Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Register a free account to unlock additional features at BleepingComputer.com

Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Latest News: Google Testing Removal of WWW Subdomain from Search Results

Featured Deal: Get 95% off The Ultimate MCSE Certification Training Bundle

combofix report

Started by ident , Sep 07 2010 03:02 PM

This topic is locked

2 replies to this topic

#1 ident

Members
109 posts
OFFLINE

Gender:Male
Location:Cambridge
Local time:02:48 AM

Posted 07 September 2010 - 03:02 PM

EDIT Moved to apprpriate forum. Virus, Trojan, Spyware, and Malware Removal Logs

it suggested i posted here

what happened???

ComboFix 10-09-07.01 - Owner 07/09/2010 20:49:53.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1022.748 [GMT -5:00]
Running from: c:\documents and settings\Owner\My Documents\Firefox\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\asdkasdakl.exe
c:\asdkasdakl.exe\asdkasdakl.exe
c:\asdkasdakl.exe\config.bin
c:\windows\system32\LGUICOM.DLL

Infected copy of c:\windows\system32\drivers\kbdhid.sys was found and disinfected
Restored copy from - Kitty had a snack

.
((((((((((((((((((((((((( Files Created from 2010-08-08 to 2010-09-08 )))))))))))))))))))))))))))))))
.

2010-09-08 01:54 . 2010-09-08 01:54 -------- d-----w- c:\windows\system32\xircom
2010-09-08 01:54 . 2010-09-08 01:54 -------- d-----w- c:\windows\system32\wbem\snmp
2010-09-08 01:54 . 2010-09-08 01:54 -------- d-----w- c:\windows\system32\oobe
2010-09-08 01:54 . 2010-09-08 01:54 -------- d-----w- c:\program files\microsoft frontpage
2010-09-07 23:54 . 2010-09-07 23:54 -------- d-----w- c:\program files\Microsoft Synchronization Services
2010-09-07 23:54 . 2010-09-07 23:54 -------- d-----w- c:\program files\Microsoft.NET
2010-09-07 23:54 . 2010-09-07 23:54 -------- d-----w- c:\program files\Microsoft Sync Framework
2010-09-07 23:54 . 2010-09-07 23:54 -------- d-----w- c:\documents and settings\All Users\Microsoft
2010-09-07 23:53 . 2010-09-07 23:53 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2010-09-07 23:52 . 2010-09-07 23:52 -------- d-----w- c:\program files\Microsoft Analysis Services
2010-09-07 23:52 . 2010-09-07 23:54 -------- d-----w- c:\windows\SHELLNEW
2010-09-07 23:51 . 2010-09-07 23:51 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Microsoft Help
2010-09-07 23:51 . 2010-09-07 23:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-09-07 23:50 . 2010-09-07 23:50 -------- d-----r- C:\MSOCache
2010-09-07 06:17 . 2010-09-07 06:17 -------- d-----w- c:\documents and settings\Istria\Local Settings\Application Data\Mozilla
2010-09-07 03:26 . 2010-09-07 03:26 -------- d-----w- c:\program files\Drug Wars
2010-09-07 03:25 . 2010-09-07 03:26 -------- d-----w- C:\wamp
2010-09-07 03:22 . 2010-09-07 03:22 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\DX_Coders
2010-09-07 03:20 . 2010-09-07 03:24 -------- d-----w- c:\program files\DX Coders
2010-09-07 02:45 . 2010-09-07 02:45 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Opera
