Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Latest News:    Are WiFi Network Names Protected by the First Amendment?

Featured Deal: Get 96% off the MCSA SQL Server Training Deal

Photo

yafraudcheckonline browser hijack + explorer(windows) issues

Started by Stanbridge , Mar 09 2011 08:11 PM

  • This topic is locked This topic is locked
12 replies to this topic

#1 Stanbridge

Stanbridge

  • Members
  • 9 posts
  • OFFLINE
    •  
  • Local time:08:28 AM

Posted 09 March 2011 - 08:11 PM

Hi there,

I was doing some Google image searching online and appear to contracted a browser hijack via an image download!

Since then, I had a LOT of trouble booting back into Windows. Windows would freeze at my wallpaper before loading my desktop icons and start menu. I was able to get past it by disabling a couple of extra "explorer.exe" processes, some process-kill guessing and several restarts. My start bar looks more like a Win98 Start bar now.

Following this, now when I do a Google search, clicking on a result begins to redirect to yafraudcheckonline, at which point I quickly close the browser.

I am running Windows XP Pro SP3, IE8 and CA Anti-Virus.

My DDS is included below and Attach logs is attach. I will attach the GMER log in a separate file because last time I ran it, my PC died and it took ages to get back this far. So if there's a delay between this post and my next that includes GMER log, it's because I'm trying to run it. Like many others no doubt, at this point I am SUPER-DESPERATE! Any help I get get to remove these issues is VERY much appreciated!

EDIT: Ark.log now attached. It was too big to attach directly so I had to ZIP it first. I don't know why it was so big. I followed the instructions in the Preparation Guide (unchecking IAT/EAT and, Non-C Drives and Show All). And yes... it broke my PC towards the end of running it. But it's here now! See attached. Cheers! :)
Thanks very much!!!!


Regards,
Stanbridge


DDS
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Administrator at 10:35:58.50 on Thu 10/03/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2264 [GMT 11:00]
.
AV: CA Anti-Virus Plus *Enabled/Updated* {6B98D35F-BB76-41C0-876B-A50645ED099A}
FW: CA Personal Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus Plus\caamsvc.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus Plus\isafe.exe
C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\CA\CA Internet Security Suite\ccEvtMgr.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\AutoMate 5\AM5HkWnd.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\CA\CA Internet Security Suite\casc.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\AutoMate 5\AutoMate5Svc.exe
C:\SOFTWARE\TimesheetAssistant.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Notepad++\nppIExplorerShell.exe
C:\WINDOWS\system32\wuauclt.exe
C:\temp\AV\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com.au/
uInternet Connection Wizard,ShellNext = hxxp://www.nitropdf.com/services/LinkRedirector.aspx?lr_prod=Primo&lr_name=welcome&lr_loc=en-US&lr_src=primo&name=&email=&company=&language=1033
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=userinit.exe,
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: CA Anti-Phishing Toolbar Helper: {45011cf5-e4a9-4f13-9093-f30a784eb9b2} - c:\program files\ca\ca internet security suite\ca anti-phishing\toolbar\caIEToolbar.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: CA Anti-Phishing Toolbar: {0123b506-0ad9-43aa-b0cf-916c122ad4c5} - c:\program files\ca\ca internet security suite\ca anti-phishing\toolbar\caIEToolbar.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [DIMDownloading your update...1285781003180] "c:\program files\corel\coreldraw graphics suite x5\photo-paint\dim.exe" "c:\documents and settings\all users\application data\corel\downloads\540215253_807001\1285781003180\dim_params.xml" -launch=3 -uibase="c:\documents and settings\administrator\application data\corel\messages\540215253_807001\en\messagecache1\workflow"
uRun: [pronto] "c:\program files\wimba\pronto\pronto.exe"
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [AutoMate5] c:\program files\automate 5\AM5HkWnd.exe
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [cctray] "c:\program files\ca\ca internet security suite\casc.exe"
mRun: [capfupgrade] c:\program files\ca\ca internet security suite\ca personal firewall\capfupgrade.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\custom~1.lnk - c:\program files\ultravnc\vncviewer.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\timesh~1.lnk - c:\software\TimesheetAssistant.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Download with GetRight - c:\program files\getright\GRdownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Open With GetRight Browser - c:\program files\getright\GRbrowse.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: c:\windows\system32\VetRedir.dll
DPF: {00134F72-5284-44F7-95A8-52A619F70751} - hxxps://wsus.bne-staff.rpdata.net.au:4343/officescan/console/html/ClientInstall/WinNTChk.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} - hxxps://wsus.bne-staff.rpdata.net.au:4343/officescan/console/html/ClientInstall/RemoveCtrl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1297055890000
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1297055882421
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: PFW - UmxWnp.Dll
AppInit_DLLs: UmxSbxExw.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\0flgfuuu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\ca\ca internet security suite\ca anti-phishing\toolbar\firefox\components\CAFxToolBar.dll
FF - plugin: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\0flgfuuu.default\extensions\{1bc9ba34-1eed-42ca-a505-6d2f1a935bbb}\plugins\npietab2.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: IE Tab 2 (FF 3.6+): {1BC9BA34-1EED-42ca-A505-6D2F1A935BBB} - %profile%\extensions\{1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: New Tab Homepage: {66E978CD-981F-47DF-AC42-E3CF417C1467} - %profile%\extensions\{66E978CD-981F-47DF-AC42-E3CF417C1467}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: CA Anti-Phishing Toolbar: caaphishtoolbar@ca.com - c:\program files\ca\ca internet security suite\ca anti-phishing\toolbar\Firefox
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R0 KmxAMRT;KmxAMRT;c:\windows\system32\drivers\KmxAMRT.sys [2010-9-17 135248]
R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [2010-5-3 108112]
R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [2010-3-22 79864]
R1 KmxFile;KmxFile;c:\windows\system32\drivers\KmxFile.sys [2010-9-24 61008]
R1 KmxFw;KmxFw;c:\windows\system32\drivers\KmxFw.sys [2010-9-24 115792]
R2 CAAMSvc;CAAMSvc;c:\program files\ca\ca internet security suite\ca anti-virus plus\CAAMSvc.exe [2011-2-25 206152]
R2 CAISafe;CAISafe;c:\program files\ca\ca internet security suite\ca anti-virus plus\isafe.exe [2011-2-25 212992]
R2 ccSchedulerSVC;CA Common Scheduler Service;c:\program files\ca\ca internet security suite\ccschedulersvc.exe [2011-2-25 206160]
R2 KmxCF;KmxCF;c:\windows\system32\drivers\KmxCF.sys [2010-9-24 146000]
R2 KmxSbx;KmxSbx;c:\windows\system32\drivers\KmxSbx.sys [2010-9-24 61008]
R2 UmxAgent;HIPS Event Manager;c:\program files\ca\sharedcomponents\hipsengine\UmxAgent.exe [2009-8-4 887288]
R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\ca\sharedcomponents\hipsengine\UmxCfg.exe [2010-8-24 740160]
R2 UmxPol;HIPS Policy Manager;c:\program files\ca\sharedcomponents\hipsengine\UmxPol.exe [2010-9-17 301648]
R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [2010-6-9 244304]
R3 mv2;mv2;c:\windows\system32\drivers\mv2.sys [2011-2-17 10688]
S0 cerc6;cerc6; [x]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-2-23 136176]
S2 uvnc_service;uvnc_service;c:\program files\ultravnc\winvnc.exe [2011-3-7 712704]
S3 KmxAMVet;KmxAMVet;c:\windows\system32\drivers\KmxAMVet.sys [2009-3-27 598656]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-14 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2009-7-23 47128]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-3-30 239336]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2009-3-30 366936]
.
=============== Created Last 30 ================
.
2011-03-07 04:09:01 625664 ----a-w- c:\temp\av\dds.scr
2011-03-04 03:06:23 -------- d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2011-03-04 03:06:17 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-04 03:06:16 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-03-04 03:06:13 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-04 03:06:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-04 03:03:33 36744 ----a-w- c:\windows\system32\msdnldr.exe
2011-03-02 00:03:57 -------- d-----w- c:\windows\system32\appmgmt
2011-03-01 23:39:01 -------- d-----w- c:\program files\UltraVNC
2011-03-01 23:29:26 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Installer3224
2011-03-01 23:19:20 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Installer3280
2011-03-01 04:56:35 3080237 ----a-w- c:\windows\system32\Msowc.dll
2011-03-01 04:24:19 -------- d-----w- c:\program files\Cityscope Publications
2011-03-01 04:23:32 74000 ----a-w- c:\program files\common files\microsoft shared\database replication\REPLRES.DLL
2011-03-01 04:23:32 213264 ----a-w- c:\program files\common files\microsoft shared\database replication\REPLPROV.DLL
2011-03-01 04:23:32 127248 ----a-w- c:\program files\common files\microsoft shared\database replication\REPLREC.DLL
2011-03-01 04:23:16 56832 ----a-w- c:\program files\common files\microsoft shared\msdesigners98\resources\1033\MDT2DBUI.DLL
2011-03-01 04:23:16 53760 ----a-w- c:\program files\common files\microsoft shared\msdesigners98\resources\1033\MDT2QDUI.DLL
2011-03-01 04:23:16 14336 ----a-w- c:\program files\common files\microsoft shared\msdesigners98\resources\1033\MDT2DDUI.DLL
2011-03-01 04:23:15 20080 ----a-w- c:\windows\system32\WINSSPI.DLL
2011-03-01 04:23:14 32768 ----a-w- c:\windows\system32\hlinkprx.dll
2011-03-01 04:23:12 68080 ----a-w- c:\windows\system32\DIMM.DLL
2011-03-01 04:22:55 31744 ----a-w- c:\windows\system32\hlp95en.dll
2011-03-01 04:22:55 -------- d-----w- c:\program files\Snapshot Viewer
2011-03-01 02:03:50 -------- d-----w- c:\docume~1\admini~1\applic~1\PrimoPDF
2011-02-28 04:31:07 -------- d-----w- c:\program files\PeerBlock
2011-02-28 03:59:10 -------- d-----w- c:\docume~1\admini~1\applic~1\HorizonWimba
2011-02-28 03:56:22 -------- d-----w- c:\program files\Wimba
2011-02-27 23:03:41 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2011-02-27 23:03:41 21504 ----a-w- c:\windows\system32\hidserv.dll
2011-02-27 23:03:12 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2011-02-27 23:03:12 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2011-02-27 22:11:58 -------- d-----w- c:\docume~1\admini~1\applic~1\UltraVNC
2011-02-25 05:55:11 -------- d-----w- c:\program files\ultravnc(NewButRemoved)
2011-02-25 05:45:57 -------- d-----w- c:\program files\ISSThirdParty
2011-02-25 05:45:47 95568 ----a-w- c:\windows\system32\vetredir.dll
2011-02-25 05:45:47 201968 ----a-w- c:\windows\system32\Isafprod.dll
2011-02-25 05:45:47 128336 ----a-w- c:\windows\system32\isafeif.dll
2011-02-25 05:44:36 -------- d-----w- c:\program files\CA
2011-02-25 05:40:31 -------- d-----w- c:\docume~1\alluse~1\applic~1\CA
2011-02-25 04:28:20 55800 ----a-w- c:\temp\ca stuff\amrt\policystorage\ProductAppSign.exe
2011-02-25 04:28:20 453112 ----a-w- c:\temp\ca stuff\UmxAmrtSettings.dll
2011-02-25 04:28:20 135248 ----a-w- c:\temp\ca stuff\KmxAMRT.sys
2011-02-25 03:54:59 7 ----a-w- c:\windows\system32\mkghj.dll
2011-02-25 03:27:02 1445888 ----a-w- c:\documents and settings\administrator\DesktopWinsockxpFix.exe
2011-02-25 03:26:40 186368 ----a-w- c:\documents and settings\administrator\DesktopLSPFix.exe
2011-02-25 03:26:35 36864 ----a-w- c:\documents and settings\administrator\DesktopSafeMSI.exe
2011-02-24 03:58:26 73728 ----a-r- c:\docume~1\admini~1\applic~1\microsoft\installer\{006deade-e12e-4da0-ab65-134f0de9af9a}\NewShortcut6_FA22C8B36029437A9646719DBA760EAE.exe
2011-02-24 03:58:26 73728 ----a-r- c:\docume~1\admini~1\applic~1\microsoft\installer\{006deade-e12e-4da0-ab65-134f0de9af9a}\NewShortcut4_FA22C8B36029437A9646719DBA760EAE.exe
2011-02-24 03:58:26 143360 ----a-r- c:\docume~1\admini~1\applic~1\microsoft\installer\{006deade-e12e-4da0-ab65-134f0de9af9a}\NewShortcut5_FA22C8B36029437A9646719DBA760EAE.exe
2011-02-24 03:58:26 143360 ----a-r- c:\docume~1\admini~1\applic~1\microsoft\installer\{006deade-e12e-4da0-ab65-134f0de9af9a}\ARPPRODUCTICON.exe
2011-02-24 03:58:20 -------- d-----w- c:\program files\Electric Rain
2011-02-24 03:54:25 -------- d-----w- c:\program files\Serena Software Inc
2011-02-24 03:41:07 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Ahead
2011-02-24 03:35:04 -------- d-----w- c:\program files\Nero
2011-02-24 01:36:48 50200 ----a-w- c:\windows\system32\perf-SQLAgent$SQLEXPRESS-sqlagtctr10.1.2531.0.dll
2011-02-24 01:36:43 79896 ----a-w- c:\windows\system32\perf-MSSQL$SQLEXPRESS-sqlctr10.1.2531.0.dll
2011-02-24 01:36:15 -------- d-----w- c:\windows\system32\RsFx
2011-02-24 01:33:45 -------- d-----w- c:\program files\Microsoft SQL Server
