
Infected with google redirects and malware protection


  • This topic is locked
18 replies to this topic

#1 dawnriver
  • Members
  • 9 posts

Posted 01 June 2011 - 03:18 PM

My computer was infected with the "Malware Protection" rogue, bundled with Google redirects. I followed the removal guide and was able to remove Malware Protection using Malwarebytes in Safe Mode with Networking. However, I couldn't remove the Google-redirecting malware. TDSSKiller.exe, which I renamed, won't run when I double-click it. One day later, Malware Protection came back again.

Thank you very much!


.
DDS (Ver_2011-06-01.06) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Run by AUS17 at 12:31:56 on 2011-06-01
Microsoft Windows XP Professional 5.1.2600.3.936.86.1033.18.2046.1336 [GMT -4:00]
.
AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\WebUpdateSvc4.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\conime.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.bing.com/
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = about:blank
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537}
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1160421393734
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{FCA9C56F-10C1-4E22-8BD7-8BF090E05596} : DhcpNameServer = 192.168.1.1 192.168.1.1
Handler: x-atng - {7e8717b0-d862-11d5-8c9e-00010304f989} - c:\program files\fidelity investments\fidelity active trader\system\atngprot.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\program files\qualcomm\eudora\EuShlExt.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\aus17\application data\mozilla\firefox\profiles\ri0rdfah.default user\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\documents and settings\aus17\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPcol400.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPcol500.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA}
FF - Ext: UnMHT: {f759ca51-3a91-4dd1-ae78-9db5eee9ebf0} - %profile%\extensions\{f759ca51-3a91-4dd1-ae78-9db5eee9ebf0}
FF - Ext: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - %profile%\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
FF - Ext: ReloadEvery: {888d99e7-e8b5-46a3-851e-1ec45da1e644} - %profile%\extensions\{888d99e7-e8b5-46a3-851e-1ec45da1e644}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: ScrapBook: {53A03D43-5363-4669-8190-99061B2DEBA5} - %profile%\extensions\{53A03D43-5363-4669-8190-99061B2DEBA5}
FF - Ext: LiveClick: {d166ee2a-36bb-4f33-aff7-e85f912df509} - %profile%\extensions\{d166ee2a-36bb-4f33-aff7-e85f912df509}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
.
============= SERVICES / DRIVERS ===============
.
R1 archlp;archlp;c:\windows\system32\drivers\ArcHlp.sys [2010-12-15 127744]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-2-4 53896]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-6-2 185968]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-6-2 161392]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2005-6-23 1715904]
R2 WebUpdate4;Web Update Wizard Service V4;c:\windows\system32\WebUpdateSvc4.exe [2007-6-25 229592]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110531.002\naveng.sys [2011-5-31 86008]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110531.002\navex15.sys [2011-5-31 1542392]
R3 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-2-4 324232]
S1 EfiMon;EfiSystemMon;c:\windows\system32\drivers\efimon.sys --> c:\windows\system32\drivers\Efimon.sys [?]
S1 SafeBoxKrnl;SafeBoxKrnl;\??\c:\windows\system32\drivers\safeboxkrnl.sys --> c:\windows\system32\drivers\safeboxkrnl.sys [?]
S3 ArcCD;ArcCD Filter Driver Service;c:\windows\system32\drivers\ArcCD.sys [2010-12-15 36224]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-6-2 83568]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-6-1 39984]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2005-6-23 124608]
S3 V0060VID;Creative WebCam Live! Ultra;c:\windows\system32\drivers\V0060Vid.sys [2006-11-24 196409]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2006-10-10 280344]
S4 ArcUdfs;ArcUdfs FileSystem Driver Service;c:\windows\system32\drivers\ArcUdfs.sys [2010-12-15 134912]
.
=============== Created Last 30 ================
.
2011-06-01 13:40:26 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-01 13:40:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-01 00:17:12 -------- d--h--w- c:\windows\PIF
2011-05-31 01:40:02 13824 ----a-w- c:\windows\system32\LAYOUT.DLL
2011-05-30 16:57:36 -------- d-----w- c:\documents and settings\aus17\local settings\application data\Threat Expert
2011-05-30 16:43:01 -------- d-----w- c:\program files\PC Tools Security
2011-05-30 16:40:39 -------- d-----w- c:\documents and settings\all users\application data\PC Tools
2011-05-30 11:21:11 12872 ----a-w- c:\windows\system32\bootdelete.exe
2011-05-30 00:37:05 17480 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-05-30 00:37:02 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-05-30 00:35:53 -------- d-----w- c:\documents and settings\all users\application data\Hitman Pro
2011-05-28 13:14:43 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
==================== Find3M ====================
.
2011-04-15 18:47:16 47616 ----a-w- c:\windows\system32\wuwuninst.exe
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
.
============= FINISH: 12:33:00.76 ===============