2010-09-07 02:45 . 2010-09-07 02:45 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-09-07 02:45 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-07 02:45 . 2010-09-07 02:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-07 02:45 . 2010-09-07 02:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-07 02:45 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-07 02:35 . 2003-06-25 21:05 266360 ----a-w- c:\windows\system32\TweakUI.exe
2010-09-07 02:28 . 2010-08-12 08:00 108032 ----a-w- c:\windows\system32\ff_vfw.dll
2010-09-07 02:28 . 2010-06-08 16:10 790528 ----a-w- c:\windows\system32\xvidcore.dll
2010-09-07 02:28 . 2010-06-08 16:10 134144 ----a-w- c:\windows\system32\xvidvfw.dll
2010-09-07 02:28 . 2004-01-25 16:18 217088 ----a-w- c:\windows\system32\yv12vfw.dll
2010-09-07 02:25 . 2010-09-07 02:25 -------- d-----w- c:\program files\Opera
2010-09-07 02:24 . 2010-09-07 23:37 -------- d-----w- c:\documents and settings\Owner\Tracing
2010-09-07 02:21 . 2010-09-07 23:54 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-09-07 02:21 . 2010-09-07 02:21 -------- d-----w- c:\program files\Microsoft
2010-09-07 02:21 . 2010-09-07 02:21 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-09-07 02:20 . 2010-09-07 02:22 -------- d-----w- c:\program files\Windows Live
2010-09-07 02:10 . 2010-09-07 02:10 -------- d-----w- c:\program files\Common Files\Windows Live
2010-09-07 02:09 . 2010-09-07 02:34 -------- d-----w- c:\program files\The KMPlayer
2010-09-07 02:02 . 2009-12-09 22:31 20992 ----a-w- c:\documents and settings\Owner\Application Data\Thunderbird\Profiles\l8e71g01.default\extensions\{de1b245c-de57-11da-ba2d-0050c2490048}\library\WINNT-32\MinimizeToTrayPlus.dll
2010-09-07 01:44 . 2010-09-07 01:44 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Thunderbird
2010-09-07 01:44 . 2010-09-07 01:44 -------- d-----w- c:\documents and settings\Owner\Application Data\Thunderbird
2010-09-07 01:44 . 2010-09-07 01:44 -------- d-----w- c:\program files\ERUNT
2010-09-07 01:44 . 2010-09-07 01:44 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-09-07 01:31 . 2010-09-07 01:39 -------- d-----w- c:\documents and settings\Owner\Application Data\Notepad++
2010-09-07 01:31 . 2010-09-07 01:31 -------- d-----w- c:\program files\Notepad++
2010-09-07 01:19 . 2010-09-07 01:19 -------- d-----w- c:\program files\MRU-Blaster
2010-09-07 00:58 . 2010-09-07 00:58 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\VS Revo Group
2010-09-07 00:58 . 2009-12-30 17:20 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys
2010-09-07 00:58 . 2010-09-07 00:58 -------- d-----w- c:\program files\VS Revo Group
2010-09-07 00:48 . 2010-09-07 00:48 -------- d-----w- c:\program files\PowerISO
2010-09-06 17:55 . 2010-03-17 16:35 309248 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\znonpcx7.default\extensions\{1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}\plugins\npietab2.dll
2010-09-06 17:44 . 2010-09-07 01:18 -------- d-----w- c:\program files\CCleaner