2011-02-24 01:33:34 -------- d-----w- c:\program files\Microsoft Synchronization Services
2011-02-24 01:33:34 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2011-02-24 01:33:02 -------- d-----w- c:\docume~1\alluse~1\applic~1\PreEmptive Solutions
2011-02-24 01:31:19 -------- d-----w- c:\program files\Microsoft ASP.NET
2011-02-24 01:31:17 -------- d-----w- c:\program files\IIS
2011-02-24 01:30:40 18368 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\vsa\9.0\1033\ResourceCache.dll
2011-02-24 01:30:38 2377696 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\visualstudio\10.0\1033\ResourceCache.dll
2011-02-24 01:25:44 -------- d-----w- c:\program files\Microsoft F#
2011-02-24 01:25:44 -------- d-----w- c:\program files\HTML Help Workshop
2011-02-24 01:25:43 -------- d-----w- c:\program files\Microsoft Visual Studio 10.0
2011-02-24 01:25:43 -------- d-----w- c:\program files\Microsoft Help Viewer
2011-02-24 01:25:43 -------- d-----w- c:\program files\common files\Merge Modules
2011-02-24 00:31:19 -------- d-----w- c:\program files\common files\Control Panels
2011-02-24 00:12:19 -------- d-----w- c:\program files\MagicISO
2011-02-23 22:58:17 -------- d-----w- c:\windows\pss
2011-02-23 01:22:55 -------- d-----w- c:\docume~1\alluse~1\applic~1\ALM
2011-02-23 01:22:14 -------- d-----w- c:\program files\Bonjour
2011-02-23 01:17:35 -------- d-----w- c:\program files\common files\Macrovision Shared
2011-02-23 00:11:53 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Qurb4
2011-02-22 23:53:49 -------- d-----w- c:\program files\PowerISO
2011-02-22 23:32:50 50152 ----a-w- c:\program files\windows nt\accessories\imagevue\wangimg.exe
2011-02-22 23:32:50 50152 ----a-w- c:\program files\windows nt\accessories\imagevue\kodakimg.exe
2011-02-22 23:32:48 -------- d-----w- c:\program files\Imaging
2011-02-22 23:32:34 304128 ----a-w- c:\windows\IsUninst.exe
2011-02-22 23:30:13 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Temp
2011-02-22 23:30:09 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Google
2011-02-22 23:13:33 -------- d-----w- c:\program files\GetRight
2011-02-22 22:44:32 -------- d-----w- c:\program files\Mach5 Mailer 4
2011-02-22 21:43:32 -------- d-----w- c:\program files\InstantDemo
2011-02-22 01:17:49 -------- d-----w- c:\program files\common files\Corel
2011-02-22 01:17:33 -------- d-----w- c:\docume~1\alluse~1\applic~1\CorelDRAW Graphics Suite X5
2011-02-22 01:12:11 -------- d-----w- c:\docume~1\alluse~1\applic~1\Protexis
2011-02-22 01:08:47 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Axialis
2011-02-22 01:08:44 -------- d-----w- c:\program files\My Company Name
2011-02-22 00:37:16 348256 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\vstahost\corelphotopaint\9.0\1033\ResourceCache.dll
2011-02-22 00:37:02 348256 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\vstahost\coreldraw\9.0\1033\ResourceCache.dll
2011-02-22 00:36:19 416 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\msdn\9.0\1033\ResourceCache.dll
2011-02-22 00:34:30 -------- d-----w- c:\program files\common files\Protexis
2011-02-22 00:34:29 -------- d-----w- c:\docume~1\alluse~1\applic~1\Corel
2011-02-22 00:29:56 -------- d-----w- c:\program files\Corel
2011-02-22 00:13:03 -------- d-----w- c:\documents and settings\administrator\log
2011-02-21 05:37:23 -------- d-----w- c:\windows\Internet Logs
2011-02-21 05:37:00 127376 ----a-w- c:\windows\system32\drivers\dne2000.sys
2011-02-21 05:37:00 101904 ----a-w- c:\windows\system32\dneinobj.dll
2011-02-21 05:36:51 -------- d-----w- c:\program files\Cisco Systems
2011-02-21 05:23:58 -------- d-----w- c:\program files\AutoMate 5
2011-02-21 05:23:58 -------- d-----w- c:\docume~1\alluse~1\applic~1\Network Automation
2011-02-21 05:23:51 210000 ----a-w- c:\windows\system32\amsco32.dll
2011-02-21 05:10:10 -------- d-----w- c:\documents and settings\administrator\WINDOWS
2011-02-18 17:00:49 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2011-02-18 17:00:30 -------- d-----w- c:\program files\MSXML 4.0
2011-02-18 11:43:52 25 ----a-w- C:\testtask.bat
2011-02-18 11:39:57 112616 ----a-w- c:\temp\ra1004.exe
2011-02-18 11:39:55 538624 ----a-w- c:\temp\pim4dearbhla\omnisres.dll
2011-02-18 11:39:52 2595328 ----a-w- c:\temp\pim4dearbhla\OMNIS7.exe
2011-02-18 11:39:52 216576 ----a-w- c:\temp\pim4dearbhla\OMNI2UI.DLL
2011-02-18 11:39:51 953856 ----a-w- c:\temp\pim4dearbhla\DGDSC32.DLL
2011-02-18 11:39:51 20308 ----a-w- c:\temp\pim4dearbhla\O7TK16.DLL
2011-02-18 11:39:51 15872 ----a-w- c:\temp\pim4dearbhla\O7TK32.DLL
2011-02-18 11:39:24 94352 ----a-w- c:\temp\oldtemp2\whitepages annoying files\MHRUN400.DLL
2011-02-18 11:39:24 45108 ----a-w- c:\temp\oldtemp2\whitepages annoying files\WPPD.DLL
2011-02-18 11:39:24 220832 ----a-w- c:\temp\oldtemp2\whitepages annoying files\WPCDAZ.DLL
2011-02-18 11:38:31 112802954 ----a-w- c:\temp\oldtemp2\setupPD.exe
2011-02-18 11:38:17 18389504 ----a-w- c:\temp\oldtemp2\pm\PM_72.exe
2011-02-18 11:26:38 149222 ----a-w- c:\temp\oldtemp2\oldtemp\testingEXEfileLauncher.exe
2011-02-18 11:26:34 7083364 ----a-w- c:\temp\oldtemp2\oldtemp\signwizard\sw51demo.exe
2011-02-18 11:26:33 1849677 ----a-w- c:\temp\oldtemp2\oldtemp\setup patch\setup_patch.exe
2011-02-18 11:26:33 149504 ----a-w- c:\temp\oldtemp2\oldtemp\setup patch\UNWISE.EXE
2011-02-18 11:26:02 20795904 ----a-w- c:\temp\oldtemp2\oldtemp\OnlineStorage.exe
2011-02-18 11:26:00 3026989 ----a-w- c:\temp\oldtemp2\oldtemp\Msowc.dll
2011-02-18 11:25:49 16332072 ----a-w- c:\temp\oldtemp2\oldtemp\msnblock\Install_Messenger_nous.exe
2011-02-18 11:25:41 20752672 ----a-w- c:\temp\oldtemp2\oldtemp\msnblock\automate5540-full.exe
2011-02-18 11:25:23 12754672 ----a-w- c:\temp\oldtemp2\oldtemp\MP10Setup.exe
2011-02-18 11:23:51 5538680 ----a-w- c:\temp\oldtemp2\oldtemp\dmg2iso\macdrive_6.1.5_enu_qtd_setup.exe
2011-02-18 11:23:51 13824 ----a-w- c:\temp\oldtemp2\oldtemp\dmg2iso\dmg2iso.exe
2011-02-18 11:23:50 1511320 ----a-w- c:\temp\oldtemp2\oldtemp\dmg2iso\daemon408-x86.exe
2011-02-18 11:23:23 7168 ----a-w- c:\temp\oldtemp2\oldtemp\COLLauncherQBE.exe
2011-02-18 11:23:15 318558 ----a-w- c:\temp\oldtemp2\oldtemp\catfud\site-size-count-au\SetupPDF6.exe
2011-02-18 11:23:15 1831840 ----a-w- c:\temp\oldtemp2\oldtemp\catfud\site-size-count-au\snpvw90.exe
2011-02-18 11:23:12 1380352 ----a-w- c:\temp\oldtemp2\oldtemp\catfud\site-size-count-au\inhouse\CSCOMMON.exe
2011-02-18 11:23:11 1274886 ----a-w- c:\temp\oldtemp2\oldtemp\catfud\site-size-count-au\inhouse\Client500.exe
2011-02-18 11:23:11 1015808 ----a-w- c:\temp\oldtemp2\oldtemp\catfud\site-size-count-au\inhouse\Client495.exe
2011-02-18 11:22:14 50720515 ----a-w- c:\temp\oldtemp2\oldtemp\catfud\setup_upd.exe
2011-02-18 11:21:43 81175064 ----a-w- c:\temp\oldtemp2\oldtemp\catfud\Setup.exe
2011-02-18 11:21:39 1049705 ----a-w- c:\temp\oldtemp2\oldtemp\catfud\DOSBox0[1][1].63-win32-installer.exe
2011-02-18 11:21:19 29058885 ----a-w- c:\temp\oldtemp2\oldtemp\AKsetup_upd.exe
2011-02-18 11:20:51 40693248 ----a-w- c:\temp\oldtemp2\old-sy-updates\SY_95.exe
2011-02-18 11:20:33 40145920 ----a-w- c:\temp\oldtemp2\old-sy-updates\SY_94.exe
2011-02-18 11:19:14 50512131 ----a-w- c:\temp\oldtemp2\MLQIC-setup_upd.exe
2011-02-18 11:19:04 59904 ----a-w- c:\temp\oldtemp2\imagingsoftware\imagingocxs\SETUP.EXE
2011-02-18 11:19:04 352256 ----a-w- c:\temp\oldtemp2\imagingsoftware\Install.exe
2011-02-18 11:18:59 8192 ----a-w- c:\temp\oldtemp2\imagingsoftware\imagingocxs\_ISDEL.EXE
2011-02-18 11:18:59 803680 ----a-w- c:\temp\oldtemp2\imagingsoftware\imagingocxs\axdist.exe
2011-02-18 11:18:59 59904 ----a-w- c:\temp\oldtemp2\imagingsoftware\imaging\SETUP.EXE
2011-02-18 11:18:59 11264 ----a-w- c:\temp\oldtemp2\imagingsoftware\imagingocxs\_SETUP.DLL
2011-02-18 11:18:52 8192 ----a-w- c:\temp\oldtemp2\imagingsoftware\imaging\_ISDEL.EXE
2011-02-18 11:18:52 803680 ----a-w- c:\temp\oldtemp2\imagingsoftware\imaging\axdist.exe
2011-02-18 11:18:52 11264 ----a-w- c:\temp\oldtemp2\imagingsoftware\imaging\_SETUP.DLL
2011-02-18 11:18:51 8192 ----a-w- c:\temp\oldtemp2\imagingsoftware\1xclient\_ISDEL.EXE
2011-02-18 11:18:51 59904 ----a-w- c:\temp\oldtemp2\imagingsoftware\1xclient\SETUP.EXE
2011-02-18 11:18:51 151552 ----a-w- c:\temp\oldtemp2\imagingsoftware\1xclient\instsrvr.dll
2011-02-18 11:18:51 11264 ----a-w- c:\temp\oldtemp2\imagingsoftware\1xclient\_SETUP.DLL
2011-02-18 11:17:41 33161216 ----a-w- c:\temp\oldtemp2\eiStreamImaging28.exe
2011-02-18 11:17:20 1897408 ----a-w- c:\temp\oldtemp2\backups\nvidia riva tnt2 model 64 model 64 pro (microsoft corporation)\nv4_mini.sys
2011-02-18 11:17:18 8811 ----a-w- c:\temp\oldtemp2\backups\conexant setup api\SetupSys.sys
2011-02-18 11:17:18 4274816 ----a-w- c:\temp\oldtemp2\backups\nvidia riva tnt2 model 64 model 64 pro (microsoft corporation)\nv4_disp.dll
2011-02-18 11:15:08 149504 ----a-w- c:\temp\melbcityrecd2k\UNWISE.EXE
2011-02-18 11:04:26 563200 ----a-w- c:\temp\melbcityrecd2k\Ads.exe
2011-02-18 11:04:18 153104 ----a-w- c:\temp\ext18866\install.exe
2011-02-18 11:04:18 1065480 ----a-w- c:\temp\ext18866\install.res.dll
2011-02-18 10:51:37 121206136 ----a-w- c:\temp\chris virusfixtools\ca - anti-virus plus (rp data account)\cd files\en\SETUP.EXE
2011-02-18 10:51:36 874292 ----a-w- c:\temp\chris virusfixtools\bootdisk.com files\xpboot.exe
2011-02-18 10:51:36 700781 ----a-w- c:\temp\chris virusfixtools\bootdisk.com files\task40.exe
2011-02-18 10:51:33 197233 ----a-w- c:\temp\chris virusfixtools\bootdisk.com files\rest2514.exe
2011-02-18 10:51:32 553687 ----a-w- c:\temp\chris virusfixtools\bootdisk.com files\jv16regc.exe
2011-02-18 10:51:31 1420962 ----a-w- c:\temp\chris virusfixtools\bootdisk.com files\jv16ptv1.exe
2011-02-18 10:51:28 477308 ----a-w- c:\temp\chris virusfixtools\bootdisk.com files\doscdrom.exe
2011-02-18 10:51:28 1290938 ----a-w- c:\temp\chris virusfixtools\bootdisk.com files\drdos703.exe
2011-02-18 10:51:17 27386280 ----a-w- c:\temp\chris virusfixtools\acrobat reader\AdbeRdr920_en_US.exe
2011-02-18 10:50:20 5760288 ----a-w- c:\temp\ar405eng.exe
2011-02-18 08:54:34 339968 ----a-w- c:\windows\system32\hpbicoin.dll
2011-02-18 08:46:02 -------- d-----w- c:\docume~1\admini~1\applic~1\Eqpy
2011-02-18 07:45:30 63 ----a-w- C:\reminder_timesheet.bat
2011-02-18 07:45:30 527 ----a-w- C:\Reset.cmd
2011-02-18 07:01:57 269 ----a-w- C:\ftpdownload.bat
2011-02-18 07:01:57 266 ----a-w- C:\ftpupload.bat
2011-02-18 06:50:40 72 ----a-w- C:\connectme3.bat
2011-02-18 06:50:40 67 ----a-w- C:\connectme2.bat
2011-02-18 06:50:40 266 ----a-w- C:\Copy of ftpupload.bat
2011-02-18 06:50:40 0 ----a-w- C:\connectme.bat
2011-02-17 15:24:48 358 ----a-w- C:\AcrE02B.tmp
2011-02-17 15:24:48 358 ----a-w- C:\Acr334C.tmp
2011-02-17 11:15:54 -------- d-----w- C:\NICKY
2011-02-17 11:14:59 -------- d-----w- C:\== RPDATA ==
2011-02-17 11:14:36 -------- d-----w- C:\== CPM ==
2011-02-17 11:14:22 -------- d-----w- C:\== Cityscope ==
2011-02-17 06:09:23 20672 ----a-w- c:\windows\system32\mv2.dll
2011-02-17 06:09:23 10688 ----a-w- c:\windows\system32\drivers\mv2.sys
2011-02-17 05:40:15 1341176 ----a-w- c:\temp\2010\issdm_ca_en.exe
2011-02-17 05:40:14 144648 ----a-w- c:\temp\2010\removal tool\SupportBridge.exe
2011-02-17 05:30:52 -------- d-----w- c:\windows\system32\winsflte.dl1
2011-02-17 05:30:52 -------- d-----w- c:\windows\system32\winsflt.dl1
2011-02-17 05:29:10 -------- d-----w- c:\docume~1\alluse~1\applic~1\CA-SupportBridge
2011-02-17 04:18:31 -------- d-----w- c:\program files\FreeFileSync
2011-02-15 19:45:26 -------- d-sh--w- C:\$RECYCLE.BIN
2011-02-15 00:52:28 -------- d-----w- c:\windows\system32\winrm
2011-02-15 00:52:24 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2011-02-15 00:48:25 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\ApplicationHistory
2011-02-15 00:37:56 274288 ----a-w- c:\windows\system32\mucltui.dll
2011-02-15 00:37:56 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2011-02-15 00:35:51 -------- d-----w- C:\temp
.
==================== Find3M ====================
.
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-07 05:05:56 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-07 05:05:56 411368 ----a-w- c:\windows\system32\deploytk.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59:19 43520 ------w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59:19 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55:26 385024 ------w- c:\windows\system32\html.iec
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD50 rev.12.0 -> Harddisk0\DR0 -> \Device\Ide\iaStor0
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A40C439]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a4127b8]; MOV EAX, [0x8a412834]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8ADC8AB8]
3 CLASSPNP[0xB80E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A0268B8]
\Driver\iastor[0x8A42A558] -> IRP_MJ_CREATE -> 0x8A40C439
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x132; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IAAStorageDevice-1 -> \??\IDE#DiskWDC_WD5000AAKS-75TMA0___________________12.01C01#4&d9859c0&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user != kernel MBR !!!
sectors 976773166 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
.
============= FINISH: 10:37:47.93 ===============

