
Computer randomly freezes


This topic is locked
26 replies to this topic

#1 Yuriy


Posted 26 September 2010 - 12:53 PM


DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 20:30:24,93 on 26.09.2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Home Edition 5.1.2600.3.1251.7.1049.18.1023.440 [GMT 3:00]

AV: Panda Cloud Antivirus *On-access scanning disabled* (Updated) {5AD27692-540A-464E-B625-78275FA38393}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe
C:\WINDOWS\system32\CAP3RSK.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k imgsvc
svchost.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe
D:\Program Files\Hewlett-Packard\ToolBoxFX\bin\HPTLBXFX.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe
D:\Program Files\BOINC\boincmgr.exe
D:\Program Files\BOINC\boinctray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3LAK.EXE
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\CAP3SWK.EXE
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\HouseCall\housecall.bin
C:\Documents and Settings\Administrator\Рабочий стол\dds.scr

============== Pseudo HJT Report ===============

mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {53707962-6F74-2D53-2644-206D7942484F} - No File
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
mRun: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
mRun: [CAP3ON] c:\windows\system32\spool\drivers\w32x86\3\CAP3ONN.EXE
mRun: [<NO NAME>]
mRun: [WinVNC] "c:\program files\tightvnc\WinVNC.exe" -servicehelper
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [LogMeIn Hamachi Ui] "c:\program files\logmein hamachi\hamachi-2-ui.exe" --auto-start
mRun: [ToolBoxFX] "d:\program files\hewlett-packard\toolboxfx\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /fl:on /fr:on /appData:on /tmcp:on
mRun: [Adobe Reader Speed Launcher] "d:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [PSUNMain] "c:\program files\panda security\panda cloud antivirus\PSUNMain.exe" /Traybar
mRun: [boincmgr] "d:\program files\boinc\boincmgr.exe" /a /s
mRun: [boinctray] "d:\program files\boinc\boinctray.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\5d29~1\4a66~1\60c2~1\canonl~1.lnk - c:\windows\system32\spool\drivers\w32x86\3\CAP3LAK.EXE
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - hxxps://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/compaq.v2/vet_install_popup.pl?1&4&04.00.07.02-hp&http://www.smb.compaq.com/html/interactive/nx9010/model.html
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1254898933899
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38037.0908333333
DPF: {A9D790B6-D4CC-4C48-8525-126DD4FD7DDC} - hxxp://www.iforma.com.ua/system/files/dszucrypto.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} - hxxp://www2.incredimail.com/contents/setup/downloader/imloader.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\bz63cntv.default\
FF - plugin: c:\program files\google\google updater\2.4.1739.5352\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: d:\program files\adobe\reader 9.0\reader\browser\nppdf32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-6-24 28552]
R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [2010-5-4 129928]
R2 BOINC;BOINC;d:\program files\boinc\boinc.exe [2010-7-1 840448]
R2 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2010-2-12 12672]
R2 cpuz134;cpuz134;c:\windows\system32\drivers\cpuz134_x32.sys [2010-7-23 20328]
R2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\logmein hamachi\hamachi-2.exe [2010-3-30 1107336]
R2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\panda security\panda cloud antivirus\PSANHost.exe [2010-4-30 136448]
R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [2010-5-27 141384]
R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [2010-4-30 97032]
R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [2010-4-30 111624]
R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [2010-5-12 110920]
R2 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2002-9-25 14336]
S2 vvyknsbin;Center Time;c:\windows\system32\svchost.exe -k netsvcs [2002-9-25 14336]
S3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\sisoftware\sisoftware sandra lite 2010.sp2\RpcAgentSrv.exe [2010-7-23 93848]
S3 ultradfg;ultradfg;c:\windows\system32\drivers\ultradfg.sys --> c:\windows\system32\drivers\ultradfg.sys [?]

=============== Created Last 30 ================

2010-09-26 17:19:05 0 d-----w- c:\documents and settings\all users\HF_PCA_1.01.01.0003
2010-09-19 16:10:35 76 ----a-w- C:\fraglist.luar
2010-09-18 17:05:34 0 d-----w- c:\docume~1\admini~1\applic~1\Panda Security
2010-09-18 17:04:58 264 ----a-w- c:\windows\system32\PSUNCpl.dat

==================== Find3M ====================

2010-09-06 09:26:20 189520 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-12 13:28:18 84174 ----a-w- c:\windows\system32\perfc019.dat
2010-08-12 13:28:18 483582 ----a-w- c:\windows\system32\perfh019.dat
2010-07-22 15:46:11 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 06:19:06 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-17 02:00:04 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-01 10:26:58 828160 ----a-w- c:\windows\boinc.scr
2010-06-30 12:33:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-29 15:50:44 41080 ----a-w- C:\GDIPFONTCACHEV1.DAT
2009-10-05 13:40:20 608 --sha-w- c:\windows\system32\winzvprt5.sys
2008-09-07 13:00:26 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090720080908\index.dat

============= FINISH: 20:30:57,80 ===============


#2 m0le


Posted 30 September 2010 - 07:11 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 Yuriy


Posted 01 October 2010 - 03:17 AM

Hello m0le,

I'm here.

#4 m0le


Posted 01 October 2010 - 04:30 PM

Nothing showing on the log, so please run Gmer, a rootkit scanner, so we can eliminate that (or not).

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

#5 m0le


Posted 03 October 2010 - 08:08 PM

Hi,

I have not had a reply from you for 3 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC making it more difficult to help you.

If you like you can PM me.

Thanks,


m0le

#6 m0le


Posted 05 October 2010 - 07:50 PM

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.

#7 m0le


Posted 06 October 2010 - 12:03 PM

Reopened at user's request

-----------------------------------------

Please post the log, Yuriy

#8 Yuriy


Posted 06 October 2010 - 12:10 PM

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-10-06 19:53:59
Windows 5.1.2600 Service Pack 3
Running: 50c3hkm0.exe; Driver: C:\DOCUME~1\MARIYA~1.SLY\LOCALS~1\Temp\awldypow.sys


---- System - GMER 1.0.15 ----

INT 0x06 \??\C:\WINDOWS\System32\haspnt.sys (Windows 2000 HASP-Emu Driver/Sable Crack Laboratory) B9A5383B
INT 0x0E \??\C:\WINDOWS\System32\haspnt.sys (Windows 2000 HASP-Emu Driver/Sable Crack Laboratory) B9A53780

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\DRIVERS\nv4_mini.sys section is writeable [0xF728B360, 0x24BB1D, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[1356] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] vvyknsbin <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@\34\48\4=\48\4?\4>\4@\4B\4 \0W\0A\0N\0 \0(\0L\0002\0T\0P\0) 1?
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@\34\48\4=\48\4?\4>\4@\4B\4 \0W\0A\0N\0 \0(\0P\0P\0T\0P\0) 1?
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@\34\48\4=\48\4?\4>\4@\4B\4 \0W\0A\0N\0 \0(\0P\0P\0P\0o\0E\0) 1?
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@\37\4@\4O\4<\4>\49\4 \0?\0040\4@\0040\4;\4;\0045\4;\4L\4=\4K\49\4 \0?\4>\4@\4B\4 1?
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@\34\48\4=\48\4?\4>\4@\4B\4 \0W\0A\0N\0 \0(\0I\0P\0) 1?
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@\34\48\4=\48\4?\4>\4@\4B\4 \0?\4;\0040\4=\48\4@\4>\0042\4I\48\4:\0040\4 \0?\0040\4:\0045\4B\4>\0042\4 1?2?
Reg HKLM\SYSTEM\CurrentControlSet\Services\SysmonLog\Log Queries\{249d9145-16c6-487e-ad06-e834e566f5bd}@\20\4B\4@\48\0041\4C\4B\4K\4 \0E\4@\0040\4=\0045\4=\48\4O\4 \0004\0040\4=\4=\4K\4E\4 33
Reg HKLM\SYSTEM\CurrentControlSet\Services\vvyknsbin@DisplayName Center Time
Reg HKLM\SYSTEM\CurrentControlSet\Services\vvyknsbin@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\vvyknsbin@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\vvyknsbin@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\vvyknsbin@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\vvyknsbin@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\vvyknsbin@Description ????????????? ????? ????????? ? ????????? ?????? ??? ??????? ? ?????????? ?? ?????????? ???????????? ????????, ????????????, ???????????? ? ????????. ????? ????????? ?????? ?????? ?????? Windows-?????????? ????? ???????? ???????????. ??? ?????????? ?????? ?????? ????????? ?? ??? ?????? ?? ?????? ???? ????????.
Reg HKLM\SYSTEM\CurrentControlSet\Services\vvyknsbin\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\vvyknsbin\Parameters@ServiceDll C:\WINDOWS\system32\skjvg.dll
Reg HKLM\SYSTEM\ControlSet002\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@\34\48\4=\48\4?\4>\4@\4B\4 \0W\0A\0N\0 \0(\0L\0002\0T\0P\0) 1?
Reg HKLM\SYSTEM\ControlSet002\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@\34\48\4=\48\4?\4>\4@\4B\4 \0W\0A\0N\0 \0(\0P\0P\0T\0P\0) 1?
Reg HKLM\SYSTEM\ControlSet002\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@\34\48\4=\48\4?\4>\4@\4B\4 \0W\0A\0N\0 \0(\0P\0P\0P\0o\0E\0) 1?
Reg HKLM\SYSTEM\ControlSet002\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@\37\4@\4O\4<\4>\49\4 \0?\0040\4@\0040\4;\4;\0045\4;\4L\4=\4K\49\4 \0?\4>\4@\4B\4 1?
Reg HKLM\SYSTEM\ControlSet002\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@\34\48\4=\48\4?\4>\4@\4B\4 \0W\0A\0N\0 \0(\0I\0P\0) 1?
Reg HKLM\SYSTEM\ControlSet002\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@\34\48\4=\48\4?\4>\4@\4B\4 \0?\4;\0040\4=\48\4@\4>\0042\4I\48\4:\0040\4 \0?\0040\4:\0045\4B\4>\0042\4 1?2?
Reg HKLM\SYSTEM\ControlSet002\Services\SysmonLog\Log Queries\{249d9145-16c6-487e-ad06-e834e566f5bd}@\20\4B\4@\48\0041\4C\4B\4K\4 \0E\4@\0040\4=\0045\4=\48\4O\4 \0004\0040\4=\4=\4K\4E\4 33
Reg HKLM\SYSTEM\ControlSet002\Services\vvyknsbin@DisplayName Center Time
Reg HKLM\SYSTEM\ControlSet002\Services\vvyknsbin@Type 32
Reg HKLM\SYSTEM\ControlSet002\Services\vvyknsbin@Start 2
Reg HKLM\SYSTEM\ControlSet002\Services\vvyknsbin@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\vvyknsbin@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\vvyknsbin@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet002\Services\vvyknsbin@Description ????????????? ????? ????????? ? ????????? ?????? ??? ??????? ? ?????????? ?? ?????????? ???????????? ????????, ????????????, ???????????? ? ????????. ????? ????????? ?????? ?????? ?????? Windows-?????????? ????? ???????? ???????????. ??? ?????????? ?????? ?????? ????????? ?? ??? ?????? ?? ?????? ???? ????????.
Reg HKLM\SYSTEM\ControlSet002\Services\vvyknsbin\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\vvyknsbin\Parameters@ServiceDll C:\WINDOWS\system32\skjvg.dll

---- EOF - GMER 1.0.15 ----


#9 m0le


Posted 06 October 2010 - 02:31 PM

We have a rootkit on board which we need to remove.

Please run ComboFix; this is a powerful tool, so read the following carefully.

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#10 Yuriy


Posted 07 October 2010 - 03:47 AM

ComboFix 10-10-06.02 - Administrator 07.10.2010 11:28:12.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1251.7.1049.18.1023.486 [GMT 3:00]
Running from: c:\documents and settings\Administrator\Мои документы\Завантаження\ComboFix.exe
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\mariya.slyusar\
c:\documents and settings\mariya.slyusar\Мои документы\Readiris.DUS
c:\windows\system32\spool\prtprocs\w32x86\CNMPP3A.DLL
c:\windows\system32\spool\prtprocs\w32x86\CNMPP5y.DLL

.
((((((((((((((((((((((((( Files Created from 2010-09-07 to 2010-10-07 )))))))))))))))))))))))))))))))
.

2010-10-06 16:53 . 2010-10-06 16:53 -------- d-----w- C:\Freezes
2010-09-27 07:37 . 2010-09-27 07:37 -------- d-----w- c:\documents and settings\Administrator\DoctorWeb
2010-09-27 06:50 . 2010-09-27 06:50 -------- d-----w- c:\program files\uTorrent
2010-09-27 06:49 . 2010-09-27 08:07 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2010-09-27 06:44 . 2001-10-19 18:05 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2010-09-26 18:21 . 2010-09-26 18:24 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-09-26 17:56 . 2010-09-26 17:56 -------- d-----w- c:\program files\ESET
2010-09-26 17:37 . 2009-06-30 07:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-09-20 07:30 . 2010-09-20 07:30 503808 ----a-w- c:\documents and settings\mariya.slyusar\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-383d69f1-n\msvcp71.dll
2010-09-20 07:30 . 2010-09-20 07:30 499712 ----a-w- c:\documents and settings\mariya.slyusar\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-383d69f1-n\jmc.dll
2010-09-20 07:30 . 2010-09-20 07:30 348160 ----a-w- c:\documents and settings\mariya.slyusar\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-383d69f1-n\msvcr71.dll
2010-09-20 07:30 . 2010-09-20 07:30 12800 ----a-w- c:\documents and settings\mariya.slyusar\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-4e42ffb9-n\decora-d3d.dll
2010-09-20 07:30 . 2010-09-20 07:30 61440 ----a-w- c:\documents and settings\mariya.slyusar\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-4e42ffb9-n\decora-sse.dll
2010-09-18 17:18 . 2010-09-18 17:18 284646 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{212D202D-487D-49C4-8A76-4D3BB91B8471}\BOINCMGRLink_B65C4A4D2B2A46CCA2D918164C6297B8.exe
2010-09-18 17:18 . 2010-09-18 17:18 284646 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{212D202D-487D-49C4-8A76-4D3BB91B8471}\ARPPRODUCTICON.exe
2010-09-18 17:05 . 2010-09-18 17:05 -------- d-----w- c:\documents and settings\Administrator\Application Data\Panda Security
2010-09-18 16:53 . 2010-09-18 16:53 -------- d-----w- c:\program files\Common Files\Java
2010-09-18 16:29 . 2010-09-18 16:29 503808 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-47dc7955-n\msvcp71.dll
2010-09-18 16:29 . 2010-09-18 16:29 499712 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-47dc7955-n\jmc.dll
2010-09-18 16:29 . 2010-09-18 16:29 348160 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-47dc7955-n\msvcr71.dll
2010-09-18 16:29 . 2010-09-18 16:29 61440 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-3cd6346e-n\decora-sse.dll
2010-09-18 16:29 . 2010-09-18 16:29 12800 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-3cd6346e-n\decora-d3d.dll
2010-09-16 13:40 . 2010-09-17 13:26 108696 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-07 05:13 . 2008-11-19 07:32 1 ----a-w- c:\documents and settings\mariya.slyusar\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-10-05 12:18 . 2009-05-12 11:16 -------- d-----w- c:\program files\iBank2UA - АКБ Укрсоцбанк
2010-10-05 12:17 . 2009-08-13 11:41 -------- d-----w- c:\program files\iBank2UA - РАЙФФАЙЗЕН БАНК АВАЛЬ
2010-10-04 12:17 . 2010-02-03 13:48 -------- d-----w- c:\program files\ARM ZVIT 1
2010-09-26 19:01 . 2010-07-21 07:10 1 ----a-w- c:\documents and settings\Administrator\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-09-26 18:17 . 2010-05-18 13:18 -------- d-----w- c:\program files\Windows Live Safety Center
2010-09-26 17:01 . 2010-07-23 10:54 2267 ----a-w- c:\documents and settings\All Users\Application Data\xml13.tmp
2010-09-26 17:01 . 2010-07-23 10:54 13289 ----a-w- c:\documents and settings\All Users\Application Data\xml12.tmp
2010-09-26 17:01 . 2010-07-23 10:53 5831 ----a-w- c:\documents and settings\All Users\Application Data\xml11.tmp
2010-09-18 16:53 . 2010-04-02 10:30 -------- d-----w- c:\program files\Java
2010-09-17 11:32 . 2006-07-31 13:19 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-08-17 13:17 . 2005-06-10 23:55 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-12 13:28 . 2002-09-25 12:00 84174 ----a-w- c:\windows\system32\perfc019.dat
2010-08-12 13:28 . 2002-09-25 12:00 483582 ----a-w- c:\windows\system32\perfh019.dat
2010-07-27 08:30 . 2010-07-27 08:30 2316 ----a-w- c:\documents and settings\All Users\Application Data\xml1D.tmp
2010-07-27 08:30 . 2010-07-27 08:30 14761 ----a-w- c:\documents and settings\All Users\Application Data\xml1C.tmp
2010-07-27 08:30 . 2010-07-27 08:30 10390 ----a-w- c:\documents and settings\All Users\Application Data\xml1B.tmp
2010-07-26 13:26 . 2010-07-26 13:25 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-26 13:26 . 2010-07-26 13:26 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-07-23 11:50 . 2010-07-23 11:50 290816 ----a-w- c:\documents and settings\Administrator\Application Data\SystemRequirementsLab\SRLProxy_nvd_4.dll
2010-07-23 11:50 . 2010-07-23 11:50 290816 ----a-w- c:\documents and settings\Administrator\Application Data\SystemRequirementsLab\SRLProxy_nvd_3.dll
2010-07-23 11:50 . 2010-07-23 11:50 290816 ----a-w- c:\documents and settings\Administrator\Application Data\SystemRequirementsLab\SRLProxy_nvd_2.dll
2010-07-23 11:50 . 2010-07-23 11:50 290816 ----a-w- c:\documents and settings\Administrator\Application Data\SystemRequirementsLab\SRLProxy_nvd_1.dll
2010-07-23 11:02 . 2010-07-23 11:02 2316 ----a-w- c:\documents and settings\All Users\Application Data\xml21.tmp
2010-07-23 11:02 . 2010-07-23 11:02 14761 ----a-w- c:\documents and settings\All Users\Application Data\xml20.tmp
2010-07-23 11:02 . 2010-07-23 11:02 10390 ----a-w- c:\documents and settings\All Users\Application Data\xml1F.tmp
2010-07-23 10:26 . 2010-06-24 08:30 926568 ----a-w- c:\documents and settings\All Users\Application Data\Soluto\Installer\SolutoInstaller.exe
2010-07-23 10:16 . 2010-07-23 10:16 503808 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-618eb2d3-n\msvcp71.dll
2010-07-23 10:16 . 2010-07-23 10:16 499712 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-618eb2d3-n\jmc.dll
2010-07-23 10:16 . 2010-07-23 10:16 348160 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-618eb2d3-n\msvcr71.dll
2010-07-23 10:16 . 2010-07-23 10:16 61440 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-70217ccc-n\decora-sse.dll
2010-07-23 10:16 . 2010-07-23 10:16 12800 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-70217ccc-n\decora-d3d.dll
2010-07-22 15:46 . 2004-03-06 02:20 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 06:19 . 2008-05-05 04:25 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-21 07:51 . 2008-10-12 11:39 41080 ----a-w- c:\documents and settings\mariya.slyusar\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-21 07:46 . 2010-06-30 11:39 41080 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-17 02:00 . 2010-05-13 11:43 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-09 10:18 . 2010-07-23 10:27 20328 ----a-w- c:\windows\system32\drivers\cpuz134_x32.sys
2009-10-05 13:40 . 2009-10-05 13:40 608 --sha-w- c:\windows\system32\winzvprt5.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CAP3ON"="c:\windows\system32\spool\drivers\w32x86\3\CAP3ONN.EXE" [2002-07-30 22528]
"WinVNC"="c:\program files\TightVNC\WinVNC.exe" [2009-03-05 585728]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 1622016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"LogMeIn Hamachi Ui"="c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe" [2010-03-30 1820040]
"ToolBoxFX"="d:\program files\Hewlett-Packard\ToolBoxFX\bin\HPTLBXFX.exe" [2008-01-10 53248]
"Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"boincmgr"="d:\program files\BOINC\boincmgr.exe" [2010-07-01 4862720]
"boinctray"="d:\program files\BOINC\boinctray.exe" [2010-07-01 58112]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-06-01 1093208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Главное меню\Программы\Автозагрузка\
Окно состояния Canon LASER SHOT LBP-1120.LNK - c:\windows\system32\spool\drivers\w32x86\3\CAP3LAK.EXE [2002-7-19 30720]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Главное меню^Программы^Автозагрузка^Окно состояния Canon LASER SHOT LBP-1120.LNK]
path=c:\documents and settings\All Users\Главное меню\Программы\Автозагрузка\Окно состояния Canon LASER SHOT LBP-1120.LNK
backup=c:\windows\pss\Окно состояния Canon LASER SHOT LBP-1120.LNKCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- d:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CAP3ON]
2002-07-30 06:00 22528 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\CAP3ONN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-10-14 19:17 49152 ----a-w- d:\program files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2002-10-16 10:24 47104 ----a-r- c:\windows\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-12-11 09:44 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpfccopy.exe"=
"d:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\hp_LJM1522_full_solution_EMEA4\\setup\\hppniprint01.exe"=
"c:\\hp_LJM1522_full_solution_EMEA4\\setup\\hppniprint64.exe"=
"c:\\hp_LJM1522_full_solution_EMEA4\\setup\\hppnicifs01.exe"=
"c:\\hp_LJM1522_full_solution_EMEA4\\setup\\LaunchApp.exe"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2010.SP2\\RpcAgentSrv.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\TightVNC\\WinVNC.exe"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2010.SP2\\WNt500x86\\RpcSandraSrv.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Удаленное управление Windows

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [26.09.2010 20:37 28552]
R2 BOINC;BOINC;d:\program files\BOINC\boinc.exe [01.07.2010 13:27 840448]
R2 cpuz134;cpuz134;c:\windows\system32\drivers\cpuz134_x32.sys [23.07.2010 13:27 20328]
R2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [30.03.2010 11:16 1107336]
R2 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [25.09.2002 15:00 14336]
S2 vvyknsbin;Center Time;c:\windows\system32\svchost.exe -k netsvcs [25.09.2002 15:00 14336]
S3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\SiSoftware\SiSoftware Sandra Lite 2010.SP2\RpcAgentSrv.exe [23.07.2010 11:39 93848]
S3 ultradfg;ultradfg;c:\windows\system32\DRIVERS\ultradfg.sys --> c:\windows\system32\DRIVERS\ultradfg.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
WINRM REG_MULTI_SZ WINRM

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
vvyknsbin
.
Contents of the 'Scheduled Tasks' folder

2010-06-17 c:\windows\Tasks\Defraggler Volume C Task.job
- c:\program files\Defraggler\df.exe [2010-05-17 19:13]

2010-06-17 c:\windows\Tasks\Defraggler Volume D Task.job
- c:\program files\Defraggler\df.exe [2010-05-17 19:13]

2010-10-07 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-12-11 09:44]

2010-10-07 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-25 18:40]
.
.
------- Supplementary Scan -------
.
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {A9D790B6-D4CC-4C48-8525-126DD4FD7DDC} - hxxp://www.iforma.com.ua/system/files/dszucrypto.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bz63cntv.default\
FF - plugin: c:\program files\Google\Google Updater\2.4.1739.5352\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: d:\program files\Adobe\Reader 9.0\Reader\browser\nppdf32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Cmaudio - cmicnfg.cpl


.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(672)
c:\windows\System32\l3codeca.acm

- - - - - - - > 'explorer.exe'(2772)
c:\windows\system32\WININET.dll
c:\docume~1\ADMINI~1\LOCALS~1\Temp\catchme.dll
.
Completion time: 2010-10-07 11:36:16
ComboFix-quarantined-files.txt 2010-10-07 08:36

Pre-Run: 6966206464 bytes free
Post-Run: 6926499840 bytes free

- - End Of File - - A513A00E8685AFFCCBC4832613F8845C


#11 Yuriy

Yuriy
  • Topic Starter

  • Members
  • 48 posts
  • Local time:01:46 AM

Posted 07 October 2010 - 05:12 AM

One remark: the log above was produced after the second ComboFix run, as the first one wasn't successful because the computer completely froze at the log generation stage and I had to restart it and start over.

Edited by Yuriy, 07 October 2010 - 07:38 AM.


#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:11:46 PM

Posted 07 October 2010 - 05:41 PM

Please rerun Combofix, as below

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

NetSvc::
vvyknsbin

Driver::
vvyknsbin


Save this as CFScript.txt, in the same location as ComboFix.exe (called ComboFix.exe in the graphic below).

(image omitted)

Referring to the picture above, drag CFScript into ComboFix.exe


Now please run MBAM

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
    If MBAM won't update, download and update MBAM on a clean computer, then save the rules.ref folder to a memory stick. This file is found here: 'C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware'; then transfer it across to the infected computer.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

If the program asks you to update ComboFix, click Yes.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
m0le is a proud member of UNITE
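The CFScript above removes vvyknsbin from the NetSvcs list (NetSvc::) and deletes the service itself (Driver::). What makes that entry stand out in the log in post #10 is that it runs as svchost.exe -k netsvcs under the innocuous display name "Center Time" and appears under the "Svchost - NetSvcs" section, which ComboFix prints only for non-default additions to that group. As an added example (not part of this thread and not ComboFix's own code), the Python script below parses the service and Svchost sections of a ComboFix log and flags svchost-hosted services that are not stock members of their group. The embedded log excerpt is constructed from the lines above; the XP SP3 netsvcs baseline list is an assumption that should be checked against a known-clean machine of the same build.

```python
import re
from dataclasses import dataclass

# Stock members of the XP SP3 "netsvcs" svchost group. Assumption: a representative
# baseline typed from memory, not taken from the log; adjust it for the build you triage.
NETSVCS_BASELINE = {
    "6to4", "AppMgmt", "AudioSrv", "Browser", "CryptSvc", "DMServer", "DHCP", "ERSvc",
    "EventSystem", "FastUserSwitchingCompatibility", "HidServ", "Ip6Fw", "Irmon",
    "LanmanServer", "LanmanWorkstation", "Messenger", "Netman", "Nla", "Ntmssvc",
    "NWCWorkstation", "Nwsapagent", "Rasauto", "Rasman", "Remoteaccess", "Schedule",
    "Seclogon", "SENS", "Sharedaccess", "SRService", "Tapisrv", "Themes", "TrkWks",
    "W32Time", "WZCSVC", "Wmi", "WmdmPmSp", "winmgmt", "wscsvc", "xmlprov", "BITS",
    "wuauserv", "ShellHWDetection", "helpsvc", "uploadmgr",
}

# ComboFix service line: "<state> <name>;<display name>;<image path> [<date size>]"
SERVICE_LINE = re.compile(r"^([RS][0-4]) ([^;]+);([^;]*);(.+?)\s*\[[^\]]*\]$")
SVCHOST_ARG = re.compile(r"svchost\.exe\s+-k\s+(\S+)", re.IGNORECASE)

# Constructed excerpt modelled on the "Reg Loading Points" section of the log above.
SAMPLE_LOG = r"""
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [26.09.2010 20:37 28552]
R2 BOINC;BOINC;d:\program files\BOINC\boinc.exe [01.07.2010 13:27 840448]
R2 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [25.09.2002 15:00 14336]
S2 vvyknsbin;Center Time;c:\windows\system32\svchost.exe -k netsvcs [25.09.2002 15:00 14336]
S3 ultradfg;ultradfg;c:\windows\system32\DRIVERS\ultradfg.sys --> c:\windows\system32\DRIVERS\ultradfg.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
WINRM REG_MULTI_SZ WINRM

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
vvyknsbin
.
"""


@dataclass
class Finding:
    service: str
    group: str
    reason: str


def parse_services(log):
    """Return (state, name, display, image) tuples for every service line."""
    out = []
    for line in log.splitlines():
        m = SERVICE_LINE.match(line.strip())
        if m:
            out.append(m.groups())
    return out


def parse_svchost_groups(log):
    """Map lower-cased svchost group name -> its member string.

    Groups come from the REG_MULTI_SZ dump of the Svchost key. The separate
    'Svchost - NetSvcs' section lists only NON-default additions, so those
    names are recorded as the netsvcs members worth examining.
    """
    groups = {}
    lines = [ln.strip() for ln in log.splitlines()]
    for i, line in enumerate(lines):
        m = re.match(r"^(\S+)\s+REG_MULTI_SZ\s*(.*)$", line)
        if m:
            groups[m.group(1).lower()] = m.group(2)
        elif line.lower().endswith("svchost - netsvcs"):
            extras = []
            for nxt in lines[i + 1:]:
                if nxt in ("", "."):
                    break
                extras.append(nxt)
            groups["netsvcs"] = " ".join(extras)
    return groups


def in_group(name, members):
    """Whitespace-delimited, case-insensitive membership test."""
    return re.search(r"(?<!\S)" + re.escape(name) + r"(?!\S)", members, re.I) is not None


def triage(log):
    """Flag svchost-hosted services that do not belong to their group."""
    groups = parse_svchost_groups(log)
    baseline = {s.lower() for s in NETSVCS_BASELINE}
    findings, seen = [], set()

    def add(name, group, reason):
        key = (name.lower(), group.lower())
        if key not in seen:
            seen.add(key)
            findings.append(Finding(name, group, reason))

    for _state, name, _display, image in parse_services(log):
        m = SVCHOST_ARG.search(image)
        if not m:
            continue  # a real binary, not an svchost group; out of scope here
        group = m.group(1)
        g = group.lower()
        if g == "netsvcs":
            if name.lower() not in baseline:
                add(name, group, "svchost -k netsvcs service is not a stock netsvcs member")
        elif g not in groups:
            add(name, group, "svchost group is not defined under the Svchost key")
        elif not in_group(name, groups[g]):
            add(name, group, "service is not listed as a member of its svchost group")

    # Anything printed under 'Svchost - NetSvcs' was appended to the stock list.
    for extra in groups.get("netsvcs", "").split():
        if extra.lower() not in baseline:
            add(extra, "netsvcs", "non-default name appended to the NetSvcs list")
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.service} ({f.group}): {f.reason}")
```

Run against the excerpt it reports exactly one finding, vvyknsbin in netsvcs, while WinRM passes because it is a declared member of its own WINRM group. The netsvcs check is deliberately a baseline comparison rather than a membership test: ComboFix hides the default netsvcs members, so presence in the dump alone says nothing, but a name that is neither stock nor expected is the same signal m0le acted on.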

#13 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:11:46 PM

Posted 08 October 2010 - 09:24 PM

Hi,

I have not had a reply from you for 3 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC making it more difficult to help you.

If you like you can PM me.

Thanks,


m0le
m0le is a proud member of UNITE

#14 Yuriy

Yuriy
  • Topic Starter

  • Members
  • 48 posts
  • Local time:01:46 AM

Posted 09 October 2010 - 11:41 AM

ComboFix 10-10-08.01 - Administrator 09.10.2010 19:24:28.5.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1251.7.1049.18.1023.514 [GMT 3:00]
Running from: c:\documents and settings\Administrator\Рабочий стол\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Рабочий стол\CFScript.txt
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_VVYKNSBIN
-------\Service_vvyknsbin


((((((((((((((((((((((((( Files Created from 2010-09-09 to 2010-10-09 )))))))))))))))))))))))))))))))
.

2010-10-06 16:53 . 2010-10-06 16:53 -------- d-----w- C:\Freezes
2010-09-27 07:37 . 2010-09-27 07:37 -------- d-----w- c:\documents and settings\Administrator\DoctorWeb
2010-09-27 06:50 . 2010-09-27 06:50 -------- d-----w- c:\program files\uTorrent
2010-09-27 06:49 . 2010-09-27 08:07 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2010-09-27 06:44 . 2001-10-19 18:05 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2010-09-26 18:21 . 2010-09-26 18:24 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-09-26 17:56 . 2010-09-26 17:56 -------- d-----w- c:\program files\ESET
2010-09-26 17:37 . 2009-06-30 07:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-09-20 07:30 . 2010-09-20 07:30 503808 ----a-w- c:\documents and settings\mariya.slyusar\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-383d69f1-n\msvcp71.dll
2010-09-20 07:30 . 2010-09-20 07:30 499712 ----a-w- c:\documents and settings\mariya.slyusar\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-383d69f1-n\jmc.dll
2010-09-20 07:30 . 2010-09-20 07:30 348160 ----a-w- c:\documents and settings\mariya.slyusar\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-383d69f1-n\msvcr71.dll
2010-09-20 07:30 . 2010-09-20 07:30 12800 ----a-w- c:\documents and settings\mariya.slyusar\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-4e42ffb9-n\decora-d3d.dll
2010-09-20 07:30 . 2010-09-20 07:30 61440 ----a-w- c:\documents and settings\mariya.slyusar\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-4e42ffb9-n\decora-sse.dll
2010-09-18 17:18 . 2010-09-18 17:18 284646 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{212D202D-487D-49C4-8A76-4D3BB91B8471}\BOINCMGRLink_B65C4A4D2B2A46CCA2D918164C6297B8.exe
2010-09-18 17:18 . 2010-09-18 17:18 284646 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{212D202D-487D-49C4-8A76-4D3BB91B8471}\ARPPRODUCTICON.exe
2010-09-18 17:05 . 2010-09-18 17:05 -------- d-----w- c:\documents and settings\Administrator\Application Data\Panda Security
2010-09-18 16:53 . 2010-09-18 16:53 -------- d-----w- c:\program files\Common Files\Java
2010-09-18 16:29 . 2010-09-18 16:29 503808 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-47dc7955-n\msvcp71.dll
2010-09-18 16:29 . 2010-09-18 16:29 499712 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-47dc7955-n\jmc.dll
2010-09-18 16:29 . 2010-09-18 16:29 348160 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-47dc7955-n\msvcr71.dll
2010-09-18 16:29 . 2010-09-18 16:29 61440 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-3cd6346e-n\decora-sse.dll
2010-09-18 16:29 . 2010-09-18 16:29 12800 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-3cd6346e-n\decora-d3d.dll
2010-09-16 13:40 . 2010-09-17 13:26 108696 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-08 12:18 . 2008-11-19 07:32 1 ----a-w- c:\documents and settings\mariya.slyusar\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-10-08 05:59 . 2002-09-25 12:00 84174 ----a-w- c:\windows\system32\perfc019.dat
2010-10-08 05:59 . 2002-09-25 12:00 483582 ----a-w- c:\windows\system32\perfh019.dat
2010-10-05 12:18 . 2009-05-12 11:16 -------- d-----w- c:\program files\iBank2UA - АКБ Укрсоцбанк
2010-10-05 12:17 . 2009-08-13 11:41 -------- d-----w- c:\program files\iBank2UA - РАЙФФАЙЗЕН БАНК АВАЛЬ
2010-10-04 12:17 . 2010-02-03 13:48 -------- d-----w- c:\program files\ARM ZVIT 1
2010-09-26 19:01 . 2010-07-21 07:10 1 ----a-w- c:\documents and settings\Administrator\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-09-26 18:17 . 2010-05-18 13:18 -------- d-----w- c:\program files\Windows Live Safety Center
2010-09-26 17:01 . 2010-07-23 10:54 2267 ----a-w- c:\documents and settings\All Users\Application Data\xml13.tmp
2010-09-26 17:01 . 2010-07-23 10:54 13289 ----a-w- c:\documents and settings\All Users\Application Data\xml12.tmp
2010-09-26 17:01 . 2010-07-23 10:53 5831 ----a-w- c:\documents and settings\All Users\Application Data\xml11.tmp
2010-09-18 16:53 . 2010-04-02 10:30 -------- d-----w- c:\program files\Java
2010-09-17 11:32 . 2006-07-31 13:19 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-08-17 13:17 . 2005-06-10 23:55 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-07-27 08:30 . 2010-07-27 08:30 2316 ----a-w- c:\documents and settings\All Users\Application Data\xml1D.tmp
2010-07-27 08:30 . 2010-07-27 08:30 14761 ----a-w- c:\documents and settings\All Users\Application Data\xml1C.tmp
2010-07-27 08:30 . 2010-07-27 08:30 10390 ----a-w- c:\documents and settings\All Users\Application Data\xml1B.tmp
2010-07-26 13:26 . 2010-07-26 13:25 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-26 13:26 . 2010-07-26 13:26 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-07-23 11:50 . 2010-07-23 11:50 290816 ----a-w- c:\documents and settings\Administrator\Application Data\SystemRequirementsLab\SRLProxy_nvd_4.dll
2010-07-23 11:50 . 2010-07-23 11:50 290816 ----a-w- c:\documents and settings\Administrator\Application Data\SystemRequirementsLab\SRLProxy_nvd_3.dll
2010-07-23 11:50 . 2010-07-23 11:50 290816 ----a-w- c:\documents and settings\Administrator\Application Data\SystemRequirementsLab\SRLProxy_nvd_2.dll
2010-07-23 11:50 . 2010-07-23 11:50 290816 ----a-w- c:\documents and settings\Administrator\Application Data\SystemRequirementsLab\SRLProxy_nvd_1.dll
2010-07-23 11:02 . 2010-07-23 11:02 2316 ----a-w- c:\documents and settings\All Users\Application Data\xml21.tmp
2010-07-23 11:02 . 2010-07-23 11:02 14761 ----a-w- c:\documents and settings\All Users\Application Data\xml20.tmp
2010-07-23 11:02 . 2010-07-23 11:02 10390 ----a-w- c:\documents and settings\All Users\Application Data\xml1F.tmp
2010-07-23 10:26 . 2010-06-24 08:30 926568 ----a-w- c:\documents and settings\All Users\Application Data\Soluto\Installer\SolutoInstaller.exe
2010-07-23 10:16 . 2010-07-23 10:16 503808 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-618eb2d3-n\msvcp71.dll
2010-07-23 10:16 . 2010-07-23 10:16 499712 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-618eb2d3-n\jmc.dll
2010-07-23 10:16 . 2010-07-23 10:16 348160 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-618eb2d3-n\msvcr71.dll
2010-07-23 10:16 . 2010-07-23 10:16 61440 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-70217ccc-n\decora-sse.dll
2010-07-23 10:16 . 2010-07-23 10:16 12800 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-70217ccc-n\decora-d3d.dll
2010-07-22 15:46 . 2004-03-06 02:20 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 06:19 . 2008-05-05 04:25 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-21 07:51 . 2008-10-12 11:39 41080 ----a-w- c:\documents and settings\mariya.slyusar\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-21 07:46 . 2010-06-30 11:39 41080 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-17 02:00 . 2010-05-13 11:43 423656 ----a-w- c:\windows\system32\deployJava1.dll
2009-10-05 13:40 . 2009-10-05 13:40 608 --sha-w- c:\windows\system32\winzvprt5.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CAP3ON"="c:\windows\system32\spool\drivers\w32x86\3\CAP3ONN.EXE" [2002-07-30 22528]
"WinVNC"="c:\program files\TightVNC\WinVNC.exe" [2009-03-05 585728]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 1622016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"LogMeIn Hamachi Ui"="c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe" [2010-03-30 1820040]
"ToolBoxFX"="d:\program files\Hewlett-Packard\ToolBoxFX\bin\HPTLBXFX.exe" [2008-01-10 53248]
"Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"boincmgr"="d:\program files\BOINC\boincmgr.exe" [2010-07-01 4862720]
"boinctray"="d:\program files\BOINC\boinctray.exe" [2010-07-01 58112]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-06-01 1093208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Главное меню\Программы\Автозагрузка\
Окно состояния Canon LASER SHOT LBP-1120.LNK - c:\windows\system32\spool\drivers\w32x86\3\CAP3LAK.EXE [2002-7-19 30720]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Главное меню^Программы^Автозагрузка^Окно состояния Canon LASER SHOT LBP-1120.LNK]
path=c:\documents and settings\All Users\Главное меню\Программы\Автозагрузка\Окно состояния Canon LASER SHOT LBP-1120.LNK
backup=c:\windows\pss\Окно состояния Canon LASER SHOT LBP-1120.LNKCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- d:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CAP3ON]
2002-07-30 06:00 22528 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\CAP3ONN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-10-14 19:17 49152 ----a-w- d:\program files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2002-10-16 10:24 47104 ----a-r- c:\windows\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-12-11 09:44 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpfccopy.exe"=
"d:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\hp_LJM1522_full_solution_EMEA4\\setup\\hppniprint01.exe"=
"c:\\hp_LJM1522_full_solution_EMEA4\\setup\\hppniprint64.exe"=
"c:\\hp_LJM1522_full_solution_EMEA4\\setup\\hppnicifs01.exe"=
"c:\\hp_LJM1522_full_solution_EMEA4\\setup\\LaunchApp.exe"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2010.SP2\\RpcAgentSrv.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\TightVNC\\WinVNC.exe"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2010.SP2\\WNt500x86\\RpcSandraSrv.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Удаленное управление Windows

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [26.09.2010 20:37 28552]
R2 BOINC;BOINC;d:\program files\BOINC\boinc.exe [01.07.2010 13:27 840448]
R2 cpuz134;cpuz134;c:\windows\system32\drivers\cpuz134_x32.sys [23.07.2010 13:27 20328]
R2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [30.03.2010 11:16 1107336]
R2 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [25.09.2002 15:00 14336]
S3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\SiSoftware\SiSoftware Sandra Lite 2010.SP2\RpcAgentSrv.exe [23.07.2010 11:39 93848]
S3 ultradfg;ultradfg;c:\windows\system32\DRIVERS\ultradfg.sys --> c:\windows\system32\DRIVERS\ultradfg.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder

2010-06-17 c:\windows\Tasks\Defraggler Volume C Task.job
- c:\program files\Defraggler\df.exe [2010-05-17 19:13]

2010-06-17 c:\windows\Tasks\Defraggler Volume D Task.job
- c:\program files\Defraggler\df.exe [2010-05-17 19:13]

2010-10-09 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-12-11 09:44]

2010-10-09 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-25 18:40]
.
.
------- Supplementary Scan -------
.
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {A9D790B6-D4CC-4C48-8525-126DD4FD7DDC} - hxxp://www.iforma.com.ua/system/files/dszucrypto.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bz63cntv.default\
FF - plugin: c:\program files\Google\Google Updater\2.4.1739.5352\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: d:\program files\Adobe\Reader 9.0\Reader\browser\nppdf32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(668)
c:\windows\System32\l3codeca.acm

- - - - - - - > 'explorer.exe'(2476)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\System32\l3codeca.acm
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\CAP3RSK.EXE
c:\windows\System32\spool\DRIVERS\W32X86\3\HP1005MC.EXE
c:\windows\System32\wbem\wmiapsrv.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\SYSTEM32\SPOOL\DRIVERS\W32X86\3\CAP3SWK.EXE
.
**************************************************************************
.
Completion time: 2010-10-09 19:39:17 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-09 16:39
ComboFix2.txt 2010-10-07 08:36

Pre-Run: 6577926144 bytes free
Post-Run: 6525300736 bytes free

- - End Of File - - CDCAD8792CEEB3D6B7404D8B33A5B24E
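The service, firewall-exception and open-port lines in the log above are the parts of a ComboFix report a responder reads first: which drivers and services start at boot, whether their binaries still exist on disk (ComboFix prints `--> path [?]` when it cannot find the file), and which programs have been punched through the Windows XP firewall. The following Python parser, added here as an example and not part of the post or of ComboFix, turns those three line types into structured findings and flags orphaned service entries and remote-access software (VNC, WinRM, Hamachi). The sample input is copied from the log above; the list of remote-access markers and the decision to flag only running (`R*`) services are assumptions of this example, not ComboFix rules.

```python
"""Parse the service/driver, firewall-exception and open-port lines of a
ComboFix log and flag entries a malware responder would look at twice."""
import re
from dataclasses import dataclass, field

# Constructed sample input: lines copied from the ComboFix log in the post above.
SAMPLE_LOG = r"""
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\TightVNC\\WinVNC.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [26.09.2010 20:37 28552]
R2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [30.03.2010 11:16 1107336]
R2 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [25.09.2002 15:00 14336]
S3 ultradfg;ultradfg;c:\windows\system32\DRIVERS\ultradfg.sys --> c:\windows\system32\DRIVERS\ultradfg.sys [?]
"""

# Heuristic substrings identifying remote-access / tunnelling software.
# Assumption of this example; ComboFix does not classify entries this way.
REMOTE_ACCESS_MARKERS = ("vnc", "winrm", "hamachi", "remote management")

# "R2 name;display name;path [date time size]"  or  "... path --> path [?]"
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s*\[([^\]]*)\]\s*$")
# Firewall AuthorizedApplications entry: "\"c:\\\\path\\\\app.exe\"="
APP_RE = re.compile(r'^"(.+?)"=\s*$')
# GloballyOpenPorts entry: "\"5985:TCP\"= 5985:TCP:*:Disabled:description"
PORT_RE = re.compile(
    r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):([^:]*):(Enabled|Disabled):(.*)$')


@dataclass
class Finding:
    kind: str                 # "service", "app" or "port"
    name: str
    detail: str
    flags: list = field(default_factory=list)


def _remote_access(text: str) -> bool:
    low = text.lower()
    return any(marker in low for marker in REMOTE_ACCESS_MARKERS)


def parse_combofix(log: str) -> list:
    """Return one Finding per recognised line; unrecognised lines are skipped."""
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SERVICE_RE.match(line)
        if m:
            start, name, display, path, info = m.groups()
            f = Finding("service", name, f"{start} {display or name}: {path}")
            # "[?]" (and the "-->" rewrite) means ComboFix could not find the file.
            if info.strip() == "?" or "-->" in path:
                f.flags.append("binary not found on disk")
            if start.startswith("R") and _remote_access(display + " " + path):
                f.flags.append("running remote-access service")
            findings.append(f)
            continue
        m = PORT_RE.match(line)
        if m:
            port, proto, scope, state, desc = m.groups()
            f = Finding("port", f"{port}/{proto}", f"{desc} ({state}, scope {scope})")
            if state == "Enabled":
                f.flags.append("globally open port")
            if _remote_access(desc):
                f.flags.append("remote-access port rule")
            findings.append(f)
            continue
        m = APP_RE.match(line)
        if m:
            path = m.group(1).replace("\\\\", "\\")   # log doubles the backslashes
            f = Finding("app", path.rsplit("\\", 1)[-1], f"firewall exception for {path}")
            if _remote_access(path):
                f.flags.append("remote-access tool allowed through firewall")
            findings.append(f)
    return findings


def flagged(findings: list) -> list:
    """Only the findings that carry at least one flag."""
    return [f for f in findings if f.flags]


if __name__ == "__main__":
    for f in flagged(parse_combofix(SAMPLE_LOG)):
        print(f"[{f.kind}] {f.name}: {f.detail} -> {', '.join(f.flags)}")
```

Run against the sample, it reports WinVNC as a firewall exception, the (disabled) WinRM port rule, the running Hamachi and WinRM services, and ultradfg as a service entry whose driver is no longer on disk; pavboot, mmc.exe and uTorrent come back clean. A flag is a prompt to look, not a verdict: the same log shows the user installed TightVNC and Hamachi deliberately, so the value of the pass is in spotting an entry the owner does not recognise.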


#15 m0le


    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:11:46 PM

Posted 09 October 2010 - 12:03 PM

The PC looks better on the logs. How is it performing generally?

Please run it through the ESET online scanner
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Leave the top box checked and then check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
m0le is a proud member of UNITE