2010-09-06 17:41 . 2010-09-06 17:41 -------- d-----w- c:\windows\Sun
2010-09-06 17:36 . 2010-06-28 20:37 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-09-06 17:36 . 2010-06-28 20:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-09-06 17:36 . 2010-06-28 20:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-09-06 17:36 . 2010-06-28 20:32 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-09-06 17:36 . 2010-06-28 20:32 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-09-06 17:36 . 2010-06-28 20:32 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-09-06 17:36 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
2010-09-06 17:36 . 2010-06-28 20:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-09-06 17:36 . 2010-09-06 17:36 -------- d-----w- c:\program files\Alwil Software
2010-09-06 17:36 . 2010-09-06 17:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-09-06 17:23 . 2010-09-06 17:23 -------- d-----w- c:\windows\Options
2010-09-06 17:23 . 2010-09-06 17:23 -------- d-----w- C:\SWSetup
2010-09-06 17:23 . 2006-06-21 10:42 577536 ------w- c:\windows\soundman.exe
2010-09-06 17:23 . 2006-06-21 10:35 10527744 ------w- c:\windows\system32\RTLCPL.exe
2010-09-06 17:23 . 2006-06-08 13:00 143360 ------w- c:\windows\system32\RtlCPAPI.dll
2010-09-06 17:23 . 2005-07-15 21:48 40960 ------w- c:\windows\system32\ChCfg.exe
2010-09-06 17:23 . 2008-04-14 04:15 6272 ----a-w- c:\windows\system32\drivers\splitter.sys
2010-09-06 17:17 . 2010-09-06 17:17 -------- d-----w- c:\program files\Realtek
2010-09-06 17:15 . 2010-09-06 17:15 7097120 ----a-w- c:\documents and settings\Owner\Application Data\DeviceDoctorSoftware\DeviceDoctor\updates\1.0.0.1\DeviceDoctor_Setup.exe
2010-09-06 17:15 . 2010-09-06 17:15 -------- d-----w- c:\documents and settings\Owner\Application Data\DeviceDoctorSoftware
2010-09-06 17:15 . 2010-09-06 17:15 -------- d-----w- c:\program files\Device Doctor
2010-09-06 17:06 . 2010-09-07 01:04 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\eSupport.com
2010-09-06 17:00 . 2009-11-11 22:23 27744 ----a-w- c:\windows\system32\drivers\point32.sys
2010-09-06 16:56 . 2010-09-06 17:28 -------- dc----w- c:\windows\system32\DRVSTORE
2010-09-06 16:47 . 2010-09-06 16:47 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Innovative Solutions
2010-09-06 16:47 . 2010-09-06 16:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Innovative Solutions
2010-09-06 16:34 . 2010-09-07 02:24 35200 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-09-06 16:34 . 2010-09-07 01:03 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-09-06 16:33 . 2010-09-06 16:33 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2010-09-06 16:33 . 2010-09-06 16:33 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Downloaded Installations
2010-09-06 16:25 . 2010-09-06 16:25 -------- d-----w- c:\program files\uTorrent
2010-09-06 16:25 . 2010-09-08 01:22 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent
2010-09-06 05:36 . 2010-09-06 05:36 -------- d-----w- c:\program files\Recuva