Attached Files


Edited by Stanbridge, 09 March 2011 - 09:34 PM.

BC AdBot (Login to Remove)

 

#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
    •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:06:28 PM

Posted 09 March 2011 - 10:05 PM

Hi,

Please do the following:

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015

#3 Stanbridge

Stanbridge
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
    •  
  • Local time:08:28 AM

Posted 10 March 2011 - 01:18 AM

Thanks CatByte! Much appreciated. Here's the ComboFix log.txt...

Cheers


ComboFix 11-03-09.02 - Administrator 10/03/2011 16:44:55.1.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2647 [GMT 11:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
FW: CA Personal Firewall *Disabled* {38102F93-1B6E-4922-90E1-A35D8DC6DAA3}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Application Data\Adobe\plugs
C:\index.htm
C:\Thumbs.db
c:\windows\system32\mkghj.dll
c:\windows\winhelp.ini
.
.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2011-02-10 to 2011-03-10 )))))))))))))))))))))))))))))))
.
.
2011-03-10 04:52 . 2011-03-10 04:53 -------- d-----w- C:\32788R22FWJFW
2011-03-04 03:06 . 2011-03-04 03:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-03-04 03:06 . 2010-12-20 07:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-04 03:06 . 2011-03-04 03:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-03-04 03:06 . 2011-03-04 03:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-04 03:06 . 2010-12-20 07:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-04 03:03 . 2011-03-04 03:04 36744 ----a-w- c:\windows\system32\msdnldr.exe
2011-03-04 03:00 . 2011-03-04 03:00 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-03-04 03:00 . 2011-03-04 03:00 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-03-01 23:39 . 2011-03-07 04:05 -------- d-----w- c:\program files\UltraVNC
2011-03-01 23:29 . 2011-03-01 23:29 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Installer3224
2011-03-01 23:19 . 2011-03-01 23:19 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Installer3280
2011-03-01 04:56 . 1999-03-11 16:44 3080237 ----a-w- c:\windows\system32\Msowc.dll
2011-03-01 04:24 . 2011-03-01 04:24 -------- d-----w- c:\program files\Cityscope Publications
2011-03-01 04:23 . 1998-11-12 18:25 74000 ----a-w- c:\program files\Common Files\Microsoft Shared\Database Replication\REPLRES.DLL
2011-03-01 04:23 . 1998-11-12 18:25 127248 ----a-w- c:\program files\Common Files\Microsoft Shared\Database Replication\REPLREC.DLL
2011-03-01 04:23 . 1998-11-12 18:25 213264 ----a-w- c:\program files\Common Files\Microsoft Shared\Database Replication\REPLPROV.DLL
2011-03-01 04:23 . 1998-06-30 08:26 53760 ----a-w- c:\program files\Common Files\Microsoft Shared\MSDesigners98\Resources\1033\MDT2QDUI.DLL
2011-03-01 04:23 . 1998-06-30 08:26 56832 ----a-w- c:\program files\Common Files\Microsoft Shared\MSDesigners98\Resources\1033\MDT2DBUI.DLL
2011-03-01 04:23 . 1998-06-30 08:26 14336 ----a-w- c:\program files\Common Files\Microsoft Shared\MSDesigners98\Resources\1033\MDT2DDUI.DLL
2011-03-01 04:23 . 1998-03-13 07:22 20080 ----a-w- c:\windows\system32\WINSSPI.DLL
2011-03-01 04:23 . 1998-08-31 04:05 32768 ----a-w- c:\windows\system32\hlinkprx.dll
2011-03-01 04:23 . 1998-04-03 08:12 68080 ----a-w- c:\windows\system32\DIMM.DLL
2011-03-01 04:22 . 2011-03-01 04:23 -------- d-----w- c:\program files\Snapshot Viewer
2011-03-01 04:22 . 1997-08-18 13:00 31744 ----a-w- c:\windows\system32\hlp95en.dll
2011-03-01 02:03 . 2011-03-01 02:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\PrimoPDF
2011-02-28 04:48 . 2008-04-14 07:00 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2011-02-28 04:31 . 2011-03-02 03:04 -------- d-----w- c:\program files\PeerBlock
2011-02-28 03:59 . 2011-02-28 03:59 -------- d-----w- c:\documents and settings\Administrator\Application Data\HorizonWimba
2011-02-28 03:56 . 2011-02-28 03:56 -------- d-----w- c:\program files\Wimba
2011-02-28 03:00 . 2011-02-28 03:00 -------- d-----w- c:\windows\Sun
2011-02-27 23:03 . 2008-04-13 18:41 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2011-02-27 23:03 . 2008-04-13 18:41 21504 ----a-w- c:\windows\system32\hidserv.dll
2011-02-27 23:03 . 2008-04-13 13:15 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2011-02-27 23:03 . 2008-04-13 13:15 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2011-02-27 22:11 . 2011-03-01 22:07 -------- d-----w- c:\documents and settings\Administrator\Application Data\UltraVNC
2011-02-25 05:55 . 2011-03-01 22:49 -------- d-----w- c:\program files\ultravnc(NewButRemoved)
2011-02-25 05:45 . 2011-02-25 05:49 95568 ----a-w- c:\windows\system32\vetredir.dll
2011-02-25 05:45 . 2011-02-25 05:49 128336 ----a-w- c:\windows\system32\isafeif.dll
2011-02-25 05:44 . 2011-02-25 05:45 -------- d-----w- c:\program files\CA
2011-02-25 05:40 . 2011-02-25 05:49 -------- d-----w- c:\documents and settings\All Users\Application Data\CA
2011-02-25 03:27 . 2011-02-25 03:27 1445888 ----a-w- c:\documents and settings\Administrator\DesktopWinsockxpFix.exe
2011-02-25 03:26 . 2011-02-25 03:26 186368 ----a-w- c:\documents and settings\Administrator\DesktopLSPFix.exe
2011-02-25 03:26 . 2011-02-25 03:26 36864 ----a-w- c:\documents and settings\Administrator\DesktopSafeMSI.exe
2011-02-24 03:58 . 2011-02-24 03:58 73728 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{006DEADE-E12E-4DA0-AB65-134F0DE9AF9A}\NewShortcut6_FA22C8B36029437A9646719DBA760EAE.exe
2011-02-24 03:58 . 2011-02-24 03:58 73728 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{006DEADE-E12E-4DA0-AB65-134F0DE9AF9A}\NewShortcut4_FA22C8B36029437A9646719DBA760EAE.exe
2011-02-24 03:58 . 2011-02-24 03:58 143360 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{006DEADE-E12E-4DA0-AB65-134F0DE9AF9A}\NewShortcut5_FA22C8B36029437A9646719DBA760EAE.exe
2011-02-24 03:58 . 2011-02-24 03:58 143360 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{006DEADE-E12E-4DA0-AB65-134F0DE9AF9A}\ARPPRODUCTICON.exe
2011-02-24 03:58 . 2011-02-24 03:58 -------- d-----w- c:\program files\Electric Rain
2011-02-24 03:56 . 2011-02-24 03:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\Notepad++
2011-02-24 03:56 . 2011-02-24 03:56 -------- d-----w- c:\program files\Notepad++
2011-02-24 03:54 . 2011-02-24 03:54 -------- d-----w- c:\program files\Serena Software Inc
2011-02-24 03:41 . 2011-02-24 03:41 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Ahead
2011-02-24 03:35 . 2011-02-24 03:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\Ahead
2011-02-24 03:35 . 2011-02-24 03:35 -------- d-----w- c:\program files\Common Files\Ahead
2011-02-24 03:35 . 2011-02-24 03:35 -------- d-----w- c:\program files\Nero
2011-02-24 01:36 . 2009-07-23 03:08 50200 ----a-w- c:\windows\system32\perf-SQLAgent$SQLEXPRESS-sqlagtctr10.1.2531.0.dll
2011-02-24 01:36 . 2009-07-23 03:08 79896 ----a-w- c:\windows\system32\perf-MSSQL$SQLEXPRESS-sqlctr10.1.2531.0.dll
2011-02-24 01:36 . 2011-02-24 01:36 -------- d-----w- c:\windows\system32\RsFx
2011-02-24 01:33 . 2011-02-24 01:36 -------- d-----w- c:\program files\Microsoft SQL Server
2011-02-24 01:33 . 2011-02-24 01:33 -------- d-----w- c:\program files\Microsoft Sync Framework
2011-02-24 01:33 . 2011-02-24 01:33 -------- d-----w- c:\program files\Microsoft Synchronization Services
2011-02-24 01:33 . 2011-02-24 01:33 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2011-02-24 01:33 . 2011-02-24 01:33 -------- d-----w- c:\documents and settings\All Users\Application Data\PreEmptive Solutions
2011-02-24 01:31 . 2011-02-24 01:31 -------- d-----w- c:\program files\Microsoft ASP.NET
2011-02-24 01:31 . 2011-02-24 01:31 -------- d-----w- c:\program files\IIS
2011-02-24 01:30 . 2011-02-24 01:30 18368 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VSA\9.0\1033\ResourceCache.dll
2011-02-24 01:30 . 2011-02-24 01:39 2377696 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VisualStudio\10.0\1033\ResourceCache.dll
2011-02-24 01:25 . 2011-02-24 01:25 -------- d-----w- c:\windows\symbols
2011-02-24 01:25 . 2011-02-24 01:28 -------- d-----w- c:\program files\Microsoft F#
2011-02-24 01:25 . 2011-02-24 01:26 -------- d-----w- c:\program files\HTML Help Workshop
2011-02-24 01:25 . 2011-02-24 01:33 -------- d-----w- c:\program files\Microsoft Visual Studio 10.0
2011-02-24 01:25 . 2011-02-24 01:28 -------- d-----w- c:\program files\Common Files\Merge Modules
2011-02-24 01:25 . 2011-02-24 01:25 -------- d-----w- c:\program files\Microsoft Help Viewer
2011-02-24 00:31 . 2011-02-24 00:31 -------- d-----w- c:\program files\Common Files\Control Panels
2011-02-24 00:16 . 2011-02-24 00:48 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2011-02-24 00:12 . 2011-02-24 00:12 -------- d-----w- c:\program files\MagicISO
2011-02-23 01:22 . 2011-02-23 01:22 -------- d-----w- c:\documents and settings\All Users\Application Data\ALM
2011-02-23 01:22 . 2011-02-23 01:22 -------- d-----w- c:\program files\Bonjour
2011-02-23 01:17 . 2011-02-23 01:17 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2011-02-23 00:11 . 2011-02-23 00:11 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Qurb4
2011-02-22 23:53 . 2011-02-22 23:53 -------- d-----w- c:\program files\PowerISO
2011-02-22 23:35 . 2011-02-22 23:35 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2011-02-22 23:32 . 2003-08-27 04:35 50152 ----a-w- c:\program files\Windows NT\Accessories\ImageVue\wangimg.exe
2011-02-22 23:32 . 2003-08-27 04:35 50152 ----a-w- c:\program files\Windows NT\Accessories\ImageVue\kodakimg.exe
2011-02-22 23:32 . 2011-02-22 23:32 -------- d-----w- c:\program files\Imaging
2011-02-22 23:32 . 1997-12-17 09:33 304128 ----a-w- c:\windows\IsUninst.exe
2011-02-22 23:30 . 2011-02-25 04:26 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Temp
2011-02-22 23:30 . 2011-02-22 23:30 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2011-02-22 23:30 . 2011-02-28 22:35 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2011-02-22 23:30 . 2011-02-22 23:30 -------- d-----w- c:\program files\Google
2011-02-22 23:14 . 2011-02-22 23:14 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2011-02-22 23:13 . 2011-02-22 23:13 -------- d-----w- c:\program files\GetRight
2011-02-22 22:44 . 2011-02-22 22:44 -------- d-----w- c:\program files\Mach5 Mailer 4
2011-02-22 21:43 . 2011-02-22 21:43 -------- d-----w- c:\program files\InstantDemo
2011-02-22 05:41 . 2011-03-08 23:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\FileZilla
2011-02-22 05:41 . 2011-02-22 05:41 -------- d-----w- c:\program files\FileZilla FTP Client
2011-02-22 01:17 . 2011-02-22 01:17 -------- d-----w- c:\program files\Common Files\Corel
2011-02-22 01:12 . 2011-02-22 01:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Protexis
2011-02-22 01:12 . 2011-02-22 01:12 -------- d-----w- c:\documents and settings\Administrator\Application Data\Corel
2011-02-22 01:08 . 2011-02-22 01:11 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Axialis
2011-02-22 01:08 . 2011-02-22 01:08 -------- d-----w- c:\program files\My Company Name
2011-02-22 00:37 . 2011-02-22 00:37 348256 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VSTAHost\CorelPHOTOPAINT\9.0\1033\ResourceCache.dll
2011-02-22 00:37 . 2011-02-22 00:37 348256 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VSTAHost\CorelDRAW\9.0\1033\ResourceCache.dll
2011-02-22 00:36 . 2011-02-22 00:36 416 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\MSDN\9.0\1033\ResourceCache.dll
2011-02-22 00:35 . 2011-02-24 01:32 -------- d-----w- c:\program files\Microsoft SDKs
2011-02-22 00:35 . 2011-02-22 00:35 -------- d-----w- c:\program files\Microsoft Visual Studio 9.0
2011-02-22 00:34 . 2011-02-22 00:34 -------- d-----w- c:\program files\Common Files\Protexis
2011-02-22 00:34 . 2011-02-22 01:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Corel
2011-02-22 00:29 . 2011-02-22 00:29 -------- d-----w- c:\program files\Corel
2011-02-22 00:13 . 2011-02-22 00:13 -------- d-----w- c:\documents and settings\Administrator\log
2011-02-21 05:37 . 2011-02-21 05:55 -------- d-----w- c:\windows\Internet Logs
2011-02-21 05:37 . 2007-01-31 03:45 101904 ----a-w- c:\windows\system32\dneinobj.dll
2011-02-21 05:37 . 2007-01-31 03:45 127376 ----a-w- c:\windows\system32\drivers\dne2000.sys
2011-02-21 05:36 . 2011-02-21 05:36 -------- d-----w- c:\program files\Cisco Systems
2011-02-21 05:23 . 2011-02-21 05:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Network Automation
2011-02-21 05:23 . 2011-02-21 05:24 -------- d-----w- c:\program files\AutoMate 5
2011-02-21 05:23 . 2011-02-21 05:23 210000 ----a-w- c:\windows\system32\amsco32.dll
2011-02-21 05:10 . 2011-02-21 05:10 -------- d-----w- c:\documents and settings\Administrator\WINDOWS
2011-02-18 17:00 . 2011-02-18 17:00 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2011-02-18 17:00 . 2011-02-18 17:00 -------- d-----w- c:\program files\MSXML 4.0
2011-02-18 11:43 . 2007-12-12 23:13 25 ----a-w- C:\testtask.bat
2011-02-18 08:54 . 2006-10-27 00:12 339968 ----a-w- c:\windows\system32\hpbicoin.dll
2011-02-18 08:46 . 2011-03-04 04:32 -------- d-----w- c:\documents and settings\Administrator\Application Data\Eqpy
2011-02-18 07:45 . 2009-10-12 01:40 63 ----a-w- C:\reminder_timesheet.bat
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-09 13:53 . 2008-04-14 07:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2008-04-14 07:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-07 05:05 . 2011-02-07 05:05 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-07 05:05 . 2011-02-07 05:05 411368 ----a-w- c:\windows\system32\deploytk.dll
2011-02-02 07:58 . 2011-02-07 03:55 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2011-02-07 03:55 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2008-04-14 07:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2008-04-14 07:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2008-04-14 07:00 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2008-04-14 07:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59 . 2008-04-14 07:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59 . 2008-04-14 07:00 43520 ------w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59 . 2008-04-14 07:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26 . 2008-04-14 07:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2008-04-14 07:00 385024 ------w- c:\windows\system32\html.iec
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-10-09 139264]
"DIMDownloading your update...1285781003180"="c:\program files\Corel\CorelDRAW Graphics Suite X5\PHOTO-PAINT\DIM.exe" [2010-05-21 95592]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2011-02-28 2356088]
"pronto"="c:\program files\Wimba\Pronto\pronto.exe" [2010-04-13 15319688]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-20 282624]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-09-23 1657448]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-09-27 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-09-27 13918208]
"AutoMate5"="c:\program files\AutoMate 5\AM5HkWnd.exe" [2005-06-27 2859520]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-14 623992]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
apnuh.exe [2011-3-4 232960]
ocdet.exe [2011-3-4 232960]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
CUSTOMER HELPDESK.lnk - c:\program files\UltraVNC\vncviewer.exe [2011-3-7 749568]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-18 65588]
Timesheet Assistant.lnk - c:\software\TimesheetAssistant.exe [2011-2-18 301709]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2011-2-23 118784]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
2009-03-27 04:27 79368 ----a-w- c:\windows\system32\UmxWNP.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\UmxSbxExw.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Electric Rain\\Swift 3D\\Version 4.50\\Program\\Swift3D.exe"=
"c:\\Program Files\\UltraVNC\\winvnc.exe"=
"c:\\Program Files\\UltraVNC\\vncviewer.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
"5900:TCP"= 5900:TCP:vnc5900
"5800:TCP"= 5800:TCP:vnc5800
.
R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [8/06/2009 10:02 AM 108024]
R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [23/12/2009 11:29 AM 78840]
R2 uvnc_service;uvnc_service;c:\program files\UltraVNC\winvnc.exe [7/03/2011 3:03 PM 712704]
R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [30/09/2009 4:51 PM 239608]
R3 mv2;mv2;c:\windows\system32\drivers\mv2.sys [17/02/2011 5:09 PM 10688]
S0 cerc6;cerc6; [x]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 1:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [23/02/2011 10:30 AM 136176]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [14/04/2008 6:00 PM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 1:16 PM 753504]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [23/07/2009 2:08 PM 47128]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [30/03/2009 3:09 AM 239336]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [30/03/2009 3:23 AM 366936]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-22 23:30]
.
2011-03-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-22 23:30]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
uInternet Connection Wizard,ShellNext = hxxp://www.nitropdf.com/services/LinkRedirector.aspx?lr_prod=Primo&lr_name=welcome&lr_loc=en-US&lr_src=primo&name=&email=&company=&language=1033
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Download with GetRight - c:\program files\GetRight\GRdownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Open With GetRight Browser - c:\program files\GetRight\GRbrowse.htm
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0flgfuuu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: IE Tab 2 (FF 3.6+): {1BC9BA34-1EED-42ca-A505-6D2F1A935BBB} - %profile%\extensions\{1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: New Tab Homepage: {66E978CD-981F-47DF-AC42-E3CF417C1467} - %profile%\extensions\{66E978CD-981F-47DF-AC42-E3CF417C1467}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{0123B506-0AD9-43AA-B0CF-916C122AD4C5} - (no file)
HKLM-Run-cctray - c:\program files\CA\CA Internet Security Suite\casc.exe
HKLM-Run-capfupgrade - c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-10 17:04
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD50 rev.12.0 -> Harddisk0\DR0 -> \Device\Ide\iaStor0
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A416439]<<
c:\docume~1\ADMINI~1\LOCALS~1\Temp\catchme.sys
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a41c7b8]; MOV EAX, [0x8a41c834]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8ADC8030]
3 CLASSPNP[0xB80E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8ADF9168]
\Driver\iastor[0x8ADC6780] -> IRP_MJ_CREATE -> 0x8A416439
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x132; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IAAStorageDevice-1 -> \??\IDE#DiskWDC_WD5000AAKS-75TMA0___________________12.01C01#4&d9859c0&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user != kernel MBR !!!
sectors 976773166 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1659004503-2077806209-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,42,b6,a2,4f,ba,8c,f4,4f,9c,1c,bf,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,42,b6,a2,4f,ba,8c,f4,4f,9c,1c,bf,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(760)
c:\windows\system32\WININET.dll
c:\windows\system32\UmxWnp.Dll
c:\windows\system32\msi.dll
.
- - - - - - - > 'lsass.exe'(820)
c:\windows\system32\WININET.dll
.
Completion time: 2011-03-10 17:09:07
ComboFix-quarantined-files.txt 2011-03-10 06:09
ComboFix2.txt 2011-01-31 03:14
.
Pre-Run: 201,751,060,480 bytes free
Post-Run: 204,315,676,672 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - F721AB54247022C611F7D00FFB5D49D3

#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
    •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:06:28 PM

Posted 10 March 2011 - 07:46 AM

Hi

Please do the following:


Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)


NEXT

Please re-run ComboFix (allow it to update if it requests to do so) post the resulting log.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015

#5 Stanbridge

Stanbridge
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
    •  
  • Local time:08:28 AM

Posted 10 March 2011 - 05:47 PM

TDSKiller and ComboFix logs below. When I ran ComboFix (after TDSKiller) it popped up a message saying it "Detected presence of rootkit and needs to restart". On clicking OK, it restarted and then completed "completing it's stages". Probably normal sequence here, just mentioning it in case it's of any significance.

Thanks again!


TDS Killer
2011/03/11 08:52:25.0671 1916 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/03/11 08:52:26.0218 1916 ================================================================================
2011/03/11 08:52:26.0218 1916 SystemInfo:
2011/03/11 08:52:26.0218 1916
2011/03/11 08:52:26.0218 1916 OS Version: 5.1.2600 ServicePack: 3.0
2011/03/11 08:52:26.0218 1916 Product type: Workstation
2011/03/11 08:52:26.0218 1916 ComputerName: CHRIS-JACKS
2011/03/11 08:52:26.0218 1916 UserName: Administrator
2011/03/11 08:52:26.0218 1916 Windows directory: C:\WINDOWS
2011/03/11 08:52:26.0218 1916 System windows directory: C:\WINDOWS
2011/03/11 08:52:26.0218 1916 Processor architecture: Intel x86
2011/03/11 08:52:26.0218 1916 Number of processors: 4
2011/03/11 08:52:26.0218 1916 Page size: 0x1000
2011/03/11 08:52:26.0218 1916 Boot type: Normal boot
2011/03/11 08:52:26.0218 1916 ================================================================================
2011/03/11 08:52:26.0343 1916 Initialize success
2011/03/11 08:52:59.0312 2076 ================================================================================
2011/03/11 08:52:59.0312 2076 Scan started
2011/03/11 08:52:59.0312 2076 Mode: Manual;
2011/03/11 08:52:59.0312 2076 ================================================================================
2011/03/11 08:52:59.0921 2076 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/03/11 08:52:59.0968 2076 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/03/11 08:53:00.0015 2076 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/03/11 08:53:00.0093 2076 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/03/11 08:53:00.0218 2076 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/03/11 08:53:00.0250 2076 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\drivers\atapi.sys
2011/03/11 08:53:00.0265 2076 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/03/11 08:53:00.0343 2076 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/03/11 08:53:00.0406 2076 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/03/11 08:53:00.0484 2076 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/03/11 08:53:00.0531 2076 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/03/11 08:53:00.0531 2076 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/03/11 08:53:00.0546 2076 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/03/11 08:53:00.0671 2076 CVirtA (b5ecadf7708960f1818c7fa015f4c239) C:\WINDOWS\system32\DRIVERS\CVirtA.sys
2011/03/11 08:53:00.0703 2076 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/03/11 08:53:00.0765 2076 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/03/11 08:53:00.0796 2076 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/03/11 08:53:00.0843 2076 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/03/11 08:53:00.0859 2076 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/03/11 08:53:00.0875 2076 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/03/11 08:53:00.0921 2076 e1express (17aaca24903e6d5faece3c35de01d3dd) C:\WINDOWS\system32\DRIVERS\e1e5132.sys
2011/03/11 08:53:00.0984 2076 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/03/11 08:53:01.0015 2076 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2011/03/11 08:53:01.0031 2076 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/03/11 08:53:01.0046 2076 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/03/11 08:53:01.0078 2076 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2011/03/11 08:53:01.0093 2076 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/03/11 08:53:01.0140 2076 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/03/11 08:53:01.0140 2076 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/03/11 08:53:01.0156 2076 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/03/11 08:53:01.0171 2076 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/03/11 08:53:01.0250 2076 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/03/11 08:53:01.0296 2076 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\drivers\i8042prt.sys
2011/03/11 08:53:01.0375 2076 iastor (d483687eace0c065ee772481a96e05f5) C:\WINDOWS\system32\drivers\iastor.sys
2011/03/11 08:53:01.0375 2076 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/03/11 08:53:01.0437 2076 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/03/11 08:53:01.0484 2076 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2011/03/11 08:53:01.0500 2076 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/03/11 08:53:01.0515 2076 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/03/11 08:53:01.0546 2076 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/03/11 08:53:01.0562 2076 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/03/11 08:53:01.0609 2076 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/03/11 08:53:01.0625 2076 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/03/11 08:53:01.0671 2076 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/03/11 08:53:01.0703 2076 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/03/11 08:53:01.0750 2076 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/03/11 08:53:01.0796 2076 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/03/11 08:53:01.0859 2076 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/03/11 08:53:01.0875 2076 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/03/11 08:53:01.0890 2076 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/03/11 08:53:01.0906 2076 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/03/11 08:53:01.0906 2076 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/03/11 08:53:01.0921 2076 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/03/11 08:53:01.0968 2076 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/03/11 08:53:02.0000 2076 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/03/11 08:53:02.0031 2076 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/03/11 08:53:02.0062 2076 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/03/11 08:53:02.0078 2076 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/03/11 08:53:02.0093 2076 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/03/11 08:53:02.0109 2076 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/03/11 08:53:02.0156 2076 mv2 (a0f0b16316276017e682410b5612a707) C:\WINDOWS\system32\DRIVERS\mv2.sys
2011/03/11 08:53:02.0171 2076 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/03/11 08:53:02.0171 2076 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/03/11 08:53:02.0187 2076 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/03/11 08:53:02.0203 2076 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/03/11 08:53:02.0265 2076 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/03/11 08:53:02.0281 2076 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/03/11 08:53:02.0296 2076 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/03/11 08:53:02.0312 2076 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/03/11 08:53:02.0343 2076 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/03/11 08:53:02.0406 2076 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/03/11 08:53:02.0640 2076 nv (4c3696c1ed1a36629ebb348bf745a328) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/03/11 08:53:02.0843 2076 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/03/11 08:53:02.0843 2076 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/03/11 08:53:02.0890 2076 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
2011/03/11 08:53:02.0906 2076 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/03/11 08:53:02.0937 2076 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/03/11 08:53:02.0953 2076 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/03/11 08:53:03.0015 2076 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/03/11 08:53:03.0078 2076 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/03/11 08:53:03.0093 2076 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/03/11 08:53:03.0171 2076 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/03/11 08:53:03.0218 2076 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/03/11 08:53:03.0234 2076 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/03/11 08:53:03.0250 2076 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/03/11 08:53:03.0250 2076 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/03/11 08:53:03.0265 2076 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/03/11 08:53:03.0281 2076 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/03/11 08:53:03.0328 2076 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/03/11 08:53:03.0359 2076 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/03/11 08:53:03.0437 2076 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/03/11 08:53:03.0515 2076 RsFx0103 (fd692c6ffade58f7c4c3c3c9a0ec35bd) C:\WINDOWS\system32\DRIVERS\RsFx0103.sys
2011/03/11 08:53:03.0593 2076 SCDEmu (ee7a1b6e155258288d99be61190e1112) C:\WINDOWS\system32\drivers\SCDEmu.sys
2011/03/11 08:53:03.0625 2076 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/03/11 08:53:03.0640 2076 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
2011/03/11 08:53:03.0703 2076 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/03/11 08:53:03.0781 2076 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/03/11 08:53:03.0828 2076 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/03/11 08:53:03.0859 2076 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/03/11 08:53:03.0921 2076 STHDA (797fcc1d859b203958e915bb82528da9) C:\WINDOWS\system32\drivers\sthda.sys
2011/03/11 08:53:03.0937 2076 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/03/11 08:53:03.0953 2076 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/03/11 08:53:04.0031 2076 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/03/11 08:53:04.0078 2076 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/03/11 08:53:04.0093 2076 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/03/11 08:53:04.0109 2076 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/03/11 08:53:04.0109 2076 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/03/11 08:53:04.0218 2076 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/03/11 08:53:04.0265 2076 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/03/11 08:53:04.0359 2076 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/03/11 08:53:04.0406 2076 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/03/11 08:53:04.0421 2076 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/03/11 08:53:04.0468 2076 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/03/11 08:53:04.0515 2076 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/03/11 08:53:04.0531 2076 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/03/11 08:53:04.0546 2076 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/03/11 08:53:04.0562 2076 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/03/11 08:53:04.0640 2076 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/03/11 08:53:04.0703 2076 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2011/03/11 08:53:04.0750 2076 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/03/11 08:53:04.0765 2076 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/03/11 08:53:04.0812 2076 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/03/11 08:53:04.0812 2076 ================================================================================
2011/03/11 08:53:04.0812 2076 Scan finished
2011/03/11 08:53:04.0812 2076 ================================================================================
2011/03/11 08:53:04.0812 3984 Detected object count: 1
2011/03/11 08:53:25.0062 3984 \HardDisk0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/03/11 08:53:25.0062 3984 \HardDisk0 - ok
2011/03/11 08:53:25.0062 3984 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2011/03/11 08:54:00.0000 3752 Deinitialize success




