
It's still a lot to learn****


This topic is locked
3 replies to this topic

#1 sreez

Posted 01 September 2010 - 01:30 AM

Dear Friends,

I am veriono, trained at this forum. Here is the log from the office, which needs to be sorted in 2 hours. Therefore guys, let's solve this little challenge as quickly as we can and prove to them what we are capable of.

Please find the trojans/malware/etc. Are those bloody rootkits? I am very happy being within this society. So let's ROCK.

ComboFix 10-08-30.02 - Administrator 08/31/2010 15:52:50.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1982.1613 [GMT 5.5:30]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1287 [VPS 100831-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
c:\progra~1\MYWEBS~1\bar\3.bin\mwsoemon.exe
c:\program files\FunWebProducts
c:\program files\FunWebProducts\ScreenSaver\Cache\001E0DF4.jpg
c:\program files\FunWebProducts\ScreenSaver\Cache\files.ini
c:\program files\FunWebProducts\ScreenSaver\Images\001E0AAB.urr
c:\program files\FunWebProducts\ScreenSaver\Images\001E2883.dat
c:\program files\FunWebProducts\ScreenSaver\Images\004885C2.urr
c:\program files\FunWebProducts\ScreenSaver\Images\f3wallpp.bmp
c:\program files\FunWebProducts\ScreenSaver\Images\wrkparam.lst
c:\program files\FunWebProducts\Shared\0087BD93.dat
c:\program files\FunWebProducts\Shared\Cache\CursorManiaBtn.html
c:\program files\FunWebProducts\Shared\Cache\MyFunCardsIMBtn.html
c:\program files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
c:\program files\FunWebProducts\Shared\Cache\WebfettiBtn.html
c:\program files\MyWebSearch
c:\program files\MyWebSearch\bar\1.bin\chrome\M3FFXTBR.JAR
c:\program files\MyWebSearch\bar\2.bin\chrome\M3FFXTBR.JAR
c:\program files\MyWebSearch\bar\3.bin\CHROME.MANIFEST
c:\program files\MyWebSearch\bar\3.bin\chrome\M3FFXTBR.JAR
c:\program files\MyWebSearch\bar\3.bin\F3BKGERR.JPG
c:\program files\MyWebSearch\bar\3.bin\F3CJPEG.DLL
c:\program files\MyWebSearch\bar\3.bin\F3DTactl.dll
c:\program files\MyWebSearch\bar\3.bin\F3HISTSW.DLL
c:\program files\MyWebSearch\bar\3.bin\F3HKSTUB.DLL
c:\program files\MyWebSearch\bar\3.bin\F3HTmlmu.dll
c:\program files\MyWebSearch\bar\3.bin\F3HTTPCT.DLL
c:\program files\MyWebSearch\bar\3.bin\F3IMSTUB.DLL
c:\program files\MyWebSearch\bar\3.bin\F3POPSWT.DLL
c:\program files\MyWebSearch\bar\3.bin\F3PSSAVR.SCR
c:\program files\MyWebSearch\bar\3.bin\F3REGHK.DLL
c:\program files\MyWebSearch\bar\3.bin\F3REPROX.DLL
c:\program files\MyWebSearch\bar\3.bin\F3RESTUB.DLL
c:\program files\MyWebSearch\bar\3.bin\F3SCHMON.EXE
c:\program files\MyWebSearch\bar\3.bin\F3SCrctr.dll
c:\program files\MyWebSearch\bar\3.bin\F3SPACER.WMV
c:\program files\MyWebSearch\bar\3.bin\F3WALLPP.DAT
c:\program files\MyWebSearch\bar\3.bin\F3WPHOOK.DLL
c:\program files\MyWebSearch\bar\3.bin\FWPBUDDY.PNG
c:\program files\MyWebSearch\bar\3.bin\INSTALL.RDF
c:\program files\MyWebSearch\bar\3.bin\M3AUXSTB.DLL
c:\program files\MyWebSearch\bar\3.bin\M3DLGHK.DLL
c:\program files\MyWebSearch\bar\3.bin\M3HIGHIN.EXE
c:\program files\MyWebSearch\bar\3.bin\M3HTML.DLL
c:\program files\MyWebSearch\bar\3.bin\M3IDLE.DLL
c:\program files\MyWebSearch\bar\3.bin\M3IMPIPE.EXE
c:\program files\MyWebSearch\bar\3.bin\M3MEDINT.EXE
c:\program files\MyWebSearch\bar\3.bin\M3MSG.DLL
c:\program files\MyWebSearch\bar\3.bin\M3OUtlcn.dll
c:\program files\MyWebSearch\bar\3.bin\M3PLUGIN.DLL
c:\program files\MyWebSearch\bar\3.bin\M3SKIN.DLL
c:\program files\MyWebSearch\bar\3.bin\M3SKPLAY.EXE
c:\program files\MyWebSearch\bar\3.bin\M3SLSRCH.EXE
c:\program files\MyWebSearch\bar\3.bin\M3SRCHMN.EXE
c:\program files\MyWebSearch\bar\3.bin\MWSBAR.DLL
c:\program files\MyWebSearch\bar\3.bin\MWSMLBTN.DLL
c:\program files\MyWebSearch\bar\3.bin\MWSOEMON.EXE
c:\program files\MyWebSearch\bar\3.bin\MWSOEPLG.DLL
c:\program files\MyWebSearch\bar\3.bin\MWSOESTB.DLL
c:\program files\MyWebSearch\bar\3.bin\MWSSRCAS.DLL
c:\program files\MyWebSearch\bar\3.bin\MWSSVC.EXE
c:\program files\MyWebSearch\bar\3.bin\MWSUABTN.DLL
c:\program files\MyWebSearch\bar\3.bin\NPMYWEBS.DLL
c:\program files\MyWebSearch\bar\Avatar\COMMON.F3S
c:\program files\MyWebSearch\bar\Cache\00018CA0.bin
c:\program files\MyWebSearch\bar\Cache\00018E8A.bin
c:\program files\MyWebSearch\bar\Cache\00018FF3.bin
c:\program files\MyWebSearch\bar\Cache\0002C769
c:\program files\MyWebSearch\bar\Cache\000B929E
c:\program files\MyWebSearch\bar\Cache\000BC33E
c:\program files\MyWebSearch\bar\Cache\000BE26B
c:\program files\MyWebSearch\bar\Cache\0015CF9D.bin
c:\program files\MyWebSearch\bar\Cache\0015D23C.bin
c:\program files\MyWebSearch\bar\Cache\0015D567.bin
c:\program files\MyWebSearch\bar\Cache\0015D874.bin
c:\program files\MyWebSearch\bar\Cache\00279F7D.bin
c:\program files\MyWebSearch\bar\Cache\0027ACF2.bin
c:\program files\MyWebSearch\bar\Cache\00444995
c:\program files\MyWebSearch\bar\Cache\0079015B
c:\program files\MyWebSearch\bar\Cache\00791A64
c:\program files\MyWebSearch\bar\Cache\00A90481.bin
c:\program files\MyWebSearch\bar\Cache\00A90535.bin
c:\program files\MyWebSearch\bar\Cache\00A905AD.bin
c:\program files\MyWebSearch\bar\Cache\00A90694.bin
c:\program files\MyWebSearch\bar\Cache\00CF8429
c:\program files\MyWebSearch\bar\Cache\files.ini
c:\program files\MyWebSearch\bar\Game\CHECKERS.F3S
c:\program files\MyWebSearch\bar\Game\CHESS.F3S
c:\program files\MyWebSearch\bar\Game\REVERSI.F3S
c:\program files\MyWebSearch\bar\History\search3
c:\program files\MyWebSearch\bar\icons\CM.ICO
c:\program files\MyWebSearch\bar\icons\MFC.ICO
c:\program files\MyWebSearch\bar\icons\PSS.ICO
c:\program files\MyWebSearch\bar\icons\SMILEY.ICO
c:\program files\MyWebSearch\bar\icons\WB.ICO
c:\program files\MyWebSearch\bar\icons\ZWINKY.ICO
c:\program files\MyWebSearch\bar\Message\COMMON.F3S
c:\program files\MyWebSearch\bar\Notifier\COMMON.F3S
c:\program files\MyWebSearch\bar\Notifier\DOG.F3S
c:\program files\MyWebSearch\bar\Notifier\FISH.F3S
c:\program files\MyWebSearch\bar\Notifier\KUNGFU.F3S
c:\program files\MyWebSearch\bar\Notifier\LIFEGARD.F3S
c:\program files\MyWebSearch\bar\Notifier\MAID.F3S
c:\program files\MyWebSearch\bar\Notifier\MAILBOX.F3S
c:\program files\MyWebSearch\bar\Notifier\OPERA.F3S
c:\program files\MyWebSearch\bar\Notifier\ROBOT.F3S
c:\program files\MyWebSearch\bar\Notifier\SEDUCT.F3S
c:\program files\MyWebSearch\bar\Notifier\SURFER.F3S
c:\program files\MyWebSearch\bar\Overlay\COMMON.F3S
c:\program files\MyWebSearch\bar\Settings\prevcfg2.htm
c:\program files\MyWebSearch\bar\Settings\s_FeatCk.dat
c:\program files\MyWebSearch\bar\Settings\s_FeatCk.dat.bak
c:\program files\MyWebSearch\bar\Settings\s_pid.dat
c:\program files\MyWebSearch\bar\Settings\setting2.htm
c:\program files\MyWebSearch\bar\Settings\settings.dat
c:\program files\WebSecurity
c:\program files\WebSecurity\Desktop.ini
c:\windows\Downloaded Program Files\f3initialsetup1.0.1.1.inf
c:\windows\system32\Cache
c:\windows\system32\f3PSSavr.scr
c:\windows\system32\images
c:\windows\system32\images\toolbar\calendar.gif
c:\windows\system32\images\toolbar\crlogo.gif
c:\windows\system32\images\toolbar\export.gif
c:\windows\system32\images\toolbar\export_over.gif
c:\windows\system32\images\toolbar\exportd.gif
c:\windows\system32\images\toolbar\First.gif
c:\windows\system32\images\toolbar\first_over.gif
c:\windows\system32\images\toolbar\Firstd.gif
c:\windows\system32\images\toolbar\gotopage.gif
c:\windows\system32\images\toolbar\gotopage_over.gif
c:\windows\system32\images\toolbar\gotopaged.gif
c:\windows\system32\images\toolbar\grouptree.gif
c:\windows\system32\images\toolbar\grouptree_over.gif
c:\windows\system32\images\toolbar\grouptreed.gif
c:\windows\system32\images\toolbar\grouptreepressed.gif
c:\windows\system32\images\toolbar\Last.gif
c:\windows\system32\images\toolbar\last_over.gif
c:\windows\system32\images\toolbar\Lastd.gif
c:\windows\system32\images\toolbar\Next.gif
c:\windows\system32\images\toolbar\next_over.gif
c:\windows\system32\images\toolbar\Nextd.gif
c:\windows\system32\images\toolbar\Prev.gif
c:\windows\system32\images\toolbar\prev_over.gif
c:\windows\system32\images\toolbar\Prevd.gif
c:\windows\system32\images\toolbar\print.gif
c:\windows\system32\images\toolbar\print_over.gif
c:\windows\system32\images\toolbar\printd.gif
c:\windows\system32\images\toolbar\Refresh.gif
c:\windows\system32\images\toolbar\refresh_over.gif
c:\windows\system32\images\toolbar\refreshd.gif
c:\windows\system32\images\toolbar\Search.gif
c:\windows\system32\images\toolbar\search_over.gif
c:\windows\system32\images\toolbar\searchd.gif
c:\windows\system32\images\toolbar\up.gif
c:\windows\system32\images\toolbar\up_over.gif
c:\windows\system32\images\toolbar\upd.gif
c:\windows\system32\images\tree\begindots.gif
c:\windows\system32\images\tree\beginminus.gif
c:\windows\system32\images\tree\beginplus.gif
c:\windows\system32\images\tree\blank.gif
c:\windows\system32\images\tree\blankdots.gif
c:\windows\system32\images\tree\dots.gif
c:\windows\system32\images\tree\lastdots.gif
c:\windows\system32\images\tree\lastminus.gif
c:\windows\system32\images\tree\lastplus.gif
c:\windows\system32\images\tree\Magnify.gif
c:\windows\system32\images\tree\minus.gif
c:\windows\system32\images\tree\minusbox.gif
c:\windows\system32\images\tree\plus.gif
c:\windows\system32\images\tree\plusbox.gif
c:\windows\system32\images\tree\singleminus.gif
c:\windows\system32\images\tree\singleplus.gif

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MYWEBSEARCHSERVICE
-------\Service_MyWebSearchService


((((((((((((((((((((((((( Files Created from 2010-07-28 to 2010-08-31 )))))))))))))))))))))))))))))))
.

2010-08-31 14:24 . 2010-08-31 14:24 -------- d-----w- c:\windows\NLDRV
2010-08-31 10:30 . 2010-08-31 10:30 -------- d-----w- c:\windows\LastGood
2010-08-31 09:42 . 2010-08-31 09:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-08-31 09:42 . 2010-04-29 10:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-31 09:42 . 2010-08-31 09:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-31 09:42 . 2010-04-29 10:09 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-31 09:42 . 2010-08-31 09:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-31 09:20 . 2004-08-03 19:26 7680 -c--a-w- c:\windows\system32\dllcache\migregdb.exe
2010-08-31 09:19 . 2004-08-03 17:01 57399 -c--a-w- c:\windows\system32\dllcache\cplexe.exe
2010-08-31 09:10 . 2001-08-17 06:43 27165 ----a-w- c:\windows\system32\drivers\fetnd5.sys
2010-08-31 09:05 . 2001-08-23 06:30 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2010-08-31 09:05 . 2001-08-23 06:30 24661 ----a-w- c:\windows\system32\spxcoins.dll
2010-08-31 09:05 . 2001-08-23 06:30 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2010-08-31 09:05 . 2001-08-23 06:30 13312 ----a-w- c:\windows\system32\irclass.dll
2010-08-31 08:28 . 2010-08-31 08:28 -------- d-----w- c:\program files\MySQL
2010-08-31 08:28 . 2010-08-31 08:28 -------- d-----w- c:\documents and settings\All Users\Application Data\MySQL
2010-08-30 14:18 . 2010-08-30 14:18 -------- d-----w- c:\windows\IIS Temporary Compressed Files
2010-08-30 14:16 . 2001-08-23 06:30 6656 -c--a-w- c:\windows\system32\dllcache\iissync.exe
2010-08-30 01:20 . 2010-08-30 14:18 -------- d-----w- C:\Inetpub
2010-08-03 22:36 . 2010-08-03 22:36 503808 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-2b375d59-n\msvcp71.dll
2010-08-03 22:36 . 2010-08-03 22:36 499712 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-2b375d59-n\jmc.dll
2010-08-03 22:35 . 2010-08-03 22:36 348160 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-2b375d59-n\msvcr71.dll
2010-08-03 22:35 . 2010-08-03 22:35 61440 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-212f44ee-n\decora-sse.dll
2010-08-03 22:35 . 2010-08-03 22:35 12800 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-212f44ee-n\decora-d3d.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-31 09:15 . 2010-01-28 11:32 25496 ----a-w- c:\windows\system32\emptyregdb.dat
2010-08-30 14:23 . 2003-12-31 18:52 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-21 19:46 . 2004-01-11 14:32 70496 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-27 08:19 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP4a23.tmp
2010-06-27 08:15 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP4bda.tmp
2010-06-27 08:11 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP4b93.tmp
2010-06-27 08:06 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP4ab8.tmp
2010-06-27 08:02 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP4a71.tmp
2010-06-27 07:58 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP498b.tmp
2010-06-27 07:53 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP4d9d.tmp
2010-06-27 07:49 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP4e46.tmp
2010-06-27 07:44 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP4c8e.tmp
2010-06-27 07:39 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP4cac.tmp
2010-06-27 07:35 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP4348.tmp
2010-06-27 07:30 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP4316.tmp
2010-06-27 07:26 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP41eb.tmp
2010-06-27 07:22 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP417c.tmp
2010-06-27 07:18 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP4302.tmp
2010-06-27 07:14 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP4b75.tmp
2010-06-27 07:10 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP4b4d.tmp
2010-06-27 07:06 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP4b9f.tmp
2010-06-27 06:56 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP4ae9.tmp
2010-06-27 06:52 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP4a22.tmp
2010-06-27 06:48 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP49bd.tmp
2010-06-27 06:44 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP4aaf.tmp
2010-06-27 06:39 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP4aae.tmp
2010-06-27 06:35 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP4a21.tmp
2010-06-27 06:30 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP4a4b.tmp
2010-06-27 06:26 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP4959.tmp
2010-06-27 06:21 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP4a2b.tmp
2010-06-27 06:17 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP4ac2.tmp
2010-06-27 06:12 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP4afe.tmp
2010-06-27 06:08 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP4c72.tmp
2010-06-27 06:04 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP4c84.tmp
2010-06-27 05:59 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP4bd9.tmp
2010-06-27 05:55 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP41fe.tmp
2010-06-27 05:51 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP410d.tmp
2010-06-27 05:46 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP43de.tmp
2010-06-27 05:42 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP45bf.tmp
2010-06-27 05:38 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP43f3.tmp
2010-06-27 05:34 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP4081.tmp
2010-06-27 05:29 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP3fa5.tmp
2010-06-27 05:25 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP408c.tmp
2010-06-27 05:20 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP41b8.tmp
2010-06-27 05:16 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP41ea.tmp
2010-06-27 05:12 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP41c3.tmp
2010-06-27 05:08 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP3ff5.tmp
2010-06-27 05:04 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP409f.tmp
2010-06-27 04:59 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP423a.tmp
2010-06-27 04:55 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP4050.tmp
2010-06-27 04:51 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP404f.tmp
2010-06-27 04:47 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP4208.tmp
2010-06-27 04:43 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP3fc4.tmp
2010-06-27 04:39 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP4244.tmp
2010-06-27 04:34 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP43b6.tmp
2010-06-27 04:30 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP48b8.tmp
2010-06-27 04:26 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP4796.tmp
2010-06-27 04:21 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP47be.tmp
2010-06-27 04:17 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP487c.tmp
2010-06-27 04:13 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP47f0.tmp
2010-06-27 04:09 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP3f2d.tmp
2010-06-27 04:05 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP4063.tmp
2010-06-27 04:01 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP42f8.tmp
2010-06-27 03:56 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP3f05.tmp
2010-06-27 03:52 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP4b9e.tmp
2010-06-27 03:48 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP4bbb.tmp
2010-06-27 03:44 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP4a4a.tmp
2010-06-27 03:40 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP4b1b.tmp
2010-06-27 03:35 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP4a86.tmp
2010-06-27 03:30 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP4ba7.tmp
2010-06-27 03:26 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP4afd.tmp
2010-06-27 03:22 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP4acb.tmp
2010-06-27 03:17 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP4a85.tmp
2010-06-27 03:13 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP40e5.tmp
2010-06-27 03:09 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP4136.tmp
2010-06-27 03:05 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP4ac1.tmp
2010-06-27 03:01 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP49e5.tmp
2010-06-27 02:56 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP4ab7.tmp
2010-06-27 02:52 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP4c71.tmp
2010-06-27 02:48 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP4d88.tmp
2010-06-27 02:44 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP4df6.tmp
2010-06-27 02:39 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP4be3.tmp
2010-06-27 02:35 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP4c70.tmp
2010-06-27 02:30 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP4b9d.tmp
2010-06-27 02:26 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP3fc3.tmp
2010-06-27 02:22 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP4b61.tmp
2010-06-27 02:17 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP40ef.tmp
2010-06-27 02:13 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP4a3f.tmp
2010-06-27 02:08 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP4a49.tmp
2010-06-27 02:04 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP4a5d.tmp
2010-06-27 02:00 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP4a99.tmp
2010-06-27 01:56 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP4b6b.tmp
2010-06-27 01:52 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP4ad5.tmp
2010-06-27 01:47 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP4c7a.tmp
2010-06-27 01:43 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP4aad.tmp
2010-06-27 01:39 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP4aa3.tmp
2010-06-27 01:34 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP4a67.tmp
2010-06-26 18:29 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP4172.tmp
2010-06-26 18:25 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP426c.tmp
2010-06-26 18:21 . 2004-01-01 00:27 90112 ----a-w- c:\windows\DUMP42ee.tmp
.

------- Sigcheck -------

[-] 2008-04-14 . 9DD07AF82244867CA36681EA2D29CE79 . 1614848 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\sfcfiles.dll
[-] 1814-01-02 . 32272BF10467C8ACF1F83138C61D541E . 1580544 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-06 88363]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2004-06-06 184320]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2005-01-06 159744]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-18 81000]
"Aide"="c:\program files\Tata Photon Whiz\Aide.exe" [2009-03-31 77824]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-21 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"SoundMan"="SOUNDMAN.EXE" [2006-06-20 577536]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2010-4-5 494920]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [1/29/2010 4:27 PM 110160]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [1/29/2010 4:27 PM 20560]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/1/2004 8:09 PM 135664]
.
Contents of the 'Scheduled Tasks' folder

2010-08-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2004-01-01 14:39]

2010-08-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2004-01-01 14:39]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\8l6vxo3y.default\
FF - prefs.js: browser.search.selectedEngine - MyWebSearch
FF - prefs.js: browser.startup.homepage - hxxp://assistmypc.org/
FF - prefs.js: keyword.URL - hxxp://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=ZRxdm894YYIN&ptb=qKZqWM5ELRiGAE.jm_1FBA&psa=&ind=2010041300&ptnrS=ZRxdm894YYIN&si=&st=kwd&n=77cecbd4&searchfor=
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-31 16:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Aide = "c:\program files\Tata Photon Whiz\Aide.exe"??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1202660629-1682526488-1708537768-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,73,d7,4f,19,79,80,72,40,a8,19,38,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,73,d7,4f,19,79,80,72,40,a8,19,38,\
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\AGRSMMSG.exe
c:\windows\SOUNDMAN.EXE
.
**************************************************************************
.
Completion time: 2010-08-31 16:17:05 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-31 10:47

Pre-Run: 6,396,604,416 bytes free
Post-Run: 6,519,259,136 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Current=3 Default=3 Failed=0 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - 9F640CE5C23ED13AF14A444DFB8B31C4

LIFE is so simple, if you know the reason of your existence at a certain place. Treat every step as the first one and trust god, friends, relatives and everyone.

It's a simple magic trick given to me by one friend also and I am at this stage.


#2 m0le (Malware Response Team)

Posted 04 September 2010 - 05:18 AM

Hi sreez,

You should not run ComboFix unless you are specifically asked to by a helper. Also, due to the power of this tool it is strongly advised that you do not attempt to act upon any of the information displayed by ComboFix without supervision from someone who has been properly trained. If you do so, it may lead to problems with the normal functionality of your computer.


Combofix has removed MyWebSearch which is a good start but let's continue on from this point. Firefox is still showing the remains of the hijack so please rerun Combofix as below.

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

Firefox::
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\8l6vxo3y.default\
FF - prefs.js: browser.search.selectedEngine -
FF - prefs.js: browser.startup.homepage -
FF - prefs.js: keyword.URL -

RegLock::
[HKEY_USERS\S-1-5-21-1202660629-1682526488-1708537768-500\Software\Microsoft\Internet Explorer\User Preferences]


Save this as CFScript.txt, in the same location as ComboFix.exe (shown in the graphic below).




Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

If the program asks you to update ComboFix, click Yes.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
m0le is a proud member of UNITE
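Added example (not from the thread, ComboFix, or BleepingComputer): a small Python triage script that parses the "FF - prefs.js:" lines of a ComboFix log, flags the search-hijack remnants m0le is clearing in the post above (MyWebSearch as the search engine, an external start page, a keyword.URL redirect) and emits a "Firefox::" section in the format of the CFScript he posted, with the offending values blanked. The sample log text is constructed from lines quoted in this thread; the regexes and the HIJACK_MARKERS list are my own assumptions, not ComboFix's.

```python
"""Triage helper for ComboFix logs (added example; not part of ComboFix or this thread).

Reads the 'FF - prefs.js:' lines, flags leftover browser-hijack settings and
builds a 'Firefox::' CFScript section that blanks them.  'hxxp' is ComboFix's
defanged spelling of 'http' and is kept verbatim.
"""
import re
from dataclasses import dataclass

# Constructed sample, assembled from lines quoted in this thread's log.
SAMPLE_LOG = """\
uStart Page = about:blank
FF - ProfilePath - c:\\documents and settings\\Administrator\\Application Data\\Mozilla\\Firefox\\Profiles\\8l6vxo3y.default\\
FF - prefs.js: browser.search.selectedEngine - MyWebSearch
FF - prefs.js: browser.startup.homepage - hxxp://assistmypc.org/
FF - prefs.js: keyword.URL - hxxp://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=ZRxdm894YYIN
FF - plugin: c:\\program files\\Java\\jre6\\bin\\new_plugin\\npdeployJava1.dll
"""

# Constructed clean counterpart: same profile, stock Firefox values.
CLEAN_LOG = """\
FF - ProfilePath - c:\\documents and settings\\Administrator\\Application Data\\Mozilla\\Firefox\\Profiles\\8l6vxo3y.default\\
FF - prefs.js: browser.startup.homepage - about:home
"""

# Assumed line shapes; an empty value ("... keyword.URL -") is accepted too.
FF_PREF_RE = re.compile(r"^FF - prefs\.js: (?P<name>[\w.]+) - ?(?P<value>.*)$")
FF_PROFILE_RE = re.compile(r"^FF - ProfilePath - (?P<path>.+)$")

# Adware/toolbar family names that appear in this thread's deletion list.
HIJACK_MARKERS = ("mywebsearch", "funwebproducts")


@dataclass
class Finding:
    pref: str
    value: str
    reason: str


def parse_ff_prefs(log_text):
    """Return {pref name: value} for each 'FF - prefs.js:' line, in log order."""
    prefs = {}
    for line in log_text.splitlines():
        m = FF_PREF_RE.match(line.strip())
        if m:
            prefs[m.group("name")] = m.group("value").strip()
    return prefs


def parse_ff_profile(log_text):
    """Return the Firefox profile path ComboFix reported, or None if absent."""
    for line in log_text.splitlines():
        m = FF_PROFILE_RE.match(line.strip())
        if m:
            return m.group("path").strip()
    return None


def find_hijack_remnants(log_text):
    """Flag Firefox prefs that still carry a search-engine or start-page hijack."""
    findings = []
    for pref, value in parse_ff_prefs(log_text).items():
        low = value.lower()
        if pref == "browser.search.selectedEngine" and any(k in low for k in HIJACK_MARKERS):
            findings.append(Finding(pref, value, "default search engine is a known toolbar family"))
        elif pref == "browser.startup.homepage" and value and not low.startswith("about:"):
            findings.append(Finding(pref, value, "start page points at an external site"))
        elif pref == "keyword.URL" and value:
            findings.append(Finding(pref, value, "address-bar searches are redirected"))
    return findings


def build_cfscript(log_text):
    """Emit a 'Firefox::' section in the CFScript format used above: flagged prefs, blank values."""
    findings = find_hijack_remnants(log_text)
    if not findings:
        return ""
    lines = ["Firefox::"]
    profile = parse_ff_profile(log_text)
    if profile:
        lines.append(f"FF - ProfilePath - {profile}")
    for f in findings:
        lines.append(f"FF - prefs.js: {f.pref} -")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for f in find_hijack_remnants(SAMPLE_LOG):
        print(f"{f.pref} = {f.value!r}: {f.reason}")
    print(build_cfscript(SAMPLE_LOG))
```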

#3 sreez (Topic Starter)

Posted 06 September 2010 - 08:10 AM

Dear m0le,

First, sorry for the delayed reply. Thanks for helping me out with this log.

I have sad news: these guys decided to format the system. Therefore I had to follow the seniors' order.

I thought I would learn more using this log but unfortunately had to give up.

But I will see you guys around again in other topics and forums.

veriono



#4 m0le (Malware Response Team)

Posted 06 September 2010 - 11:35 AM

No problem, sreez.

PM me if you want to know what I was doing with the Combofix script.

--------------------------------------------------

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.



