
Whitesmoke et al rootkit - won't let me post on this site!


This topic is locked
19 replies to this topic

#1 Towjumper


Posted 14 December 2010 - 02:39 PM

Hello all:

Thanks in advance for any help. I have an office computer that previously had a rootkit and therefore I installed Avast. A few days ago Avast went crazy with threat warnings and suddenly I was right back where I started.

I get pop-ups in Firefox and IE and the system is slow. Sometimes I get a registration pop-up for Whitesmoke Translator and other times I get .dll errors.

In fact, my system crashed while running the rootkit program before I could generate the ark.txt file the first time, and it will not let me create this message on the infected computer - it says connection reset, although all other sites work...

Thanks again for any help.


DDS (Ver_10-12-12.02) - NTFSx86 NETWORK
Run by priscilla at 13:57:45.46 on Tue 12/14/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.661 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\priscilla\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://companyweb/default.aspx
uInternet Settings,ProxyServer = http=127.0.0.1:23012
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [JobHisInit] c:\program files\rmclient\JobHisInit.exe
mRun: [MplSetUp] c:\program files\rmclient\MplSetUp.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [vmbyraqc] c:\windows\temp\ikmnifxuh\incbvvfaffm.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-f400-ba7e-100000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\launch~1.lnk - c:\program files\whitesmoke translator\WSTrayDictMode.exe
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {41861299-EAB2-4DCC-986C-802AE12AC499} - hxxp://map.ezlistmls.com/PUBLICREPORTS/Reserved.ReportViewerWebControl.axd?ExecutionID=p3ite0umofxo3255s3bgrj55&ControlID=355d24a663a848d394531f5479a5996d&Culture=1033&UICulture=9&ReportStack=1&OpType=PrintCab
DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} - hxxp://server/ConnectComputer/nshelp.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1164600089453
DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} - hxxp://server/tsweb/msrdp.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {FA91DF8D-53AB-455D-AB20-F2F023E498D3} - hxxp://map.ezlistmls.com/PUBLICREPORTS/Reserved.ReportViewerWebControl.axd?ExecutionID=ehdmva555hhqbd55yb0vu255&ControlID=2b4db193-778d-4d03-969b-3a61324377c2&Culture=1033&UICulture=9&ReportStack=1&OpType=PrintCab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
TCP: {562767CA-A896-4230-9033-2AFCC738C9F6} = 192.168.1.2
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\prisci~1\applic~1\mozilla\firefox\profiles\y75ua62x.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z007&form=ZGAADF&q=
FF - plugin: c:\documents and settings\priscilla\application data\mozilla\firefox\profiles\y75ua62x.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npsview.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: LogMeIn, Inc. Remote Access Plugin: LogMeInClient@logmein.com - %profile%\extensions\LogMeInClient@logmein.com

============= SERVICES / DRIVERS ===============

R3 TSUSB2;Driver for TellerScan Device;c:\windows\system32\drivers\TSUSB2.sys [2008-1-11 54016]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 GlidePoint;GlidePoint Touchpad Client;c:\program files\glidepoint\glidesvc.exe [2007-3-29 176128]
S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-11-16 374152]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-7-24 12856]
S2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-7-8 47640]
S3 glideusb;GlidePoint USB Touchpad Filter;c:\windows\system32\drivers\glideusb.sys [2007-10-3 44928]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2006-2-28 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2010-12-14 14:42:32 -------- d-----w- c:\windows\system32\wbem\repository\FS
2010-12-14 14:42:32 -------- d-----w- c:\windows\system32\wbem\Repository
2010-12-14 14:40:10 0 ----a-w- c:\windows\system32\lsp2.tmp
2010-12-13 13:46:23 -------- d-----w- c:\documents and settings\priscilla\IECompatCache
2010-11-30 23:14:48 16856 ----a-w- c:\program files\mozilla firefox\plugin-container.exe
2010-11-30 23:14:46 719832 ----a-w- c:\program files\mozilla firefox\mozcpp19.dll
2010-11-30 15:06:37 0 ----a-w- c:\windows\Pjujoyexamecusu.bin
2010-11-30 15:06:06 -------- d-----w- c:\docume~1\prisci~1\applic~1\whitesmoketoolbar
2010-11-30 15:04:18 -------- d-----w- c:\windows\system32\%APPDATA%
2010-11-24 13:52:04 -------- d-----w- c:\windows\pss
2010-11-16 19:47:32 2549760 ------w- c:\windows\system32\VXEngine.dll
2010-11-16 19:47:32 237568 ------w- c:\windows\system32\VisionAPI.dll
2010-11-16 19:47:23 1822720 ------w- c:\windows\system32\PaniniOCR.dll
2010-11-16 19:44:27 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-16 19:44:27 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-16 19:44:27 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2010-11-16 19:40:28 -------- d-----w- c:\windows\system32\appmgmt
2010-11-16 19:32:46 -------- d--h--w- c:\windows\PIF
2010-11-16 16:40:31 -------- d-----w- c:\docume~1\prisci~1\locals~1\applic~1\Identities
2010-11-16 16:40:26 -------- d-----w- c:\docume~1\prisci~1\applic~1\Windows Desktop Search
2010-11-16 16:39:34 -------- d-----w- c:\program files\Windows Desktop Search
2010-11-16 16:38:03 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll
2010-11-16 16:38:03 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll
2010-11-16 16:38:03 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll
2010-11-16 16:37:31 -------- d-----w- c:\program files\Windows Media Connect 2
2010-11-16 15:12:30 -------- d-----w- c:\windows\system32\winrm
2010-11-16 15:12:30 -------- d-----w- c:\windows\system32\GroupPolicy
2010-11-16 15:12:24 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2010-11-16 14:42:23 -------- d-sha-r- C:\cmdcons
2010-11-16 14:39:34 98816 ----a-w- c:\windows\sed.exe
2010-11-16 14:39:34 89088 ----a-w- c:\windows\MBR.exe
2010-11-16 14:39:34 256512 ----a-w- c:\windows\PEV.exe
2010-11-16 14:39:34 161792 ----a-w- c:\windows\SWREG.exe
2010-11-16 14:36:21 3989479 ----a-r- C:\ComboFix.exe
2010-11-16 14:04:07 3040 ----a-w- C:\fix_svchost.bat
2010-11-16 13:58:43 6216032 ----a-w- C:\windowsupdateagent30-x86.exe
2010-11-15 22:16:12 -------- d-----w- C:\avast

==================== Find3M ====================

2010-10-19 20:51:33 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-05 14:17:08 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll.000.bak
2010-10-05 14:17:08 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2010-10-05 14:17:08 83360 ----a-w- c:\windows\system32\LMIRfsClientNP(2).dll
2010-10-05 14:17:08 53632 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
2010-10-05 14:17:07 87424 ----a-w- c:\windows\system32\LMIinit.dll.000.bak
2010-10-05 14:17:07 87424 ----a-w- c:\windows\system32\LMIinit.dll
2010-10-05 14:17:07 29568 ----a-w- c:\windows\system32\LMIport.dll
2010-09-18 16:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3808110AS rev.3.ADH -> Harddisk0\DR0 -> \Device\Ide\IdePort1 P1T0L0-e

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86F41555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x86f477b0]; MOV EAX, [0x86f4782c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x86FD3AB8]
3 CLASSPNP[0xF7565FD7] -> nt!IofCallDriver[0x804E13B9] -> [0x86EF3698]
\Driver\atapi[0x86FA4B78] -> IRP_MJ_CREATE -> 0x86F41555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP1T0L0-e -> \??\IDE#DiskST3808110AS_____________________________3.ADH___#5&2510770d&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x86F4139B
user & kernel MBR OK
copy of MBR has been found in sector 9 !
Warning: possible TDL3 rootkit infection !

============= FINISH: 14:00:11.09 ===============


#2 teacup61 (Malware Response Team)

Posted 19 December 2010 - 06:25 PM

Hello Towjumper ,


Sorry for the delay. :( If you still need help, please post a new DDS/HijackThis log and I'll be happy to look at it. :)

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!


Error reading poptart in Drive A: Delete kids y/n?

#3 Towjumper (Topic Starter)

Posted 20 December 2010 - 02:16 PM

Tea:

Thanks for the reply. The machine is still infected, I suspect. I get a BSOD occasionally and I still cannot get Avast to update in spite of reinstalling it a couple of times.

The DDS file and Malwarebytes logs are here and also the report from gmer.

Thanks again.


DDS (Ver_10-12-12.02) - NTFSx86
Run by administrator at 12:25:09.63 on Mon 12/20/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.326 [GMT -5:00]

AV: avast! Antivirus *Disabled/Outdated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *Disabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\GlidePoint\glidesvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\administrator.MAGOFFICE\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://companyweb
uURLSearchHooks: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\tbZone.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: ZoneAlarm Security Engine Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\tbZone.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\tbZone.dll
TB: ZoneAlarm Security Engine: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [JobHisInit] c:\program files\rmclient\JobHisInit.exe
mRun: [MplSetUp] c:\program files\rmclient\MplSetUp.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [ISW] "c:\program files\checkpoint\zaforcefield\ForceField.exe" /icon="hidden"
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-f400-ba7e-100000000002}\SC_Acrobat.exe
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {41861299-EAB2-4DCC-986C-802AE12AC499} - hxxp://map.ezlistmls.com/PUBLICREPORTS/Reserved.ReportViewerWebControl.axd?ExecutionID=p3ite0umofxo3255s3bgrj55&ControlID=355d24a663a848d394531f5479a5996d&Culture=1033&UICulture=9&ReportStack=1&OpType=PrintCab
DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} - hxxp://server/ConnectComputer/nshelp.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1164600089453
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} - hxxp://server/tsweb/msrdp.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {FA91DF8D-53AB-455D-AB20-F2F023E498D3} - hxxp://map.ezlistmls.com/PUBLICREPORTS/Reserved.ReportViewerWebControl.axd?ExecutionID=ehdmva555hhqbd55yb0vu255&ControlID=2b4db193-778d-4d03-969b-3a61324377c2&Culture=1033&UICulture=9&ReportStack=1&OpType=PrintCab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
TCP: {562767CA-A896-4230-9033-2AFCC738C9F6} = 192.168.1.2
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1.mag\applic~1\mozilla\firefox\profiles\x7qak36i.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\documents and settings\administrator.magoffice\application data\mozilla\firefox\profiles\x7qak36i.default\extensions\{91da5e8a-3318-4f8c-b67e-5964de3ab546}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\administrator.magoffice\application data\mozilla\firefox\profiles\x7qak36i.default\extensions\{91da5e8a-3318-4f8c-b67e-5964de3ab546}\components\RadioWMPCore.dll
FF - component: c:\program files\checkpoint\zaforcefield\trustchecker\components\TrustCheckerMozillaPlugin.dll
FF - plugin: c:\program files\checkpoint\zaforcefield\trustchecker\bin\npFFApi.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npsview.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: ZoneAlarm Security Engine: {FFB96CC1-7EB3-449D-B827-DB661701C6BB} - c:\program files\checkpoint\zaforcefield\TrustChecker
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - %profile%\extensions\{91da5e8a-3318-4f8c-b67e-5964de3ab546}

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-12-17 165584]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2010-12-16 532224]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-12-17 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-12-17 40384]
R2 GlidePoint;GlidePoint Touchpad Client;c:\program files\glidepoint\glidesvc.exe [2007-3-29 176128]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2010-9-2 26872]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2010-9-2 493048]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-11-16 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-7-24 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-7-8 47640]
R3 TSUSB2;Driver for TellerScan Device;c:\windows\system32\drivers\TSUSB2.sys [2008-1-11 54016]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-12-17 40384]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-12-17 40384]
S3 glideusb;GlidePoint USB Touchpad Filter;c:\windows\system32\drivers\glideusb.sys [2007-10-3 44928]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2006-2-28 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2010-12-17 16:50:07 38848 ----a-w- c:\windows\avastSS.scr
2010-12-16 23:34:50 -------- d-s---w- C:\ComboFix
2010-12-16 23:13:28 -------- d-----w- c:\docume~1\admini~1.mag\applic~1\CheckPoint
2010-12-16 23:12:37 -------- d-----w- c:\docume~1\admini~1.mag\locals~1\applic~1\Conduit
2010-12-16 23:12:36 -------- d-----w- c:\program files\Conduit
2010-12-16 23:12:34 -------- d-----w- c:\docume~1\admini~1.mag\locals~1\applic~1\ZoneAlarm_Security
2010-12-16 23:12:30 -------- d-----w- c:\program files\ZoneAlarm_Security
2010-12-16 23:12:19 -------- d-----w- c:\program files\CheckPoint
2010-12-16 23:11:58 1238528 ----a-w- c:\windows\system32\zpeng25.dll
2010-12-16 23:11:58 -------- d-----w- c:\windows\system32\ZoneLabs
2010-12-16 23:11:56 -------- d-----w- c:\program files\Zone Labs
2010-12-16 23:11:22 -------- d-----w- c:\windows\Internet Logs
2010-12-16 23:05:33 -------- d-----w- c:\program files\ESET
2010-12-16 22:41:31 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-16 22:40:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2010-12-16 20:26:54 -------- d-----w- c:\documents and settings\administrator.magoffice\CheckTrade
2010-12-15 20:24:16 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-15 20:24:12 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-14 14:42:32 -------- d-----w- c:\windows\system32\wbem\repository\FS
2010-12-14 14:42:32 -------- d-----w- c:\windows\system32\wbem\Repository
2010-12-14 14:40:10 0 ----a-w- c:\windows\system32\lsp2.tmp
2010-11-30 23:14:48 16856 ----a-w- c:\program files\mozilla firefox\plugin-container.exe
2010-11-30 23:14:46 719832 ----a-w- c:\program files\mozilla firefox\mozcpp19.dll
2010-11-30 15:06:37 0 ----a-w- c:\windows\Pjujoyexamecusu.bin
2010-11-30 15:04:18 -------- d-----w- c:\windows\system32\%APPDATA%
2010-11-24 13:52:04 -------- d-----w- c:\windows\pss

==================== Find3M ====================

2010-12-15 20:21:28 3991489 ----a-r- C:\ComboFix.exe
2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-16 14:04:07 3040 ----a-w- C:\fix_svchost.bat
2010-11-16 13:19:14 6216032 ----a-w- C:\windowsupdateagent30-x86.exe
2010-11-12 23:53:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-12 21:34:10 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-08 06:20:24 89088 ----a-w- c:\windows\MBR.exe
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2010-10-19 20:51:33 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-05 14:17:08 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll.000.bak
2010-10-05 14:17:08 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2010-10-05 14:17:08 83360 ----a-w- c:\windows\system32\LMIRfsClientNP(2).dll
2010-10-05 14:17:08 53632 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
2010-10-05 14:17:07 87424 ----a-w- c:\windows\system32\LMIinit.dll.000.bak
2010-10-05 14:17:07 87424 ----a-w- c:\windows\system32\LMIinit.dll
2010-10-05 14:17:07 29568 ----a-w- c:\windows\system32\LMIport.dll

============= FINISH: 12:26:22.36 ===============

Malwarebytes Logs

Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 5343

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/17/2010 1:28:25 PM
mbam-log-2010-12-17 (13-28-25).txt

Scan type: Full scan (C:\|)
Objects scanned: 308446
Time elapsed: 1 hour(s), 22 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Attached Files

  • Attached File  ark.log   112.52KB   2 downloads


#4 Towjumper (Topic Starter)

Posted 20 December 2010 - 02:18 PM

Somehow the attached file did not attach. Here it is.


#5 teacup61 (Malware Response Team)

Posted 20 December 2010 - 02:41 PM

I see you've run ComboFix... could you please post the report? :)
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#6 Towjumper
  • Topic Starter
  • Members
  • 12 posts

Posted 20 December 2010 - 03:21 PM

Sure - here it is.

Thanks again!

Attached Files



#7 teacup61 (Bleepin' Texan!)
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 20 December 2010 - 03:42 PM

Hi there. Are BSODs the only problems? Every little bit of info helps. :thumbup2:

We need to get a fresh, updated copy of ComboFix.

Uninstall ComboFix by doing the following:

Click Start > Run > type in, or copy and paste, ComboFix /Uninstall > click OK

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Double-click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

If you have trouble running it the first time, then rename ComboFix.exe to jumper.exe and try again.

Thanks,
tea

#8 Towjumper
  • Topic Starter
  • Members
  • 12 posts

Posted 20 December 2010 - 05:20 PM

Here is the ComboFix log.

Thanks!

ComboFix 10-12-20.01 - priscilla 12/20/2010 17:01:21.9.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.540 [GMT -5:00]
Running from: c:\documents and settings\priscilla\Desktop\random.exe
AV: avast! Antivirus *Disabled/Outdated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((( Files Created from 2010-11-20 to 2010-12-20 )))))))))))))))))))))))))))))))
.

2010-12-20 19:42 . 2010-12-20 19:42 -------- d-----w- c:\documents and settings\priscilla\Application Data\CheckPoint
2010-12-17 16:50 . 2010-09-07 15:47 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-12-17 16:50 . 2010-09-07 15:52 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-12-17 16:50 . 2010-09-07 15:47 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-12-17 16:50 . 2010-09-07 15:52 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-12-17 16:50 . 2010-09-07 15:47 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-12-17 16:50 . 2010-09-07 15:47 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-12-17 16:50 . 2010-09-07 15:46 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-12-17 16:50 . 2010-09-07 16:12 38848 ----a-w- c:\windows\avastSS.scr
2010-12-17 16:50 . 2010-09-07 16:11 167592 ----a-w- c:\windows\system32\aswBoot.exe
2010-12-16 23:13 . 2010-12-16 23:13 -------- d-----w- c:\documents and settings\administrator.MAGOFFICE\Application Data\CheckPoint
2010-12-16 23:12 . 2010-12-17 16:24 -------- d-----w- c:\documents and settings\administrator.MAGOFFICE\Local Settings\Application Data\Conduit
2010-12-16 23:12 . 2010-12-16 23:12 -------- d-----w- c:\program files\Conduit
2010-12-16 23:12 . 2010-12-17 16:25 -------- d-----w- c:\documents and settings\administrator.MAGOFFICE\Local Settings\Application Data\ZoneAlarm_Security
2010-12-16 23:12 . 2010-12-16 23:12 -------- d-----w- c:\program files\ZoneAlarm_Security
2010-12-16 23:12 . 2010-12-16 23:12 -------- d-----w- c:\program files\CheckPoint
2010-12-16 23:12 . 2010-09-02 14:20 69120 ----a-w- c:\windows\system32\zlcomm.dll
2010-12-16 23:12 . 2010-09-02 14:20 103936 ----a-w- c:\windows\system32\zlcommdb.dll
2010-12-16 23:11 . 2010-12-16 23:13 -------- d-----w- c:\windows\system32\ZoneLabs
2010-12-16 23:11 . 2010-09-02 14:20 1238528 ----a-w- c:\windows\system32\zpeng25.dll
2010-12-16 23:11 . 2010-12-16 23:11 -------- d-----w- c:\program files\Zone Labs
2010-12-16 23:11 . 2010-12-20 21:37 -------- d-----w- c:\windows\Internet Logs
2010-12-16 23:05 . 2010-12-16 23:05 -------- d-----w- c:\program files\ESET
2010-12-16 22:41 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-16 22:40 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2010-12-16 20:35 . 2010-12-16 20:35 -------- d-----w- c:\documents and settings\administrator.MAGOFFICE\Application Data\AdobeUM
2010-12-16 20:26 . 2010-12-16 20:34 -------- d-----w- c:\documents and settings\administrator.MAGOFFICE\CheckTrade
2010-12-15 20:24 . 2010-11-30 16:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-15 20:24 . 2010-11-30 16:22 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-14 14:42 . 2010-12-14 14:42 -------- d-----w- c:\windows\system32\wbem\Repository
2010-12-14 14:40 . 2010-12-14 14:40 0 ----a-w- c:\windows\system32\lsp2.tmp
2010-12-13 13:46 . 2010-12-13 13:46 -------- d-----w- c:\documents and settings\priscilla\IECompatCache
2010-12-10 21:03 . 2010-12-10 21:03 -------- d-----w- c:\documents and settings\NetworkService\IECompatCache
2010-12-10 16:57 . 2010-12-10 16:57 -------- d-----w- c:\documents and settings\NetworkService\PrivacIE
2010-11-30 23:14 . 2010-12-14 18:48 16856 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe
2010-11-30 23:14 . 2010-12-14 18:48 719832 ----a-w- c:\program files\Mozilla Firefox\mozcpp19.dll
2010-11-30 15:06 . 2010-12-13 13:39 0 ----a-w- c:\windows\Pjujoyexamecusu.bin
2010-11-30 15:04 . 2010-11-30 15:04 -------- d-----w- c:\windows\system32\%APPDATA%

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-15 20:21 . 2010-11-16 14:36 3991489 ----a-r- C:\ComboFix.exe
2010-11-18 18:12 . 2006-11-27 01:52 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-16 14:04 . 2010-11-16 14:04 3040 ----a-w- C:\fix_svchost.bat
2010-11-12 23:53 . 2010-11-16 19:44 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-12 21:34 . 2010-11-16 19:44 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-06 00:26 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2006-02-28 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2006-02-28 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2006-02-28 12:00 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2006-02-28 12:00 40960 ------w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2006-02-28 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2006-02-28 12:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2010-10-19 20:51 . 2010-07-06 16:13 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-05 14:17 . 2009-07-08 22:02 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll.000.bak
2010-10-05 14:17 . 2009-07-08 22:02 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2010-10-05 14:17 . 2009-07-08 22:02 83360 ----a-w- c:\windows\system32\LMIRfsClientNP(2).dll
2010-10-05 14:17 . 2009-07-08 22:02 53632 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2010-10-05 14:17 . 2009-07-08 22:02 29568 ----a-w- c:\windows\system32\LMIport.dll
2010-10-05 14:17 . 2009-07-08 22:02 87424 ----a-w- c:\windows\system32\LMIinit.dll.000.bak
2010-10-05 14:17 . 2009-07-08 22:02 87424 ----a-w- c:\windows\system32\LMIinit.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
2010-12-01 16:27 2735200 ----a-w- c:\program files\ZoneAlarm_Security\tbZone.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\tbZone.dll" [2010-12-01 2735200]

[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"SigmatelSysTrayApp"="stsystra.exe" [2006-02-10 282624]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"JobHisInit"="c:\program files\RMClient\JobHisInit.exe" [2005-08-01 151552]
"MplSetUp"="c:\program files\RMClient\MplSetUp.exe" [2000-11-04 40960]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-09-02 1043968]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2010-09-02 738808]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-F400-BA7E-100000000002}\SC_Acrobat.exe [2006-11-26 25214]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-10-05 14:17 87424 ----a-w- c:\windows\system32\LMIinit.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Calendar Sync.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Calendar Sync.lnk
backup=c:\windows\pss\Google Calendar Sync.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/17/2010 11:50 AM 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/17/2010 11:50 AM 17744]
R2 GlidePoint;GlidePoint Touchpad Client;c:\program files\GlidePoint\glidesvc.exe [3/29/2007 1:37 PM 176128]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [9/2/2010 7:26 AM 26872]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [9/2/2010 7:26 AM 493048]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [11/16/2010 8:58 AM 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [7/24/2008 5:46 PM 12856]
R3 TSUSB2;Driver for TellerScan Device;c:\windows\system32\drivers\TSUSB2.sys [1/11/2008 11:42 AM 54016]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 glideusb;GlidePoint USB Touchpad Filter;c:\windows\system32\drivers\glideusb.sys [10/3/2007 8:22 AM 44928]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2/28/2006 7:00 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]

--- Other Services/Drivers In Memory ---

*Deregistered* - uwtyypog

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://companyweb/default.aspx
uInternet Settings,ProxyServer = http=127.0.0.1:23012
uInternet Settings,ProxyOverride = <local>
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {562767CA-A896-4230-9033-2AFCC738C9F6} = 192.168.1.2
DPF: {41861299-EAB2-4DCC-986C-802AE12AC499} - hxxp://map.ezlistmls.com/PUBLICREPORTS/Reserved.ReportViewerWebControl.axd?ExecutionID=p3ite0umofxo3255s3bgrj55&ControlID=355d24a663a848d394531f5479a5996d&Culture=1033&UICulture=9&ReportStack=1&OpType=PrintCab
FF - ProfilePath - c:\documents and settings\priscilla\Application Data\Mozilla\Firefox\Profiles\y75ua62x.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z007&form=ZGAADF&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: ZoneAlarm Security Engine: {FFB96CC1-7EB3-449D-B827-DB661701C6BB} - c:\program files\CheckPoint\ZAForceField\TrustChecker
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: LogMeIn, Inc. Remote Access Plugin: LogMeInClient@logmein.com - %profile%\extensions\LogMeInClient@logmein.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-20 17:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(704)
c:\windows\system32\LMIinit.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'lsass.exe'(784)
c:\program files\Bonjour\mdnsNSP.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

- - - - - - - > 'explorer.exe'(4000)
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-12-20 17:10:19
ComboFix-quarantined-files.txt 2010-12-20 22:10

Pre-Run: 45,097,594,880 bytes free
Post-Run: 45,138,165,760 bytes free

- - End Of File - - C090AD5212E32769A9ED8F40F0BE33DA

#9 teacup61 (Bleepin' Texan!)
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 20 December 2010 - 05:28 PM

What is this please? C:\fix_svchost.bat

* Open Notepad - don't use any text editor other than Notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

DRIVER::
uwtyypog


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: dragging CFScript onto ComboFix.exe]

This will start ComboFix again.

After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.

Thanks,
tea

#10 Towjumper
  • Topic Starter
  • Members
  • 12 posts

Posted 20 December 2010 - 06:05 PM

I am not sure what that file is - I removed it, FWIW. I looked at the batch file in Notepad and it was ASCII character junk. I can upload it if it helps.

Other than BSODs and things like the AV programs not updating, there is nothing going on right now. The first time I ran CF it allowed me to update Windows, which it was not doing before. Also, prior to CF I could not post to this site; it would lose connection and time out.

Thanks again for your help - it is MUCH appreciated.

This is the log file:
ComboFix 10-12-20.01 - priscilla 12/20/2010 17:40:21.10.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.602 [GMT -5:00]
Running from: c:\documents and settings\priscilla\Desktop\random.exe
Command switches used :: c:\documents and settings\priscilla\Desktop\cfscript.txt
AV: avast! Antivirus *Disabled/Outdated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_UWTYYPOG
-------\Service_uwtyypog


((((((((((((((((((((((((( Files Created from 2010-11-20 to 2010-12-20 )))))))))))))))))))))))))))))))
.

2010-12-20 19:42 . 2010-12-20 19:42 -------- d-----w- c:\documents and settings\priscilla\Application Data\CheckPoint
2010-12-17 16:50 . 2010-09-07 15:47 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-12-17 16:50 . 2010-09-07 15:52 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-12-17 16:50 . 2010-09-07 15:47 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-12-17 16:50 . 2010-09-07 15:52 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-12-17 16:50 . 2010-09-07 15:47 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-12-17 16:50 . 2010-09-07 15:47 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-12-17 16:50 . 2010-09-07 15:46 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-12-17 16:50 . 2010-09-07 16:12 38848 ----a-w- c:\windows\avastSS.scr
2010-12-17 16:50 . 2010-09-07 16:11 167592 ----a-w- c:\windows\system32\aswBoot.exe
2010-12-16 23:13 . 2010-12-16 23:13 -------- d-----w- c:\documents and settings\administrator.MAGOFFICE\Application Data\CheckPoint
2010-12-16 23:12 . 2010-12-17 16:24 -------- d-----w- c:\documents and settings\administrator.MAGOFFICE\Local Settings\Application Data\Conduit
2010-12-16 23:12 . 2010-12-16 23:12 -------- d-----w- c:\program files\Conduit
2010-12-16 23:12 . 2010-12-17 16:25 -------- d-----w- c:\documents and settings\administrator.MAGOFFICE\Local Settings\Application Data\ZoneAlarm_Security
2010-12-16 23:12 . 2010-12-16 23:12 -------- d-----w- c:\program files\ZoneAlarm_Security
2010-12-16 23:12 . 2010-12-16 23:12 -------- d-----w- c:\program files\CheckPoint
2010-12-16 23:12 . 2010-09-02 14:20 69120 ----a-w- c:\windows\system32\zlcomm.dll
2010-12-16 23:12 . 2010-09-02 14:20 103936 ----a-w- c:\windows\system32\zlcommdb.dll
2010-12-16 23:11 . 2010-12-16 23:13 -------- d-----w- c:\windows\system32\ZoneLabs
2010-12-16 23:11 . 2010-09-02 14:20 1238528 ----a-w- c:\windows\system32\zpeng25.dll
2010-12-16 23:11 . 2010-12-16 23:11 -------- d-----w- c:\program files\Zone Labs
2010-12-16 23:11 . 2010-12-20 22:52 -------- d-----w- c:\windows\Internet Logs
2010-12-16 23:05 . 2010-12-16 23:05 -------- d-----w- c:\program files\ESET
2010-12-16 22:41 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-16 22:40 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2010-12-16 20:35 . 2010-12-16 20:35 -------- d-----w- c:\documents and settings\administrator.MAGOFFICE\Application Data\AdobeUM
2010-12-16 20:26 . 2010-12-16 20:34 -------- d-----w- c:\documents and settings\administrator.MAGOFFICE\CheckTrade
2010-12-15 20:24 . 2010-11-30 16:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-15 20:24 . 2010-11-30 16:22 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-14 14:42 . 2010-12-14 14:42 -------- d-----w- c:\windows\system32\wbem\Repository
2010-12-14 14:40 . 2010-12-14 14:40 0 ----a-w- c:\windows\system32\lsp2.tmp
2010-12-13 13:46 . 2010-12-13 13:46 -------- d-----w- c:\documents and settings\priscilla\IECompatCache
2010-12-10 21:03 . 2010-12-10 21:03 -------- d-----w- c:\documents and settings\NetworkService\IECompatCache
2010-12-10 16:57 . 2010-12-10 16:57 -------- d-----w- c:\documents and settings\NetworkService\PrivacIE
2010-11-30 23:14 . 2010-12-14 18:48 16856 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe
2010-11-30 23:14 . 2010-12-14 18:48 719832 ----a-w- c:\program files\Mozilla Firefox\mozcpp19.dll
2010-11-30 15:06 . 2010-12-13 13:39 0 ----a-w- c:\windows\Pjujoyexamecusu.bin
2010-11-30 15:04 . 2010-11-30 15:04 -------- d-----w- c:\windows\system32\%APPDATA%

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-15 20:21 . 2010-11-16 14:36 3991489 ----a-r- C:\ComboFix.exe
2010-11-18 18:12 . 2006-11-27 01:52 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-12 23:53 . 2010-11-16 19:44 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-12 21:34 . 2010-11-16 19:44 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-06 00:26 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2006-02-28 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2006-02-28 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2006-02-28 12:00 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2006-02-28 12:00 40960 ------w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2006-02-28 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2006-02-28 12:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2010-10-19 20:51 . 2010-07-06 16:13 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-05 14:17 . 2009-07-08 22:02 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll.000.bak
2010-10-05 14:17 . 2009-07-08 22:02 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2010-10-05 14:17 . 2009-07-08 22:02 83360 ----a-w- c:\windows\system32\LMIRfsClientNP(2).dll
2010-10-05 14:17 . 2009-07-08 22:02 53632 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2010-10-05 14:17 . 2009-07-08 22:02 29568 ----a-w- c:\windows\system32\LMIport.dll
2010-10-05 14:17 . 2009-07-08 22:02 87424 ----a-w- c:\windows\system32\LMIinit.dll.000.bak
2010-10-05 14:17 . 2009-07-08 22:02 87424 ----a-w- c:\windows\system32\LMIinit.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
2010-12-01 16:27 2735200 ----a-w- c:\program files\ZoneAlarm_Security\tbZone.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\tbZone.dll" [2010-12-01 2735200]

[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"SigmatelSysTrayApp"="stsystra.exe" [2006-02-10 282624]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"JobHisInit"="c:\program files\RMClient\JobHisInit.exe" [2005-08-01 151552]
"MplSetUp"="c:\program files\RMClient\MplSetUp.exe" [2000-11-04 40960]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-09-02 1043968]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2010-09-02 738808]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-F400-BA7E-100000000002}\SC_Acrobat.exe [2006-11-26 25214]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-10-05 14:17 87424 ----a-w- c:\windows\system32\LMIinit.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Calendar Sync.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Calendar Sync.lnk
backup=c:\windows\pss\Google Calendar Sync.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/17/2010 11:50 AM 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/17/2010 11:50 AM 17744]
R2 GlidePoint;GlidePoint Touchpad Client;c:\program files\GlidePoint\glidesvc.exe [3/29/2007 1:37 PM 176128]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [9/2/2010 7:26 AM 26872]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [9/2/2010 7:26 AM 493048]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [11/16/2010 8:58 AM 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [7/24/2008 5:46 PM 12856]
R3 TSUSB2;Driver for TellerScan Device;c:\windows\system32\drivers\TSUSB2.sys [1/11/2008 11:42 AM 54016]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 glideusb;GlidePoint USB Touchpad Filter;c:\windows\system32\drivers\glideusb.sys [10/3/2007 8:22 AM 44928]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2/28/2006 7:00 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://companyweb/default.aspx
uInternet Settings,ProxyServer = http=127.0.0.1:23012
uInternet Settings,ProxyOverride = <local>
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {562767CA-A896-4230-9033-2AFCC738C9F6} = 192.168.1.2
DPF: {41861299-EAB2-4DCC-986C-802AE12AC499} - hxxp://map.ezlistmls.com/PUBLICREPORTS/Reserved.ReportViewerWebControl.axd?ExecutionID=p3ite0umofxo3255s3bgrj55&ControlID=355d24a663a848d394531f5479a5996d&Culture=1033&UICulture=9&ReportStack=1&OpType=PrintCab
FF - ProfilePath - c:\documents and settings\priscilla\Application Data\Mozilla\Firefox\Profiles\y75ua62x.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z007&form=ZGAADF&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: ZoneAlarm Security Engine: {FFB96CC1-7EB3-449D-B827-DB661701C6BB} - c:\program files\CheckPoint\ZAForceField\TrustChecker
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: LogMeIn, Inc. Remote Access Plugin: LogMeInClient@logmein.com - %profile%\extensions\LogMeInClient@logmein.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-20 17:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(704)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

- - - - - - - > 'lsass.exe'(760)
c:\program files\Bonjour\mdnsNSP.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

- - - - - - - > 'explorer.exe'(3208)
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\wscntfy.exe
c:\windows\stsystra.exe
c:\program files\Adobe\Acrobat 7.0\Distillr\AcroDist.exe
c:\program files\Adobe\Acrobat 7.0\Acrobat\Acrobat_sl.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-12-20 17:57:27 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-20 22:57
ComboFix2.txt 2010-12-20 22:10

Pre-Run: 45,147,324,416 bytes free
Post-Run: 45,070,422,016 bytes free

- - End Of File - - A575FFB7C1BE2A7CD7DCFA02037E2EA2

#11 teacup61 (Malware Response Team)

Posted 20 December 2010 - 06:20 PM

Hi :)

You're welcome. :)

Avast! is showing as outdated. Have you tried getting the latest build?

I'm curious... what's in here? c:\windows\system32\%APPDATA% I'm betting there's something about Whitesmoke in there, if it isn't empty. Delete it if it is.

Do you use a proxy server? http=127.0.0.1:23012
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#12 Towjumper (Topic Starter)

Posted 20 December 2010 - 06:31 PM

You were right: the %appdata% folder had Whitesmoke files and I deleted them. I am amazed that none of the AV and anti-spyware scans I ran found that subdirectory.

I do not use a proxy server that I know of... I have a gateway (the MS SBS) and that pulls from a DD-WRT router.

I have installed and removed Avast several times, but I think something is blocking it from updating, as it fails every time. Could the proxy server have something to do with that?

Best Regards!

#13 teacup61 (Malware Response Team)

Posted 20 December 2010 - 06:36 PM

Let's fix it then and see:

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:23012


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

tea
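The two items teacup61 keys on in posts #11 and #13 are both visible in the ComboFix/DDS report itself: the per-user browser proxy pointing at 127.0.0.1:23012 that nobody configured, and the AV/firewall lines marked Disabled or Outdated. Below is an added example of a small triage script for log lines in that shape; it is not part of the thread and not code from ComboFix, DDS or BleepingComputer. The sample lines are constructed to match the report above, the severity labels and function names are my own, and the reading of the `u`/`m` prefixes as HKCU/HKLM is the DDS convention as I understand it.

```python
"""Triage helper for DDS/ComboFix-style log lines (added example, not part
of the thread or of either tool).

Flags a browser proxy that points at the local host (a local process sits
in the path of all browser traffic, which is consistent with 'connection
reset' on security sites and failed AV updates) and reports security
products the log marks Disabled or Outdated.
"""
import re
from ipaddress import ip_address

# Constructed sample in the shape of the ComboFix report above.
SAMPLE_LOG = """\
AV: avast! Antivirus *Disabled/Outdated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
uStart Page = hxxp://companyweb/default.aspx
uInternet Settings,ProxyServer = http=127.0.0.1:23012
uInternet Settings,ProxyOverride = <local>
TCP: {562767CA-A896-4230-9033-2AFCC738C9F6} = 192.168.1.2
"""

# DDS prefixes HKCU entries with 'u' and HKLM entries with 'm' (assumption).
PROXY_RE = re.compile(
    r"^(?P<scope>[um])Internet Settings,ProxyServer\s*=\s*(?P<value>\S.*?)\s*$")
# 'AV: <name> *<state>* {GUID}' as in the report header.
PRODUCT_RE = re.compile(
    r"^(?P<kind>AV|FW|AS):\s*(?P<name>.+?)\s*\*(?P<state>[^*]+)\*")


def parse_proxy_server(value):
    """Split a WinINet ProxyServer string into {scheme: (host, port)}.

    WinINet accepts a bare 'host:port' (all protocols, keyed '*' here) or a
    ';'-separated list of 'scheme=host:port' entries.  Port is None when
    absent or non-numeric.
    """
    out = {}
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        scheme, _, hostport = entry.rpartition("=")
        host, sep, port = hostport.rpartition(":")
        if not sep:                      # no port given
            host, port = hostport, None
        else:
            port = int(port) if port.isdigit() else None
        out[scheme.strip() or "*"] = (host.strip().strip("[]"), port)
    return out


def is_loopback(host):
    """True for 'localhost', 127.0.0.0/8 and ::1."""
    if host.lower() == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:                   # a hostname, not an address
        return False


def triage(log_text):
    """Return [(severity, message), ...] for one log, in line order."""
    findings = []
    for line in log_text.splitlines():
        m = PROXY_RE.match(line)
        if m:
            scope = "per-user" if m.group("scope") == "u" else "machine-wide"
            for scheme, (host, port) in parse_proxy_server(m.group("value")).items():
                where = f"{host}:{port}" if port is not None else host
                if is_loopback(host):
                    findings.append(("HIGH", f"{scope} {scheme} proxy {where} is on the local host; "
                                             "a local process is in the path of all browser traffic"))
                else:
                    findings.append(("INFO", f"{scope} {scheme} proxy {where}; confirm it is sanctioned"))
            continue
        m = PRODUCT_RE.match(line)
        if m and re.search(r"Disabled|Outdated", m.group("state")):
            findings.append(("MEDIUM", f"{m.group('kind')} {m.group('name')} reported *{m.group('state')}*"))
    return findings


if __name__ == "__main__":
    for severity, message in triage(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```

On the machine itself the same value lives under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings (ProxyServer, ProxyEnable, ProxyOverride). Before clearing a loopback proxy, check which process owns the port (`netstat -ano` on XP shows the PID), since some legitimate web-filtering products also insert a local proxy; the `DDS::` line in the CFScript above is the ComboFix way of removing the entry once you have decided it is unwanted.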

#14 Towjumper (Topic Starter)

Posted 21 December 2010 - 10:35 AM

Here is the latest Combofix log.

Thanks in advance!
ComboFix 10-12-20.04 - priscilla 12/21/2010 9:42.12.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.594 [GMT -5:00]
Running from: c:\documents and settings\priscilla\Desktop\random2.exe
Command switches used :: c:\documents and settings\priscilla\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Outdated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((( Files Created from 2010-11-21 to 2010-12-21 )))))))))))))))))))))))))))))))
.

2010-12-21 14:18 . 2010-12-21 14:18 -------- d-----w- c:\documents and settings\priscilla\Local Settings\Application Data\Conduit
2010-12-21 14:18 . 2010-12-21 14:18 -------- d-----w- c:\documents and settings\priscilla\Local Settings\Application Data\ZoneAlarm_Security
2010-12-20 19:42 . 2010-12-20 19:42 -------- d-----w- c:\documents and settings\priscilla\Application Data\CheckPoint
2010-12-17 16:50 . 2010-09-07 15:47 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-12-17 16:50 . 2010-09-07 15:52 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-12-17 16:50 . 2010-09-07 15:47 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-12-17 16:50 . 2010-09-07 15:52 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-12-17 16:50 . 2010-09-07 15:47 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-12-17 16:50 . 2010-09-07 15:47 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-12-17 16:50 . 2010-09-07 15:46 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-12-17 16:50 . 2010-09-07 16:12 38848 ----a-w- c:\windows\avastSS.scr
2010-12-17 16:50 . 2010-09-07 16:11 167592 ----a-w- c:\windows\system32\aswBoot.exe
2010-12-16 23:13 . 2010-12-16 23:13 -------- d-----w- c:\documents and settings\administrator.MAGOFFICE\Application Data\CheckPoint
2010-12-16 23:12 . 2010-12-17 16:24 -------- d-----w- c:\documents and settings\administrator.MAGOFFICE\Local Settings\Application Data\Conduit
2010-12-16 23:12 . 2010-12-16 23:12 -------- d-----w- c:\program files\Conduit
2010-12-16 23:12 . 2010-12-17 16:25 -------- d-----w- c:\documents and settings\administrator.MAGOFFICE\Local Settings\Application Data\ZoneAlarm_Security
2010-12-16 23:12 . 2010-12-16 23:12 -------- d-----w- c:\program files\ZoneAlarm_Security
2010-12-16 23:12 . 2010-12-16 23:12 -------- d-----w- c:\program files\CheckPoint
2010-12-16 23:12 . 2010-09-02 14:20 69120 ----a-w- c:\windows\system32\zlcomm.dll
2010-12-16 23:12 . 2010-09-02 14:20 103936 ----a-w- c:\windows\system32\zlcommdb.dll
2010-12-16 23:11 . 2010-12-16 23:13 -------- d-----w- c:\windows\system32\ZoneLabs
2010-12-16 23:11 . 2010-09-02 14:20 1238528 ----a-w- c:\windows\system32\zpeng25.dll
2010-12-16 23:11 . 2010-12-16 23:11 -------- d-----w- c:\program files\Zone Labs
2010-12-16 23:11 . 2010-12-21 14:17 -------- d-----w- c:\windows\Internet Logs
2010-12-16 23:05 . 2010-12-16 23:05 -------- d-----w- c:\program files\ESET
2010-12-16 22:41 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-16 22:40 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2010-12-16 20:35 . 2010-12-16 20:35 -------- d-----w- c:\documents and settings\administrator.MAGOFFICE\Application Data\AdobeUM
2010-12-16 20:26 . 2010-12-16 20:34 -------- d-----w- c:\documents and settings\administrator.MAGOFFICE\CheckTrade
2010-12-15 20:24 . 2010-11-30 16:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-15 20:24 . 2010-11-30 16:22 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-14 14:42 . 2010-12-14 14:42 -------- d-----w- c:\windows\system32\wbem\Repository
2010-12-14 14:40 . 2010-12-14 14:40 0 ----a-w- c:\windows\system32\lsp2.tmp
2010-12-13 13:46 . 2010-12-13 13:46 -------- d-----w- c:\documents and settings\priscilla\IECompatCache
2010-12-10 21:03 . 2010-12-10 21:03 -------- d-----w- c:\documents and settings\NetworkService\IECompatCache
2010-12-10 16:57 . 2010-12-10 16:57 -------- d-----w- c:\documents and settings\NetworkService\PrivacIE
2010-11-30 23:14 . 2010-12-14 18:48 16856 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe
2010-11-30 23:14 . 2010-12-14 18:48 719832 ----a-w- c:\program files\Mozilla Firefox\mozcpp19.dll
2010-11-30 15:06 . 2010-12-13 13:39 0 ----a-w- c:\windows\Pjujoyexamecusu.bin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-15 20:21 . 2010-11-16 14:36 3991489 ----a-r- C:\ComboFix.exe
2010-11-18 18:12 . 2006-11-27 01:52 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-12 23:53 . 2010-11-16 19:44 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-12 21:34 . 2010-11-16 19:44 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-06 00:26 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2006-02-28 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2006-02-28 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2006-02-28 12:00 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2006-02-28 12:00 40960 ------w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2006-02-28 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2006-02-28 12:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2010-10-19 20:51 . 2010-07-06 16:13 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-05 14:17 . 2009-07-08 22:02 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll.000.bak
2010-10-05 14:17 . 2009-07-08 22:02 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2010-10-05 14:17 . 2009-07-08 22:02 83360 ----a-w- c:\windows\system32\LMIRfsClientNP(2).dll
2010-10-05 14:17 . 2009-07-08 22:02 53632 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2010-10-05 14:17 . 2009-07-08 22:02 29568 ----a-w- c:\windows\system32\LMIport.dll
2010-10-05 14:17 . 2009-07-08 22:02 87424 ----a-w- c:\windows\system32\LMIinit.dll.000.bak
2010-10-05 14:17 . 2009-07-08 22:02 87424 ----a-w- c:\windows\system32\LMIinit.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-12-20_22.07.51 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-12-21 14:10 . 2010-12-21 14:10 16384 c:\windows\Temp\Perflib_Perfdata_1cc.dat
+ 2009-10-17 07:05 . 2009-05-26 11:40 26488 c:\windows\$hf_mig$\KB974571\update\spcustom.dll
+ 2009-10-17 07:05 . 2009-05-26 11:40 382840 c:\windows\$hf_mig$\KB974571\update\updspapi.dll
+ 2009-10-17 07:05 . 2009-05-26 11:40 755576 c:\windows\$hf_mig$\KB974571\update\update.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
2010-12-01 16:27 2735200 ----a-w- c:\program files\ZoneAlarm_Security\tbZone.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\tbZone.dll" [2010-12-01 2735200]

[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{91DA5E8A-3318-4F8C-B67E-5964DE3AB546}"= "c:\program files\ZoneAlarm_Security\tbZone.dll" [2010-12-01 2735200]

[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"SigmatelSysTrayApp"="stsystra.exe" [2006-02-10 282624]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"JobHisInit"="c:\program files\RMClient\JobHisInit.exe" [2005-08-01 151552]
"MplSetUp"="c:\program files\RMClient\MplSetUp.exe" [2000-11-04 40960]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-09-02 1043968]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2010-09-02 738808]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-F400-BA7E-100000000002}\SC_Acrobat.exe [2006-11-26 25214]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-10-05 14:17 87424 ----a-w- c:\windows\system32\LMIinit.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Calendar Sync.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Calendar Sync.lnk
backup=c:\windows\pss\Google Calendar Sync.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/17/2010 11:50 AM 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/17/2010 11:50 AM 17744]
R2 GlidePoint;GlidePoint Touchpad Client;c:\program files\GlidePoint\glidesvc.exe [3/29/2007 1:37 PM 176128]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [9/2/2010 7:26 AM 26872]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [9/2/2010 7:26 AM 493048]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [11/16/2010 8:58 AM 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [7/24/2008 5:46 PM 12856]
R3 TSUSB2;Driver for TellerScan Device;c:\windows\system32\drivers\TSUSB2.sys [1/11/2008 11:42 AM 54016]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 glideusb;GlidePoint USB Touchpad Filter;c:\windows\system32\drivers\glideusb.sys [10/3/2007 8:22 AM 44928]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2/28/2006 7:00 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://companyweb/default.aspx
uInternet Settings,ProxyOverride = <local>
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {562767CA-A896-4230-9033-2AFCC738C9F6} = 192.168.1.2
DPF: {41861299-EAB2-4DCC-986C-802AE12AC499} - hxxp://map.ezlistmls.com/PUBLICREPORTS/Reserved.ReportViewerWebControl.axd?ExecutionID=p3ite0umofxo3255s3bgrj55&ControlID=355d24a663a848d394531f5479a5996d&Culture=1033&UICulture=9&ReportStack=1&OpType=PrintCab
FF - ProfilePath - c:\documents and settings\priscilla\Application Data\Mozilla\Firefox\Profiles\y75ua62x.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z007&form=ZGAADF&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: ZoneAlarm Security Engine: {FFB96CC1-7EB3-449D-B827-DB661701C6BB} - c:\program files\CheckPoint\ZAForceField\TrustChecker
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: LogMeIn, Inc. Remote Access Plugin: LogMeInClient@logmein.com - %profile%\extensions\LogMeInClient@logmein.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-21 09:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(704)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

- - - - - - - > 'lsass.exe'(760)
c:\program files\Bonjour\mdnsNSP.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

- - - - - - - > 'explorer.exe'(3240)
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-12-21 09:51:09
ComboFix-quarantined-files.txt 2010-12-21 14:51
ComboFix2.txt 2010-12-21 14:33
ComboFix3.txt 2010-12-20 22:57
ComboFix4.txt 2010-12-20 22:10

Pre-Run: 44,983,513,088 bytes free
Post-Run: 44,966,703,104 bytes free

- - End Of File - - 8F0A60D849F5BF7713D89C375CCF57D4

#15 teacup61 (Malware Response Team)

Posted 21 December 2010 - 11:53 AM

Hello there,

I have installed and removed Avast several time but I think something is blocking it from updating as it fails every time. Could the proxy server have something to do with that?

Is that fixed now? :)