ComboFix
ComboFix 11-03-10.01 - Administrator 11/03/2011 9:08.2.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2643 [GMT 11:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
FW: CA Personal Firewall *Disabled* {38102F93-1B6E-4922-90E1-A35D8DC6DAA3}
.
.
((((((((((((((((((((((((( Files Created from 2011-02-10 to 2011-03-10 )))))))))))))))))))))))))))))))
.
.
2011-03-04 03:06 . 2011-03-04 03:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-03-04 03:06 . 2010-12-20 07:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-04 03:06 . 2011-03-04 03:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-03-04 03:06 . 2011-03-04 03:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-04 03:06 . 2010-12-20 07:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-04 03:03 . 2011-03-04 03:04 36744 ----a-w- c:\windows\system32\msdnldr.exe
2011-03-04 03:00 . 2011-03-04 03:00 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-03-04 03:00 . 2011-03-04 03:00 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-03-01 23:39 . 2011-03-07 04:05 -------- d-----w- c:\program files\UltraVNC
2011-03-01 23:29 . 2011-03-01 23:29 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Installer3224
2011-03-01 23:19 . 2011-03-01 23:19 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Installer3280
2011-03-01 04:56 . 1999-03-11 16:44 3080237 ----a-w- c:\windows\system32\Msowc.dll
2011-03-01 04:24 . 2011-03-01 04:24 -------- d-----w- c:\program files\Cityscope Publications
2011-03-01 04:23 . 1998-11-12 18:25 74000 ----a-w- c:\program files\Common Files\Microsoft Shared\Database Replication\REPLRES.DLL
2011-03-01 04:23 . 1998-11-12 18:25 127248 ----a-w- c:\program files\Common Files\Microsoft Shared\Database Replication\REPLREC.DLL
2011-03-01 04:23 . 1998-11-12 18:25 213264 ----a-w- c:\program files\Common Files\Microsoft Shared\Database Replication\REPLPROV.DLL
2011-03-01 04:23 . 1998-06-30 08:26 53760 ----a-w- c:\program files\Common Files\Microsoft Shared\MSDesigners98\Resources\1033\MDT2QDUI.DLL
2011-03-01 04:23 . 1998-06-30 08:26 56832 ----a-w- c:\program files\Common Files\Microsoft Shared\MSDesigners98\Resources\1033\MDT2DBUI.DLL
2011-03-01 04:23 . 1998-06-30 08:26 14336 ----a-w- c:\program files\Common Files\Microsoft Shared\MSDesigners98\Resources\1033\MDT2DDUI.DLL
2011-03-01 04:23 . 1998-03-13 07:22 20080 ----a-w- c:\windows\system32\WINSSPI.DLL
2011-03-01 04:23 . 1998-08-31 04:05 32768 ----a-w- c:\windows\system32\hlinkprx.dll
2011-03-01 04:23 . 1998-04-03 08:12 68080 ----a-w- c:\windows\system32\DIMM.DLL
2011-03-01 04:22 . 2011-03-01 04:23 -------- d-----w- c:\program files\Snapshot Viewer
2011-03-01 04:22 . 1997-08-18 13:00 31744 ----a-w- c:\windows\system32\hlp95en.dll
2011-03-01 02:03 . 2011-03-01 02:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\PrimoPDF
2011-02-28 04:48 . 2008-04-14 07:00 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2011-02-28 04:31 . 2011-03-02 03:04 -------- d-----w- c:\program files\PeerBlock
2011-02-28 03:59 . 2011-02-28 03:59 -------- d-----w- c:\documents and settings\Administrator\Application Data\HorizonWimba
2011-02-28 03:56 . 2011-02-28 03:56 -------- d-----w- c:\program files\Wimba
2011-02-28 03:00 . 2011-02-28 03:00 -------- d-----w- c:\windows\Sun
2011-02-27 23:03 . 2008-04-13 18:41 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2011-02-27 23:03 . 2008-04-13 18:41 21504 ----a-w- c:\windows\system32\hidserv.dll
2011-02-27 23:03 . 2008-04-13 13:15 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2011-02-27 23:03 . 2008-04-13 13:15 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2011-02-27 22:11 . 2011-03-01 22:07 -------- d-----w- c:\documents and settings\Administrator\Application Data\UltraVNC
2011-02-25 05:55 . 2011-03-01 22:49 -------- d-----w- c:\program files\ultravnc(NewButRemoved)
2011-02-25 05:45 . 2011-02-25 05:49 95568 ----a-w- c:\windows\system32\vetredir.dll
2011-02-25 05:45 . 2011-02-25 05:49 128336 ----a-w- c:\windows\system32\isafeif.dll
2011-02-25 05:44 . 2011-02-25 05:45 -------- d-----w- c:\program files\CA
2011-02-25 05:40 . 2011-02-25 05:49 -------- d-----w- c:\documents and settings\All Users\Application Data\CA
2011-02-25 03:27 . 2011-02-25 03:27 1445888 ----a-w- c:\documents and settings\Administrator\DesktopWinsockxpFix.exe
2011-02-25 03:26 . 2011-02-25 03:26 186368 ----a-w- c:\documents and settings\Administrator\DesktopLSPFix.exe
2011-02-25 03:26 . 2011-02-25 03:26 36864 ----a-w- c:\documents and settings\Administrator\DesktopSafeMSI.exe
2011-02-24 03:58 . 2011-02-24 03:58 73728 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{006DEADE-E12E-4DA0-AB65-134F0DE9AF9A}\NewShortcut6_FA22C8B36029437A9646719DBA760EAE.exe
2011-02-24 03:58 . 2011-02-24 03:58 73728 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{006DEADE-E12E-4DA0-AB65-134F0DE9AF9A}\NewShortcut4_FA22C8B36029437A9646719DBA760EAE.exe
2011-02-24 03:58 . 2011-02-24 03:58 143360 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{006DEADE-E12E-4DA0-AB65-134F0DE9AF9A}\NewShortcut5_FA22C8B36029437A9646719DBA760EAE.exe
2011-02-24 03:58 . 2011-02-24 03:58 143360 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{006DEADE-E12E-4DA0-AB65-134F0DE9AF9A}\ARPPRODUCTICON.exe
2011-02-24 03:58 . 2011-02-24 03:58 -------- d-----w- c:\program files\Electric Rain
2011-02-24 03:56 . 2011-02-24 03:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\Notepad++
2011-02-24 03:56 . 2011-02-24 03:56 -------- d-----w- c:\program files\Notepad++
2011-02-24 03:54 . 2011-02-24 03:54 -------- d-----w- c:\program files\Serena Software Inc
2011-02-24 03:41 . 2011-02-24 03:41 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Ahead
2011-02-24 03:35 . 2011-02-24 03:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\Ahead
2011-02-24 03:35 . 2011-02-24 03:35 -------- d-----w- c:\program files\Common Files\Ahead
2011-02-24 03:35 . 2011-02-24 03:35 -------- d-----w- c:\program files\Nero
2011-02-24 01:36 . 2009-07-23 03:08 50200 ----a-w- c:\windows\system32\perf-SQLAgent$SQLEXPRESS-sqlagtctr10.1.2531.0.dll
2011-02-24 01:36 . 2009-07-23 03:08 79896 ----a-w- c:\windows\system32\perf-MSSQL$SQLEXPRESS-sqlctr10.1.2531.0.dll
2011-02-24 01:36 . 2011-02-24 01:36 -------- d-----w- c:\windows\system32\RsFx
2011-02-24 01:33 . 2011-02-24 01:36 -------- d-----w- c:\program files\Microsoft SQL Server
2011-02-24 01:33 . 2011-02-24 01:33 -------- d-----w- c:\program files\Microsoft Sync Framework
2011-02-24 01:33 . 2011-02-24 01:33 -------- d-----w- c:\program files\Microsoft Synchronization Services
2011-02-24 01:33 . 2011-02-24 01:33 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2011-02-24 01:33 . 2011-02-24 01:33 -------- d-----w- c:\documents and settings\All Users\Application Data\PreEmptive Solutions
2011-02-24 01:31 . 2011-02-24 01:31 -------- d-----w- c:\program files\Microsoft ASP.NET
2011-02-24 01:31 . 2011-02-24 01:31 -------- d-----w- c:\program files\IIS
2011-02-24 01:30 . 2011-02-24 01:30 18368 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VSA\9.0\1033\ResourceCache.dll
2011-02-24 01:30 . 2011-02-24 01:39 2377696 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VisualStudio\10.0\1033\ResourceCache.dll
2011-02-24 01:25 . 2011-02-24 01:25 -------- d-----w- c:\windows\symbols
2011-02-24 01:25 . 2011-02-24 01:28 -------- d-----w- c:\program files\Microsoft F#
2011-02-24 01:25 . 2011-02-24 01:26 -------- d-----w- c:\program files\HTML Help Workshop
2011-02-24 01:25 . 2011-02-24 01:33 -------- d-----w- c:\program files\Microsoft Visual Studio 10.0
2011-02-24 01:25 . 2011-02-24 01:28 -------- d-----w- c:\program files\Common Files\Merge Modules
2011-02-24 01:25 . 2011-02-24 01:25 -------- d-----w- c:\program files\Microsoft Help Viewer
2011-02-24 00:31 . 2011-02-24 00:31 -------- d-----w- c:\program files\Common Files\Control Panels
2011-02-24 00:16 . 2011-02-24 00:48 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2011-02-24 00:12 . 2011-02-24 00:12 -------- d-----w- c:\program files\MagicISO
2011-02-23 01:22 . 2011-02-23 01:22 -------- d-----w- c:\documents and settings\All Users\Application Data\ALM
2011-02-23 01:22 . 2011-02-23 01:22 -------- d-----w- c:\program files\Bonjour
2011-02-23 01:17 . 2011-02-23 01:17 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2011-02-23 00:11 . 2011-02-23 00:11 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Qurb4
2011-02-22 23:53 . 2011-02-22 23:53 -------- d-----w- c:\program files\PowerISO
2011-02-22 23:35 . 2011-02-22 23:35 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2011-02-22 23:32 . 2003-08-27 04:35 50152 ----a-w- c:\program files\Windows NT\Accessories\ImageVue\wangimg.exe
2011-02-22 23:32 . 2003-08-27 04:35 50152 ----a-w- c:\program files\Windows NT\Accessories\ImageVue\kodakimg.exe
2011-02-22 23:32 . 2011-02-22 23:32 -------- d-----w- c:\program files\Imaging
2011-02-22 23:32 . 1997-12-17 09:33 304128 ----a-w- c:\windows\IsUninst.exe
2011-02-22 23:30 . 2011-02-25 04:26 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Temp
2011-02-22 23:30 . 2011-02-22 23:30 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2011-02-22 23:30 . 2011-02-28 22:35 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2011-02-22 23:30 . 2011-02-22 23:30 -------- d-----w- c:\program files\Google
2011-02-22 23:14 . 2011-02-22 23:14 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2011-02-22 23:13 . 2011-02-22 23:13 -------- d-----w- c:\program files\GetRight
2011-02-22 22:44 . 2011-02-22 22:44 -------- d-----w- c:\program files\Mach5 Mailer 4
2011-02-22 21:43 . 2011-02-22 21:43 -------- d-----w- c:\program files\InstantDemo
2011-02-22 05:41 . 2011-03-08 23:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\FileZilla
2011-02-22 05:41 . 2011-02-22 05:41 -------- d-----w- c:\program files\FileZilla FTP Client
2011-02-22 01:17 . 2011-02-22 01:17 -------- d-----w- c:\program files\Common Files\Corel
2011-02-22 01:12 . 2011-02-22 01:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Protexis
2011-02-22 01:12 . 2011-02-22 01:12 -------- d-----w- c:\documents and settings\Administrator\Application Data\Corel
2011-02-22 01:08 . 2011-02-22 01:11 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Axialis
2011-02-22 01:08 . 2011-02-22 01:08 -------- d-----w- c:\program files\My Company Name
2011-02-22 00:37 . 2011-02-22 00:37 348256 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VSTAHost\CorelPHOTOPAINT\9.0\1033\ResourceCache.dll
2011-02-22 00:37 . 2011-02-22 00:37 348256 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VSTAHost\CorelDRAW\9.0\1033\ResourceCache.dll
2011-02-22 00:36 . 2011-02-22 00:36 416 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\MSDN\9.0\1033\ResourceCache.dll
2011-02-22 00:35 . 2011-02-24 01:32 -------- d-----w- c:\program files\Microsoft SDKs
2011-02-22 00:35 . 2011-02-22 00:35 -------- d-----w- c:\program files\Microsoft Visual Studio 9.0
2011-02-22 00:34 . 2011-02-22 00:34 -------- d-----w- c:\program files\Common Files\Protexis
2011-02-22 00:34 . 2011-02-22 01:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Corel
2011-02-22 00:29 . 2011-02-22 00:29 -------- d-----w- c:\program files\Corel
2011-02-22 00:13 . 2011-02-22 00:13 -------- d-----w- c:\documents and settings\Administrator\log
2011-02-21 05:37 . 2011-02-21 05:55 -------- d-----w- c:\windows\Internet Logs
2011-02-21 05:37 . 2007-01-31 03:45 101904 ----a-w- c:\windows\system32\dneinobj.dll
2011-02-21 05:37 . 2007-01-31 03:45 127376 ----a-w- c:\windows\system32\drivers\dne2000.sys
2011-02-21 05:36 . 2011-02-21 05:36 -------- d-----w- c:\program files\Cisco Systems
2011-02-21 05:23 . 2011-02-21 05:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Network Automation
2011-02-21 05:23 . 2011-02-21 05:24 -------- d-----w- c:\program files\AutoMate 5
2011-02-21 05:23 . 2011-02-21 05:23 210000 ----a-w- c:\windows\system32\amsco32.dll
2011-02-21 05:10 . 2011-02-21 05:10 -------- d-----w- c:\documents and settings\Administrator\WINDOWS
2011-02-18 17:00 . 2011-02-18 17:00 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2011-02-18 17:00 . 2011-02-18 17:00 -------- d-----w- c:\program files\MSXML 4.0
2011-02-18 11:43 . 2007-12-12 23:13 25 ----a-w- C:\testtask.bat
2011-02-18 08:54 . 2006-10-27 00:12 339968 ----a-w- c:\windows\system32\hpbicoin.dll
2011-02-18 08:46 . 2011-03-04 04:32 -------- d-----w- c:\documents and settings\Administrator\Application Data\Eqpy
2011-02-18 07:45 . 2009-10-12 01:40 63 ----a-w- C:\reminder_timesheet.bat
2011-02-18 07:45 . 2008-10-20 22:21 527 ----a-w- C:\Reset.cmd
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-09 13:53 . 2008-04-14 07:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2008-04-14 07:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-07 05:05 . 2011-02-07 05:05 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-07 05:05 . 2011-02-07 05:05 411368 ----a-w- c:\windows\system32\deploytk.dll
2011-02-02 07:58 . 2011-02-07 03:55 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2011-02-07 03:55 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2008-04-14 07:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2008-04-14 07:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2008-04-14 07:00 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2008-04-14 07:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59 . 2008-04-14 07:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59 . 2008-04-14 07:00 43520 ------w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59 . 2008-04-14 07:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26 . 2008-04-14 07:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2008-04-14 07:00 385024 ------w- c:\windows\system32\html.iec
.
.
((((((((((((((((((((((((((((( SnapShot@2011-03-10_06.04.58 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-03-10 22:08 . 2011-03-10 22:08 16384 c:\windows\Temp\Perflib_Perfdata_784.dat
+ 2011-03-07 03:47 . 2011-03-10 16:00 32768 c:\windows\Installer\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}\icon.exe
- 2011-03-07 03:47 . 2011-03-09 16:00 32768 c:\windows\Installer\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}\icon.exe
+ 2011-03-10 21:54 . 2011-03-10 21:54 58672 c:\windows\Installer\{166478EA-A017-43C0-BE42-7560BD5A646B}\ARPPRODUCTICON.exe
- 2011-02-25 05:46 . 2011-02-25 05:46 58672 c:\windows\Installer\{166478EA-A017-43C0-BE42-7560BD5A646B}\ARPPRODUCTICON.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-10-09 139264]
"DIMDownloading your update...1285781003180"="c:\program files\Corel\CorelDRAW Graphics Suite X5\PHOTO-PAINT\DIM.exe" [2010-05-21 95592]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2011-02-28 2356088]
"pronto"="c:\program files\Wimba\Pronto\pronto.exe" [2010-04-13 15319688]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-20 282624]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-09-23 1657448]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-09-27 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-09-27 13918208]
"AutoMate5"="c:\program files\AutoMate 5\AM5HkWnd.exe" [2005-06-27 2859520]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-14 623992]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
apnuh.exe [2011-3-4 232960]
ocdet.exe [2011-3-4 232960]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
CUSTOMER HELPDESK.lnk - c:\program files\UltraVNC\vncviewer.exe [2011-3-7 749568]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-18 65588]
Timesheet Assistant.lnk - c:\software\TimesheetAssistant.exe [2011-2-18 301709]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2011-2-23 118784]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
2009-03-27 04:27 79368 ----a-w- c:\windows\system32\UmxWNP.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\UmxSbxExw.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Electric Rain\\Swift 3D\\Version 4.50\\Program\\Swift3D.exe"=
"c:\\Program Files\\UltraVNC\\winvnc.exe"=
"c:\\Program Files\\UltraVNC\\vncviewer.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
"5900:TCP"= 5900:TCP:vnc5900
"5800:TCP"= 5800:TCP:vnc5800
.
R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [8/06/2009 10:02 AM 108024]
R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [23/12/2009 11:29 AM 78840]
R2 uvnc_service;uvnc_service;c:\program files\UltraVNC\winvnc.exe [7/03/2011 3:03 PM 712704]
R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [30/09/2009 4:51 PM 239608]
R3 mv2;mv2;c:\windows\system32\drivers\mv2.sys [17/02/2011 5:09 PM 10688]
S0 cerc6;cerc6; [x]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 1:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [23/02/2011 10:30 AM 136176]
S2 UmxAgent;HIPS Event Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [4/08/2009 10:42 AM 887288]
S2 UmxPol;HIPS Policy Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe [27/07/2009 3:40 PM 227832]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [14/04/2008 6:00 PM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 1:16 PM 753504]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [23/07/2009 2:08 PM 47128]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [30/03/2009 3:09 AM 239336]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [30/03/2009 3:23 AM 366936]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-22 23:30]
.
2011-03-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-22 23:30]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
uInternet Connection Wizard,ShellNext = hxxp://www.nitropdf.com/services/LinkRedirector.aspx?lr_prod=Primo&lr_name=welcome&lr_loc=en-US&lr_src=primo&name=&email=&company=&language=1033
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Download with GetRight - c:\program files\GetRight\GRdownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Open With GetRight Browser - c:\program files\GetRight\GRbrowse.htm
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0flgfuuu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: IE Tab 2 (FF 3.6+): {1BC9BA34-1EED-42ca-A505-6D2F1A935BBB} - %profile%\extensions\{1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: New Tab Homepage: {66E978CD-981F-47DF-AC42-E3CF417C1467} - %profile%\extensions\{66E978CD-981F-47DF-AC42-E3CF417C1467}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-11 09:23
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1659004503-2077806209-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,42,b6,a2,4f,ba,8c,f4,4f,9c,1c,bf,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,42,b6,a2,4f,ba,8c,f4,4f,9c,1c,bf,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(760)
c:\windows\system32\UmxWnp.Dll
c:\windows\system32\msi.dll
.
Completion time: 2011-03-11 09:27:18
ComboFix-quarantined-files.txt 2011-03-10 22:27
ComboFix2.txt 2011-01-31 03:14
.
Pre-Run: 204,250,701,824 bytes free
Post-Run: 204,249,845,760 bytes free
.
- - End Of File - - 4AFB474B3EE6DA107E698016DA65CACD

#6 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
    •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:06:28 PM

Posted 11 March 2011 - 09:18 AM

Hi,

Please do the following:
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

http://www.bleepingcomputer.com/forums/topic384186.html/page__view__findpost__p__2164271

Folder::
c:\documents and settings\Administrator\Application Data\Eqpy

Collect::
c:\documents and settings\Default User\Start Menu\Programs\Startup\apnuh.exe 
c:\documents and settings\Default User\Start Menu\Programs\Startup\ocdet.exe

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"

Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Posted Image

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.


