browser hijack


11 replies to this topic

#1 pminthepm

  • Members
  • 6 posts
  • Location: ma

Posted 05 October 2010 - 09:16 PM

I cannot send a post from the infected computer. When I hit the post button it says I have no connection.
paul

DDS (Ver_10-03-17.01) - NTFSx86

Run by pm at 16:01:43.95 on Tue 10/05/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.668 [GMT -4:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Turtle Beach\AudioStation\tbaspi.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Skype\Toolbars\Shared\SkypeNames.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\explorer.exe
C:\Documents and Settings\pm\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.dellnet.com/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
mCustomizeSearch =
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {D79559E8-9991-41C5-AA2B-A96EC766F43F} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {D79559E8-9991-41C5-AA2B-A96EC766F43F} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\Wcescomm .exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [Sonic RecordNow!]
uRun: [Google Update] "c:\documents and settings\pm\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Tgbh_PreA1T] c:\program files\adware pro\Adware_Pro.exe
mRun: [<NO NAME>]
mRun: [QuickTime Task] "c:\program files\quicktime\qttask .exe" -atboottime
mRun: [nut] c:\windows\registration\nut.exe
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRunOnce: [RealUpgradeHelper] "c:\program files\common files\real\update_ob\upgrdhlp.exe" "RealNetworks|RealPlayer|12.0"
StartupFolder: c:\docume~1\pm\startm~1\programs\startup\limewi~1.lnk - c:\program files\limewire\LimeWire.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB}
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: musicmatch.com
Trusted Zone: musicmatch.com
DPF: {00000055-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/fhg.CAB
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} - hxxp://moneycentral.msn.com/cabs/pmupd806.exe
DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - hxxp://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1158200948062
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37953.7924305556
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,15/mcgdmgr.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} - hxxp://static.zangocash.com/cab/Zango/ie/bridge-c10.cab?ed523998f03751fac974cc90aa8dc053e586f0a3243e0de6523e897d15ae52065ff091e41f1c76e5c94346b7434244b511f92f8e5e46c214c6cb39486f5640cfda4ab50500bd:5cc5c7607427498c7b09a85ff8aef495
DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - hxxp://download.abacast.com/download/files/abasetup141.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: krambst - krambst.dll
AppInit_DLLs: c:\progra~1\google\google~3\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\pm\applic~1\mozilla\firefox\profiles\i20ky9f8.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z005&form=ZGAADF&q=
FF - component: c:\documents and settings\pm\application data\mozilla\firefox\profiles\i20ky9f8.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\pm\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - plugin: c:\program files\picasa2\npPicasa2.dll
FF - plugin: c:\program files\picasa2\npPicasa3.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-9-30 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-9-30 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-9-30 40384]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-9-30 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-9-30 40384]
S2 gupdate1c9866ab8964622;Google Update Service (gupdate1c9866ab8964622);c:\program files\google\update\GoogleUpdate.exe [2009-2-3 133104]
S2 IFP300;iRiver Internet Audio Player IFP-300;c:\windows\system32\drivers\ifp300.sys [2008-12-1 13543]
S2 WinToolsSvc;WinTools for IE service; [x]
S3 lgatbus;LG USB Composite Device driver (WDM);c:\windows\system32\drivers\lgatbus.sys [2006-1-7 43024]
S3 lgatmdm;LG CDMA USB Modem Drivers;c:\windows\system32\drivers\lgatmdm.sys [2006-1-7 77104]

=============== Created Last 30 ================

2010-10-28 02:18:41 0 d-----w- c:\docume~1\pm\applic~1\vShare
2010-10-28 02:18:26 0 d-----w- c:\program files\vShare
2010-10-24 07:00:31 0 d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-10-05 19:58:49 0 ----a-w- c:\documents and settings\pm\defogger_reenable
2010-10-05 18:54:37 0 d-----w- c:\docume~1\pm\applic~1\AVP 2009
2010-10-05 18:54:37 0 ----a-w- c:\windows\system32\MSVolumeAP.dll
2010-10-05 18:54:32 0 d-----w- c:\program files\Adware Pro
2010-10-05 12:50:51 0 d-----w- c:\program files\Lavalys
2010-10-05 12:21:04 0 d-----w- c:\program files\Test My Hardware
2010-10-05 02:10:11 49152 ----a-w- c:\windows\system32\DSndUp.exe
2010-10-05 02:10:11 45056 ----a-w- c:\windows\system32\CleanUp.exe
2010-10-05 02:10:11 3744 ----a-w- c:\windows\system32\drivers\smsens.sys
2010-10-05 02:10:11 0 d-----w- c:\program files\Analog Devices
2010-10-05 00:59:21 446464 ----a-r- c:\windows\system32\hhactivex.dll
2010-10-05 00:59:21 328480 ----a-w- c:\windows\system32\ssa3d30.ocx
2010-10-05 00:59:21 176128 ----a-w- c:\windows\system32\RcdScan.dll
2010-10-05 00:59:20 89360 ----a-w- c:\windows\system32\VB5DB.DLL
2010-10-01 19:02:47 112 ----a-w- c:\docume~1\alluse~1\applic~1\gGSm035g.dat
2010-10-01 18:59:13 0 d-----w- c:\program files\Trend Micro
2010-09-30 12:43:54 38848 ----a-w- c:\windows\avastSS.scr
2010-09-30 12:17:37 10756 ----a-w- c:\windows\system32\krambst.dll
2010-09-30 11:56:59 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-30 09:14:43 0 d-----w- c:\windows\system32\wbem\Repository
2010-09-30 01:56:00 0 ----a-w- c:\windows\Gvaqulexaheqi.bin
2010-09-30 01:55:59 120 ----a-w- c:\windows\Yposuyeganowetu.dat
2010-09-23 17:10:51 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2010-09-23 17:07:57 0 d-----w- c:\program files\common files\LWS

==================== Find3M ====================

2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-17 13:17:06 58880 ------w- c:\windows\system32\dllcache\spoolsv.exe
2010-07-27 06:30:35 8462336 ------w- c:\windows\system32\dllcache\shell32.dll
2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4(2)(2).dll
2010-07-22 15:49:15 590848 ------w- c:\windows\system32\dllcache\rpcrt4.dll
2010-07-22 05:57:20 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2004-12-06 01:28:56 66359 ---ha-w- c:\program files\SmartDraw User's Guide.GID
2003-12-11 00:16:52 117153 ----a-w- c:\program files\INSTALL.LOG
2003-12-11 00:16:51 3692 ----a-w- c:\program files\SDX.DLL
2001-04-23 22:22:40 2387968 ----a-w- c:\program files\SmartDraw.exe
2001-04-19 13:22:12 18133 ----a-w- c:\program files\SmartDraw User's Guide.cnt
2001-04-18 14:03:06 1903017 ----a-w- c:\program files\SmartDraw User's Guide.hlp
2001-04-05 22:15:54 922720 ----a-w- c:\program files\SmartDraw Order Forms.hlp
2001-04-05 22:15:52 1078 ----a-w- c:\program files\SmartDraw Order Forms.cnt
2001-03-24 16:23:02 4398 ----a-w- c:\program files\license.txt
2000-11-14 19:21:26 207715 ----a-w- c:\program files\catalog.exe
2000-11-14 19:19:24 208923 ----a-w- c:\program files\sdupdate.exe
1999-06-25 15:55:30 149504 ----a-w- c:\program files\UnInstal.exe
1998-05-15 13:40:48 141312 ----a-w- c:\program files\SSCE5132.dll
1995-12-13 22:55:48 123904 ----a-w- c:\program files\Vic32.DLL
2010-02-24 00:44:39 16384 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2009-04-03 01:11:25 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009040220090403\index.dat
2010-05-27 15:03:01 16384 --sha-w- c:\windows\temp\cookies\index.dat
2010-05-27 15:03:01 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2010-05-27 15:03:01 65536 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 16:04:15.28 ===============


#2 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,929 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 05 October 2010 - 10:19 PM

Hi, pminthepm

Please download and run Rkill by Grinler from any of the following locations (Vista and Win7: to run the application, right click on Rkill and choose Run as an Administrator):
  1. rkill.exe
  2. rkill.com
  3. rkill.scr
  4. rkill.pif

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    -----------------------------------------------------------
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      -----------------------------------------------------------
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore your connection.
    -----------------------------------------------------------
  4. Double click on combofix.exe & follow the prompts.
  5. Install the Recovery Console if prompted.
  6. When finished, it will produce a report for you.
  7. Please post the "C:\ComboFix.txt".
**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.


No requests for help through private messaging will be attended to.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 pminthepm

  • Topic Starter
  • Members
  • 6 posts
  • Location: ma

Posted 06 October 2010 - 12:22 AM

BTW, thanks for your time.
pm


ComboFix 10-10-05.01 - pm 10/06/2010 0:42.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.1166 [GMT -4:00]
Running from: c:\documents and settings\pm\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\CEPx1B10.tmp
c:\documents and settings\pm\Application Data\inst.exe
c:\program files\Dynamic Toolbar
c:\program files\INSTALL.LOG
c:\program files\system files
c:\program files\system files\hldata.cdb
c:\program files\system files\kwdata.cdb
c:\program files\winupdates
c:\windows\desktop
c:\windows\desktop\Body Fat Calculator.xls
c:\windows\Downloaded Program Files\Temp
c:\windows\system32\bszip.dll
c:\windows\system32\certstore.dat
c:\windows\system32\krambst.dll
c:\windows\system32\Temp

Infected copy of c:\windows\system32\drivers\FTDISK.SYS was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-09-06 to 2010-10-06 )))))))))))))))))))))))))))))))
.

2010-10-28 02:18 . 2010-10-28 02:19 -------- d-----w- c:\documents and settings\pm\Application Data\vShare
2010-10-28 02:18 . 2010-09-30 09:01 -------- d-----w- c:\program files\vShare
2010-10-24 07:00 . 2010-10-04 20:23 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-10-05 20:44 . 2010-10-05 20:44 -------- d-----w- c:\program files\Analog Devices
2010-10-05 18:54 . 2010-10-05 19:32 -------- d-----w- c:\documents and settings\pm\Application Data\AVP 2009
2010-10-05 12:50 . 2010-10-05 12:50 -------- d-----w- c:\program files\Lavalys
2010-10-05 12:21 . 2010-10-05 20:43 -------- d-----w- c:\program files\Test My Hardware
2010-10-05 02:10 . 2003-01-08 15:23 49152 ----a-w- c:\windows\system32\DSndUp.exe
2010-10-05 02:10 . 2002-10-28 15:26 3744 ----a-w- c:\windows\system32\drivers\smsens.sys
2010-10-05 02:10 . 2002-04-17 19:05 45056 ----a-w- c:\windows\system32\CleanUp.exe
2010-10-05 00:59 . 2002-01-08 21:00 176128 ----a-w- c:\windows\system32\RcdScan.dll
2010-10-05 00:59 . 2000-03-23 16:50 446464 ----a-r- c:\windows\system32\hhactivex.dll
2010-10-05 00:59 . 1998-06-18 03:00 89360 ----a-w- c:\windows\system32\VB5DB.DLL
2010-10-04 20:31 . 2010-10-04 20:31 -------- d-----w- c:\program files\Common Files\Skype
2010-10-01 18:59 . 2010-10-01 18:59 -------- d-----w- c:\program files\Trend Micro
2010-10-01 17:57 . 2010-08-30 18:33 43008 ----a-w- c:\documents and settings\pm\Application Data\Mozilla\Firefox\Profiles\i20ky9f8.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-10-01 17:57 . 2010-08-30 18:33 338944 ----a-w- c:\documents and settings\pm\Application Data\Mozilla\Firefox\Profiles\i20ky9f8.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-10-01 17:57 . 2010-08-30 18:33 346112 ----a-w- c:\documents and settings\pm\Application Data\Mozilla\Firefox\Profiles\i20ky9f8.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-10-01 17:57 . 2010-08-30 18:34 1496064 ----a-w- c:\documents and settings\pm\Application Data\Mozilla\Firefox\Profiles\i20ky9f8.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-09-30 11:57 . 2010-09-30 11:57 503808 ----a-w- c:\documents and settings\pm\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-23cc5bd5-n\msvcp71.dll
2010-09-30 11:57 . 2010-09-30 11:57 499712 ----a-w- c:\documents and settings\pm\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-23cc5bd5-n\jmc.dll
2010-09-30 11:57 . 2010-09-30 11:57 348160 ----a-w- c:\documents and settings\pm\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-23cc5bd5-n\msvcr71.dll
2010-09-30 11:57 . 2010-09-30 11:57 61440 ----a-w- c:\documents and settings\pm\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-414f2d34-n\decora-sse.dll
2010-09-30 11:57 . 2010-09-30 11:57 12800 ----a-w- c:\documents and settings\pm\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-414f2d34-n\decora-d3d.dll
2010-09-30 11:56 . 2010-07-17 09:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-30 09:14 . 2010-09-30 09:14 -------- d-----w- c:\windows\system32\wbem\Repository
2010-09-30 08:46 . 2010-09-30 08:46 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-09-30 01:56 . 2010-09-30 07:48 0 ----a-w- c:\windows\Gvaqulexaheqi.bin
2010-09-30 01:55 . 2010-09-30 01:55 120 ----a-w- c:\windows\Yposuyeganowetu.dat
2010-09-30 01:55 . 2010-09-30 08:49 -------- d-----w- c:\documents and settings\pm\Local Settings\Application Data\{578C1918-712C-41F7-B5ED-1EE1AEE64AED}
2010-09-23 17:18 . 2010-09-23 17:18 -------- d-----w- c:\documents and settings\All Users\Application Data\LogiShrd
2010-09-23 17:17 . 2010-09-23 17:17 -------- d-----w- c:\documents and settings\pm\Local Settings\Application Data\LogiShrd
2010-09-23 17:08 . 2010-09-23 17:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Logitech
2010-09-23 17:07 . 2010-09-23 17:07 -------- d-----w- c:\program files\Common Files\LWS
2010-09-23 17:07 . 2010-10-04 20:23 -------- d-----w- c:\program files\Logitech
2010-09-23 17:06 . 2010-10-04 20:23 -------- d-----w- c:\program files\Common Files\LogiShrd
2010-09-16 22:46 . 2010-09-16 22:46 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2010-09-08 07:01 . 2010-09-08 07:01 -------- d-sh--w- c:\documents and settings\Default User\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-06 05:05 . 2006-07-07 18:27 -------- d-----w- c:\documents and settings\pm\Application Data\Skype
2010-10-06 05:04 . 2003-11-27 18:16 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-10-05 20:44 . 2010-04-02 02:25 -------- d-----w- c:\program files\QuickTime
2010-10-05 20:03 . 2009-10-01 00:25 -------- d-----w- c:\documents and settings\pm\Application Data\skypePM
2010-10-05 16:31 . 2007-01-15 18:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-10-05 15:35 . 2003-12-06 16:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-10-05 13:28 . 2003-12-06 16:14 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-10-05 02:10 . 2003-10-29 12:35 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-10-05 01:38 . 2003-10-29 12:34 -------- d-----w- c:\program files\Intel
2010-10-05 00:26 . 2005-10-04 22:17 -------- d-----w- c:\program files\Winamp
2010-10-05 00:26 . 2008-02-10 03:28 -------- d-----w- c:\program files\PowerISO
2010-10-05 00:26 . 2010-07-03 15:41 -------- d-----w- c:\program files\iTunes
2010-10-04 23:35 . 2010-10-01 19:02 112 ----a-w- c:\documents and settings\All Users\Application Data\gGSm035g.dat
2010-10-04 20:36 . 2007-04-12 00:03 -------- d-----w- c:\program files\DellSupport
2010-10-04 20:31 . 2010-08-24 10:52 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-10-04 20:31 . 2008-10-07 14:13 -------- d-----w- c:\program files\Microsoft Silverlight
2010-10-04 20:24 . 2010-07-05 20:54 -------- d-----w- c:\documents and settings\pm\Application Data\U3
2010-10-04 20:18 . 2005-10-06 01:26 -------- d-----w- c:\documents and settings\pm\Application Data\Azureus
2010-09-30 12:04 . 2003-10-29 12:27 -------- d-----w- c:\program files\Common Files\Java
2010-09-30 11:56 . 2003-10-29 12:27 -------- d-----w- c:\program files\Java
2010-09-29 23:40 . 2010-09-23 17:10 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2010-08-24 10:13 . 2007-01-15 18:18 -------- d-----w- c:\program files\Picasa2
2010-08-24 09:26 . 2010-08-24 09:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-08-24 09:26 . 2009-04-03 23:19 -------- d-----w- c:\program files\Alwil Software
2010-08-17 13:17 . 2005-06-10 23:55 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-07-22 15:49 . 2004-12-09 01:35 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 15:49 . 2004-12-09 01:35 590848 ----a-w- c:\windows\system32\rpcrt4(2)(2).dll
2010-07-22 05:57 . 2009-04-16 21:54 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2004-12-06 01:28 . 2004-12-05 22:49 66359 ---ha-w- c:\program files\SmartDraw User's Guide.GID
2003-12-11 00:16 . 2003-12-11 00:16 3692 ----a-w- c:\program files\SDX.DLL
2001-04-23 22:22 . 2003-12-11 00:16 2387968 ----a-w- c:\program files\SmartDraw.exe
2001-04-19 13:22 . 2003-12-11 00:16 18133 ----a-w- c:\program files\SmartDraw User's Guide.cnt
2001-04-18 14:03 . 2003-12-11 00:16 1903017 ----a-w- c:\program files\SmartDraw User's Guide.hlp
2001-04-05 22:15 . 2003-12-11 00:16 922720 ----a-w- c:\program files\SmartDraw Order Forms.hlp
2001-04-05 22:15 . 2003-12-11 00:16 1078 ----a-w- c:\program files\SmartDraw Order Forms.cnt
2001-03-24 16:23 . 2003-12-11 00:16 4398 ----a-w- c:\program files\license.txt
2000-11-14 19:21 . 2003-12-11 00:16 207715 ----a-w- c:\program files\catalog.exe
2000-11-14 19:19 . 2003-12-11 00:16 208923 ----a-w- c:\program files\sdupdate.exe
1999-06-25 15:55 . 2003-12-11 00:16 149504 ----a-w- c:\program files\UnInstal.exe
1998-05-15 13:40 . 2003-12-11 00:16 141312 ----a-w- c:\program files\SSCE5132.dll
1995-12-13 22:55 . 2003-12-11 00:16 123904 ----a-w- c:\program files\Vic32.DLL
2007-05-15 16:39 . 2007-05-15 16:39 135168 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
c:\program files\ATI Technologies\ATI Control Panel\atiptaxx .exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\Common Files\Real\Update_OB\RealOneMessageCenter .exe
c:\program files\Common Files\Real\Update_OB\realsched .exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9 .exe
c:\program files\Common Files\Sonic\Update Manager\sgtray .exe
c:\program files\Dell\Media Experience\PCMService .exe
c:\program files\DellSupport\DSAgnt .exe
c:\program files\Google\Google Desktop Search\GoogleDesktop .exe
c:\program files\iTunes\iTunesHelper .exe
c:\windows\MXOaldr .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [N/A]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-09-02 25623336]
"Sonic RecordNow!"="" [N/A]
"Google Update"="c:\documents and settings\pm\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [N/A]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Tgbh_PreA1T"="c:\program files\Adware Pro\Adware_Pro.exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"nut"="c:\windows\Registration\nut.exe" [N/A]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RealUpgradeHelper"="c:\program files\Common Files\Real\Update_OB\upgrdhlp.exe" [2010-02-24 136744]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-12-3 110592]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
backup=c:\windows\pss\HotSync Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Java\\j2re1.4.2\\bin\\javaw.exe"=
"c:\\WINDOWS\\SYSTEM32\\java.exe"=
"c:\\Program Files\\Java\\jre1.5.0_10\\bin\\javaw.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

S2 gupdate1c9866ab8964622;Google Update Service (gupdate1c9866ab8964622);c:\program files\Google\Update\GoogleUpdate.exe [2/3/2009 9:48 PM 133104]
S2 IFP300;iRiver Internet Audio Player IFP-300;c:\windows\SYSTEM32\DRIVERS\ifp300.sys [12/1/2008 12:12 AM 13543]
S2 WinToolsSvc;WinTools for IE service; [x]
S3 lgatbus;LG USB Composite Device driver (WDM);c:\windows\SYSTEM32\DRIVERS\lgatbus.sys [1/7/2006 1:24 AM 43024]
S3 lgatmdm;LG CDMA USB Modem Drivers;c:\windows\SYSTEM32\DRIVERS\lgatmdm.sys [1/7/2006 1:25 AM 77104]
.
Contents of the 'Scheduled Tasks' folder

2010-09-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-10-06 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-15 22:47]

2010-10-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-04 01:48]

2010-10-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-04 01:48]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.dellnet.com/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: musicmatch.com
Trusted Zone: musicmatch.com
FF - ProfilePath - c:\documents and settings\pm\Application Data\Mozilla\Firefox\Profiles\i20ky9f8.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z005&form=ZGAADF&q=
FF - component: c:\documents and settings\pm\Application Data\Mozilla\Firefox\Profiles\i20ky9f8.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\pm\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - plugin: c:\program files\Picasa2\npPicasa2.dll
FF - plugin: c:\program files\Picasa2\npPicasa3.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\Veetle\VLCBroadcast\npvbp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)


.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(780)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1264)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\program files\Turtle Beach\AudioStation\tbaspi.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\msiexec.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.


Completion time: 2010-10-06 01:15:13 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-06 05:15

Pre-Run: 12,688,449,536 bytes free
Post-Run: 13,766,225,920 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - B592D9BE2130CC2267C71967E940E117


#4 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,929 posts
  • ONLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:08:56 PM

Posted 06 October 2010 - 12:45 PM

  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
CODE
RenV::
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
c:\program files\ATI Technologies\ATI Control Panel\atiptaxx .exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\Common Files\Real\Update_OB\RealOneMessageCenter .exe
c:\program files\Common Files\Real\Update_OB\realsched .exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9 .exe
c:\program files\Common Files\Sonic\Update Manager\sgtray .exe
c:\program files\Dell\Media Experience\PCMService .exe
c:\program files\DellSupport\DSAgnt .exe
c:\program files\Google\Google Desktop Search\GoogleDesktop .exe
c:\program files\iTunes\iTunesHelper .exe
c:\windows\MXOaldr .exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"=-
"nut"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"=-
"iTunesHelper"=-
"Adobe Reader Speed Launcher"=-

Driver::
WinToolsSvc




Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report.

Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have the latest JAVA version, follow the instructions below under Upgrading Java, to download and install the latest version.
  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure the following are checked
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.
Attention! Kaspersky Online Scanner 7.0 may fail to start if another anti-virus program is already installed and running on your computer. Please deactivate the anti-virus software installed on your computer prior to starting Kaspersky Online Scanner 7.0.

Upgrading Java :
  • Download the latest version of Java SE Runtime Environment (JRE) JRE 6 Update 21.
  • Click the JDK 6 Update 21 (JDK or JRE) "Download JRE" button to the right.
  • Select your Platform, Register and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u21-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista users, right click on the jre-6u21-windows-i586.exe and select "Run as an Administrator.")

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
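The CFScript above acts on three things visible in the ComboFix log: executables whose name has a space inserted before the extension (the `Reader_sl .exe` style entries, renamed back by `RenV::`), Run-key entries whose target ComboFix could not verify on disk (`[N/A]`, `[X]`), and a service registered without a file (`WinToolsSvc`). The script below is an added triage example, not part of the thread and not ComboFix's own tooling: it parses those log formats and flags the same indicators, plus the `EnableFirewall = 0` setting. The sample log is constructed from lines quoted in this thread; the regexes and reason labels are my own assumptions about the log layout, not a published ComboFix specification.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample: lines copied from the ComboFix log sections quoted in
# this thread, trimmed to the entries the helper's CFScript acts on.
SAMPLE_LOG = r"""
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
c:\windows\MXOaldr .exe
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-09-02 25623336]
"Sonic RecordNow!"="" [N/A]
"Tgbh_PreA1T"="c:\program files\Adware Pro\Adware_Pro.exe" [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"nut"="c:\windows\Registration\nut.exe" [N/A]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
S2 WinToolsSvc;WinTools for IE service; [x]
"""

# A space before the extension ("Reader_sl .exe"): the pattern the RenV::
# section of the CFScript renames back to its proper name.
SPACED_EXT = re.compile(r"\S \.(exe|dll|sys|scr)\b", re.IGNORECASE)
# Run-key entries as ComboFix prints them: "Name"="target" [stamp]
RUN_ENTRY = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"\s*\[(?P<stamp>[^\]]*)\]')
# A file ComboFix found on disk carries a "YYYY-MM-DD size" stamp; anything
# else ([N/A], [X]) means no file could be verified behind the autorun entry.
VERIFIED_STAMP = re.compile(r"^\d{4}-\d{2}-\d{2} \d+$")
REG_KEY = re.compile(r"^\[(?P<key>HK[^\]]+)\]$")
# Service line whose binary column is empty and ends in [x] (assumed layout).
SERVICE_NO_FILE = re.compile(r"^S\d\s+(?P<svc>[^;]+);[^;]*;\s*\[x\]\s*$", re.IGNORECASE)
FIREWALL_OFF = re.compile(r'^"EnableFirewall"=\s*0\b')

REASON_SPACED = "space before extension"
REASON_UNVERIFIED = "autorun target not verified on disk"
REASON_FIREWALL = "Windows Firewall disabled"
REASON_SERVICE = "service registered without a file"


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious indicator, tagged with the enclosing registry key."""
    findings: List[Dict[str, str]] = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key = REG_KEY.match(line)
        if key:
            current_key = key.group("key")
            continue
        entry = RUN_ENTRY.match(line)
        if entry:
            name, target = entry.group("name"), entry.group("target")
            if not VERIFIED_STAMP.match(entry.group("stamp").strip()):
                findings.append({"key": current_key, "item": name, "reason": REASON_UNVERIFIED})
            if SPACED_EXT.search(target):
                findings.append({"key": current_key, "item": name, "reason": REASON_SPACED})
            continue
        if FIREWALL_OFF.match(line):
            findings.append({"key": current_key, "item": "EnableFirewall", "reason": REASON_FIREWALL})
            continue
        svc = SERVICE_NO_FILE.match(line)
        if svc:
            findings.append({"key": "services", "item": svc.group("svc"), "reason": REASON_SERVICE})
            continue
        if SPACED_EXT.search(line):
            # Bare path from the <pre> block of renamed executables
            findings.append({"key": "renamed files", "item": line, "reason": REASON_SPACED})
    return findings


def summarize(findings: List[Dict[str, str]]) -> Counter:
    """Count findings by reason, for a quick overview before writing a fix script."""
    return Counter(f["reason"] for f in findings)


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f['reason']:40} {f['item']}  ({f['key']})")
    print(dict(summarize(results)))
```

Each flagged item maps to a line of the CFScript: `REASON_SPACED` items go under `RenV::`, unverified Run entries under `Registry::` with `=-`, and the file-less service under `Driver::`. Entries that carry a date and size stamp (like Skype here) are left alone, which is the same judgement the helper made.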


#5 pminthepm

pminthepm
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Location:ma
  • Local time:08:56 PM

Posted 07 October 2010 - 09:45 AM

Two scans are here: combo, then Kaspersky.

ComboFix 10-10-05.06 - pm 10/06/2010 14:17:50.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.1010 [GMT -4:00]
Running from: c:\documents and settings\pm\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\pm\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\pm\Local Settings\Application Data\{578C1918-712C-41F7-B5ED-1EE1AEE64AED}
c:\documents and settings\pm\Local Settings\Application Data\{578C1918-712C-41F7-B5ED-1EE1AEE64AED}\chrome\content\_cfg.js
c:\documents and settings\pm\Local Settings\Application Data\{578C1918-712C-41F7-B5ED-1EE1AEE64AED}\chrome\content\overlay.xul
c:\documents and settings\pm\Local Settings\Application Data\{578C1918-712C-41F7-B5ED-1EE1AEE64AED}\install.rdf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WINTOOLSSVC
-------\Service_WinToolsSvc


((((((((((((((((((((((((( Files Created from 2010-09-06 to 2010-10-06 )))))))))))))))))))))))))))))))
.

2010-10-28 02:18 . 2010-10-28 02:19 -------- d-----w- c:\documents and settings\pm\Application Data\vShare
2010-10-28 02:18 . 2010-09-30 09:01 -------- d-----w- c:\program files\vShare
2010-10-24 07:00 . 2010-10-04 20:23 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-10-05 20:44 . 2010-10-05 20:44 -------- d-----w- c:\program files\Analog Devices
2010-10-05 18:54 . 2010-10-05 19:32 -------- d-----w- c:\documents and settings\pm\Application Data\AVP 2009
2010-10-05 12:50 . 2010-10-05 12:50 -------- d-----w- c:\program files\Lavalys
2010-10-05 12:21 . 2010-10-05 20:43 -------- d-----w- c:\program files\Test My Hardware
2010-10-05 02:10 . 2003-01-08 15:23 49152 ----a-w- c:\windows\system32\DSndUp.exe
2010-10-05 02:10 . 2002-10-28 15:26 3744 ----a-w- c:\windows\system32\drivers\smsens.sys
2010-10-05 02:10 . 2002-04-17 19:05 45056 ----a-w- c:\windows\system32\CleanUp.exe
2010-10-05 00:59 . 2002-01-08 21:00 176128 ----a-w- c:\windows\system32\RcdScan.dll
2010-10-05 00:59 . 2000-03-23 16:50 446464 ----a-r- c:\windows\system32\hhactivex.dll
2010-10-05 00:59 . 1998-06-18 03:00 89360 ----a-w- c:\windows\system32\VB5DB.DLL
2010-10-04 20:31 . 2010-10-04 20:31 -------- d-----w- c:\program files\Common Files\Skype
2010-10-01 18:59 . 2010-10-01 18:59 -------- d-----w- c:\program files\Trend Micro
2010-09-30 11:56 . 2010-07-17 09:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-30 09:14 . 2010-09-30 09:14 -------- d-----w- c:\windows\system32\wbem\Repository
2010-09-30 08:46 . 2010-09-30 08:46 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-09-30 01:56 . 2010-09-30 07:48 0 ----a-w- c:\windows\Gvaqulexaheqi.bin
2010-09-30 01:55 . 2010-09-30 01:55 120 ----a-w- c:\windows\Yposuyeganowetu.dat
2010-09-23 17:18 . 2010-09-23 17:18 -------- d-----w- c:\documents and settings\All Users\Application Data\LogiShrd
2010-09-23 17:17 . 2010-09-23 17:17 -------- d-----w- c:\documents and settings\pm\Local Settings\Application Data\LogiShrd
2010-09-23 17:08 . 2010-09-23 17:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Logitech
2010-09-23 17:07 . 2010-09-23 17:07 -------- d-----w- c:\program files\Common Files\LWS
2010-09-23 17:07 . 2010-10-04 20:23 -------- d-----w- c:\program files\Logitech
2010-09-23 17:06 . 2010-10-04 20:23 -------- d-----w- c:\program files\Common Files\LogiShrd
2010-09-16 22:46 . 2010-09-16 22:46 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2010-09-08 07:01 . 2010-09-08 07:01 -------- d-sh--w- c:\documents and settings\Default User\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-06 18:34 . 2006-07-07 18:27 -------- d-----w- c:\documents and settings\pm\Application Data\Skype
2010-10-06 18:33 . 2009-10-01 00:25 -------- d-----w- c:\documents and settings\pm\Application Data\skypePM
2010-10-06 18:33 . 2003-11-27 18:16 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-10-06 18:17 . 2010-07-03 15:41 -------- d-----w- c:\program files\iTunes
2010-10-06 18:17 . 2007-04-12 00:03 -------- d-----w- c:\program files\DellSupport
2010-10-06 17:32 . 2007-01-15 18:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-10-05 20:44 . 2010-04-02 02:25 -------- d-----w- c:\program files\QuickTime
2010-10-05 15:35 . 2003-12-06 16:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-10-05 13:28 . 2003-12-06 16:14 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-10-05 02:10 . 2003-10-29 12:35 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-10-05 01:38 . 2003-10-29 12:34 -------- d-----w- c:\program files\Intel
2010-10-05 00:26 . 2005-10-04 22:17 -------- d-----w- c:\program files\Winamp
2010-10-05 00:26 . 2008-02-10 03:28 -------- d-----w- c:\program files\PowerISO
2010-10-04 23:35 . 2010-10-01 19:02 112 ----a-w- c:\documents and settings\All Users\Application Data\gGSm035g.dat
2010-10-04 20:31 . 2010-08-24 10:52 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-10-04 20:31 . 2008-10-07 14:13 -------- d-----w- c:\program files\Microsoft Silverlight
2010-10-04 20:24 . 2010-07-05 20:54 -------- d-----w- c:\documents and settings\pm\Application Data\U3
2010-10-04 20:18 . 2005-10-06 01:26 -------- d-----w- c:\documents and settings\pm\Application Data\Azureus
2010-09-30 12:04 . 2003-10-29 12:27 -------- d-----w- c:\program files\Common Files\Java
2010-09-30 11:57 . 2010-09-30 11:57 503808 ----a-w- c:\documents and settings\pm\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-23cc5bd5-n\msvcp71.dll
2010-09-30 11:57 . 2010-09-30 11:57 499712 ----a-w- c:\documents and settings\pm\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-23cc5bd5-n\jmc.dll
2010-09-30 11:57 . 2010-09-30 11:57 348160 ----a-w- c:\documents and settings\pm\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-23cc5bd5-n\msvcr71.dll
2010-09-30 11:57 . 2010-09-30 11:57 61440 ----a-w- c:\documents and settings\pm\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-414f2d34-n\decora-sse.dll
2010-09-30 11:57 . 2010-09-30 11:57 12800 ----a-w- c:\documents and settings\pm\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-414f2d34-n\decora-d3d.dll
2010-09-30 11:56 . 2003-10-29 12:27 -------- d-----w- c:\program files\Java
2010-09-29 23:40 . 2010-09-23 17:10 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2010-08-30 18:34 . 2010-10-01 17:57 1496064 ----a-w- c:\documents and settings\pm\Application Data\Mozilla\Firefox\Profiles\i20ky9f8.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-08-30 18:33 . 2010-10-01 17:57 43008 ----a-w- c:\documents and settings\pm\Application Data\Mozilla\Firefox\Profiles\i20ky9f8.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-08-30 18:33 . 2010-10-01 17:57 338944 ----a-w- c:\documents and settings\pm\Application Data\Mozilla\Firefox\Profiles\i20ky9f8.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-08-30 18:33 . 2010-10-01 17:57 346112 ----a-w- c:\documents and settings\pm\Application Data\Mozilla\Firefox\Profiles\i20ky9f8.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-08-24 10:13 . 2007-01-15 18:18 -------- d-----w- c:\program files\Picasa2
2010-08-24 09:26 . 2010-08-24 09:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-08-24 09:26 . 2009-04-03 23:19 -------- d-----w- c:\program files\Alwil Software
2010-08-17 13:17 . 2005-06-10 23:55 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-07-22 15:49 . 2004-12-09 01:35 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 15:49 . 2004-12-09 01:35 590848 ----a-w- c:\windows\system32\rpcrt4(2)(2).dll
2010-07-22 05:57 . 2009-04-16 21:54 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2004-12-06 01:28 . 2004-12-05 22:49 66359 ---ha-w- c:\program files\SmartDraw User's Guide.GID
2003-12-11 00:16 . 2003-12-11 00:16 3692 ----a-w- c:\program files\SDX.DLL
2001-04-23 22:22 . 2003-12-11 00:16 2387968 ----a-w- c:\program files\SmartDraw.exe
2001-04-19 13:22 . 2003-12-11 00:16 18133 ----a-w- c:\program files\SmartDraw User's Guide.cnt
2001-04-18 14:03 . 2003-12-11 00:16 1903017 ----a-w- c:\program files\SmartDraw User's Guide.hlp
2001-04-05 22:15 . 2003-12-11 00:16 922720 ----a-w- c:\program files\SmartDraw Order Forms.hlp
2001-04-05 22:15 . 2003-12-11 00:16 1078 ----a-w- c:\program files\SmartDraw Order Forms.cnt
2001-03-24 16:23 . 2003-12-11 00:16 4398 ----a-w- c:\program files\license.txt
2000-11-14 19:21 . 2003-12-11 00:16 207715 ----a-w- c:\program files\catalog.exe
2000-11-14 19:19 . 2003-12-11 00:16 208923 ----a-w- c:\program files\sdupdate.exe
1999-06-25 15:55 . 2003-12-11 00:16 149504 ----a-w- c:\program files\UnInstal.exe
1998-05-15 13:40 . 2003-12-11 00:16 141312 ----a-w- c:\program files\SSCE5132.dll
1995-12-13 22:55 . 2003-12-11 00:16 123904 ----a-w- c:\program files\Vic32.DLL
2007-05-15 16:39 . 2007-05-15 16:39 135168 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
CODE
<pre>
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-09-02 25623336]
"Google Update"="c:\documents and settings\pm\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [N/A]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Tgbh_PreA1T"="c:\program files\Adware Pro\Adware_Pro.exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RealUpgradeHelper"="c:\program files\Common Files\Real\Update_OB\upgrdhlp.exe" [2010-02-24 136744]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-12-3 110592]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
backup=c:\windows\pss\HotSync Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Java\\j2re1.4.2\\bin\\javaw.exe"=
"c:\\WINDOWS\\SYSTEM32\\java.exe"=
"c:\\Program Files\\Java\\jre1.5.0_10\\bin\\javaw.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

S2 gupdate1c9866ab8964622;Google Update Service (gupdate1c9866ab8964622);c:\program files\Google\Update\GoogleUpdate.exe [2/3/2009 9:48 PM 133104]
S2 IFP300;iRiver Internet Audio Player IFP-300;c:\windows\SYSTEM32\DRIVERS\ifp300.sys [12/1/2008 12:12 AM 13543]
S3 lgatbus;LG USB Composite Device driver (WDM);c:\windows\SYSTEM32\DRIVERS\lgatbus.sys [1/7/2006 1:24 AM 43024]
S3 lgatmdm;LG CDMA USB Modem Drivers;c:\windows\SYSTEM32\DRIVERS\lgatmdm.sys [1/7/2006 1:25 AM 77104]
.
Contents of the 'Scheduled Tasks' folder

2010-09-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-10-06 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-15 22:47]

2010-10-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-04 01:48]

2010-10-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-04 01:48]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.dellnet.com/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: musicmatch.com
Trusted Zone: musicmatch.com
FF - ProfilePath - c:\documents and settings\pm\Application Data\Mozilla\Firefox\Profiles\i20ky9f8.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z005&form=ZGAADF&q=
FF - component: c:\documents and settings\pm\Application Data\Mozilla\Firefox\Profiles\i20ky9f8.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(788)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2820)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\program files\Turtle Beach\AudioStation\tbaspi.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\msiexec.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2010-10-06 14:43:15 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-06 18:43
ComboFix2.txt 2010-10-06 05:15

Pre-Run: 15,201,816,576 bytes free
Post-Run: 15,315,615,744 bytes free

- - End Of File - - 840941094D17D659D7AA7623D32F88F3


Scan statistics:
Objects scanned: 158936
Threats found: 9
Infected objects found: 37
Suspicious objects found: 1
Scan duration: 12:16:35


File name / Threat / Threats count
C:\Documents and Settings\pm\Application Data\Sun\Java\Deployment\cache\6.0\23\f34b057-5e6a95d3 Infected: Trojan-Downloader.Java.Agent.gr 1
C:\Documents and Settings\pm\Application Data\Sun\Java\Deployment\cache\6.0\23\f34b057-5e6a95d3 Infected: Trojan-Downloader.Java.Agent.gs 1
C:\Documents and Settings\pm\Application Data\Sun\Java\Deployment\cache\6.0\23\f34b057-5e6a95d3 Infected: Trojan-Downloader.Java.Agent.gt 1
C:\Documents and Settings\pm\Desktop\movie\DVD Fab PLATINUM EDITION 4.0.6.0.(NEW-with serial key)\DVDFabPlatinum4060.rar Infected: Trojan.Win32.Delf.bur 1
C:\Documents and Settings\pm\Local Settings\Application Data\Identities\{2C7A8CD0-78FA-427F-BF86-AE333A20DC52}\Microsoft\Outlook Express\Sent Items.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\WebSys\offline.mmz Infected: not-a-virus:RiskTool.Win32.Deleter.f 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\FTDISK.SYS.vir Infected: Virus.Win32.TDSS.b 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\krambst.dll.vir Infected: Trojan-Proxy.Win32.Agent.dbz 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1915\A0433116.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1915\A0433117.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1915\A0433118.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1915\A0433119.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1915\A0433120.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1915\A0433121.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1915\A0433122.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1915\A0433123.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1915\A0433124.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1915\A0433125.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1915\A0433126.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1915\A0433127.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1915\A0433128.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1915\A0433129.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1915\A0433130.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1915\A0433131.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1915\A0433132.EXE Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1915\A0433133.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1915\A0433134.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1915\A0433135.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1915\A0433136.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1915\A0433137.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1915\A0433138.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1915\A0433139.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1915\A0433140.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1915\A0433141.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1915\A0433142.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1915\A0433143.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1917\A0443761.SYS Infected: Virus.Win32.TDSS.b 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1917\A0443822.dll Infected: Trojan-Proxy.Win32.Agent.dbz 1

Selected area has been scanned.

#6 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,929 posts
  • ONLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:08:56 PM

Posted 07 October 2010 - 12:00 PM

  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
CODE
File::
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
C:\Documents and Settings\pm\Desktop\movie\DVD Fab PLATINUM EDITION 4.0.6.0.(NEW-with serial key)\DVDFabPlatinum4060.rar




Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report.

------------------------------------------

Download TFC by OldTimer to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

----------------------------------

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Create a Restore point:
  1. Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore.
  2. In the System Restore dialog box, click Create a restore point, and then click Next.
  3. Type a description for your restore point, such as "After Cleanup", then click Create.

----------------------------------------------------------------------------

You may need to reinstall Adobe Reader as it was compromised.

How is the computer doing?

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#7 pminthepm

pminthepm
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Location:ma
  • Local time:08:56 PM

Posted 07 October 2010 - 08:48 PM

My computer is working well, as are Explorer and Google.
I have several external hard drives that I use for different projects.
Any suggestions before I hook them up?
I will restart Avast when we are finished.
As usual, thanks so much for your time.
pm

ComboFix 10-10-07.01 - pm 10/07/2010 21:07:43.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.986 [GMT -4:00]
Running from: c:\documents and settings\pm\Desktop\bleeping\ComboFix.exe
Command switches used :: c:\documents and settings\pm\Desktop\CFScript.txt

FILE ::
"c:\documents and settings\pm\Desktop\movie\DVD Fab PLATINUM EDITION 4.0.6.0.(NEW-with serial key)\DVDFabPlatinum4060.rar"
"c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\pm\Desktop\movie\DVD Fab PLATINUM EDITION 4.0.6.0.(NEW-with serial key)\DVDFabPlatinum4060.rar
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe

.
((((((((((((((((((((((((( Files Created from 2010-09-08 to 2010-10-08 )))))))))))))))))))))))))))))))
.

2010-10-28 02:18 . 2010-10-28 02:19 -------- d-----w- c:\documents and settings\pm\Application Data\vShare
2010-10-28 02:18 . 2010-09-30 09:01 -------- d-----w- c:\program files\vShare
2010-10-24 07:00 . 2010-10-04 20:23 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-10-05 20:44 . 2010-10-05 20:44 -------- d-----w- c:\program files\Analog Devices
2010-10-05 18:54 . 2010-10-05 19:32 -------- d-----w- c:\documents and settings\pm\Application Data\AVP 2009
2010-10-05 12:50 . 2010-10-05 12:50 -------- d-----w- c:\program files\Lavalys
2010-10-05 12:21 . 2010-10-05 20:43 -------- d-----w- c:\program files\Test My Hardware
2010-10-05 02:10 . 2003-01-08 15:23 49152 ----a-w- c:\windows\system32\DSndUp.exe
2010-10-05 02:10 . 2002-10-28 15:26 3744 ----a-w- c:\windows\system32\drivers\smsens.sys
2010-10-05 02:10 . 2002-04-17 19:05 45056 ----a-w- c:\windows\system32\CleanUp.exe
2010-10-05 00:59 . 2002-01-08 21:00 176128 ----a-w- c:\windows\system32\RcdScan.dll
2010-10-05 00:59 . 2000-03-23 16:50 446464 ----a-r- c:\windows\system32\hhactivex.dll
2010-10-05 00:59 . 1998-06-18 03:00 89360 ----a-w- c:\windows\system32\VB5DB.DLL
2010-10-04 20:31 . 2010-10-04 20:31 -------- d-----w- c:\program files\Common Files\Skype
2010-10-01 18:59 . 2010-10-01 18:59 -------- d-----w- c:\program files\Trend Micro
2010-10-01 17:57 . 2010-08-30 18:33 43008 ----a-w- c:\documents and settings\pm\Application Data\Mozilla\Firefox\Profiles\i20ky9f8.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-10-01 17:57 . 2010-08-30 18:33 338944 ----a-w- c:\documents and settings\pm\Application Data\Mozilla\Firefox\Profiles\i20ky9f8.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-10-01 17:57 . 2010-08-30 18:33 346112 ----a-w- c:\documents and settings\pm\Application Data\Mozilla\Firefox\Profiles\i20ky9f8.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-10-01 17:57 . 2010-08-30 18:34 1496064 ----a-w- c:\documents and settings\pm\Application Data\Mozilla\Firefox\Profiles\i20ky9f8.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-09-30 11:57 . 2010-09-30 11:57 503808 ----a-w- c:\documents and settings\pm\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-23cc5bd5-n\msvcp71.dll
2010-09-30 11:57 . 2010-09-30 11:57 499712 ----a-w- c:\documents and settings\pm\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-23cc5bd5-n\jmc.dll
2010-09-30 11:57 . 2010-09-30 11:57 348160 ----a-w- c:\documents and settings\pm\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-23cc5bd5-n\msvcr71.dll
2010-09-30 11:57 . 2010-09-30 11:57 61440 ----a-w- c:\documents and settings\pm\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-414f2d34-n\decora-sse.dll
2010-09-30 11:57 . 2010-09-30 11:57 12800 ----a-w- c:\documents and settings\pm\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-414f2d34-n\decora-d3d.dll
2010-09-30 11:56 . 2010-10-06 19:05 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-30 09:14 . 2010-09-30 09:14 -------- d-----w- c:\windows\system32\wbem\Repository
2010-09-30 08:46 . 2010-09-30 08:46 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-09-30 01:56 . 2010-09-30 07:48 0 ----a-w- c:\windows\Gvaqulexaheqi.bin
2010-09-30 01:55 . 2010-09-30 01:55 120 ----a-w- c:\windows\Yposuyeganowetu.dat
2010-09-23 17:18 . 2010-09-23 17:18 -------- d-----w- c:\documents and settings\All Users\Application Data\LogiShrd
2010-09-23 17:17 . 2010-09-23 17:17 -------- d-----w- c:\documents and settings\pm\Local Settings\Application Data\LogiShrd
2010-09-23 17:08 . 2010-09-23 17:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Logitech
2010-09-23 17:07 . 2010-09-23 17:07 -------- d-----w- c:\program files\Common Files\LWS
2010-09-23 17:07 . 2010-10-04 20:23 -------- d-----w- c:\program files\Logitech
2010-09-23 17:06 . 2010-10-04 20:23 -------- d-----w- c:\program files\Common Files\LogiShrd
2010-09-16 22:46 . 2010-09-16 22:46 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2010-09-08 07:01 . 2010-09-08 07:01 -------- d-sh--w- c:\documents and settings\Default User\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-08 01:18 . 2006-07-07 18:27 -------- d-----w- c:\documents and settings\pm\Application Data\Skype
2010-10-07 20:00 . 2009-10-01 00:25 -------- d-----w- c:\documents and settings\pm\Application Data\skypePM
2010-10-07 18:33 . 2007-01-15 18:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-10-07 02:00 . 2003-11-27 18:16 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-10-06 18:58 . 2003-10-29 12:27 -------- d-----w- c:\program files\Java
2010-10-06 18:17 . 2010-07-03 15:41 -------- d-----w- c:\program files\iTunes
2010-10-06 18:17 . 2007-04-12 00:03 -------- d-----w- c:\program files\DellSupport
2010-10-05 20:44 . 2010-04-02 02:25 -------- d-----w- c:\program files\QuickTime
2010-10-05 15:35 . 2003-12-06 16:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-10-05 13:28 . 2003-12-06 16:14 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-10-05 02:10 . 2003-10-29 12:35 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-10-05 01:38 . 2003-10-29 12:34 -------- d-----w- c:\program files\Intel
2010-10-05 00:26 . 2005-10-04 22:17 -------- d-----w- c:\program files\Winamp
2010-10-05 00:26 . 2008-02-10 03:28 -------- d-----w- c:\program files\PowerISO
2010-10-04 23:35 . 2010-10-01 19:02 112 ----a-w- c:\documents and settings\All Users\Application Data\gGSm035g.dat
2010-10-04 20:31 . 2010-08-24 10:52 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-10-04 20:31 . 2008-10-07 14:13 -------- d-----w- c:\program files\Microsoft Silverlight
2010-10-04 20:24 . 2010-07-05 20:54 -------- d-----w- c:\documents and settings\pm\Application Data\U3
2010-10-04 20:18 . 2005-10-06 01:26 -------- d-----w- c:\documents and settings\pm\Application Data\Azureus
2010-09-30 12:04 . 2003-10-29 12:27 -------- d-----w- c:\program files\Common Files\Java
2010-09-29 23:40 . 2010-09-23 17:10 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2010-08-24 10:13 . 2007-01-15 18:18 -------- d-----w- c:\program files\Picasa2
2010-08-24 09:26 . 2010-08-24 09:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-08-24 09:26 . 2009-04-03 23:19 -------- d-----w- c:\program files\Alwil Software
2010-08-17 13:17 . 2005-06-10 23:55 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-07-22 15:49 . 2004-12-09 01:35 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 15:49 . 2004-12-09 01:35 590848 ----a-w- c:\windows\system32\rpcrt4(2)(2).dll
2010-07-22 05:57 . 2009-04-16 21:54 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2004-12-06 01:28 . 2004-12-05 22:49 66359 ---ha-w- c:\program files\SmartDraw User's Guide.GID
2003-12-11 00:16 . 2003-12-11 00:16 3692 ----a-w- c:\program files\SDX.DLL
2001-04-23 22:22 . 2003-12-11 00:16 2387968 ----a-w- c:\program files\SmartDraw.exe
2001-04-19 13:22 . 2003-12-11 00:16 18133 ----a-w- c:\program files\SmartDraw User's Guide.cnt
2001-04-18 14:03 . 2003-12-11 00:16 1903017 ----a-w- c:\program files\SmartDraw User's Guide.hlp
2001-04-05 22:15 . 2003-12-11 00:16 922720 ----a-w- c:\program files\SmartDraw Order Forms.hlp
2001-04-05 22:15 . 2003-12-11 00:16 1078 ----a-w- c:\program files\SmartDraw Order Forms.cnt
2001-03-24 16:23 . 2003-12-11 00:16 4398 ----a-w- c:\program files\license.txt
2000-11-14 19:21 . 2003-12-11 00:16 207715 ----a-w- c:\program files\catalog.exe
2000-11-14 19:19 . 2003-12-11 00:16 208923 ----a-w- c:\program files\sdupdate.exe
1999-06-25 15:55 . 2003-12-11 00:16 149504 ----a-w- c:\program files\UnInstal.exe
1998-05-15 13:40 . 2003-12-11 00:16 141312 ----a-w- c:\program files\SSCE5132.dll
1995-12-13 22:55 . 2003-12-11 00:16 123904 ----a-w- c:\program files\Vic32.DLL
2007-05-15 16:39 . 2007-05-15 16:39 135168 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
CODE
c:\program files\Messenger\msmsgs .exe
c:\program files\Microsoft ActiveSync\Wcescomm  .exe
c:\program files\Microsoft Security Essentials\msseces .exe
c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mimboot .exe
c:\program files\PowerISO\PWRISOVM .exe
c:\program files\QuickTime\qttask         .exe
c:\program files\Winamp\winampa .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-09-02 25623336]
"Google Update"="c:\documents and settings\pm\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [N/A]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Tgbh_PreA1T"="c:\program files\Adware Pro\Adware_Pro.exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-02-24 198160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RealUpgradeHelper"="c:\program files\Common Files\Real\Update_OB\upgrdhlp.exe" [2010-02-24 136744]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-12-3 110592]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
backup=c:\windows\pss\HotSync Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SYSTEM32\\java.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

S2 gupdate1c9866ab8964622;Google Update Service (gupdate1c9866ab8964622);c:\program files\Google\Update\GoogleUpdate.exe [2/3/2009 9:48 PM 133104]
S2 IFP300;iRiver Internet Audio Player IFP-300;c:\windows\SYSTEM32\DRIVERS\ifp300.sys [12/1/2008 12:12 AM 13543]
S3 lgatbus;LG USB Composite Device driver (WDM);c:\windows\SYSTEM32\DRIVERS\lgatbus.sys [1/7/2006 1:24 AM 43024]
S3 lgatmdm;LG CDMA USB Modem Drivers;c:\windows\SYSTEM32\DRIVERS\lgatmdm.sys [1/7/2006 1:25 AM 77104]
.
Contents of the 'Scheduled Tasks' folder

2010-10-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-10-07 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-15 22:47]

2010-10-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-04 01:48]

2010-10-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-04 01:48]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.dellnet.com/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: musicmatch.com
Trusted Zone: musicmatch.com
FF - ProfilePath - c:\documents and settings\pm\Application Data\Mozilla\Firefox\Profiles\i20ky9f8.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z005&form=ZGAADF&q=
FF - component: c:\documents and settings\pm\Application Data\Mozilla\Firefox\Profiles\i20ky9f8.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(784)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-10-07 21:21:45
ComboFix-quarantined-files.txt 2010-10-08 01:21
ComboFix2.txt 2010-10-06 18:43
ComboFix3.txt 2010-10-06 05:15

Pre-Run: 14,754,877,440 bytes free
Post-Run: 14,934,347,776 bytes free

- - End Of File - - 3A9C62199F9DE459D0D27AD5039D15F7


#8 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,929 posts
  • ONLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:08:56 PM

Posted 07 October 2010 - 10:33 PM

We still have some problems popping up in the current drive. Let's wait until all is cleaned.
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
CODE
RenV::
c:\program files\Messenger\msmsgs .exe
c:\program files\Microsoft ActiveSync\Wcescomm  .exe
c:\program files\Microsoft Security Essentials\msseces .exe
c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mimboot .exe
c:\program files\PowerISO\PWRISOVM .exe
c:\program files\QuickTime\qttask         .exe
c:\program files\Winamp\winampa .exe

File::
c:\windows\Yposuyeganowetu.dat
c:\windows\Gvaqulexaheqi.bin
c:\windows\system32\drivers\logiflt.iad
c:\windows\system32\rpcrt4(2)(2).dll

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"=-
"Tgbh_PreA1T"=-




Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report.

The following programs have been compromised also:

Messenger
Microsoft ActiveSync
Microsoft Security Essentials
MUSICMATCH
PowerISO
QuickTime
Winamp


No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
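Added example, not part of this thread and not ComboFix's own code: a Python triage pass over a ComboFix-style file listing that flags the two naming patterns the helper targets in the RenV:: and File:: blocks above (whitespace between the file stem and its extension, and "(n)" copy suffixes such as rpcrt4(2)(2).dll) and reports whether the normally named file is listed beside each one. The sample paths are constructed from the names quoted in this thread; the function and class names are the example's own.

```python
"""Triage a ComboFix-style file listing for two naming patterns seen in this thread:
names padded with whitespace before the extension (e.g. "qttask         .exe") and
numbered copies beside a system file (e.g. "rpcrt4(2)(2).dll")."""
import ntpath
import re
from typing import List, NamedTuple, Optional

# Whitespace between the file stem and a short extension: "msmsgs .exe"
PADDED_NAME = re.compile(r"(.*\S)[ \t]+(\.[A-Za-z0-9]{1,4})")
# One or more "(n)" copy suffixes between stem and extension: "rpcrt4(2)(2).dll"
NUMBERED_COPY = re.compile(r"(.+?)(?:\(\d+\))+(\.[^.]+)")


class Finding(NamedTuple):
    kind: str                # "padded-name" or "numbered-copy"
    path: str                # the suspicious path exactly as listed
    canonical: str           # the path without the padding / copy suffix
    canonical_present: bool  # whether that canonical path is also in the listing


def padded_name(path: str) -> Optional[str]:
    """Return the un-padded path if the basename has whitespace right before its extension."""
    directory, base = ntpath.split(path)   # ntpath handles Windows paths on any OS
    m = PADDED_NAME.fullmatch(base)
    if not m:
        return None
    return ntpath.join(directory, m.group(1) + m.group(2))


def numbered_copy(path: str) -> Optional[str]:
    """Return the original path if the basename carries one or more "(n)" copy suffixes."""
    directory, base = ntpath.split(path)
    m = NUMBERED_COPY.fullmatch(base)
    if not m:
        return None
    return ntpath.join(directory, m.group(1) + m.group(2))


def triage(listing: List[str]) -> List[Finding]:
    """Run both checks over every listed path and note whether the canonical file is present."""
    present = {p.lower() for p in listing}   # Windows file names are case-insensitive
    findings = []
    for path in listing:
        for kind, check in (("padded-name", padded_name), ("numbered-copy", numbered_copy)):
            canonical = check(path)
            if canonical:
                findings.append(Finding(kind, path, canonical, canonical.lower() in present))
    return findings


# Constructed sample listing, built from file names quoted in this thread.
SAMPLE_LISTING = [
    r"c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe",
    r"c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe",
    r"c:\program files\Messenger\msmsgs .exe",
    r"c:\program files\Microsoft ActiveSync\Wcescomm  .exe",
    r"c:\program files\QuickTime\qttask         .exe",
    r"c:\program files\Winamp\winampa .exe",
    r"c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe",  # space inside the stem only: benign
    r"c:\windows\system32\rpcrt4.dll",
    r"c:\windows\system32\rpcrt4(2)(2).dll",
    r"c:\windows\system32\spoolsv.exe",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LISTING):
        where = "original also listed" if f.canonical_present else "original not listed"
        print(f"{f.kind:14} {f.path!r} -> {f.canonical!r} ({where})")
```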


#9 pminthepm

pminthepm
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Location:ma
  • Local time:08:56 PM

Posted 08 October 2010 - 08:00 AM

Thanks
pm

ComboFix 10-10-07.02 - pm 10/08/2010 8:17.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.986 [GMT -4:00]
Running from: c:\documents and settings\pm\Desktop\bleeping\ComboFix.exe
Command switches used :: c:\documents and settings\pm\Desktop\CFScript.txt

FILE ::
"c:\windows\Gvaqulexaheqi.bin"
"c:\windows\system32\drivers\logiflt.iad"
"c:\windows\system32\rpcrt4(2)(2).dll"
"c:\windows\Yposuyeganowetu.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Gvaqulexaheqi.bin
c:\windows\system32\drivers\logiflt.iad
c:\windows\system32\rpcrt4(2)(2).dll
c:\windows\Yposuyeganowetu.dat

.
((((((((((((((((((((((((( Files Created from 2010-09-08 to 2010-10-08 )))))))))))))))))))))))))))))))
.

2010-10-28 02:18 . 2010-10-28 02:19 -------- d-----w- c:\documents and settings\pm\Application Data\vShare
2010-10-28 02:18 . 2010-09-30 09:01 -------- d-----w- c:\program files\vShare
2010-10-24 07:00 . 2010-10-04 20:23 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-10-05 20:44 . 2010-10-05 20:44 -------- d-----w- c:\program files\Analog Devices
2010-10-05 18:54 . 2010-10-05 19:32 -------- d-----w- c:\documents and settings\pm\Application Data\AVP 2009
2010-10-05 12:50 . 2010-10-05 12:50 -------- d-----w- c:\program files\Lavalys
2010-10-05 12:21 . 2010-10-05 20:43 -------- d-----w- c:\program files\Test My Hardware
2010-10-05 02:10 . 2003-01-08 15:23 49152 ----a-w- c:\windows\system32\DSndUp.exe
2010-10-05 02:10 . 2002-10-28 15:26 3744 ----a-w- c:\windows\system32\drivers\smsens.sys
2010-10-05 02:10 . 2002-04-17 19:05 45056 ----a-w- c:\windows\system32\CleanUp.exe
2010-10-05 00:59 . 2002-01-08 21:00 176128 ----a-w- c:\windows\system32\RcdScan.dll
2010-10-05 00:59 . 2000-03-23 16:50 446464 ----a-r- c:\windows\system32\hhactivex.dll
2010-10-05 00:59 . 1998-06-18 03:00 89360 ----a-w- c:\windows\system32\VB5DB.DLL
2010-10-04 20:31 . 2010-10-04 20:31 -------- d-----w- c:\program files\Common Files\Skype
2010-10-01 18:59 . 2010-10-01 18:59 -------- d-----w- c:\program files\Trend Micro
2010-10-01 17:57 . 2010-08-30 18:33 43008 ----a-w- c:\documents and settings\pm\Application Data\Mozilla\Firefox\Profiles\i20ky9f8.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-10-01 17:57 . 2010-08-30 18:33 338944 ----a-w- c:\documents and settings\pm\Application Data\Mozilla\Firefox\Profiles\i20ky9f8.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-10-01 17:57 . 2010-08-30 18:33 346112 ----a-w- c:\documents and settings\pm\Application Data\Mozilla\Firefox\Profiles\i20ky9f8.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-10-01 17:57 . 2010-08-30 18:34 1496064 ----a-w- c:\documents and settings\pm\Application Data\Mozilla\Firefox\Profiles\i20ky9f8.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-09-30 11:57 . 2010-09-30 11:57 503808 ----a-w- c:\documents and settings\pm\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-23cc5bd5-n\msvcp71.dll
2010-09-30 11:57 . 2010-09-30 11:57 499712 ----a-w- c:\documents and settings\pm\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-23cc5bd5-n\jmc.dll
2010-09-30 11:57 . 2010-09-30 11:57 348160 ----a-w- c:\documents and settings\pm\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-23cc5bd5-n\msvcr71.dll
2010-09-30 11:57 . 2010-09-30 11:57 61440 ----a-w- c:\documents and settings\pm\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-414f2d34-n\decora-sse.dll
2010-09-30 11:57 . 2010-09-30 11:57 12800 ----a-w- c:\documents and settings\pm\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-414f2d34-n\decora-d3d.dll
2010-09-30 11:56 . 2010-10-06 19:05 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-30 09:14 . 2010-09-30 09:14 -------- d-----w- c:\windows\system32\wbem\Repository
2010-09-30 08:46 . 2010-09-30 08:46 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-09-23 17:18 . 2010-09-23 17:18 -------- d-----w- c:\documents and settings\All Users\Application Data\LogiShrd
2010-09-23 17:17 . 2010-09-23 17:17 -------- d-----w- c:\documents and settings\pm\Local Settings\Application Data\LogiShrd
2010-09-23 17:08 . 2010-09-23 17:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Logitech
2010-09-23 17:07 . 2010-09-23 17:07 -------- d-----w- c:\program files\Common Files\LWS
2010-09-23 17:07 . 2010-10-04 20:23 -------- d-----w- c:\program files\Logitech
2010-09-23 17:06 . 2010-10-04 20:23 -------- d-----w- c:\program files\Common Files\LogiShrd
2010-09-16 22:46 . 2010-09-16 22:46 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-08 12:27 . 2006-07-07 18:27 -------- d-----w- c:\documents and settings\pm\Application Data\Skype
2010-10-08 12:17 . 2010-04-02 02:25 -------- d-----w- c:\program files\QuickTime
2010-10-08 12:17 . 2005-10-04 22:17 -------- d-----w- c:\program files\Winamp
2010-10-08 12:17 . 2010-08-24 10:52 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-10-08 12:17 . 2008-02-10 03:28 -------- d-----w- c:\program files\PowerISO
2010-10-08 12:17 . 2003-11-27 18:16 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-10-08 12:08 . 2009-10-01 00:25 -------- d-----w- c:\documents and settings\pm\Application Data\skypePM
2010-10-07 18:33 . 2007-01-15 18:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-10-06 18:58 . 2003-10-29 12:27 -------- d-----w- c:\program files\Java
2010-10-06 18:17 . 2010-07-03 15:41 -------- d-----w- c:\program files\iTunes
2010-10-06 18:17 . 2007-04-12 00:03 -------- d-----w- c:\program files\DellSupport
2010-10-05 15:35 . 2003-12-06 16:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-10-05 13:28 . 2003-12-06 16:14 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-10-05 02:10 . 2003-10-29 12:35 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-10-05 01:38 . 2003-10-29 12:34 -------- d-----w- c:\program files\Intel
2010-10-04 23:35 . 2010-10-01 19:02 112 ----a-w- c:\documents and settings\All Users\Application Data\gGSm035g.dat
2010-10-04 20:31 . 2008-10-07 14:13 -------- d-----w- c:\program files\Microsoft Silverlight
2010-10-04 20:24 . 2010-07-05 20:54 -------- d-----w- c:\documents and settings\pm\Application Data\U3
2010-10-04 20:18 . 2005-10-06 01:26 -------- d-----w- c:\documents and settings\pm\Application Data\Azureus
2010-09-30 12:04 . 2003-10-29 12:27 -------- d-----w- c:\program files\Common Files\Java
2010-08-24 10:13 . 2007-01-15 18:18 -------- d-----w- c:\program files\Picasa2
2010-08-24 09:26 . 2010-08-24 09:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-08-24 09:26 . 2009-04-03 23:19 -------- d-----w- c:\program files\Alwil Software
2010-08-17 13:17 . 2005-06-10 23:55 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-07-22 15:49 . 2004-12-09 01:35 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57 . 2009-04-16 21:54 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2004-12-06 01:28 . 2004-12-05 22:49 66359 ---ha-w- c:\program files\SmartDraw User's Guide.GID
2003-12-11 00:16 . 2003-12-11 00:16 3692 ----a-w- c:\program files\SDX.DLL
2001-04-23 22:22 . 2003-12-11 00:16 2387968 ----a-w- c:\program files\SmartDraw.exe
2001-04-19 13:22 . 2003-12-11 00:16 18133 ----a-w- c:\program files\SmartDraw User's Guide.cnt
2001-04-18 14:03 . 2003-12-11 00:16 1903017 ----a-w- c:\program files\SmartDraw User's Guide.hlp
2001-04-05 22:15 . 2003-12-11 00:16 922720 ----a-w- c:\program files\SmartDraw Order Forms.hlp
2001-04-05 22:15 . 2003-12-11 00:16 1078 ----a-w- c:\program files\SmartDraw Order Forms.cnt
2001-03-24 16:23 . 2003-12-11 00:16 4398 ----a-w- c:\program files\license.txt
2000-11-14 19:21 . 2003-12-11 00:16 207715 ----a-w- c:\program files\catalog.exe
2000-11-14 19:19 . 2003-12-11 00:16 208923 ----a-w- c:\program files\sdupdate.exe
1999-06-25 15:55 . 2003-12-11 00:16 149504 ----a-w- c:\program files\UnInstal.exe
1998-05-15 13:40 . 2003-12-11 00:16 141312 ----a-w- c:\program files\SSCE5132.dll
1995-12-13 22:55 . 2003-12-11 00:16 123904 ----a-w- c:\program files\Vic32.DLL
2007-05-15 16:39 . 2007-05-15 16:39 135168 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-10-08_01.18.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-10-08 01:37 . 2010-10-08 01:37 16384 c:\windows\Temp\Perflib_Perfdata_5e0.dat
+ 2010-09-24 01:02 . 2010-09-24 01:02 798208 c:\windows\Installer\1287729.msp
+ 2010-10-08 07:03 . 2010-10-08 07:03 859648 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\b1646e54b708b9824f4193f87eb00c0e\System.Web.Extensions.Design.ni.dll
+ 2010-10-08 07:03 . 2010-10-08 07:03 328704 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity\504a93e73da77c502ecf98bfdfc1485e\System.Web.Entity.ni.dll
+ 2010-10-08 07:03 . 2010-10-08 07:03 301056 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity.D#\f22334fbd9497d79448fffef515ae0cc\System.Web.Entity.Design.ni.dll
+ 2010-10-08 07:03 . 2010-10-08 07:03 547328 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\af5452305588da228a74e30324681d20\System.Web.DynamicData.ni.dll
+ 2010-10-08 07:03 . 2010-10-08 07:03 2405376 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\da367bc2ecf2c9c5b4f858b6dba9e2ea\System.Web.Extensions.ni.dll
+ 2010-10-08 07:03 . 2010-10-08 07:03 1706496 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel#\8e34e273d036b7468fc4e951a1fde437\System.ServiceModel.Web.ni.dll
- 2009-08-10 18:50 . 2009-08-10 18:50 1277952 c:\windows\assembly\GAC_MSIL\System.Web.Extensions\3.5.0.0__31bf3856ad364e35\System.Web.Extensions.dll
+ 2010-10-08 07:00 . 2010-10-08 07:00 1277952 c:\windows\assembly\GAC_MSIL\System.Web.Extensions\3.5.0.0__31bf3856ad364e35\System.Web.Extensions.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-09-02 25623336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-02-24 198160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RealUpgradeHelper"="c:\program files\Common Files\Real\Update_OB\upgrdhlp.exe" [2010-02-24 136744]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-12-3 110592]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
backup=c:\windows\pss\HotSync Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SYSTEM32\\java.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

S2 gupdate1c9866ab8964622;Google Update Service (gupdate1c9866ab8964622);c:\program files\Google\Update\GoogleUpdate.exe [2/3/2009 9:48 PM 133104]
S2 IFP300;iRiver Internet Audio Player IFP-300;c:\windows\SYSTEM32\DRIVERS\ifp300.sys [12/1/2008 12:12 AM 13543]
S3 lgatbus;LG USB Composite Device driver (WDM);c:\windows\SYSTEM32\DRIVERS\lgatbus.sys [1/7/2006 1:24 AM 43024]
S3 lgatmdm;LG CDMA USB Modem Drivers;c:\windows\SYSTEM32\DRIVERS\lgatmdm.sys [1/7/2006 1:25 AM 77104]
.
Contents of the 'Scheduled Tasks' folder

2010-10-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-10-08 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-15 22:47]

2010-10-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-04 01:48]

2010-10-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-04 01:48]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.dellnet.com/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: musicmatch.com
Trusted Zone: musicmatch.com
FF - ProfilePath - c:\documents and settings\pm\Application Data\Mozilla\Firefox\Profiles\i20ky9f8.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z005&form=ZGAADF&q=
FF - component: c:\documents and settings\pm\Application Data\Mozilla\Firefox\Profiles\i20ky9f8.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(780)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-10-08 08:30:13
ComboFix-quarantined-files.txt 2010-10-08 12:30
ComboFix2.txt 2010-10-08 01:21
ComboFix3.txt 2010-10-06 18:43
ComboFix4.txt 2010-10-06 05:15

Pre-Run: 27,029,471,232 bytes free
Post-Run: 27,045,081,088 bytes free

- - End Of File - - DCBFB1F3D18D671AB9C86B1EBC261B35
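A small triage script for logs of this shape, added here as an example; it is not part of the original post, of ComboFix, or of BleepingComputer's procedure. It pulls the Run-key autostarts, the firewall state and the Firefox search preferences out of a ComboFix-style log and lists the items a helper would verify by hand. The sample input is a handful of lines constructed in the shape of the log above (not the full log); the three rules (firewall disabled, autostart outside Program Files or Windows, address-bar search provider differing from the homepage's domain) are triage heuristics chosen for the example, not verdicts, and nothing is asserted about what the `pc=` parameter in the Bing URL means beyond its being a partner/tracking code worth confirming with the user.

```python
import re
from collections import namedtuple
from urllib.parse import urlparse, parse_qs

# Constructed sample input: a few lines in the shape ComboFix prints them
# (Reg Loading Points, firewall policy, Firefox prefs). Not the full log.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-09-02 25623336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-02-24 198160]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z005&form=ZGAADF&q=
"""

RUN_KEY_RE = re.compile(r"^\[HK[^\]]*\\Run(Once)?\]$", re.I)
RUN_VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*\[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$')
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*(?P<val>\d+)')
FF_PREF_RE = re.compile(r"^FF - prefs\.js: (?P<key>\S+) - (?P<val>.+)$")

# Where an autostart binary is expected to live on this XP box (heuristic, assumed).
STANDARD_DIRS = ("c:\\program files\\", "c:\\windows\\")

RunEntry = namedtuple("RunEntry", "hive name path date size")


def defang(url: str) -> str:
    """ComboFix writes hxxp:// so the log is not clickable; undo that for parsing."""
    return re.sub(r"^hxxp", "http", url, flags=re.I)


def host_of(url_or_host: str) -> str:
    """Host part of a URL; a bare host such as www.google.com passes through."""
    u = defang(url_or_host.strip())
    if "://" not in u:
        u = "http://" + u
    return urlparse(u).hostname or ""


def outside_standard_dirs(path: str) -> bool:
    """Heuristic: an autostart binary outside Program Files or Windows deserves a look."""
    p = path.lower()
    return not any(p.startswith(d) for d in STANDARD_DIRS)


def parse_combofix(text: str) -> dict:
    """Pull Run entries, firewall state and Firefox prefs out of a ComboFix-style log."""
    result = {"run": [], "firewall_enabled": None, "ff_prefs": {}}
    hive = None  # the [HK...\Run] header the following "name"="path" lines belong to
    for line in text.splitlines():
        line = line.strip()
        if not line:
            hive = None  # a blank line ends a registry key block
            continue
        if RUN_KEY_RE.match(line):
            hive = line.strip("[]")
            continue
        m = RUN_VALUE_RE.match(line)
        if m and hive:
            result["run"].append(RunEntry(hive, m["name"], m["path"], m["date"], int(m["size"])))
            continue
        m = FIREWALL_RE.match(line)
        if m:
            result["firewall_enabled"] = m["val"] != "0"
            continue
        m = FF_PREF_RE.match(line)
        if m:
            result["ff_prefs"][m["key"]] = m["val"]
    return result


def triage(parsed: dict) -> list:
    """(severity, message) pairs: things to verify by hand, not verdicts."""
    findings = []
    if parsed["firewall_enabled"] is False:
        findings.append(("high", "Windows Firewall standard profile is disabled (EnableFirewall=0)"))
    for e in parsed["run"]:
        if outside_standard_dirs(e.path):
            findings.append(("medium", f"autostart '{e.name}' runs from an unusual location: {e.path}"))
    prefs = parsed["ff_prefs"]
    home = host_of(prefs.get("browser.startup.homepage", ""))
    kw = prefs.get("keyword.URL")
    if kw and home:
        kw_host = host_of(kw)
        # Compare against the registrable-ish suffix so www.google.com vs google.com is not a hit.
        if kw_host and not kw_host.endswith(home.split(".", 1)[-1]):
            partner = parse_qs(urlparse(defang(kw)).query).get("pc", [""])[0]
            findings.append(("medium", f"address-bar search goes to {kw_host} (partner code "
                                       f"{partner!r}) while the homepage is {home}; confirm the user chose this"))
    return findings


if __name__ == "__main__":
    for severity, message in triage(parse_combofix(SAMPLE_LOG)):
        print(f"[{severity}] {message}")
```

Run against the constructed sample it reports two items: the disabled firewall and the Bing address-bar search that does not match the Google homepage. Neither is proof of infection; the script only narrows what to check.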


#10 JSntgRvr (Malware Response Team)

Posted 08 October 2010 - 10:40 AM

This time the log is clean.

Connect the other drives, but do not remove Combofix yet.

How is it doing afterward?

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#11 JSntgRvr (Malware Response Team)

Posted 19 October 2010 - 10:41 PM

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!



#12 JSntgRvr (Malware Response Team)

Posted 20 October 2010 - 09:27 PM

Topic opened at the starter's request.