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-08 00:22 . 2010-09-05 22:11 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-09-08 00:21 . 2010-09-05 16:31 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-09-07 23:55 . 2010-09-05 16:20 -------- d-----w- c:\program files\MSBuild
2010-09-07 02:31 . 2010-09-05 16:23 -------- d-----w- c:\program files\K-Lite Codec Pack
2010-09-07 01:13 . 2010-09-06 17:24 -------- d-----w- c:\program files\MouseWare
2010-09-06 17:28 . 2010-09-06 17:28 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_Apfiltr_01005.Wdf
2010-09-06 17:24 . 2010-09-06 17:24 -------- d-----w- c:\program files\Common Files\Logitech
2010-09-06 17:24 . 2010-09-06 17:22 -------- d-----w- c:\program files\Common Files\InstallShield
2010-09-06 17:24 . 2010-09-06 17:24 -------- d-----w- c:\program files\LSI SoftModem
2010-09-06 17:22 . 2010-09-06 17:22 -------- d-----w- c:\program files\Realtek AC97
2010-09-06 05:24 . 2010-09-05 22:07 -------- d-----w- c:\program files\Microsoft Silverlight
2010-09-05 22:12 . 2010-09-05 22:12 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-09-05 22:11 . 2010-09-05 22:11 -------- d-----w- c:\program files\Windows Media Connect 2
2010-09-05 22:09 . 2010-09-05 22:09 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2010-09-05 22:08 . 2010-09-05 22:08 -------- d-----w- c:\program files\MSXML 4.0
2010-09-05 20:12 . 2010-09-05 20:12 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2010-09-05 20:12 . 2010-09-05 20:12 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2010-09-05 17:53 . 2010-09-05 17:52 -------- d-----w- c:\program files\ATI
2010-09-05 17:52 . 2010-09-05 17:52 -------- d-----w- c:\program files\ATI Technologies
2010-09-05 17:23 . 2010-09-05 17:23 0 ----a-w- c:\windows\nsreg.dat
2010-09-05 17:20 . 2010-09-05 17:19 -------- d-----w- c:\program files\NVIDIA Corporation
2010-09-05 17:19 . 2010-09-05 17:19 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2010-09-05 17:19 . 2010-09-05 17:19 232968 ----a-w- c:\windows\system32\nvdrsdb0.bin
2010-09-05 17:19 . 2010-09-05 17:19 1 ----a-w- c:\windows\system32\nvdrssel.bin
2010-09-05 17:19 . 2010-09-05 17:19 232968 ----a-w- c:\windows\system32\nvdrsdb1.bin
2010-09-05 16:31 . 2010-09-05 16:31 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-628d7181-n\decora-sse.dll
2010-09-05 16:31 . 2010-09-05 16:31 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-53be31b1-n\msvcp71.dll
2010-09-05 16:31 . 2010-09-05 16:31 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-53be31b1-n\jmc.dll
2010-09-05 16:31 . 2010-09-05 16:31 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-53be31b1-n\msvcr71.dll
2010-09-05 16:31 . 2010-09-05 16:31 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-628d7181-n\decora-d3d.dll
2010-09-05 16:22 . 2010-09-05 16:22 -------- d-----w- c:\documents and settings\Owner\Application Data\Foxit
2010-09-05 16:22 . 2010-09-05 16:22 -------- d-----w- c:\program files\Unlocker
2010-09-05 16:22 . 2010-09-05 16:22 25214 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{8D166051-2C3B-4BF3-A68D-B11D45F3E1B6}\_6FEFF9B68218417F98F549.exe
2010-09-05 16:22 . 2010-09-05 16:22 -------- d-----w- c:\program files\UPHClean
2010-09-05 16:22 . 2010-09-05 16:22 -------- d-----w- c:\program files\Common Files\Java
2010-09-05 16:22 . 2010-09-05 16:22 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-09-05 16:22 . 2010-09-05 16:22 -------- d-----w- c:\program files\Java
2010-09-05 16:19 . 2010-09-05 16:19 -------- d-----w- c:\program files\Reference Assemblies
2010-07-09 22:38 . 2010-09-05 17:19 61440 ----a-w- c:\windows\system32\OpenCL.dll
2010-07-09 22:38 . 2010-09-05 17:19 2914408 ----a-w- c:\windows\system32\nvcuvid.dll
2010-07-09 22:38 . 2010-09-05 17:19 2506344 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-07-09 22:38 . 2010-09-05 17:19 13549568 ----a-w- c:\windows\system32\nvoglnt.dll
2010-07-09 22:38 . 2010-09-05 17:19 10604128 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2010-07-09 22:38 . 2010-09-05 17:19 6343040 ----a-w- c:\windows\system32\nv4_disp.dll
2010-07-09 22:38 . 2010-09-05 17:19 4595712 ----a-w- c:\windows\system32\nvcuda.dll
2010-07-09 22:38 . 2010-09-05 17:19 236136 ----a-w- c:\windows\system32\nvcodins.dll
2010-07-09 22:38 . 2010-09-05 17:19 236136 ----a-w- c:\windows\system32\nvcod.dll
2010-07-09 22:38 . 2010-09-05 17:19 2195030 ----a-w- c:\windows\system32\nvdata.bin
2010-07-09 22:38 . 2010-09-05 17:19 1388544 ----a-w- c:\windows\system32\nvapi.dll
2010-07-09 22:38 . 2010-09-05 17:19 10260480 ----a-w- c:\windows\system32\nvcompiler.dll
2010-06-30 12:23 . 2010-02-11 03:57 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:24 . 2010-02-11 03:58 919040 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 02:14 . 2010-02-11 03:58 1861120 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 14:18 . 2010-02-11 03:58 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2008-04-14 11:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2010-09-05 22:10 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:39 . 2010-02-11 03:57 1172480 ----a-w- c:\windows\system32\msxml3.dll
.