NEXT


Go here to run an online scanner from ESET.

  • Note: You will need to use Internet explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015

#7 Stanbridge

Stanbridge
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
    •  
  • Local time:08:28 AM

Posted 14 March 2011 - 12:17 AM

Hi again CatByte,

Below are the reports as requested.

A quick note re your instructions (to make sure I still did everything correctly). With regards to...

•Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
•ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
•When finished, it shall produce a log for you.
•Copy and paste the contents of the log in your next reply.


After dragging the text file onto ComboFix, ComboFix launched, but needed to update itself to continue, after which, ComboFix restarted itself and continued it's scan process. I'm sure this is OK, but it wasn't noted in the instructions. I just wanted to make sure it didn't lose whatever info the text file gave it when it restarted. :)

Reports below... thanks!


ComboFix
ComboFix 11-03-12.01 - Administrator 14/03/2011 9:23.3.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2642 [GMT 11:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
FW: CA Personal Firewall *Disabled* {38102F93-1B6E-4922-90E1-A35D8DC6DAA3}
.
file zipped: c:\documents and settings\Default User\Start Menu\Programs\Startup\apnuh.exe
file zipped: c:\documents and settings\Default User\Start Menu\Programs\Startup\ocdet.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Application Data\Eqpy
c:\documents and settings\Administrator\Application Data\Eqpy\qico.exe.shonky
c:\documents and settings\Default User\Start Menu\Programs\Startup\apnuh.exe
c:\documents and settings\Default User\Start Menu\Programs\Startup\ocdet.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-02-13 to 2011-03-13 )))))))))))))))))))))))))))))))
.
.
2011-03-04 03:06 . 2011-03-04 03:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-03-04 03:06 . 2010-12-20 07:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-04 03:06 . 2011-03-04 03:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-03-04 03:06 . 2011-03-04 03:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-04 03:06 . 2010-12-20 07:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-04 03:03 . 2011-03-04 03:04 36744 ----a-w- c:\windows\system32\msdnldr.exe
2011-03-04 03:00 . 2011-03-04 03:00 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-03-04 03:00 . 2011-03-04 03:00 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-03-01 23:39 . 2011-03-07 04:05 -------- d-----w- c:\program files\UltraVNC
2011-03-01 23:29 . 2011-03-01 23:29 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Installer3224
2011-03-01 23:19 . 2011-03-01 23:19 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Installer3280
2011-03-01 04:56 . 1999-03-11 16:44 3080237 ----a-w- c:\windows\system32\Msowc.dll
2011-03-01 04:24 . 2011-03-01 04:24 -------- d-----w- c:\program files\Cityscope Publications
2011-03-01 04:23 . 1998-11-12 18:25 74000 ----a-w- c:\program files\Common Files\Microsoft Shared\Database Replication\REPLRES.DLL
2011-03-01 04:23 . 1998-11-12 18:25 127248 ----a-w- c:\program files\Common Files\Microsoft Shared\Database Replication\REPLREC.DLL
2011-03-01 04:23 . 1998-11-12 18:25 213264 ----a-w- c:\program files\Common Files\Microsoft Shared\Database Replication\REPLPROV.DLL
2011-03-01 04:23 . 1998-06-30 08:26 53760 ----a-w- c:\program files\Common Files\Microsoft Shared\MSDesigners98\Resources\1033\MDT2QDUI.DLL
2011-03-01 04:23 . 1998-06-30 08:26 56832 ----a-w- c:\program files\Common Files\Microsoft Shared\MSDesigners98\Resources\1033\MDT2DBUI.DLL
2011-03-01 04:23 . 1998-06-30 08:26 14336 ----a-w- c:\program files\Common Files\Microsoft Shared\MSDesigners98\Resources\1033\MDT2DDUI.DLL
2011-03-01 04:23 . 1998-03-13 07:22 20080 ----a-w- c:\windows\system32\WINSSPI.DLL
2011-03-01 04:23 . 1998-08-31 04:05 32768 ----a-w- c:\windows\system32\hlinkprx.dll
2011-03-01 04:23 . 1998-04-03 08:12 68080 ----a-w- c:\windows\system32\DIMM.DLL
2011-03-01 04:22 . 2011-03-01 04:23 -------- d-----w- c:\program files\Snapshot Viewer
2011-03-01 04:22 . 1997-08-18 13:00 31744 ----a-w- c:\windows\system32\hlp95en.dll
2011-03-01 02:03 . 2011-03-01 02:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\PrimoPDF
2011-02-28 04:48 . 2008-04-14 07:00 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2011-02-28 04:31 . 2011-03-02 03:04 -------- d-----w- c:\program files\PeerBlock
2011-02-28 03:59 . 2011-02-28 03:59 -------- d-----w- c:\documents and settings\Administrator\Application Data\HorizonWimba
2011-02-28 03:56 . 2011-02-28 03:56 -------- d-----w- c:\program files\Wimba
2011-02-28 03:00 . 2011-02-28 03:00 -------- d-----w- c:\windows\Sun
2011-02-27 23:03 . 2008-04-13 18:41 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2011-02-27 23:03 . 2008-04-13 18:41 21504 ----a-w- c:\windows\system32\hidserv.dll
2011-02-27 23:03 . 2008-04-13 13:15 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2011-02-27 23:03 . 2008-04-13 13:15 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2011-02-27 22:11 . 2011-03-01 22:07 -------- d-----w- c:\documents and settings\Administrator\Application Data\UltraVNC
2011-02-25 05:55 . 2011-03-01 22:49 -------- d-----w- c:\program files\ultravnc(NewButRemoved)
2011-02-25 05:45 . 2011-02-25 05:49 95568 ----a-w- c:\windows\system32\vetredir.dll
2011-02-25 05:45 . 2011-02-25 05:49 128336 ----a-w- c:\windows\system32\isafeif.dll
2011-02-25 05:44 . 2011-02-25 05:45 -------- d-----w- c:\program files\CA
2011-02-25 05:40 . 2011-02-25 05:49 -------- d-----w- c:\documents and settings\All Users\Application Data\CA
2011-02-25 03:27 . 2011-02-25 03:27 1445888 ----a-w- c:\documents and settings\Administrator\DesktopWinsockxpFix.exe
2011-02-25 03:26 . 2011-02-25 03:26 186368 ----a-w- c:\documents and settings\Administrator\DesktopLSPFix.exe
2011-02-25 03:26 . 2011-02-25 03:26 36864 ----a-w- c:\documents and settings\Administrator\DesktopSafeMSI.exe
2011-02-24 03:58 . 2011-02-24 03:58 73728 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{006DEADE-E12E-4DA0-AB65-134F0DE9AF9A}\NewShortcut6_FA22C8B36029437A9646719DBA760EAE.exe
2011-02-24 03:58 . 2011-02-24 03:58 73728 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{006DEADE-E12E-4DA0-AB65-134F0DE9AF9A}\NewShortcut4_FA22C8B36029437A9646719DBA760EAE.exe
2011-02-24 03:58 . 2011-02-24 03:58 143360 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{006DEADE-E12E-4DA0-AB65-134F0DE9AF9A}\NewShortcut5_FA22C8B36029437A9646719DBA760EAE.exe
2011-02-24 03:58 . 2011-02-24 03:58 143360 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{006DEADE-E12E-4DA0-AB65-134F0DE9AF9A}\ARPPRODUCTICON.exe
2011-02-24 03:58 . 2011-02-24 03:58 -------- d-----w- c:\program files\Electric Rain
2011-02-24 03:56 . 2011-02-24 03:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\Notepad++
2011-02-24 03:56 . 2011-02-24 03:56 -------- d-----w- c:\program files\Notepad++
2011-02-24 03:54 . 2011-02-24 03:54 -------- d-----w- c:\program files\Serena Software Inc
2011-02-24 03:41 . 2011-02-24 03:41 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Ahead
2011-02-24 03:35 . 2011-02-24 03:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\Ahead
2011-02-24 03:35 . 2011-02-24 03:35 -------- d-----w- c:\program files\Common Files\Ahead
2011-02-24 03:35 . 2011-02-24 03:35 -------- d-----w- c:\program files\Nero
2011-02-24 01:36 . 2009-07-23 03:08 50200 ----a-w- c:\windows\system32\perf-SQLAgent$SQLEXPRESS-sqlagtctr10.1.2531.0.dll
2011-02-24 01:36 . 2009-07-23 03:08 79896 ----a-w- c:\windows\system32\perf-MSSQL$SQLEXPRESS-sqlctr10.1.2531.0.dll
2011-02-24 01:36 . 2011-02-24 01:36 -------- d-----w- c:\windows\system32\RsFx
2011-02-24 01:33 . 2011-02-24 01:36 -------- d-----w- c:\program files\Microsoft SQL Server
2011-02-24 01:33 . 2011-02-24 01:33 -------- d-----w- c:\program files\Microsoft Sync Framework
2011-02-24 01:33 . 2011-02-24 01:33 -------- d-----w- c:\program files\Microsoft Synchronization Services
2011-02-24 01:33 . 2011-02-24 01:33 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2011-02-24 01:33 . 2011-02-24 01:33 -------- d-----w- c:\documents and settings\All Users\Application Data\PreEmptive Solutions
2011-02-24 01:31 . 2011-02-24 01:31 -------- d-----w- c:\program files\Microsoft ASP.NET
2011-02-24 01:31 . 2011-02-24 01:31 -------- d-----w- c:\program files\IIS
2011-02-24 01:30 . 2011-02-24 01:30 18368 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VSA\9.0\1033\ResourceCache.dll
2011-02-24 01:30 . 2011-02-24 01:39 2377696 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VisualStudio\10.0\1033\ResourceCache.dll
2011-02-24 01:25 . 2011-02-24 01:25 -------- d-----w- c:\windows\symbols
2011-02-24 01:25 . 2011-02-24 01:28 -------- d-----w- c:\program files\Microsoft F#
2011-02-24 01:25 . 2011-02-24 01:26 -------- d-----w- c:\program files\HTML Help Workshop
2011-02-24 01:25 . 2011-02-24 01:33 -------- d-----w- c:\program files\Microsoft Visual Studio 10.0
2011-02-24 01:25 . 2011-02-24 01:28 -------- d-----w- c:\program files\Common Files\Merge Modules
2011-02-24 01:25 . 2011-02-24 01:25 -------- d-----w- c:\program files\Microsoft Help Viewer
2011-02-24 00:31 . 2011-02-24 00:31 -------- d-----w- c:\program files\Common Files\Control Panels
2011-02-24 00:16 . 2011-02-24 00:48 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2011-02-24 00:12 . 2011-02-24 00:12 -------- d-----w- c:\program files\MagicISO
2011-02-23 01:22 . 2011-02-23 01:22 -------- d-----w- c:\documents and settings\All Users\Application Data\ALM
2011-02-23 01:22 . 2011-02-23 01:22 -------- d-----w- c:\program files\Bonjour
2011-02-23 01:17 . 2011-02-23 01:17 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2011-02-23 00:11 . 2011-02-23 00:11 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Qurb4
2011-02-22 23:53 . 2011-02-22 23:53 -------- d-----w- c:\program files\PowerISO
2011-02-22 23:35 . 2011-02-22 23:35 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2011-02-22 23:32 . 2003-08-27 04:35 50152 ----a-w- c:\program files\Windows NT\Accessories\ImageVue\wangimg.exe
2011-02-22 23:32 . 2003-08-27 04:35 50152 ----a-w- c:\program files\Windows NT\Accessories\ImageVue\kodakimg.exe
2011-02-22 23:32 . 2011-02-22 23:32 -------- d-----w- c:\program files\Imaging
2011-02-22 23:32 . 1997-12-17 09:33 304128 ----a-w- c:\windows\IsUninst.exe
2011-02-22 23:30 . 2011-02-25 04:26 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Temp
2011-02-22 23:30 . 2011-02-22 23:30 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2011-02-22 23:30 . 2011-02-28 22:35 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2011-02-22 23:30 . 2011-02-22 23:30 -------- d-----w- c:\program files\Google
2011-02-22 23:14 . 2011-02-22 23:14 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2011-02-22 23:13 . 2011-02-22 23:13 -------- d-----w- c:\program files\GetRight
2011-02-22 22:44 . 2011-02-22 22:44 -------- d-----w- c:\program files\Mach5 Mailer 4
2011-02-22 21:43 . 2011-02-22 21:43 -------- d-----w- c:\program files\InstantDemo
2011-02-22 05:41 . 2011-03-08 23:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\FileZilla
2011-02-22 05:41 . 2011-02-22 05:41 -------- d-----w- c:\program files\FileZilla FTP Client
2011-02-22 01:17 . 2011-02-22 01:17 -------- d-----w- c:\program files\Common Files\Corel
2011-02-22 01:12 . 2011-02-22 01:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Protexis
2011-02-22 01:12 . 2011-02-22 01:12 -------- d-----w- c:\documents and settings\Administrator\Application Data\Corel
2011-02-22 01:08 . 2011-02-22 01:11 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Axialis
2011-02-22 01:08 . 2011-02-22 01:08 -------- d-----w- c:\program files\My Company Name
2011-02-22 00:37 . 2011-02-22 00:37 348256 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VSTAHost\CorelPHOTOPAINT\9.0\1033\ResourceCache.dll
2011-02-22 00:37 . 2011-02-22 00:37 348256 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VSTAHost\CorelDRAW\9.0\1033\ResourceCache.dll
2011-02-22 00:36 . 2011-02-22 00:36 416 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\MSDN\9.0\1033\ResourceCache.dll
2011-02-22 00:35 . 2011-02-24 01:32 -------- d-----w- c:\program files\Microsoft SDKs
2011-02-22 00:35 . 2011-02-22 00:35 -------- d-----w- c:\program files\Microsoft Visual Studio 9.0
2011-02-22 00:34 . 2011-02-22 00:34 -------- d-----w- c:\program files\Common Files\Protexis
2011-02-22 00:34 . 2011-02-22 01:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Corel
2011-02-22 00:29 . 2011-02-22 00:29 -------- d-----w- c:\program files\Corel
2011-02-22 00:13 . 2011-02-22 00:13 -------- d-----w- c:\documents and settings\Administrator\log
2011-02-21 05:37 . 2011-02-21 05:55 -------- d-----w- c:\windows\Internet Logs
2011-02-21 05:37 . 2007-01-31 03:45 101904 ----a-w- c:\windows\system32\dneinobj.dll
2011-02-21 05:37 . 2007-01-31 03:45 127376 ----a-w- c:\windows\system32\drivers\dne2000.sys
2011-02-21 05:36 . 2011-02-21 05:36 -------- d-----w- c:\program files\Cisco Systems
2011-02-21 05:23 . 2011-02-21 05:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Network Automation
2011-02-21 05:23 . 2011-02-21 05:24 -------- d-----w- c:\program files\AutoMate 5
2011-02-21 05:23 . 2011-02-21 05:23 210000 ----a-w- c:\windows\system32\amsco32.dll
2011-02-21 05:10 . 2011-02-21 05:10 -------- d-----w- c:\documents and settings\Administrator\WINDOWS
2011-02-18 17:00 . 2011-02-18 17:00 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2011-02-18 17:00 . 2011-02-18 17:00 -------- d-----w- c:\program files\MSXML 4.0
2011-02-18 11:43 . 2007-12-12 23:13 25 ----a-w- C:\testtask.bat
2011-02-18 08:54 . 2006-10-27 00:12 339968 ----a-w- c:\windows\system32\hpbicoin.dll
2011-02-18 07:45 . 2009-10-12 01:40 63 ----a-w- C:\reminder_timesheet.bat
2011-02-18 07:45 . 2008-10-20 22:21 527 ----a-w- C:\Reset.cmd
2011-02-18 07:01 . 2007-09-24 06:48 269 ----a-w- C:\ftpdownload.bat
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-09 13:53 . 2008-04-14 07:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2008-04-14 07:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-07 05:05 . 2011-02-07 05:05 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-07 05:05 . 2011-02-07 05:05 411368 ----a-w- c:\windows\system32\deploytk.dll
2011-02-02 07:58 . 2011-02-07 03:55 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2011-02-07 03:55 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2008-04-14 07:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2008-04-14 07:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2008-04-14 07:00 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2008-04-14 07:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59 . 2008-04-14 07:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59 . 2008-04-14 07:00 43520 ------w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59 . 2008-04-14 07:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26 . 2008-04-14 07:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2008-04-14 07:00 385024 ------w- c:\windows\system32\html.iec
.
.
((((((((((((((((((((((((((((( SnapShot@2011-03-10_06.04.58 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-03-13 22:21 . 2011-03-13 22:21 16384 c:\windows\Temp\Perflib_Perfdata_784.dat
+ 2011-03-07 03:47 . 2011-03-13 16:00 32768 c:\windows\Installer\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}\icon.exe
- 2011-03-07 03:47 . 2011-03-09 16:00 32768 c:\windows\Installer\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}\icon.exe
+ 2011-03-10 21:54 . 2011-03-10 21:54 58672 c:\windows\Installer\{166478EA-A017-43C0-BE42-7560BD5A646B}\ARPPRODUCTICON.exe
- 2011-02-25 05:46 . 2011-02-25 05:46 58672 c:\windows\Installer\{166478EA-A017-43C0-BE42-7560BD5A646B}\ARPPRODUCTICON.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-10-09 139264]
"DIMDownloading your update...1285781003180"="c:\program files\Corel\CorelDRAW Graphics Suite X5\PHOTO-PAINT\DIM.exe" [2010-05-21 95592]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2011-02-28 2356088]
"pronto"="c:\program files\Wimba\Pronto\pronto.exe" [2010-04-13 15319688]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-20 282624]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-09-23 1657448]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-09-27 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-09-27 13918208]
"AutoMate5"="c:\program files\AutoMate 5\AM5HkWnd.exe" [2005-06-27 2859520]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-14 623992]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
CUSTOMER HELPDESK.lnk - c:\program files\UltraVNC\vncviewer.exe [2011-3-7 749568]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-18 65588]
Timesheet Assistant.lnk - c:\software\TimesheetAssistant.exe [2011-2-18 301709]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2011-2-23 118784]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
2009-03-27 04:27 79368 ----a-w- c:\windows\system32\UmxWNP.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\UmxSbxExw.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Electric Rain\\Swift 3D\\Version 4.50\\Program\\Swift3D.exe"=
"c:\\Program Files\\UltraVNC\\winvnc.exe"=
"c:\\Program Files\\UltraVNC\\vncviewer.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
"5900:TCP"= 5900:TCP:vnc5900
"5800:TCP"= 5800:TCP:vnc5800
.
R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [8/06/2009 10:02 AM 108024]
R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [23/12/2009 11:29 AM 78840]
R2 uvnc_service;uvnc_service;c:\program files\UltraVNC\winvnc.exe [7/03/2011 3:03 PM 712704]
R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [30/09/2009 4:51 PM 239608]
R3 mv2;mv2;c:\windows\system32\drivers\mv2.sys [17/02/2011 5:09 PM 10688]
S0 cerc6;cerc6; [x]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 1:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [23/02/2011 10:30 AM 136176]
S2 UmxAgent;HIPS Event Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [4/08/2009 10:42 AM 887288]
S2 UmxPol;HIPS Policy Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe [27/07/2009 3:40 PM 227832]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [14/04/2008 6:00 PM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 1:16 PM 753504]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [23/07/2009 2:08 PM 47128]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [30/03/2009 3:09 AM 239336]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [30/03/2009 3:23 AM 366936]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-22 23:30]
.
2011-03-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-22 23:30]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
uInternet Connection Wizard,ShellNext = hxxp://www.nitropdf.com/services/LinkRedirector.aspx?lr_prod=Primo&lr_name=welcome&lr_loc=en-US&lr_src=primo&name=&email=&company=&language=1033
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Download with GetRight - c:\program files\GetRight\GRdownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Open With GetRight Browser - c:\program files\GetRight\GRbrowse.htm
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0flgfuuu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: IE Tab 2 (FF 3.6+): {1BC9BA34-1EED-42ca-A505-6D2F1A935BBB} - %profile%\extensions\{1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: New Tab Homepage: {66E978CD-981F-47DF-AC42-E3CF417C1467} - %profile%\extensions\{66E978CD-981F-47DF-AC42-E3CF417C1467}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-14 09:37
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1659004503-2077806209-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,42,b6,a2,4f,ba,8c,f4,4f,9c,1c,bf,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,42,b6,a2,4f,ba,8c,f4,4f,9c,1c,bf,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(760)
c:\windows\system32\UmxWnp.Dll
c:\windows\system32\msi.dll
.
Completion time: 2011-03-14 09:41:30
ComboFix-quarantined-files.txt 2011-03-13 22:41
ComboFix2.txt 2011-03-10 22:27
ComboFix3.txt 2011-01-31 03:14
.
Pre-Run: 204,064,772,096 bytes free
Post-Run: 204,072,476,672 bytes free
.
- - End Of File - - E4E23A033F9EDDC78FB0967EE033056D
Upload was successful




