\David\AppData\Roaming\Mozilla\Firefox\Profiles\s7maoigy.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-08-08 03:20 . 2010-07-24 00:22 346112 ----a-w- c:\users\David\AppData\Roaming\Mozilla\Firefox\Profiles\s7maoigy.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-02 22:42 . 2009-07-10 04:53 -------- d-----w- c:\users\David\AppData\Roaming\Media Player Classic
2010-09-02 22:30 . 2009-12-26 20:58 1356 ----a-w- c:\users\David\AppData\Local\d3d9caps.dat
2010-09-02 22:23 . 2009-07-10 06:20 -------- d-----w- c:\program files\CCleaner
2010-09-01 21:44 . 2009-10-24 23:21 -------- d-----w- c:\users\David\AppData\Roaming\uTorrent
2010-08-22 19:05 . 2010-04-24 18:45 -------- d-----w- c:\program files\uTorrent
2010-08-22 19:00 . 2009-08-18 20:26 -------- d-----w- c:\program files\SpywareBlaster
2010-08-13 20:48 . 2009-07-19 21:36 697328 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-08-11 02:32 . 2009-07-11 04:13 -------- d-----w- c:\users\David\AppData\Roaming\.purple
2010-08-11 02:23 . 2009-04-19 02:49 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-08-11 01:14 . 2009-04-19 02:53 -------- d-----w- c:\programdata\Microsoft Help
2010-08-11 01:14 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-07-30 16:29 . 2010-07-30 16:27 -------- d-----w- c:\programdata\PMB Files
2010-07-30 16:13 . 2009-11-29 17:36 -------- d-----w- c:\program files\Pando Networks
2010-07-30 16:12 . 2010-05-01 19:43 -------- d-----w- c:\program files\Neffy
2010-07-24 00:24 . 2010-07-24 00:24 -------- d-----w- c:\users\David\AppData\Roaming\FireShot
2010-07-22 16:38 . 2010-07-22 16:29 -------- d-----w- c:\program files\Common Files\Motorola Shared
2010-07-22 16:36 . 2010-07-22 16:36 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motport_01007.Wdf
2010-07-22 16:36 . 2010-07-22 16:36 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motmodem_01007.Wdf
2010-07-22 16:36 . 2010-07-22 16:36 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motccgpfl_01007.Wdf
2010-07-22 16:36 . 2010-07-22 16:36 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motccgp_01007.Wdf
2010-07-22 16:20 . 2010-07-22 16:20 -------- d-----w- c:\program files\Motorola
2010-06-28 20:57 . 2010-06-30 15:31 38848 ----a-w- c:\windows\avastSS.scr
2010-06-28 20:57 . 2009-07-16 16:47 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-06-28 20:37 . 2009-07-16 16:48 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-06-28 20:37 . 2009-07-16 16:48 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-06-28 20:33 . 2009-07-16 16:48 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-06-28 20:32 . 2009-07-16 16:47 50256 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-06-28 20:32 . 2009-07-16 16:48 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-06-26 06:05 . 2010-08-11 01:12 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-26 06:02 . 2010-08-11 01:12 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-06-26 06:02 . 2010-08-11 01:12 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-06-26 04:25 . 2010-08-11 01:12 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-06-24 22:57 . 2010-06-24 22:57 230752 ----a-w- c:\windows\patchw32.dll
2010-06-24 22:57 . 2010-06-24 22:57 554371 ----a-w- c:\users\David\ApolloPatch1.1.3826.17527.exe
2010-06-11 16:16 . 2010-08-11 01:12 274944 ----a-w- c:\windows\system32\schannel.dll
2010-06-11 16:15 . 2010-08-11 01:12 1248768 ----a-w- c:\windows\system32\msxml3.dll
2010-06-08 17:35 . 2010-08-11 01:12 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-06-08 17:35 . 2010-08-11 01:12 3600768 ----a-w- c:\windows\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-10 68856]
"MzCpuAccelerator"="c:\program files\MzVistaForce\MzCpuAccelerator.exe" [2009-01-11 199680]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-04-10 6711840]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-01-09 1418536]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-30 61440]
"LManager"="c:\program files\Launch Manager\LManager.exe" [2009-02-12 862728]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-04-19 30192]
"Acer Product Registration"="c:\program files\Acer\Acer Registration\ACE1.exe" [2007-11-26 3387392]
"Acer ePower Management"="c:\program files\Acer\Acer ePower Management\ePowerTray.exe" [2009-04-04 698912]
"Acer Assist Launcher"="c:\program files\Acer\Acer Assist\launcher.exe" [2007-11-19 1261568]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 2 (0x2)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BackupManagerTray]
2009-02-17 17:36 248576 ----a-w- c:\program files\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mumservice]
2010-05-12 21:43 1066304 ----a-w- c:\program files\Motorola\Software Update\mumservice.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P2kAutostart]
2005-11-02 02:56 24064 ----a-w- c:\users\David\Desktop\P2kCommander-V3.3.0\P2kAutostart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-21 02:33 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"WMPNSCFG"=c:\program files\Windows Media Player\WMPNSCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(cool.gif:6c,d0,c1,d9,93,01,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-4175223261-185607293-3204096263-1000]
"EnableNotificationsRef"=dword:00000002