------- Sigcheck -------

[-] 2010-02-11 . BA8C046D98345129723E6BCAA1E8AB99 . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys

c:\windows\System32\wscntfy.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2010-02-11 128512]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
StartUp.lnk - c:\documents and settings\Owner\My Documents\Programming\VBScripts\StartUp.vbs [2010-9-6 2054]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 18 (0x12)
"NoSMConfigurePrograms"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 01000000
"NoRecentDocsNetHood"= 01000000
"NoSMMyDocs"= 01000000
"NoSMMyPictures"= 01000000
"NoNetworkConnections"= 01000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\winver.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\wamp\\bin\\apache\\Apache2.2.11\\bin\\httpd.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [06/09/2010 12:36 165456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [06/09/2010 12:36 17744]
S0 amdide1;amdide1;c:\windows\system32\drivers\amdide1.sys [10/02/2010 23:21 9096]
S1 DumpDrv;Crash Dump Driver;c:\windows\system32\drivers\dumpdrv.sys [10/02/2010 23:01 9472]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [21/01/2010 17:51 30963576]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [09/01/2010 20:37 4640000]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [06/09/2010 19:58 27064]

--- Other Services/Drivers In Memory ---

*Deregistered* - uphcleanhlp

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
UPHClean REG_MULTI_SZ UPHClean
.
.
------- Supplementary Scan -------
.
uStart Page = https://ssl.scroogle.org/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~4\Office14\ONBttnIE.dll/105
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\znonpcx7.default\
FF - prefs.js: browser.startup.homepage - www.btjunkie.org | www.vbforums.com | www.facebook.com | hxxp://forum.piriform.com/
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\znonpcx7.default\extensions\{1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}\plugins\npietab2.dll
FF - plugin: c:\progra~1\MICROS~4\Office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\MICROS~4\Office14\NPSPWRAP.DLL
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-asdkasdakl.exe - c:\asdkasdakl.exe\asdkasdakl.exe
Notify-RailNotification - (no file)
MSConfigStartUp-nwiz - nwiz.exe
AddRemove-Agere Systems Soft Modem - c:\windows\agrsmdel

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-07 20:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1264)
c:\windows\system32\WININET.dll
c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf
c:\progra~1\MICROS~4\Office14\1033\GrooveIntlResource.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\LSI SoftModem\agrsmsvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\System32\WScript.exe
c:\program files\Mozilla Firefox\firefox.exe
.
**************************************************************************
.
Completion time: 2010-09-07 20:57:26 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-08 01:57

Pre-Run: 143,114,432,512 bytes free
Post-Run: 143,118,020,608 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 5BBDBD7C66221A1E5C0D5AEB3F35F3EA

Edited by boopme, 07 September 2010 - 08:15 PM.

Back to top

BC AdBot (Login to Remove)

BleepingComputer.com
Register to remove ads

#2 myrti

Sillyberry

Malware Study Hall Admin
33,772 posts
OFFLINE

Gender:Female
Location:At home
Local time:08:48 AM

Posted 13 September 2010 - 12:53 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report

Please download OTL from one of the following mirrors:
- This is THE Mirror
Save it to your desktop.
Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
In the custom scan box paste the following:
CODE
msconfig
safebootminimal
activex
drivers32
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
mv61xx.sys
nvraid.sys
/md5stop
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\drivers\*.sys /90
Push the button.
Two reports will open, copy and paste them in a reply here:
- OTL.txt <-- Will be opened
- Extra.txt<--Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird? a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

Follow BleepingComputer on: Facebook | Twitter | Google+

Back to top

#3 myrti

Sillyberry

Malware Study Hall Admin
33,772 posts
OFFLINE

Gender:Female
Location:At home
Local time:08:48 AM

Posted 27 September 2010 - 07:15 AM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
myrti