MalwareBytes
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6046

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

14/03/2011 9:52:28 AM
mbam-log-2011-03-14 (09-52-28).txt

Scan type: Quick scan
Objects scanned: 158409
Time elapsed: 2 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




ESetScan
C:\Chris\miscellaneous\426Mb Hard Drive\jaw\Crap\pornpasshax.zip BAT/Delfiles.N trojan
C:\Chris\miscellaneous\426Mb Hard Drive\WINDOWS\CHRIS\bat2exe\commando.bat BAT/Delfiles.N trojan
C:\Chris\miscellaneous\my home web site\javachat\java_irc_201.jar JV/AntiURL trojan
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\47\42cc9baf-571d41b7 multiple threats
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\5\307e0385-652f39dd multiple threats
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\55\54da0c77-4bc02de2 Java/TrojanDownloader.Agent.NCH trojan
C:\SOFTWARE\== GRAPHICS APPS\Adobe InDesign CS2\crack\OS-Adobe_InDesign_CS2_Tryout_to_Full_Activation.zip a variant of Win32/Keygen.AO application
C:\SOFTWARE\== MAPPING\AutoCAD 2009\Autodesk Autocad 2009.rar a variant of Win32/Kryptik.AD trojan
C:\SOFTWARE\== MAPPING\AutoCAD 2009\Autodesk Autocad 2009\Setup.exe a variant of Win32/Kryptik.AD trojan
C:\SOFTWARE\== MISC\ophcrack\ophcrack-win32-installer-2.4.1.exe multiple threats
C:\SOFTWARE\== MISC\Windows Keyfinder\kf151.zip a variant of Win32/PSWTool.RAS.A application
C:\SOFTWARE\== SECURITY+ANTIVIRUS\Keystroke Logger\smart-keystroke-recorder-setup.exe probably a variant of Win32/Agent.GBNYFCL trojan
C:\SOFTWARE\== WEB TOOLS\Flash Decompiler - SoThink\sothink.swf.decompiler.v3.2.build.60616.rar probably a variant of Win32/Spy.Agent.PBXUC trojan
C:\SOFTWARE\== WEB TOOLS\Flash Decompiler - SoThink\SWFDecompiler.exe probably a variant of Win32/Spy.Agent.PBXUC trojan
C:\temp\Chris VirusFixTools\bootdisk.com files\xpkeys.zip Win32/PSWTool.ProductKey.106 application

#8 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
    •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:06:28 PM

Posted 14 March 2011 - 03:05 AM

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

File::
C:\Chris\miscellaneous\426Mb Hard Drive\jaw\Crap\pornpasshax.zip 
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\47\42cc9baf-571d41b7 
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\5\307e0385-652f39dd 
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\55\54da0c77-4bc02de2 
C:\SOFTWARE\== GRAPHICS APPS\Adobe InDesign CS2\crack\OS-Adobe_InDesign_CS2_Tryout_to_Full_Activation.zip 
C:\SOFTWARE\== MAPPING\AutoCAD 2009\Autodesk Autocad 2009.rar 
C:\SOFTWARE\== MAPPING\AutoCAD 2009\Autodesk Autocad 2009\Setup.exe 
C:\SOFTWARE\== MISC\ophcrack\ophcrack-win32-installer-2.4.1.exe 
C:\SOFTWARE\== MISC\Windows Keyfinder\kf151.zip 
C:\SOFTWARE\== SECURITY+ANTIVIRUS\Keystroke Logger\smart-keystroke-recorder-setup.exe 
C:\temp\Chris VirusFixTools\bootdisk.com files\xpkeys.zip

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"

Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT

Posted Image Your Java is out of date.
Java™ 6 Update 18 can be updated from the Java control panel Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now.
An update should begin; > follow the prompts.


Clear Java cache

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup) If you do not see the icon, look to your left and click 'Switch to Classic View'.
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.


NEXT

Please post a fresh DDS Log and advise how your computer is running now and if there are any outstanding issues

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015

#9 Stanbridge

Stanbridge
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
    •  
  • Local time:08:28 AM

Posted 14 March 2011 - 07:58 PM

Hi CatByte,

Everything appears to be running smoothly now. I just did a couple of random google searches and the results did NOT redirect to the dodgy sites that they were redirecting to before.

This is bloody great news! I'll await your reply to confirm that it's all clear after checking these final logs.

Thanks very much! Logs below (I also included Attach.txt just in case)


ComboFix
ComboFix 11-03-14.01 - Administrator 15/03/2011 9:54.4.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2641 [GMT 11:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
FW: CA Personal Firewall *Disabled* {38102F93-1B6E-4922-90E1-A35D8DC6DAA3}
.
FILE ::
"c:\chris\miscellaneous\426Mb Hard Drive\jaw\Crap\pornpasshax.zip"
"c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\47\42cc9baf-571d41b7"
"c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\5\307e0385-652f39dd"
"c:\documents and settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\55\54da0c77-4bc02de2"
"c:\software\== GRAPHICS APPS\Adobe InDesign CS2\crack\OS-Adobe_InDesign_CS2_Tryout_to_Full_Activation.zip"
"c:\software\== MAPPING\AutoCAD 2009\Autodesk Autocad 2009.rar"
"c:\software\== MAPPING\AutoCAD 2009\Autodesk Autocad 2009\Setup.exe"
"c:\software\== MISC\ophcrack\ophcrack-win32-installer-2.4.1.exe"
"c:\software\== MISC\Windows Keyfinder\kf151.zip"
"c:\software\== SECURITY+ANTIVIRUS\Keystroke Logger\smart-keystroke-recorder-setup.exe"
"c:\temp\Chris VirusFixTools\bootdisk.com files\xpkeys.zip"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\chris\miscellaneous\426Mb Hard Drive\jaw\Crap\pornpasshax.zip
c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\47\42cc9baf-571d41b7
c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\5\307e0385-652f39dd
c:\documents and settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\55\54da0c77-4bc02de2
c:\software\== GRAPHICS APPS\Adobe InDesign CS2\crack\OS-Adobe_InDesign_CS2_Tryout_to_Full_Activation.zip
c:\software\== MAPPING\AutoCAD 2009\Autodesk Autocad 2009.rar
c:\software\== MAPPING\AutoCAD 2009\Autodesk Autocad 2009\Setup.exe
c:\software\== MISC\ophcrack\ophcrack-win32-installer-2.4.1.exe
c:\software\== MISC\Windows Keyfinder\kf151.zip
c:\software\== SECURITY+ANTIVIRUS\Keystroke Logger\smart-keystroke-recorder-setup.exe
c:\temp\Chris VirusFixTools\bootdisk.com files\xpkeys.zip
.
.
((((((((((((((((((((((((( Files Created from 2011-02-14 to 2011-03-14 )))))))))))))))))))))))))))))))
.
.
2011-03-13 23:17 . 2011-03-13 23:17 -------- d-----w- c:\program files\ESET
2011-03-04 03:06 . 2011-03-04 03:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-03-04 03:06 . 2010-12-20 07:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-04 03:06 . 2011-03-04 03:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-03-04 03:06 . 2011-03-04 03:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-04 03:06 . 2010-12-20 07:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-04 03:03 . 2011-03-04 03:04 36744 ----a-w- c:\windows\system32\msdnldr.exe
2011-03-04 03:00 . 2011-03-04 03:00 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-03-04 03:00 . 2011-03-04 03:00 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-03-01 23:39 . 2011-03-14 06:08 -------- d-----w- c:\program files\UltraVNC
2011-03-01 23:29 . 2011-03-01 23:29 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Installer3224
2011-03-01 23:19 . 2011-03-01 23:19 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Installer3280
2011-03-01 04:56 . 1999-03-11 16:44 3080237 ----a-w- c:\windows\system32\Msowc.dll
2011-03-01 04:24 . 2011-03-01 04:24 -------- d-----w- c:\program files\Cityscope Publications
2011-03-01 04:23 . 1998-11-12 18:25 74000 ----a-w- c:\program files\Common Files\Microsoft Shared\Database Replication\REPLRES.DLL
2011-03-01 04:23 . 1998-11-12 18:25 127248 ----a-w- c:\program files\Common Files\Microsoft Shared\Database Replication\REPLREC.DLL
2011-03-01 04:23 . 1998-11-12 18:25 213264 ----a-w- c:\program files\Common Files\Microsoft Shared\Database Replication\REPLPROV.DLL
2011-03-01 04:23 . 1998-06-30 08:26 53760 ----a-w- c:\program files\Common Files\Microsoft Shared\MSDesigners98\Resources\1033\MDT2QDUI.DLL
2011-03-01 04:23 . 1998-06-30 08:26 56832 ----a-w- c:\program files\Common Files\Microsoft Shared\MSDesigners98\Resources\1033\MDT2DBUI.DLL
2011-03-01 04:23 . 1998-06-30 08:26 14336 ----a-w- c:\program files\Common Files\Microsoft Shared\MSDesigners98\Resources\1033\MDT2DDUI.DLL
2011-03-01 04:23 . 1998-03-13 07:22 20080 ----a-w- c:\windows\system32\WINSSPI.DLL
2011-03-01 04:23 . 1998-08-31 04:05 32768 ----a-w- c:\windows\system32\hlinkprx.dll
2011-03-01 04:23 . 1998-04-03 08:12 68080 ----a-w- c:\windows\system32\DIMM.DLL
2011-03-01 04:22 . 2011-03-01 04:23 -------- d-----w- c:\program files\Snapshot Viewer
2011-03-01 04:22 . 1997-08-18 13:00 31744 ----a-w- c:\windows\system32\hlp95en.dll
2011-03-01 02:03 . 2011-03-01 02:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\PrimoPDF
2011-02-28 04:48 . 2008-04-14 07:00 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2011-02-28 04:31 . 2011-03-02 03:04 -------- d-----w- c:\program files\PeerBlock
2011-02-28 03:59 . 2011-02-28 03:59 -------- d-----w- c:\documents and settings\Administrator\Application Data\HorizonWimba
2011-02-28 03:56 . 2011-02-28 03:56 -------- d-----w- c:\program files\Wimba
2011-02-28 03:00 . 2011-02-28 03:00 -------- d-----w- c:\windows\Sun
2011-02-27 23:03 . 2008-04-13 18:41 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2011-02-27 23:03 . 2008-04-13 18:41 21504 ----a-w- c:\windows\system32\hidserv.dll
2011-02-27 23:03 . 2008-04-13 13:15 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2011-02-27 23:03 . 2008-04-13 13:15 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2011-02-27 22:11 . 2011-03-01 22:07 -------- d-----w- c:\documents and settings\Administrator\Application Data\UltraVNC
2011-02-25 05:55 . 2011-03-01 22:49 -------- d-----w- c:\program files\ultravnc(NewButRemoved)
2011-02-25 05:45 . 2011-02-25 05:49 95568 ----a-w- c:\windows\system32\vetredir.dll
2011-02-25 05:45 . 2011-02-25 05:49 128336 ----a-w- c:\windows\system32\isafeif.dll
2011-02-25 05:44 . 2011-02-25 05:45 -------- d-----w- c:\program files\CA
2011-02-25 05:40 . 2011-02-25 05:49 -------- d-----w- c:\documents and settings\All Users\Application Data\CA
2011-02-25 03:27 . 2011-02-25 03:27 1445888 ----a-w- c:\documents and settings\Administrator\DesktopWinsockxpFix.exe
2011-02-25 03:26 . 2011-02-25 03:26 186368 ----a-w- c:\documents and settings\Administrator\DesktopLSPFix.exe
2011-02-25 03:26 . 2011-02-25 03:26 36864 ----a-w- c:\documents and settings\Administrator\DesktopSafeMSI.exe
2011-02-24 03:58 . 2011-02-24 03:58 73728 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{006DEADE-E12E-4DA0-AB65-134F0DE9AF9A}\NewShortcut6_FA22C8B36029437A9646719DBA760EAE.exe
2011-02-24 03:58 . 2011-02-24 03:58 73728 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{006DEADE-E12E-4DA0-AB65-134F0DE9AF9A}\NewShortcut4_FA22C8B36029437A9646719DBA760EAE.exe
2011-02-24 03:58 . 2011-02-24 03:58 143360 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{006DEADE-E12E-4DA0-AB65-134F0DE9AF9A}\NewShortcut5_FA22C8B36029437A9646719DBA760EAE.exe
2011-02-24 03:58 . 2011-02-24 03:58 143360 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{006DEADE-E12E-4DA0-AB65-134F0DE9AF9A}\ARPPRODUCTICON.exe
2011-02-24 03:58 . 2011-02-24 03:58 -------- d-----w- c:\program files\Electric Rain
2011-02-24 03:56 . 2011-02-24 03:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\Notepad++
2011-02-24 03:56 . 2011-02-24 03:56 -------- d-----w- c:\program files\Notepad++
2011-02-24 03:54 . 2011-02-24 03:54 -------- d-----w- c:\program files\Serena Software Inc
2011-02-24 03:41 . 2011-02-24 03:41 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Ahead
2011-02-24 03:35 . 2011-02-24 03:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\Ahead
2011-02-24 03:35 . 2011-02-24 03:35 -------- d-----w- c:\program files\Common Files\Ahead
2011-02-24 03:35 . 2011-02-24 03:35 -------- d-----w- c:\program files\Nero
2011-02-24 01:36 . 2009-07-23 03:08 50200 ----a-w- c:\windows\system32\perf-SQLAgent$SQLEXPRESS-sqlagtctr10.1.2531.0.dll
2011-02-24 01:36 . 2009-07-23 03:08 79896 ----a-w- c:\windows\system32\perf-MSSQL$SQLEXPRESS-sqlctr10.1.2531.0.dll
2011-02-24 01:36 . 2011-02-24 01:36 -------- d-----w- c:\windows\system32\RsFx
2011-02-24 01:33 . 2011-02-24 01:36 -------- d-----w- c:\program files\Microsoft SQL Server
2011-02-24 01:33 . 2011-02-24 01:33 -------- d-----w- c:\program files\Microsoft Sync Framework
2011-02-24 01:33 . 2011-02-24 01:33 -------- d-----w- c:\program files\Microsoft Synchronization Services
2011-02-24 01:33 . 2011-02-24 01:33 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2011-02-24 01:33 . 2011-02-24 01:33 -------- d-----w- c:\documents and settings\All Users\Application Data\PreEmptive Solutions
2011-02-24 01:31 . 2011-02-24 01:31 -------- d-----w- c:\program files\Microsoft ASP.NET
2011-02-24 01:31 . 2011-02-24 01:31 -------- d-----w- c:\program files\IIS
2011-02-24 01:30 . 2011-02-24 01:30 18368 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VSA\9.0\1033\ResourceCache.dll
2011-02-24 01:30 . 2011-02-24 01:39 2377696 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VisualStudio\10.0\1033\ResourceCache.dll
2011-02-24 01:25 . 2011-02-24 01:25 -------- d-----w- c:\windows\symbols
2011-02-24 01:25 . 2011-02-24 01:28 -------- d-----w- c:\program files\Microsoft F#
2011-02-24 01:25 . 2011-02-24 01:26 -------- d-----w- c:\program files\HTML Help Workshop
2011-02-24 01:25 . 2011-02-24 01:33 -------- d-----w- c:\program files\Microsoft Visual Studio 10.0
2011-02-24 01:25 . 2011-02-24 01:28 -------- d-----w- c:\program files\Common Files\Merge Modules
2011-02-24 01:25 . 2011-02-24 01:25 -------- d-----w- c:\program files\Microsoft Help Viewer
2011-02-24 00:31 . 2011-02-24 00:31 -------- d-----w- c:\program files\Common Files\Control Panels
2011-02-24 00:16 . 2011-02-24 00:48 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2011-02-24 00:12 . 2011-02-24 00:12 -------- d-----w- c:\program files\MagicISO
2011-02-23 01:22 . 2011-02-23 01:22 -------- d-----w- c:\documents and settings\All Users\Application Data\ALM
2011-02-23 01:22 . 2011-02-23 01:22 -------- d-----w- c:\program files\Bonjour
2011-02-23 01:17 . 2011-02-23 01:17 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2011-02-23 00:11 . 2011-02-23 00:11 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Qurb4
2011-02-22 23:53 . 2011-02-22 23:53 -------- d-----w- c:\program files\PowerISO
2011-02-22 23:35 . 2011-02-22 23:35 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2011-02-22 23:32 . 2003-08-27 04:35 50152 ----a-w- c:\program files\Windows NT\Accessories\ImageVue\wangimg.exe
2011-02-22 23:32 . 2003-08-27 04:35 50152 ----a-w- c:\program files\Windows NT\Accessories\ImageVue\kodakimg.exe
2011-02-22 23:32 . 2011-02-22 23:32 -------- d-----w- c:\program files\Imaging
2011-02-22 23:32 . 1997-12-17 09:33 304128 ----a-w- c:\windows\IsUninst.exe
2011-02-22 23:30 . 2011-02-25 04:26 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Temp
2011-02-22 23:30 . 2011-02-22 23:30 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2011-02-22 23:30 . 2011-02-28 22:35 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2011-02-22 23:30 . 2011-02-22 23:30 -------- d-----w- c:\program files\Google
2011-02-22 23:14 . 2011-02-22 23:14 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2011-02-22 23:13 . 2011-02-22 23:13 -------- d-----w- c:\program files\GetRight
2011-02-22 22:44 . 2011-02-22 22:44 -------- d-----w- c:\program files\Mach5 Mailer 4
2011-02-22 21:43 . 2011-02-22 21:43 -------- d-----w- c:\program files\InstantDemo
2011-02-22 05:41 . 2011-03-08 23:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\FileZilla
2011-02-22 05:41 . 2011-02-22 05:41 -------- d-----w- c:\program files\FileZilla FTP Client
2011-02-22 01:17 . 2011-02-22 01:17 -------- d-----w- c:\program files\Common Files\Corel
2011-02-22 01:12 . 2011-02-22 01:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Protexis
2011-02-22 01:12 . 2011-02-22 01:12 -------- d-----w- c:\documents and settings\Administrator\Application Data\Corel
2011-02-22 01:08 . 2011-02-22 01:11 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Axialis
2011-02-22 01:08 . 2011-02-22 01:08 -------- d-----w- c:\program files\My Company Name
2011-02-22 00:37 . 2011-02-22 00:37 348256 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VSTAHost\CorelPHOTOPAINT\9.0\1033\ResourceCache.dll
2011-02-22 00:37 . 2011-02-22 00:37 348256 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VSTAHost\CorelDRAW\9.0\1033\ResourceCache.dll
2011-02-22 00:36 . 2011-02-22 00:36 416 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\MSDN\9.0\1033\ResourceCache.dll
2011-02-22 00:35 . 2011-02-24 01:32 -------- d-----w- c:\program files\Microsoft SDKs
2011-02-22 00:35 . 2011-02-22 00:35 -------- d-----w- c:\program files\Microsoft Visual Studio 9.0
2011-02-22 00:34 . 2011-02-22 00:34 -------- d-----w- c:\program files\Common Files\Protexis
2011-02-22 00:34 . 2011-02-22 01:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Corel
2011-02-22 00:29 . 2011-02-22 00:29 -------- d-----w- c:\program files\Corel
2011-02-22 00:13 . 2011-02-22 00:13 -------- d-----w- c:\documents and settings\Administrator\log
2011-02-21 05:37 . 2011-02-21 05:55 -------- d-----w- c:\windows\Internet Logs
2011-02-21 05:37 . 2007-01-31 03:45 101904 ----a-w- c:\windows\system32\dneinobj.dll
2011-02-21 05:37 . 2007-01-31 03:45 127376 ----a-w- c:\windows\system32\drivers\dne2000.sys
2011-02-21 05:36 . 2011-02-21 05:36 -------- d-----w- c:\program files\Cisco Systems
2011-02-21 05:23 . 2011-02-21 05:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Network Automation
2011-02-21 05:23 . 2011-02-21 05:24 -------- d-----w- c:\program files\AutoMate 5
2011-02-21 05:23 . 2011-02-21 05:23 210000 ----a-w- c:\windows\system32\amsco32.dll
2011-02-21 05:10 . 2011-02-21 05:10 -------- d-----w- c:\documents and settings\Administrator\WINDOWS
2011-02-18 17:00 . 2011-02-18 17:00 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2011-02-18 17:00 . 2011-02-18 17:00 -------- d-----w- c:\program files\MSXML 4.0
2011-02-18 11:43 . 2007-12-12 23:13 25 ----a-w- C:\testtask.bat
2011-02-18 08:54 . 2006-10-27 00:12 339968 ----a-w- c:\windows\system32\hpbicoin.dll
2011-02-18 07:45 . 2009-10-12 01:40 63 ----a-w- C:\reminder_timesheet.bat
2011-02-18 07:45 . 2008-10-20 22:21 527 ----a-w- C:\Reset.cmd
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-09 13:53 . 2008-04-14 07:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2008-04-14 07:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-07 05:05 . 2011-02-07 05:05 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-07 05:05 . 2011-02-07 05:05 411368 ----a-w- c:\windows\system32\deploytk.dll
2011-02-02 07:58 . 2011-02-07 03:55 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2011-02-07 03:55 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2008-04-14 07:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2008-04-14 07:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2008-04-14 07:00 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2008-04-14 07:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59 . 2008-04-14 07:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59 . 2008-04-14 07:00 43520 ------w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59 . 2008-04-14 07:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26 . 2008-04-14 07:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2008-04-14 07:00 385024 ------w- c:\windows\system32\html.iec
.
.
((((((((((((((((((((((((((((( SnapShot@2011-03-10_06.04.58 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-03-14 22:53 . 2011-03-14 22:53 16384 c:\windows\Temp\Perflib_Perfdata_790.dat
+ 2011-03-07 03:47 . 2011-03-14 16:00 32768 c:\windows\Installer\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}\icon.exe
- 2011-03-07 03:47 . 2011-03-09 16:00 32768 c:\windows\Installer\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}\icon.exe
+ 2011-03-10 21:54 . 2011-03-10 21:54 58672 c:\windows\Installer\{166478EA-A017-43C0-BE42-7560BD5A646B}\ARPPRODUCTICON.exe
- 2011-02-25 05:46 . 2011-02-25 05:46 58672 c:\windows\Installer\{166478EA-A017-43C0-BE42-7560BD5A646B}\ARPPRODUCTICON.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-10-09 139264]
"DIMDownloading your update...1285781003180"="c:\program files\Corel\CorelDRAW Graphics Suite X5\PHOTO-PAINT\DIM.exe" [2010-05-21 95592]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2011-02-28 2356088]
"pronto"="c:\program files\Wimba\Pronto\pronto.exe" [2010-04-13 15319688]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-20 282624]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-09-23 1657448]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-09-27 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-09-27 13918208]
"AutoMate5"="c:\program files\AutoMate 5\AM5HkWnd.exe" [2005-06-27 2859520]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-14 623992]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
CUSTOMER HELPDESK.lnk - c:\program files\UltraVNC\vncviewer.exe [2011-3-7 749568]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-18 65588]
Timesheet Assistant.lnk - c:\software\TimesheetAssistant.exe [2011-2-18 301709]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2011-2-23 118784]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
2009-03-27 04:27 79368 ----a-w- c:\windows\system32\UmxWNP.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\UmxSbxExw.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Electric Rain\\Swift 3D\\Version 4.50\\Program\\Swift3D.exe"=
"c:\\Program Files\\UltraVNC\\winvnc.exe"=
"c:\\Program Files\\UltraVNC\\vncviewer.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
"5900:TCP"= 5900:TCP:vnc5900
"5800:TCP"= 5800:TCP:vnc5800
.
R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [8/06/2009 10:02 AM 108024]
R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [23/12/2009 11:29 AM 78840]
R2 uvnc_service;uvnc_service;c:\program files\UltraVNC\winvnc.exe [7/03/2011 3:03 PM 712704]
R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [30/09/2009 4:51 PM 239608]
R3 mv2;mv2;c:\windows\system32\drivers\mv2.sys [17/02/2011 5:09 PM 10688]
S0 cerc6;cerc6; [x]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 1:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [23/02/2011 10:30 AM 136176]
S2 UmxAgent;HIPS Event Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [4/08/2009 10:42 AM 887288]
S2 UmxPol;HIPS Policy Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe [27/07/2009 3:40 PM 227832]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [14/04/2008 6:00 PM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 1:16 PM 753504]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [23/07/2009 2:08 PM 47128]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [30/03/2009 3:09 AM 239336]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [30/03/2009 3:23 AM 366936]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-22 23:30]
.
2011-03-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-22 23:30]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
uInternet Connection Wizard,ShellNext = hxxp://www.nitropdf.com/services/LinkRedirector.aspx?lr_prod=Primo&lr_name=welcome&lr_loc=en-US&lr_src=primo&name=&email=&company=&language=1033
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Download with GetRight - c:\program files\GetRight\GRdownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Open With GetRight Browser - c:\program files\GetRight\GRbrowse.htm
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0flgfuuu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: IE Tab 2 (FF 3.6+): {1BC9BA34-1EED-42ca-A505-6D2F1A935BBB} - %profile%\extensions\{1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: New Tab Homepage: {66E978CD-981F-47DF-AC42-E3CF417C1467} - %profile%\extensions\{66E978CD-981F-47DF-AC42-E3CF417C1467}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-15 10:08
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1659004503-2077806209-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,42,b6,a2,4f,ba,8c,f4,4f,9c,1c,bf,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,42,b6,a2,4f,ba,8c,f4,4f,9c,1c,bf,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(760)
c:\windows\system32\UmxWnp.Dll
c:\windows\system32\msi.dll
.
Completion time: 2011-03-15 10:12:28
ComboFix-quarantined-files.txt 2011-03-14 23:12
ComboFix2.txt 2011-03-13 22:42
ComboFix3.txt 2011-03-10 22:27
ComboFix4.txt 2011-01-31 03:14
.
Pre-Run: 203,880,546,304 bytes free
Post-Run: 203,856,777,216 bytes free
.
- - End Of File - - 4136432797CF5C5A85801B242BFB7F49