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 MotoConnect Service;MotoConnect Service;c:\program files\Motorola\MotoConnectService\MotoConnectService.exe [2010-04-02 91456]
R3 AhnRptTfFRegFNT;AhnRptTfFRegFNT;c:\users\David\AppData\Local\Temp\nse2DAE.tmp\TfFRegNt.sys [x]
R3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2009-04-19 30192]
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\95C7.tmp [x]
R3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [2009-06-19 19712]
R3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [2009-01-30 8320]
R3 MotDev;Motorola Inc. USB Device;c:\windows\system32\DRIVERS\motodrv.sys [2009-05-08 42752]
R3 motport;Motorola USB Diagnostic Port;c:\windows\system32\DRIVERS\motport.sys [2009-10-27 23936]
R3 Normandy;Normandy SR2; [x]
R3 NTI IScheduleSvc;NTI IScheduleSvc;c:\program files\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe [2009-02-17 44800]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R3 XDva288;XDva288;c:\windows\system32\XDva288.sys [x]
R3 XDva341;XDva341;c:\windows\system32\XDva341.sys [x]
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2010-08-13 697328]
S1 aswSP;aswSP; [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-06-28 50256]
S2 ePowerSvc;Acer ePower Service;c:\program files\Acer\Acer ePower Management\ePowerSvc.exe [2009-04-04 723488]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2010-04-29 304464]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 SymAFR;SymAFR;c:\windows\system32\DRIVERS\SymAFR.sys [2009-12-19 15408]
S3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2009-10-04 115312]
S3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C60x86.sys [2009-07-27 50688]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-04-29 20952]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com?o=15153&l=dis
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=2&o=vb32&d=0709&m=aspire_5516
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
Trusted Zone: kuaiche.com\software
FF - ProfilePath - c:\users\David\AppData\Roaming\Mozilla\Firefox\Profiles\s7maoigy.default\
FF - component: c:\users\David\AppData\Roaming\Mozilla\Firefox\Profiles\s7maoigy.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\platform\WINNT_x86-msvc\components\SSSLauncher.dll
FF - component: c:\users\David\AppData\Roaming\Mozilla\Firefox\Profiles\s7maoigy.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\users\David\AppData\Roaming\Mozilla\Firefox\Profiles\s7maoigy.default\extensions\keyscrambler@qfx.software.corporation\components\KeyScramblerIE.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGPPlugin.dll
FF - plugin: c:\program files\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\David\AppData\Roaming\Facebook\npfbplugin_1_0_1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: content.notify.backoffcount - 5
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: browser.cache.memory.capacity - 65536
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-02 16:04
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\95C7.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\conime.exe
c:\program files\Panda USB Vaccine\USBVaccine.exe
c:\program files\Alwil Software\Avast5\AvastUI.exe
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2010-09-02 16:10:45 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-02 23:10

Pre-Run: 121,299,517,440 bytes free
Post-Run: 120,997,568,512 bytes free

- - End Of File - - 3B482FC61E9F49F09F15BE66245EC7C4


#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:04 AM

Posted 02 September 2010 - 08:05 PM

Okay, that's hacked out a security risk trojan. Good that we've removed it, but bad...

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.
m0le is a proud member of UNITE

#11 vom53

vom53
  • Topic Starter

  • Members
  • 54 posts
  • OFFLINE
  •  
  • Location:East Coast
  • Local time:03:04 AM

Posted 03 September 2010 - 01:03 AM

Aw.. I was going to donate to you.

I'm on Computer 1 (my XP) http://www.bleepingcomputer.com/forums/topic342877.html.

Anyways this is Computer 2 so let's get back to this.

May I have the names of those trojans please?

Before moving on, you said reformat. Would it require a reformat manually or use the recovery acer manager?

BUT MOST IMPORTANTLY I NEED THOSE NAMES.

Edited by vom53, 03 September 2010 - 01:08 AM.


#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:04 AM

Posted 03 September 2010 - 07:28 PM

The trojan found was:

FlashGetBHO

Called various things, as below.

Trojan-Downloader.Win32.Agent.csly

Generic Downloader.x!brj

Mal/Generic-A

Trojan-Downloader.Jadt

Win-Trojan/Agent.69632.WL
packed with PE_Patch.UPX


It is suggested that you reformat, you can use the built in reset on Acer too. Is that what you're going to do?

m0le is a proud member of UNITE

#13 vom53

vom53
  • Topic Starter

  • Members
  • 54 posts
  • OFFLINE
  •  
  • Location:East Coast
  • Local time:03:04 AM

Posted 03 September 2010 - 08:01 PM

A couple of months ago, I downloaded the program FlashGet.

I am certain it is gone.

I do not wish to reformat because every time I reformat, the Vista SP2 update is a major problem.

What's your input?

#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:04 AM

Posted 03 September 2010 - 08:49 PM

I think it depends on how likely your PC will be to be compromised again and that's down to your internet habits.

It is a fact that these trojans slip in through vulnerabilities which can't be closed without a reformat/reinstall, but it's also safe to say that staying away from certain areas of the WWW decreases your chances of another attack.

I have cleaned well over a thousand PCs and very few come back to me with a reinfection.

However, it is your decision. If you don't want to reinstall then we can continue and we'll shore up the PC as much as we can at the end.
m0le is a proud member of UNITE

#15 vom53

vom53
  • Topic Starter

  • Members
  • 54 posts
  • OFFLINE
  •  
  • Location:East Coast
  • Local time:03:04 AM

Posted 03 September 2010 - 10:56 PM

I will follow your shoreness.



