trojan downloader generic10 and functionality problem


This topic is locked
32 replies to this topic

#1 capocrimini

Posted 26 August 2010 - 09:06 PM

I will be posting the requested information in the preparation guide, however due to some of the functionality issues with the computer, I only have about 5 minutes of use before I can no longer type. I will give a background in this post and post another with the DDS and GMER reports. I also have Hijack this and Malwarebytes installed if the logs of those are still utilized.

I use updated versions of AVG (currently 9) freeware, firewall enabled Linksys router, and Windows Firewall. The computer remains on and a cable connection to the router at all times. Has been this way for several years, never any virus troubles. A prior mobo, DFI, had 2 different built in hardware firewalls and kept the one by NVIDIA enabled. Currently have a mobo installed without hardware firewall for about a year now.

3 days ago, was working fine, away from computer for a few minutes, came back and the functionality issues were happening. Immediately prior was on the internet viewing a Youtube video. The functionality is that double clicking on any icon brings up the properties menu. Right clicking will briefly flash that menu but it won't stay up. Same with Start menu. If I am able to navigate to any kind of text field, it will not input characters; rather the active field bounces around the window menus such as when using the Alt key. I can navigate around by holding the control key which will allow me to get into Start menu, then click on Control panel, and then I can navigate different folders using the next folder up buttons. To select a folder, I have to click on it, go to the file menu, click and hold the mouse button down, hover over the menu action I desire and release the button to select. I cannot get into any of the other window menus. I can click on and run taskbar items but will not run the quicklaunch items.

I was able to run AVG, at first it found nothing but my settings were to only scan infectable files. Scanning all files and folders netted the usual tracking cookies and the trojan horse "trojan downloader.generic10.bdz." I deleted it and the tracking cookies from the vault. No change in functionality. A google search yielded info on similar trojans but not with the ".bdz" extension. I rebooted, and got functionality back for about 5 minutes, then all the icons blinked like a refresh happened or a service started and back to the issues. I have disabled restore points, looked through taskmanager, registry, and msconfig startup files for anything obvious (meheerwar has some obvious names in registry entries) and found nothing I can recognize. Downloaded Malwarebytes and it comes up clear, additional AVG scans come up clear. I removed and reloaded the mouse driver and got partial functionality back for about 10 minutes, but then it reverted and subsequent driver reloads have not produced that result. About 80% of the time after running AVG and rebooting, I will get functionality back for about 5 minutes. Do not get the same result with Malwarebytes. So here I am.

I have installed and run the programs from the preparation guide, with the exception of gmer which is still running. After it is done, I will try to get it all posted, but it may take a couple of posts because of the limited functionality time frame. I may not get it done tonight.

I have also unplugged from the internet, ran the antivirus, and rebooted. The functionality still disappears after a few minutes. I think it may have attached itself to a service file in one of the srvchst.exe.

Could not get GMER. After it's done, any action on the computer, whether saving the file or activating another program, yields a never ending hour glass...


DDS (Ver_10-03-17.01) - NTFSx86
Run by CAPOCRIMINI at 20:09:27.06 on Thu 08/26/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3326.2666 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\AVG\AVG9\avgui.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\AVG\AVG9\avgscanx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Documents and Settings\CAPOCRIMINI\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [NVMixerTray] "c:\program files\nvidia corporation\nvmixer\NVMixerTray.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppsc1~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpohmr08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} - hxxp://download.gigabyte.com.tw/object/Dldrv.ocx
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1238684886109
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238684810015
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-24 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-1-6 29584]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-24 243024]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-7-15 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-15 308136]

=============== Created Last 30 ================

2010-08-26 00:38:23 0 d-----w- c:\program files\Trend Micro
2010-08-25 05:19:24 0 d-----w- c:\docume~1\capocr~1\applic~1\AVG9
2010-08-25 05:10:37 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-08-25 03:25:57 0 d-----w- c:\docume~1\capocr~1\applic~1\Malwarebytes
2010-08-25 03:25:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-25 03:25:47 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-25 03:25:47 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-25 03:25:47 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

==================== Find3M ====================

2010-08-25 05:10:23 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-15 16:06:43 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-15 16:06:41 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-15 16:06:13 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll
2008-07-17 01:42:59 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008071620080717\index.dat

============= FINISH: 20:10:37.00 ===============

Merged posts. ~ OB

Edited by Orange Blossom, 28 August 2010 - 09:14 PM.



#2 m0le (Malware Response Team)

Posted 02 September 2010 - 02:22 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 capocrimini (Topic Starter)

Posted 02 September 2010 - 05:37 PM

I am here. During my initial investigation of the problem, Java did an automatic update. I don't typically like to do updates or downloads during such circumstances, but went ahead and deleted out prior versions of Java so that this latest update would be the only one. Other than that, I have left the computer off since my initial posting. Your help is appreciated.

#4 m0le (Malware Response Team)

Posted 02 September 2010 - 06:40 PM

Please run Combofix, this should find any rootkits and we can then unhook any malicious processes that may be there.

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#5 capocrimini (Topic Starter)

Posted 02 September 2010 - 09:47 PM

ComboFix 10-09-01.04 - CAPOCRIMINI 09/02/2010 21:34:53.1.4 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3326.2736 [GMT -5:00]
Running from: c:\documents and settings\CAPOCRIMINI\Desktop\ComFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2010-08-03 to 2010-09-03 )))))))))))))))))))))))))))))))
.

2010-08-26 00:38 . 2010-08-26 00:38 -------- d-----w- c:\program files\Trend Micro
2010-08-25 05:19 . 2010-08-25 05:19 -------- d-----w- c:\documents and settings\CAPOCRIMINI\Application Data\AVG9
2010-08-25 05:11 . 2010-08-25 05:11 -------- d-----w- c:\program files\Common Files\Java
2010-08-25 05:10 . 2010-08-25 05:10 79488 ----a-w- c:\documents and settings\CAPOCRIMINI\Application Data\Sun\Java\jre1.6.0_21\gtapi.dll
2010-08-25 05:10 . 2010-08-25 05:10 152576 ----a-w- c:\documents and settings\CAPOCRIMINI\Application Data\Sun\Java\jre1.6.0_21\lzma.dll
2010-08-25 03:25 . 2010-08-25 03:25 -------- d-----w- c:\documents and settings\CAPOCRIMINI\Application Data\Malwarebytes
2010-08-25 03:25 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-25 03:25 . 2010-08-25 03:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-25 03:25 . 2010-08-25 03:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-25 03:25 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-25 05:10 . 2010-04-28 13:41 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-25 05:10 . 2008-07-20 05:07 -------- d-----w- c:\program files\Java
2010-08-25 03:23 . 2008-01-05 22:04 14288 ----a-w- c:\documents and settings\CAPOCRIMINI\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-24 21:47 . 2008-01-05 21:20 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-08-17 22:51 . 2009-09-24 00:55 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-03 22:19 . 2010-08-03 22:19 503808 ----a-w- c:\documents and settings\CAPOCRIMINI\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-4e390085-n\msvcp71.dll
2010-08-03 22:19 . 2010-08-03 22:19 499712 ----a-w- c:\documents and settings\CAPOCRIMINI\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-4e390085-n\jmc.dll
2010-08-03 22:19 . 2010-08-03 22:19 348160 ----a-w- c:\documents and settings\CAPOCRIMINI\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-4e390085-n\msvcr71.dll
2010-08-03 22:19 . 2010-08-03 22:19 61440 ----a-w- c:\documents and settings\CAPOCRIMINI\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-13d13bbc-n\decora-sse.dll
2010-08-03 22:19 . 2010-08-03 22:19 12800 ----a-w- c:\documents and settings\CAPOCRIMINI\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-13d13bbc-n\decora-d3d.dll
2010-07-15 16:06 . 2009-03-24 23:24 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-15 16:06 . 2010-07-15 16:06 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-15 16:06 . 2009-03-24 23:24 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-30 12:31 . 2004-08-04 12:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2004-08-04 12:00 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2004-08-04 12:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2004-08-04 12:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2008-01-05 20:59 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2004-08-04 12:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-12-20 131072]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-03-23 217088]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"nwiz"="nwiz.exe" [2008-10-07 1630208]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"RTHDCPL"="RTHDCPL.EXE" [2009-01-13 18084864]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-15 2065760]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2009-11-12 1505144]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
hp psc 1000 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-4-6 147456]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-6 28672]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-15 16:06 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 1942\\BF1942.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/24/2009 6:24 PM 216400]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/24/2009 6:24 PM 243024]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [7/15/2010 11:06 AM 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [7/15/2010 11:06 AM 308136]
.
Contents of the 'Scheduled Tasks' folder

2010-08-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-08-29 20:21]

2008-04-15 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 1200 series5E771253C1676EBED677BF361FDFC537825E15B8199946553.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 06:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-02 21:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1596)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-09-02 21:38:34
ComboFix-quarantined-files.txt 2010-09-03 02:38

Pre-Run: 57,332,240,384 bytes free
Post-Run: 57,480,404,992 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 49580BD8AC67512C7FC521956EFDD1A3
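An added triage helper, written for this thread and not part of the thread, DDS or ComboFix: it parses the DDS `R1/R2` service lines (post #1) and the ComboFix `Reg Loading Points` Run-key values (post #5) into records and flags the entries a responder would check by hand: bare filenames that are only resolved through the search path at logon, paths outside Windows/Program Files, and a Windows system binary name sitting outside system32. The sample lines are copied from the logs above plus one constructed "Updater" entry so a flag fires; the trusted roots and the system-binary name list are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: lines copied from the DDS and ComboFix logs in this thread,
# plus one made-up "Updater" entry (not from the logs) so that a flag fires.
SAMPLE_LOG = r"""
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-24 216400]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-15 308136]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"nwiz"="nwiz.exe" [2008-10-07 1630208]
"RTHDCPL"="RTHDCPL.EXE" [2009-01-13 18084864]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-15 2065760]
"Updater"="c:\documents and settings\USER\Application Data\svchost.exe" [2010-08-24 51200]
"""

# Two line shapes: "R<n> name;description;path [date size]" from DDS, and
# "name"="path" [date size] from ComboFix's Reg Loading Points section.
SERVICE_RE = re.compile(
    r'^R(?P<start>\d) (?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.+?) \[(?P<date>\S+) (?P<size>\d+)\]$')
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)" \[(?P<date>\S+) (?P<size>\d+)\]$')

# Assumed: directories an XP-era autostart is normally expected to live under
# (short 8.3 form of Program Files included, as the logs use it).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
SYSTEM32 = "c:\\windows\\system32\\"
# Assumed: names of Windows binaries that belong in system32; the same name
# anywhere else deserves a manual look.
SYSTEM_BINARIES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe",
                   "winlogon.exe", "services.exe"}

FLAG_BARE = "bare filename: resolved through the search path at logon, locate the file manually"
FLAG_OUTSIDE = "outside Windows/Program Files"


@dataclass
class Autostart:
    kind: str          # "service" (DDS R1/R2 line) or "run" (Run-key value)
    name: str
    path: str
    date: str
    size: int
    flags: List[str] = field(default_factory=list)


def parse_autostarts(text: str) -> List[Autostart]:
    """Turn recognised log lines into Autostart records; other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            entries.append(Autostart("service", m["name"], m["path"], m["date"], int(m["size"])))
            continue
        m = RUN_RE.match(line)
        if m:
            entries.append(Autostart("run", m["name"], m["path"], m["date"], int(m["size"])))
    return entries


def triage(entry: Autostart) -> List[str]:
    """Return the reasons (possibly none) why a responder should inspect this entry."""
    flags = []
    path = entry.path.lower()
    if "\\" not in path:
        # e.g. "nwiz.exe" / "RTHDCPL.EXE": the log cannot tell us which file runs.
        flags.append(FLAG_BARE)
        return flags
    if not path.startswith(TRUSTED_ROOTS):
        flags.append(FLAG_OUTSIDE)
    basename = path.rsplit("\\", 1)[-1]
    if basename in SYSTEM_BINARIES and not path.startswith(SYSTEM32):
        flags.append(f"system binary name {basename} outside system32")
    return flags


def triage_log(text: str) -> List[Autostart]:
    """Parse a log excerpt and attach triage flags to every entry."""
    entries = parse_autostarts(text)
    for entry in entries:
        entry.flags = triage(entry)
    return entries


if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        status = "; ".join(e.flags) if e.flags else "ok"
        print(f"{e.kind:7} {e.name:14} {e.path}  ->  {status}")
```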


#6 capocrimini (Topic Starter)

Posted 02 September 2010 - 09:53 PM

I tried ending all AVG apps through taskmanager. It restarts each app by itself. I disabled all I could from the AVG program menu. If need be, I can disable from the windows startup group, but would have required another scan and reboot to have my way with the machine for 5 minutes. The .txt shows AVG disabled. Let me know what else you need, thanks! I think I can save the gmer file to make an attachment if I create the .txt file first, and then select that one to save as, and write over it. That way I won't have to do any typing ;) Let me know if you would like me to run the gmer.

#7 m0le (Malware Response Team)

Posted 03 September 2010 - 07:41 PM

I don't need Gmer at the moment. Combofix ran fine; please rerun the program in the following way:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

QUOTE
RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]


Save this as CFScript.txt, in the same location as Comfix.exe (called ComboFix.exe in the below graphic)




Referring to the picture above, drag CFScript into ComboFix.exe

If the program requests for you to update Combofix then click Yes.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Then please run ESET's online scanner
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Leave the top box checked and then check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
m0le is a proud member of UNITE

#8 capocrimini (Topic Starter)

Posted 03 September 2010 - 11:31 PM

ComboFix 10-09-03.01 - CAPOCRIMINI 09/03/2010 22:44:37.2.4 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3326.2680 [GMT -5:00]
Running from: c:\documents and settings\CAPOCRIMINI\Desktop\ComFix.exe
Command switches used :: c:\documents and settings\CAPOCRIMINI\Desktop\CFScript.txt.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2010-08-04 to 2010-09-04 )))))))))))))))))))))))))))))))
.

2010-08-26 00:38 . 2010-08-26 00:38 -------- d-----w- c:\program files\Trend Micro
2010-08-25 05:19 . 2010-08-25 05:19 -------- d-----w- c:\documents and settings\CAPOCRIMINI\Application Data\AVG9
2010-08-25 05:11 . 2010-08-25 05:11 -------- d-----w- c:\program files\Common Files\Java
2010-08-25 05:10 . 2010-08-25 05:10 79488 ----a-w- c:\documents and settings\CAPOCRIMINI\Application Data\Sun\Java\jre1.6.0_21\gtapi.dll
2010-08-25 05:10 . 2010-08-25 05:10 152576 ----a-w- c:\documents and settings\CAPOCRIMINI\Application Data\Sun\Java\jre1.6.0_21\lzma.dll
2010-08-25 03:25 . 2010-08-25 03:25 -------- d-----w- c:\documents and settings\CAPOCRIMINI\Application Data\Malwarebytes
2010-08-25 03:25 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-25 03:25 . 2010-08-25 03:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-25 03:25 . 2010-08-25 03:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-25 03:25 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-25 05:10 . 2010-04-28 13:41 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-25 05:10 . 2008-07-20 05:07 -------- d-----w- c:\program files\Java
2010-08-25 03:23 . 2008-01-05 22:04 14288 ----a-w- c:\documents and settings\CAPOCRIMINI\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-24 21:47 . 2008-01-05 21:20 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-08-17 22:51 . 2009-09-24 00:55 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-03 22:19 . 2010-08-03 22:19 503808 ----a-w- c:\documents and settings\CAPOCRIMINI\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-4e390085-n\msvcp71.dll
2010-08-03 22:19 . 2010-08-03 22:19 499712 ----a-w- c:\documents and settings\CAPOCRIMINI\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-4e390085-n\jmc.dll
2010-08-03 22:19 . 2010-08-03 22:19 348160 ----a-w- c:\documents and settings\CAPOCRIMINI\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-4e390085-n\msvcr71.dll
2010-08-03 22:19 . 2010-08-03 22:19 61440 ----a-w- c:\documents and settings\CAPOCRIMINI\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-13d13bbc-n\decora-sse.dll
2010-08-03 22:19 . 2010-08-03 22:19 12800 ----a-w- c:\documents and settings\CAPOCRIMINI\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-13d13bbc-n\decora-d3d.dll
2010-07-15 16:06 . 2009-03-24 23:24 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-15 16:06 . 2010-07-15 16:06 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-15 16:06 . 2009-03-24 23:24 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-30 12:31 . 2004-08-04 12:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2004-08-04 12:00 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2004-08-04 12:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2004-08-04 12:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2008-01-05 20:59 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2004-08-04 12:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-09-03_02.37.27 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-09-04 03:20 . 2010-09-04 03:20 16384 c:\windows\Temp\Perflib_Perfdata_788.dat
+ 2004-08-04 12:00 . 2010-09-04 03:25 71206 c:\windows\system32\perfc009.dat
- 2004-08-04 12:00 . 2010-09-03 02:22 71206 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2010-09-04 03:25 441014 c:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2010-09-03 02:22 441014 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-12-20 131072]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-03-23 217088]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"nwiz"="nwiz.exe" [2008-10-07 1630208]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"RTHDCPL"="RTHDCPL.EXE" [2009-01-13 18084864]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-15 2065760]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2009-11-12 1505144]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
hp psc 1000 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-4-6 147456]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-6 28672]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-15 16:06 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 1942\\BF1942.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/24/2009 6:24 PM 216400]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/24/2009 6:24 PM 243024]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [7/15/2010 11:06 AM 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [7/15/2010 11:06 AM 308136]
.
Contents of the 'Scheduled Tasks' folder

2010-08-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-08-29 20:21]

2008-04-15 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 1200 series5E771253C1676EBED677BF361FDFC537825E15B8199946553.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 06:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-03 22:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2276)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-09-03 22:47:46
ComboFix-quarantined-files.txt 2010-09-04 03:47
ComboFix2.txt 2010-09-03 02:38

Pre-Run: 57,489,870,848 bytes free
Post-Run: 57,467,248,640 bytes free

- - End Of File - - FD6E4813B059F901F2AD4BEFAEF2E948
C:\Documents and Settings\CAPOCRIMINI\Application Data\Sun\Java\Deployment\cache\6.0\36\268fb64-2dc56c33 multiple threats deleted - quarantined
C:\Documents and Settings\CAPOCRIMINI\Application Data\Sun\Java\Deployment\cache\6.0\37\330b3de5-79e1b96b multiple threats deleted - quarantined
C:\Documents and Settings\CAPOCRIMINI\Application Data\Sun\Java\Deployment\cache\6.0\7\4159ee07-37b7df9e multiple threats deleted - quarantined


#9 capocrimini

capocrimini
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:04:45 AM

Posted 03 September 2010 - 11:48 PM

Got it done. Have not had a chance to test the theory, but on the first boot up since the last session (ran avg before shutting off) and then an avg scan and restart, I never got the limited time functionality back like I have in the past. Combofix is the only change since then. Also, on boot up, I get the screen to select between different operating systems...it flashes quickly and continues on without my selecting XP...is that a side effect of installing the Recovery Console from the Combofix?

A little bit more about the trojan, or whatever it is. When a window is up/activated, I can see the little lines come up under the control letter of the menu, then it will blink off, and a different area of the window will become active. It is similar to if the control, alt, and tab keys were randomly being pushed constantly (except it does not necessarily activate all the things those keys would). I was able to highlight text on the internet, and kept hitting control v until it pasted. Lucky I found that out, as my browser history deletes after 1 day, so I did not have this website in my history. I didn't think I would be able to complete the steps in your last post, but I found some cookies that had the website name I was able to copy and paste into a google search.

When ESET completed it gave me the option of uninstalling files it installed, deleting quarantine, etc. I did not select anything as there was nothing in your instructions about that. Should I or can I rerun and select any of those options? Again, I thank you for this help! Enjoy the holiday weekend. Let this stuff be for the time being, unless this is what you do for fun...

#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:09:45 AM

Posted 04 September 2010 - 06:09 AM

Nah, this is fun

Please run the following tool so we can track for a rootkit

Scan With RKUnHooker
  • Please Download Rootkit Unhooker Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers and Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note: you may get this warning; it is OK, just ignore it.

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

m0le is a proud member of UNITE

#11 capocrimini

capocrimini
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:04:45 AM

Posted 04 September 2010 - 10:11 AM

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #4
==============================================
>Drivers
==============================================
0xB578F000 C:\WINDOWS\system32\DRIVERS\nv4_mini.sys 6135808 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Miniport Driver, Version 178.24 )
0xBF012000 C:\WINDOWS\System32\nv4_disp.dll 6062080 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Display driver, Version 178.24 )
0xB2F84000 C:\WINDOWS\system32\drivers\RtkHDAud.sys 5197824 bytes (Realtek Semiconductor Corp., Realtek® High Definition Audio Function Driver)
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2150400 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2150400 bytes
0x804D7000 RAW 2150400 bytes
0x804D7000 WMIxWDM 2150400 bytes
0xBF800000 Win32k 1855488 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1855488 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xB9DF8000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xB2D5F000 C:\WINDOWS\system32\DRIVERS\Wdf01000.sys 503808 bytes (Microsoft Corporation, WDF Dynamic)
0xB2C24000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xB55A1000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xB2E84000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xB1F8A000 C:\WINDOWS\system32\DRIVERS\srv.sys 356352 bytes (Microsoft Corporation, Server driver)
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xB18B9000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xB2E4A000 C:\WINDOWS\System32\Drivers\avgtdix.sys 237568 bytes (AVG Technologies CZ, s.r.o., AVG Network connection watcher)
0xB9EE6000 Si3114r5.sys 217088 bytes (Silicon Image, Inc, SATA SoftRAID 5 miniport driver)
0xB2BF0000 C:\WINDOWS\System32\Drivers\avgldx86.sys 212992 bytes (AVG Technologies CZ, s.r.o., AVG AVI Loader Driver)
0xB9F79000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xB2171000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xB9DCB000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xB2C94000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xB56EF000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows ® Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0xB2DFC000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xB2E24000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xB2F60000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xB573A000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xB5717000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xB2DDA000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806E4000 ACPI_HAL 134400 bytes
0x806E4000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xB9EAE000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xB9F49000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xB575E000 C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys 118784 bytes (Realtek Semiconductor Corporation , Realtek 10/100/1000 NDIS 5.1 Driver )
0xB9DB1000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xB9F31000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xB2BB0000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xB9ECE000 C:\WINDOWS\system32\DRIVERS\SCSIPORT.SYS 98304 bytes (Microsoft Corporation, SCSI Port Driver)
0xB9E85000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xB56B0000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xB2759000 C:\WINDOWS\system32\DRIVERS\irda.sys 90112 bytes (Microsoft Corporation, IRDA Protocol Driver)
0xB9F1B000 nvatabus.sys 90112 bytes (NVIDIA Corporation, NVIDIAŽ nForce™ IDE Performance Driver)
0xB2384000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xB577B000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xB2EDD000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xB9E9C000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xB9F68000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xB55FF000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xB5680000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xBA188000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xBA1A8000 C:\WINDOWS\system32\DRIVERS\nic1394.sys 65536 bytes (Microsoft Corporation, IEEE1394 Ndis Miniport and Call Manager)
0xBA0B8000 ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0xBA1B8000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xBA2A8000 C:\WINDOWS\system32\DRIVERS\arp1394.sys 61440 bytes (Microsoft Corporation, IP/1394 Arp Client)
0xBA288000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xBA198000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xB2581000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xBA278000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xBA0C8000 C:\WINDOWS\system32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0xBA158000 C:\WINDOWS\system32\DRIVERS\AmdPPM.sys 53248 bytes (Advanced Micro Devices, AMD Processor Driver)
0xBA108000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xBA1C8000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xBA1D8000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xBA0E8000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xBA2C8000 C:\WINDOWS\system32\DRIVERS\WDFLDR.SYS 53248 bytes (Microsoft Corporation, WDFLDR)
0xBA1F8000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xBA2F8000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xBA168000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xBA0D8000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xBA1E8000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xBA0A8000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xBA228000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xBA218000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xBA178000 C:\WINDOWS\System32\Drivers\AFS2K.SYS 36864 bytes (Oak Technology Inc., Audio File System)
0xBA0F8000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xBA2B8000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xBA208000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xBA2D8000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xB0E1F000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xBA118000 PxHelp20.sys 36864 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xBA298000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xBA4A8000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xBA398000 C:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0xBA3A8000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xBA480000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xBA3C0000 C:\WINDOWS\system32\DRIVERS\NuidFltr.sys 28672 bytes (Microsoft Corporation, Filter Driver for Microsoft Hardware HID Non-User Input Data)
0xBA328000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xBA400000 C:\WINDOWS\System32\Drivers\avgmfx86.sys 24576 bytes (AVG Technologies CZ, s.r.o., AVG Resident Shield Minifilter Driver)
0xBA3D8000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xBA430000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xBA3B8000 C:\WINDOWS\system32\drivers\pfc.sys 24576 bytes (Padus, Inc., Padus® ASPI Shell)
0xBA488000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xBA498000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xBA330000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xBA3E0000 C:\WINDOWS\system32\DRIVERS\point32.sys 20480 bytes (Microsoft Corporation, Point32.sys)
0xBA418000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xBA3E8000 C:\WINDOWS\system32\DRIVERS\rasirda.sys 20480 bytes (Microsoft Corporation, IrDA WAN Miniport Driver)
0xBA428000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xBA3F8000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xBA3A0000 C:\WINDOWS\system32\DRIVERS\usbohci.sys 20480 bytes (Microsoft Corporation, OHCI USB Miniport Driver)
0xBA470000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xB2F5C000 C:\WINDOWS\system32\DRIVERS\kbdhid.sys 16384 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xBA588000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xB27D7000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xBA56C000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xBA4B8000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xB2F58000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xB9D89000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xB2F50000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xBA578000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xB5595000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xBA4BC000 SiWinAcc.sys 12288 bytes (Silicon Image, Inc., Windows Accelerator Driver)
0xBA554000 C:\WINDOWS\system32\DRIVERS\wmiacpi.sys 12288 bytes (Microsoft Corporation, Windows Management Interface for ACPI)
0xBA5EC000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xBA62C000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xBA5E8000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xBA5A8000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xBA5F0000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xBA5F4000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xBA5AC000 SiRemFil.sys 8192 bytes (Silicon Image, Inc., Filter driver for Silicon Image SATALink controllers.)
0xBA5B6000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xBA5C8000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xBA5AA000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xBA730000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xBA79F000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xBA7EC000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xBA670000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
==============================================
>Stealth
==============================================
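
The driver listing above is the kind of output a responder normally reads by hand. As an added example (not part of this thread and not RKUnhooker's own code), here is a small Python triage helper that parses lines in that report's format and flags entries worth a closer look: a missing vendor/description string, a load path outside the Windows directory, and a base address shared with another module that is not one of RkU's name-only kernel aliases (PnpManager, RAW, WMIxWDM, ACPI_HAL, Win32k, which appear above at the same base as ntkrnlpa.exe, hal.dll and win32k.sys). The sample lines are constructed from the format above; the `example_unknown.sys` entry is a made-up placeholder.

```python
"""Triage helper for Rootkit Unhooker (RkU LE) '>Drivers' report lines.

Added example, not part of the forum thread or of RKUnhooker itself.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One report line: <hex base> <module or path> <size> bytes [(vendor, description)]
LINE_RE = re.compile(
    r"^(?P<base>0x[0-9A-Fa-f]+)\s+(?P<module>.+?)\s+(?P<size>\d+)\s+bytes"
    r"(?:\s+\((?P<info>.*)\))?\s*$"
)

# Name-only entries RkU lists at the same base as the real image (seen in the
# report above): kernel aliases, the HAL alias and the win32k alias.
ALIASES = {"PnpManager", "RAW", "WMIxWDM", "ACPI_HAL", "Win32k"}

WINDOWS_ROOT = "c:\\windows\\"  # assumption: system drive is C:, as in the report

# Constructed sample in the exact RkU LE layout; the last line is a made-up
# placeholder for an unsigned driver loaded from a user profile.
SAMPLE_REPORT = r"""
0xB578F000 C:\WINDOWS\system32\DRIVERS\nv4_mini.sys 6135808 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Miniport Driver, Version 178.24 )
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2150400 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2150400 bytes
0x804D7000 RAW 2150400 bytes
0x804D7000 WMIxWDM 2150400 bytes
0xB9DF8000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xB2BB0000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xB0E1F000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xBA730000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xB1234000 C:\Documents and Settings\user\Local Settings\Temp\example_unknown.sys 20480 bytes
"""


@dataclass
class DriverEntry:
    base: int
    module: str            # full path, or bare module name for boot-start drivers
    size: int
    info: Optional[str]    # text inside the trailing parentheses, if any

    @property
    def name(self) -> str:
        return self.module.rsplit("\\", 1)[-1]

    @property
    def vendor(self) -> Optional[str]:
        return self.info.split(",", 1)[0].strip() if self.info else None


def parse_report(text: str) -> List[DriverEntry]:
    """Parse every driver line; headers, '====' rules and blanks are skipped."""
    entries: List[DriverEntry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entries.append(DriverEntry(int(m["base"], 16), m["module"],
                                   int(m["size"]), m["info"]))
    return entries


def triage(entries: List[DriverEntry]) -> Dict[str, List[str]]:
    """Map module -> reasons it deserves a second look (empty dict = nothing odd)."""
    by_base: Dict[int, List[DriverEntry]] = {}
    for e in entries:
        by_base.setdefault(e.base, []).append(e)

    findings: Dict[str, List[str]] = {}
    for e in entries:
        if e.module in ALIASES:
            continue
        reasons: List[str] = []
        # dump_*.sys are Windows' own crash-dump copies of the storage stack and
        # never carry version info, so their missing description is expected.
        if e.info is None and not e.name.lower().startswith("dump_"):
            reasons.append("no vendor/description string")
        if "\\" in e.module and not e.module.lower().startswith(WINDOWS_ROOT):
            reasons.append("loaded from outside the Windows directory")
        others = [o.name for o in by_base[e.base]
                  if o is not e and o.module not in ALIASES]
        if others:
            reasons.append("shares base address with " + ", ".join(others))
        if reasons:
            findings[e.module] = reasons
    return findings


if __name__ == "__main__":
    for module, reasons in triage(parse_report(SAMPLE_REPORT)).items():
        print(module)
        for r in reasons:
            print("   -", r)
```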


#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:09:45 AM

Posted 04 September 2010 - 10:28 AM

Please run the following tools

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
    If MBAM won't update then download and update MBAM on a clean computer then save the rules.ref folder to a memory stick. This file is found here: 'C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware' then transfer it across to the infected computer.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.


And

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

m0le is a proud member of UNITE

#13 capocrimini

capocrimini
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:04:45 AM

Posted 04 September 2010 - 09:54 PM

Malwarebytes log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4545

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

9/4/2010 9:00:45 PM
mbam-log-2010-09-04 (21-00-45).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 178960
Time elapsed: 26 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#14 capocrimini

capocrimini
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:04:45 AM

Posted 04 September 2010 - 09:56 PM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/04/2010 at 09:44 PM

Application Version : 4.42.1000

Core Rules Database Version : 5457
Trace Rules Database Version: 3269

Scan type : Complete Scan
Total Scan Time : 00:34:35

Memory items scanned : 429
Memory threats detected : 0
Registry items scanned : 5286
Registry threats detected : 0
File items scanned : 47921
File threats detected : 72

Adware.Tracking Cookie
C:\Documents and Settings\CAPOCRIMINI\Cookies\capocrimini@invitemedia[1].txt
C:\Documents and Settings\CAPOCRIMINI\Cookies\capocrimini@mediaplex[1].txt
C:\Documents and Settings\CAPOCRIMINI\Cookies\capocrimini@msnportal.112.2o7[1].txt
C:\Documents and Settings\CAPOCRIMINI\Cookies\capocrimini@statse.webtrendslive[2].txt
C:\Documents and Settings\CAPOCRIMINI\Cookies\capocrimini@atdmt[1].txt
C:\Documents and Settings\CAPOCRIMINI\Cookies\capocrimini@specificclick[2].txt
C:\Documents and Settings\CAPOCRIMINI\Cookies\capocrimini@fastclick[1].txt


#15 m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 05 September 2010 - 03:31 AM

The PC is clean.

Close Internet Explorer. Go to Start > Control Panel > Internet Options.
  • Under the General tab press Delete..., then make sure all the sections are checked and click Delete.
  • Under the Advanced tab click Restore advanced settings.
  • Make sure under the Security tab the Default is selected.
  • Also make sure under the Privacy tab the Default is selected.
  • Under Privacy click on Sites, then on Remove All and confirm.
    (If the user uses SpywareBlaster they should re-enable restrictions.)

Then just a quick check that the file system is working correctly.

We are going to run chkdsk, which will verify and repair the file system.

Step One: Click Start, select Run

Step Two: In the box, type cmd

Step Three: Click Ok

Step Four: Run the chkdsk utility by typing in the following command:

chkdsk c: /f /r

NOTE: The /f command automatically fixes any errors encountered; the /r command locates bad sectors and recovers readable information.

Step Five: A reboot is normally required for the chkdsk program to lock the disk and run correctly (this is typical on machines that have only one volume), so simply restart the computer and chkdsk will run automatically. When it's finished (this process can take quite a while depending on the size of your disk, etc.), it will boot back to normal Windows.

On rebooting the PC you will see the disk being checked.

This process will take, on average, about an hour.

Let me know when you have completed these tasks.
m0le is a proud member of UNITE
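As an added example, not part of m0le's post or BleepingComputer's instructions, here is the same chkdsk step driven from PowerShell: it checks the volume's NTFS dirty bit first, schedules `chkdsk c: /f /r` for the next boot, and afterwards pulls chkdsk's boot-time report out of the Application event log so you do not have to watch the console during the reboot. It assumes an elevated PowerShell prompt, the system volume C:, and that the boot-time result is logged as event ID 1001 by source Winlogon (Windows XP) or Wininit (Vista and later).

```powershell
# Added example, not from the original post. Assumes an elevated PowerShell
# prompt, the system volume C:, and that the boot-time chkdsk report is written
# to the Application log as event ID 1001 by "Winlogon" (XP) or "Wininit" (Vista+).

function Request-BootTimeChkdsk {
    param([string]$Volume = 'C:')

    # The NTFS dirty bit shows whether Windows already wants this volume checked.
    $state = (& fsutil dirty query $Volume) -join ' '
    if ($state -match 'is Dirty') {
        Write-Host "$Volume is already flagged dirty; autochk would run at boot anyway."
    }

    # chkntfs reports whether a check is already queued for the next boot.
    & chkntfs $Volume

    # The system volume cannot be locked while Windows is running, so chkdsk
    # asks whether to schedule the check at the next restart; answer Y via stdin.
    # /f repairs errors, /r additionally scans the surface for bad sectors.
    'Y' | & chkdsk $Volume /f /r
    Write-Host "Restart now; with /r expect the boot-time check to take about an hour."
}

function Get-BootTimeChkdskResult {
    param([string]$Volume = 'C:')

    # autochk writes no console log; its whole report lands in a single event.
    Get-EventLog -LogName Application -Newest 500 |
        Where-Object {
            ($_.Source -eq 'Winlogon' -or $_.Source -eq 'Wininit') -and
            $_.EventID -eq 1001 -and
            $_.Message -match "Checking file system on $([regex]::Escape($Volume))"
        } |
        Select-Object -First 1 TimeGenerated, Message
}

# Typical use: run the first function before the reboot, the second afterwards.
# Request-BootTimeChkdsk -Volume 'C:'
# Get-BootTimeChkdskResult -Volume 'C:' | Format-List
```

The event's Message field contains the same text chkdsk prints on screen, so a non-zero count of bad sectors or "Windows has made corrections" is visible there after the fact.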