DDS
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Administrator at 11:40:48.00 on Tue 15/03/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2549 [GMT 11:00]
.
FW: CA Personal Firewall *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AutoMate 5\AutoMate5Svc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroTray.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\temp\AV\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com.au/
uInternet Connection Wizard,ShellNext = hxxp://www.nitropdf.com/services/LinkRedirector.aspx?lr_prod=Primo&lr_name=welcome&lr_loc=en-US&lr_src=primo&name=&email=&company=&language=1033
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [DIMDownloading your update...1285781003180] "c:\program files\corel\coreldraw graphics suite x5\photo-paint\dim.exe" "c:\documents and settings\all users\application data\corel\downloads\540215253_807001\1285781003180\dim_params.xml" -launch=3 -uibase="c:\documents and settings\administrator\application data\corel\messages\540215253_807001\en\messagecache1\workflow"
uRun: [AdobeUpdater] "c:\program files\common files\adobe\updater5\AdobeUpdater.exe"
uRun: [pronto] "c:\program files\wimba\pronto\pronto.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [AutoMate5] c:\program files\automate 5\AM5HkWnd.exe
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\custom~1.lnk - c:\program files\ultravnc\vncviewer.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\timesh~1.lnk - c:\software\TimesheetAssistant.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Download with GetRight - c:\program files\getright\GRdownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Open With GetRight Browser - c:\program files\getright\GRbrowse.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {00134F72-5284-44F7-95A8-52A619F70751} - hxxps://wsus.bne-staff.rpdata.net.au:4343/officescan/console/html/ClientInstall/WinNTChk.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} - hxxps://wsus.bne-staff.rpdata.net.au:4343/officescan/console/html/ClientInstall/RemoveCtrl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1297055890000
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1297055882421
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: PFW - UmxWnp.Dll
AppInit_DLLs: c:\windows\system32\UmxSbxExw.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\0flgfuuu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\0flgfuuu.default\extensions\{1bc9ba34-1eed-42ca-a505-6d2f1a935bbb}\plugins\npietab2.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: IE Tab 2 (FF 3.6+): {1BC9BA34-1EED-42ca-A505-6D2F1A935BBB} - %profile%\extensions\{1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: New Tab Homepage: {66E978CD-981F-47DF-AC42-E3CF417C1467} - %profile%\extensions\{66E978CD-981F-47DF-AC42-E3CF417C1467}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [2009-6-8 108024]
R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [2009-12-23 78840]
R2 uvnc_service;uvnc_service;c:\program files\ultravnc\winvnc.exe [2011-3-7 712704]
R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [2009-9-30 239608]
R3 mv2;mv2;c:\windows\system32\drivers\mv2.sys [2011-2-17 10688]
S0 cerc6;cerc6; [x]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-2-23 136176]
S2 UmxAgent;HIPS Event Manager;c:\program files\ca\sharedcomponents\hipsengine\UmxAgent.exe [2009-8-4 887288]
S2 UmxPol;HIPS Policy Manager;c:\program files\ca\sharedcomponents\hipsengine\UmxPol.exe [2009-7-27 227832]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-14 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2009-7-23 47128]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-3-30 239336]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2009-3-30 366936]
.
=============== Created Last 30 ================
.
2011-03-15 00:35:47 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-03-15 00:35:47 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2011-03-13 23:17:19 -------- d-----w- c:\program files\ESET
2011-03-10 04:57:02 -------- d-sha-r- C:\cmdcons
2011-03-10 04:53:41 98816 ----a-w- c:\windows\sed.exe
2011-03-10 04:53:41 89088 ----a-w- c:\windows\MBR.exe
2011-03-10 04:53:41 256512 ----a-w- c:\windows\PEV.exe
2011-03-10 04:53:41 161792 ----a-w- c:\windows\SWREG.exe
2011-03-07 04:09:01 625664 ----a-w- c:\temp\av\dds.scr
2011-03-04 03:06:23 -------- d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2011-03-04 03:06:17 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-04 03:06:16 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-03-04 03:06:13 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-04 03:06:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-04 03:03:33 36744 ----a-w- c:\windows\system32\msdnldr.exe
2011-03-02 00:03:57 -------- d-----w- c:\windows\system32\appmgmt
2011-03-01 23:39:01 -------- d-----w- c:\program files\UltraVNC
2011-03-01 23:29:26 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Installer3224
2011-03-01 23:19:20 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Installer3280
2011-03-01 04:56:35 3080237 ----a-w- c:\windows\system32\Msowc.dll
2011-03-01 04:24:19 -------- d-----w- c:\program files\Cityscope Publications
2011-03-01 04:23:32 74000 ----a-w- c:\program files\common files\microsoft shared\database replication\REPLRES.DLL
2011-03-01 04:23:32 213264 ----a-w- c:\program files\common files\microsoft shared\database replication\REPLPROV.DLL
2011-03-01 04:23:32 127248 ----a-w- c:\program files\common files\microsoft shared\database replication\REPLREC.DLL
2011-03-01 04:23:16 56832 ----a-w- c:\program files\common files\microsoft shared\msdesigners98\resources\1033\MDT2DBUI.DLL
2011-03-01 04:23:16 53760 ----a-w- c:\program files\common files\microsoft shared\msdesigners98\resources\1033\MDT2QDUI.DLL
2011-03-01 04:23:16 14336 ----a-w- c:\program files\common files\microsoft shared\msdesigners98\resources\1033\MDT2DDUI.DLL
2011-03-01 04:23:15 20080 ----a-w- c:\windows\system32\WINSSPI.DLL
2011-03-01 04:23:14 32768 ----a-w- c:\windows\system32\hlinkprx.dll
2011-03-01 04:23:12 68080 ----a-w- c:\windows\system32\DIMM.DLL
2011-03-01 04:22:55 31744 ----a-w- c:\windows\system32\hlp95en.dll
2011-03-01 04:22:55 -------- d-----w- c:\program files\Snapshot Viewer
2011-03-01 02:03:50 -------- d-----w- c:\docume~1\admini~1\applic~1\PrimoPDF
2011-02-28 04:31:07 -------- d-----w- c:\program files\PeerBlock
2011-02-28 03:59:10 -------- d-----w- c:\docume~1\admini~1\applic~1\HorizonWimba
2011-02-28 03:56:22 -------- d-----w- c:\program files\Wimba
2011-02-27 23:03:41 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2011-02-27 23:03:41 21504 ----a-w- c:\windows\system32\hidserv.dll
2011-02-27 23:03:12 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2011-02-27 23:03:12 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2011-02-27 22:11:58 -------- d-----w- c:\docume~1\admini~1\applic~1\UltraVNC
2011-02-25 05:55:11 -------- d-----w- c:\program files\ultravnc(NewButRemoved)
2011-02-25 05:45:47 95568 ----a-w- c:\windows\system32\vetredir.dll
2011-02-25 05:45:47 128336 ----a-w- c:\windows\system32\isafeif.dll
2011-02-25 05:44:36 -------- d-----w- c:\program files\CA
2011-02-25 05:40:31 -------- d-----w- c:\docume~1\alluse~1\applic~1\CA
2011-02-25 04:28:20 55800 ----a-w- c:\temp\ca stuff\amrt\policystorage\ProductAppSign.exe
2011-02-25 04:28:20 453112 ----a-w- c:\temp\ca stuff\UmxAmrtSettings.dll
2011-02-25 04:28:20 135248 ----a-w- c:\temp\ca stuff\KmxAMRT.sys
2011-02-25 03:27:02 1445888 ----a-w- c:\documents and settings\administrator\DesktopWinsockxpFix.exe
2011-02-25 03:26:40 186368 ----a-w- c:\documents and settings\administrator\DesktopLSPFix.exe
2011-02-25 03:26:35 36864 ----a-w- c:\documents and settings\administrator\DesktopSafeMSI.exe
2011-02-24 03:58:26 73728 ----a-r- c:\docume~1\admini~1\applic~1\microsoft\installer\{006deade-e12e-4da0-ab65-134f0de9af9a}\NewShortcut6_FA22C8B36029437A9646719DBA760EAE.exe
2011-02-24 03:58:26 73728 ----a-r- c:\docume~1\admini~1\applic~1\microsoft\installer\{006deade-e12e-4da0-ab65-134f0de9af9a}\NewShortcut4_FA22C8B36029437A9646719DBA760EAE.exe
2011-02-24 03:58:26 143360 ----a-r- c:\docume~1\admini~1\applic~1\microsoft\installer\{006deade-e12e-4da0-ab65-134f0de9af9a}\NewShortcut5_FA22C8B36029437A9646719DBA760EAE.exe
2011-02-24 03:58:26 143360 ----a-r- c:\docume~1\admini~1\applic~1\microsoft\installer\{006deade-e12e-4da0-ab65-134f0de9af9a}\ARPPRODUCTICON.exe
2011-02-24 03:58:20 -------- d-----w- c:\program files\Electric Rain
2011-02-24 03:54:25 -------- d-----w- c:\program files\Serena Software Inc
2011-02-24 03:41:07 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Ahead
2011-02-24 03:35:04 -------- d-----w- c:\program files\Nero
2011-02-24 01:36:48 50200 ----a-w- c:\windows\system32\perf-SQLAgent$SQLEXPRESS-sqlagtctr10.1.2531.0.dll
2011-02-24 01:36:43 79896 ----a-w- c:\windows\system32\perf-MSSQL$SQLEXPRESS-sqlctr10.1.2531.0.dll
2011-02-24 01:36:15 -------- d-----w- c:\windows\system32\RsFx
2011-02-24 01:33:45 -------- d-----w- c:\program files\Microsoft SQL Server
2011-02-24 01:33:34 -------- d-----w- c:\program files\Microsoft Synchronization Services
2011-02-24 01:33:34 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2011-02-24 01:33:02 -------- d-----w- c:\docume~1\alluse~1\applic~1\PreEmptive Solutions
2011-02-24 01:31:19 -------- d-----w- c:\program files\Microsoft ASP.NET
2011-02-24 01:31:17 -------- d-----w- c:\program files\IIS
2011-02-24 01:30:40 18368 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\vsa\9.0\1033\ResourceCache.dll
2011-02-24 01:30:38 2377696 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\visualstudio\10.0\1033\ResourceCache.dll
2011-02-24 01:25:44 -------- d-----w- c:\program files\Microsoft F#
2011-02-24 01:25:44 -------- d-----w- c:\program files\HTML Help Workshop
2011-02-24 01:25:43 -------- d-----w- c:\program files\Microsoft Visual Studio 10.0
2011-02-24 01:25:43 -------- d-----w- c:\program files\Microsoft Help Viewer
2011-02-24 01:25:43 -------- d-----w- c:\program files\common files\Merge Modules
2011-02-24 00:31:19 -------- d-----w- c:\program files\common files\Control Panels
2011-02-24 00:12:19 -------- d-----w- c:\program files\MagicISO
2011-02-23 22:58:17 -------- d-----w- c:\windows\pss
2011-02-23 01:22:55 -------- d-----w- c:\docume~1\alluse~1\applic~1\ALM
2011-02-23 01:22:14 -------- d-----w- c:\program files\Bonjour
2011-02-23 01:17:35 -------- d-----w- c:\program files\common files\Macrovision Shared
2011-02-23 00:11:53 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Qurb4
2011-02-22 23:53:49 -------- d-----w- c:\program files\PowerISO
2011-02-22 23:32:50 50152 ----a-w- c:\program files\windows nt\accessories\imagevue\wangimg.exe
2011-02-22 23:32:50 50152 ----a-w- c:\program files\windows nt\accessories\imagevue\kodakimg.exe
2011-02-22 23:32:48 -------- d-----w- c:\program files\Imaging
2011-02-22 23:32:34 304128 ----a-w- c:\windows\IsUninst.exe
2011-02-22 23:30:13 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Temp
2011-02-22 23:30:09 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Google
2011-02-22 23:13:33 -------- d-----w- c:\program files\GetRight
2011-02-22 22:44:32 -------- d-----w- c:\program files\Mach5 Mailer 4
2011-02-22 21:43:32 -------- d-----w- c:\program files\InstantDemo
2011-02-22 01:17:49 -------- d-----w- c:\program files\common files\Corel
2011-02-22 01:17:33 -------- d-----w- c:\docume~1\alluse~1\applic~1\CorelDRAW Graphics Suite X5
2011-02-22 01:12:11 -------- d-----w- c:\docume~1\alluse~1\applic~1\Protexis
2011-02-22 01:08:47 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Axialis
2011-02-22 01:08:44 -------- d-----w- c:\program files\My Company Name
2011-02-22 00:37:16 348256 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\vstahost\corelphotopaint\9.0\1033\ResourceCache.dll
2011-02-22 00:37:02 348256 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\vstahost\coreldraw\9.0\1033\ResourceCache.dll
2011-02-22 00:36:19 416 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\msdn\9.0\1033\ResourceCache.dll
2011-02-22 00:34:30 -------- d-----w- c:\program files\common files\Protexis
2011-02-22 00:34:29 -------- d-----w- c:\docume~1\alluse~1\applic~1\Corel
2011-02-22 00:29:56 -------- d-----w- c:\program files\Corel
2011-02-22 00:13:03 -------- d-----w- c:\documents and settings\administrator\log
2011-02-21 05:37:23 -------- d-----w- c:\windows\Internet Logs
2011-02-21 05:37:00 127376 ----a-w- c:\windows\system32\drivers\dne2000.sys
2011-02-21 05:37:00 101904 ----a-w- c:\windows\system32\dneinobj.dll
2011-02-21 05:36:51 -------- d-----w- c:\program files\Cisco Systems
2011-02-21 05:23:58 -------- d-----w- c:\program files\AutoMate 5
2011-02-21 05:23:58 -------- d-----w- c:\docume~1\alluse~1\applic~1\Network Automation
2011-02-21 05:23:51 210000 ----a-w- c:\windows\system32\amsco32.dll
2011-02-21 05:10:10 -------- d-----w- c:\documents and settings\administrator\WINDOWS
2011-02-18 17:00:49 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2011-02-18 17:00:30 -------- d-----w- c:\program files\MSXML 4.0
2011-02-18 11:43:52 25 ----a-w- C:\testtask.bat
2011-02-18 11:39:57 112616 ----a-w- c:\temp\ra1004.exe
2011-02-18 11:39:55 538624 ----a-w- c:\temp\pim4dearbhla\omnisres.dll
2011-02-18 11:39:52 2595328 ----a-w- c:\temp\pim4dearbhla\OMNIS7.exe
2011-02-18 11:39:52 216576 ----a-w- c:\temp\pim4dearbhla\OMNI2UI.DLL
2011-02-18 11:39:51 953856 ----a-w- c:\temp\pim4dearbhla\DGDSC32.DLL
2011-02-18 11:39:51 20308 ----a-w- c:\temp\pim4dearbhla\O7TK16.DLL
2011-02-18 11:39:51 15872 ----a-w- c:\temp\pim4dearbhla\O7TK32.DLL
2011-02-18 11:39:24 94352 ----a-w- c:\temp\oldtemp2\whitepages annoying files\MHRUN400.DLL
2011-02-18 11:39:24 45108 ----a-w- c:\temp\oldtemp2\whitepages annoying files\WPPD.DLL
2011-02-18 11:39:24 220832 ----a-w- c:\temp\oldtemp2\whitepages annoying files\WPCDAZ.DLL
2011-02-18 11:38:31 112802954 ----a-w- c:\temp\oldtemp2\setupPD.exe
2011-02-18 11:38:17 18389504 ----a-w- c:\temp\oldtemp2\pm\PM_72.exe
2011-02-18 11:26:38 149222 ----a-w- c:\temp\oldtemp2\oldtemp\testingEXEfileLauncher.exe
2011-02-18 11:26:34 7083364 ----a-w- c:\temp\oldtemp2\oldtemp\signwizard\sw51demo.exe
2011-02-18 11:26:33 1849677 ----a-w- c:\temp\oldtemp2\oldtemp\setup patch\setup_patch.exe
2011-02-18 11:26:33 149504 ----a-w- c:\temp\oldtemp2\oldtemp\setup patch\UNWISE.EXE
2011-02-18 11:26:02 20795904 ----a-w- c:\temp\oldtemp2\oldtemp\OnlineStorage.exe
2011-02-18 11:26:00 3026989 ----a-w- c:\temp\oldtemp2\oldtemp\Msowc.dll
2011-02-18 11:25:49 16332072 ----a-w- c:\temp\oldtemp2\oldtemp\msnblock\Install_Messenger_nous.exe
2011-02-18 11:25:41 20752672 ----a-w- c:\temp\oldtemp2\oldtemp\msnblock\automate5540-full.exe
2011-02-18 11:25:23 12754672 ----a-w- c:\temp\oldtemp2\oldtemp\MP10Setup.exe
2011-02-18 11:23:51 5538680 ----a-w- c:\temp\oldtemp2\oldtemp\dmg2iso\macdrive_6.1.5_enu_qtd_setup.exe
2011-02-18 11:23:51 13824 ----a-w- c:\temp\oldtemp2\oldtemp\dmg2iso\dmg2iso.exe
2011-02-18 11:23:50 1511320 ----a-w- c:\temp\oldtemp2\oldtemp\dmg2iso\daemon408-x86.exe
2011-02-18 11:23:23 7168 ----a-w- c:\temp\oldtemp2\oldtemp\COLLauncherQBE.exe
2011-02-18 11:23:15 318558 ----a-w- c:\temp\oldtemp2\oldtemp\catfud\site-size-count-au\SetupPDF6.exe
2011-02-18 11:23:15 1831840 ----a-w- c:\temp\oldtemp2\oldtemp\catfud\site-size-count-au\snpvw90.exe
2011-02-18 11:23:12 1380352 ----a-w- c:\temp\oldtemp2\oldtemp\catfud\site-size-count-au\inhouse\CSCOMMON.exe
2011-02-18 11:23:11 1274886 ----a-w- c:\temp\oldtemp2\oldtemp\catfud\site-size-count-au\inhouse\Client500.exe
2011-02-18 11:23:11 1015808 ----a-w- c:\temp\oldtemp2\oldtemp\catfud\site-size-count-au\inhouse\Client495.exe
2011-02-18 11:22:14 50720515 ----a-w- c:\temp\oldtemp2\oldtemp\catfud\setup_upd.exe
2011-02-18 11:21:43 81175064 ----a-w- c:\temp\oldtemp2\oldtemp\catfud\Setup.exe
2011-02-18 11:21:39 1049705 ----a-w- c:\temp\oldtemp2\oldtemp\catfud\DOSBox0[1][1].63-win32-installer.exe
2011-02-18 11:21:19 29058885 ----a-w- c:\temp\oldtemp2\oldtemp\AKsetup_upd.exe
2011-02-18 11:20:51 40693248 ----a-w- c:\temp\oldtemp2\old-sy-updates\SY_95.exe
2011-02-18 11:20:33 40145920 ----a-w- c:\temp\oldtemp2\old-sy-updates\SY_94.exe
2011-02-18 11:19:14 50512131 ----a-w- c:\temp\oldtemp2\MLQIC-setup_upd.exe
2011-02-18 11:19:04 59904 ----a-w- c:\temp\oldtemp2\imagingsoftware\imagingocxs\SETUP.EXE
2011-02-18 11:19:04 352256 ----a-w- c:\temp\oldtemp2\imagingsoftware\Install.exe
2011-02-18 11:18:59 8192 ----a-w- c:\temp\oldtemp2\imagingsoftware\imagingocxs\_ISDEL.EXE
2011-02-18 11:18:59 803680 ----a-w- c:\temp\oldtemp2\imagingsoftware\imagingocxs\axdist.exe
2011-02-18 11:18:59 59904 ----a-w- c:\temp\oldtemp2\imagingsoftware\imaging\SETUP.EXE
2011-02-18 11:18:59 11264 ----a-w- c:\temp\oldtemp2\imagingsoftware\imagingocxs\_SETUP.DLL
2011-02-18 11:18:52 8192 ----a-w- c:\temp\oldtemp2\imagingsoftware\imaging\_ISDEL.EXE
2011-02-18 11:18:52 803680 ----a-w- c:\temp\oldtemp2\imagingsoftware\imaging\axdist.exe
2011-02-18 11:18:52 11264 ----a-w- c:\temp\oldtemp2\imagingsoftware\imaging\_SETUP.DLL
2011-02-18 11:18:51 8192 ----a-w- c:\temp\oldtemp2\imagingsoftware\1xclient\_ISDEL.EXE
2011-02-18 11:18:51 59904 ----a-w- c:\temp\oldtemp2\imagingsoftware\1xclient\SETUP.EXE
2011-02-18 11:18:51 151552 ----a-w- c:\temp\oldtemp2\imagingsoftware\1xclient\instsrvr.dll
2011-02-18 11:18:51 11264 ----a-w- c:\temp\oldtemp2\imagingsoftware\1xclient\_SETUP.DLL
2011-02-18 11:17:41 33161216 ----a-w- c:\temp\oldtemp2\eiStreamImaging28.exe
2011-02-18 11:17:20 1897408 ----a-w- c:\temp\oldtemp2\backups\nvidia riva tnt2 model 64 model 64 pro (microsoft corporation)\nv4_mini.sys
2011-02-18 11:17:18 8811 ----a-w- c:\temp\oldtemp2\backups\conexant setup api\SetupSys.sys
2011-02-18 11:17:18 4274816 ----a-w- c:\temp\oldtemp2\backups\nvidia riva tnt2 model 64 model 64 pro (microsoft corporation)\nv4_disp.dll
2011-02-18 11:15:08 149504 ----a-w- c:\temp\melbcityrecd2k\UNWISE.EXE
2011-02-18 11:04:26 563200 ----a-w- c:\temp\melbcityrecd2k\Ads.exe
2011-02-18 11:04:18 153104 ----a-w- c:\temp\ext18866\install.exe
2011-02-18 11:04:18 1065480 ----a-w- c:\temp\ext18866\install.res.dll
2011-02-18 10:51:37 121206136 ----a-w- c:\temp\chris virusfixtools\ca - anti-virus plus (rp data account)\cd files\en\SETUP.EXE
2011-02-18 10:51:36 874292 ----a-w- c:\temp\chris virusfixtools\bootdisk.com files\xpboot.exe
2011-02-18 10:51:36 700781 ----a-w- c:\temp\chris virusfixtools\bootdisk.com files\task40.exe
2011-02-18 10:51:33 197233 ----a-w- c:\temp\chris virusfixtools\bootdisk.com files\rest2514.exe
2011-02-18 10:51:32 553687 ----a-w- c:\temp\chris virusfixtools\bootdisk.com files\jv16regc.exe
2011-02-18 10:51:31 1420962 ----a-w- c:\temp\chris virusfixtools\bootdisk.com files\jv16ptv1.exe
2011-02-18 10:51:28 477308 ----a-w- c:\temp\chris virusfixtools\bootdisk.com files\doscdrom.exe
2011-02-18 10:51:28 1290938 ----a-w- c:\temp\chris virusfixtools\bootdisk.com files\drdos703.exe
2011-02-18 10:51:17 27386280 ----a-w- c:\temp\chris virusfixtools\acrobat reader\AdbeRdr920_en_US.exe
2011-02-18 10:50:20 5760288 ----a-w- c:\temp\ar405eng.exe
2011-02-18 08:54:34 339968 ----a-w- c:\windows\system32\hpbicoin.dll
2011-02-18 07:45:30 63 ----a-w- C:\reminder_timesheet.bat
2011-02-18 07:45:30 527 ----a-w- C:\Reset.cmd
2011-02-18 07:01:57 269 ----a-w- C:\ftpdownload.bat
2011-02-18 07:01:57 266 ----a-w- C:\ftpupload.bat
2011-02-18 06:50:40 72 ----a-w- C:\connectme3.bat
2011-02-18 06:50:40 67 ----a-w- C:\connectme2.bat
2011-02-18 06:50:40 266 ----a-w- C:\Copy of ftpupload.bat
2011-02-18 06:50:40 0 ----a-w- C:\connectme.bat
2011-02-17 15:24:48 358 ----a-w- C:\AcrE02B.tmp
2011-02-17 15:24:48 358 ----a-w- C:\Acr334C.tmp
2011-02-17 11:15:54 -------- d-----w- C:\NICKY
2011-02-17 11:14:59 -------- d-----w- C:\== RPDATA ==
2011-02-17 11:14:36 -------- d-----w- C:\== CPM ==
2011-02-17 11:14:22 -------- d-----w- C:\== Cityscope ==
2011-02-17 06:09:23 20672 ----a-w- c:\windows\system32\mv2.dll
2011-02-17 06:09:23 10688 ----a-w- c:\windows\system32\drivers\mv2.sys
2011-02-17 05:40:15 1341176 ----a-w- c:\temp\2010\issdm_ca_en.exe
2011-02-17 05:40:14 144648 ----a-w- c:\temp\2010\removal tool\SupportBridge.exe
2011-02-17 05:30:52 -------- d-----w- c:\windows\system32\winsflte.dl1
2011-02-17 05:30:52 -------- d-----w- c:\windows\system32\winsflt.dl1
2011-02-17 05:29:10 -------- d-----w- c:\docume~1\alluse~1\applic~1\CA-SupportBridge
2011-02-17 04:18:31 -------- d-----w- c:\program files\FreeFileSync
2011-02-15 00:52:28 -------- d-----w- c:\windows\system32\winrm
2011-02-15 00:52:24 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2011-02-15 00:48:25 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\ApplicationHistory
2011-02-15 00:37:56 274288 ----a-w- c:\windows\system32\mucltui.dll
2011-02-15 00:37:56 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2011-02-15 00:35:51 -------- d-----w- C:\temp
.
==================== Find3M ====================
.
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 08:19:39 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59:19 43520 ------w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59:19 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55:26 385024 ------w- c:\windows\system32\html.iec
.
============= FINISH: 11:41:22.51 ===============

Attached Files


#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
    •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:06:28 PM

Posted 14 March 2011 - 09:41 PM

Hi

Just some housekeeping to do now,

Please do the following:

You can delete the DDS and GMER logs and programs from your desktop.


NEXT

Follow these steps to uninstall Combofix

  • Make sure your security programs are totally disabled.
  • Click START then RUN
  • Now copy/paste Combofix /uninstall into the runbox and click OK. Note the space between the ..X and the /U, it needs to be there.

Posted Image


If there are any logs/tools remaining on your desktop > right click and delete them.


NEXT


Below I have included a number of recommendations for how to protect your computer against malware infections.

  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis, this is especially true after an infection. Refer to this Microsoft article
    Strong passwords: How to create and use them     Then consider a password keeper, to keep all your passwords safe.

  • Keep Windows updated by regularly checking their website at :
    http://windowsupdate.microsoft.com/
    This will ensure your computer has always the latest security updates available installed on your computer.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

  • Download TFC to your desktop
    • Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run,
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish it's job
    • Once its finished it should automatically reboot your machine,
    • if it doesn't, manually reboot to ensure a complete clean
    It's normal after running TFC cleaner that the PC will be slower to boot the first time.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at this well written article:
    PC Safety and Security--What Do I Need?.


**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.


Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank-you.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015

#11 Stanbridge

Stanbridge
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
    •  
  • Local time:08:28 AM

Posted 15 March 2011 - 10:49 PM

Hi CatByte!

THANKYOU SOOOOOOO MUCH FOR ALL OF YOUR HELP!!!

I have completed those final steps and taken measures to improve my security (some were already taken).

My system is now completely clean, running smoothly and malware free!!!

You're a legend!

When I get at least 20 posts I think I might even start the training myself!

You may now consider this thread resolved. Thanks again! Very much! :)


Cheers,

Chris

#12 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
    •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:06:28 PM

Posted 15 March 2011 - 11:13 PM

you are welcome

stay safe :hello:

~CB

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015

#13 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
    •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:06:28 PM

Posted 15 March 2011 - 11:14 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015

Back to Virus, Trojan, Spyware, and Malware Removal Logs


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users


  1. BleepingComputer.com
  2. Security
  3. Virus, Trojan, Spyware, and Malware Removal Logs
  4. Privacy Policy
  5. Rules ·