Attached Files





#2 sempai (noypi)
  • Malware Response Team
  • 5,288 posts
  • Location: 3 stars and a sun

Posted 05 June 2011 - 09:35 AM

Hello dawnriver and welcome to BC. :)

Sorry about the delay, do you still need help?

~Semp

You can help me continue the fight against malware by making a donation. Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support; post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators)


#3 dawnriver (Topic Starter)
  • Members
  • 9 posts

Posted 05 June 2011 - 06:23 PM

Thank you for offering help. Yes, my computer still has the problem.

#4 sempai (noypi)
  • Malware Response Team
  • 5,288 posts
  • Location: 3 stars and a sun

Posted 06 June 2011 - 08:13 AM

Download ComboFix (by sUBs) from any of the links below, making sure that you save it to your desktop.

Link 1
Link 2

  • It's important to temporarily disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. See HERE
  • Close any open windows, including this one.
  • Double-click on ComboFix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

*It's strongly recommended to have this pre-installed on your machine before doing any malware removal.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
*This allows us to more easily help you should your computer have a problem after an attempted removal of malware.

  • If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures. If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
  • Click on Yes to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Important notes:

  • Leave your computer alone while ComboFix is running.
  • ComboFix will restart your computer if malware is found; allow it to do so.
  • ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
  • Please do not mouse-click ComboFix's window while it's running because it may cause it to stall.
  • ComboFix SHOULD NOT be used unless requested by a forum helper. See HERE.


~Semp



#5 dawnriver (Topic Starter)
  • Members
  • 9 posts

Posted 06 June 2011 - 10:20 AM

Hello Sempai,

Thank you very much for your generous help! I ran ComboFix.exe as you requested. The program froze for about 10 minutes when it showed "output folder: c:/32788R22FWJFW". So I tried to stop the program by pressing Ctrl+Alt+Del. Then I found there were two IE processes in Task Manager, although I had closed IE before I ran ComboFix. Once I stopped them, ComboFix proceeded normally and found and deleted a rootkit in volsnap.sys. Now the redirecting virus seems to be gone in IE, FF, and Chrome.

Here is the ComboFix log report. It is strange that part of it was written in Chinese, so I had to translate it into English. Hopefully this won't cause any misunderstanding. Thanks again!




ComboFix 11-06-05.06 - AUS17 6/2011 Mon 10:32:36.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.936.86.1033.18.2046.1584 [GMT -4:00]
Running from: f:\documents and settings\AUS17\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\360Downloads
c:\documents and settings\AUS17\Application Data\360SE
c:\documents and settings\AUS17\Application Data\360SE\360se.ini
c:\documents and settings\AUS17\Application Data\360SE\data\360sefav.db
c:\documents and settings\AUS17\Application Data\360SE\data\DailyBackup\360sefav_2010_07_02.favdb
c:\documents and settings\AUS17\Application Data\360SE\data\history.dat
c:\documents and settings\AUS17\Application Data\360SE\data\ico\avc.360.cn.ico
c:\documents and settings\AUS17\Application Data\360SE\data\ico\cn.bing.com.ico
c:\documents and settings\AUS17\Application Data\360SE\data\ico\cz.360.cn.ico
c:\documents and settings\AUS17\Application Data\360SE\data\ico\ddt.wan.360.cn.ico
c:\documents and settings\AUS17\Application Data\360SE\data\ico\dgcs.wan.360.cn.ico
c:\documents and settings\AUS17\Application Data\360SE\data\ico\dh.wan.360.cn.ico
c:\documents and settings\AUS17\Application Data\360SE\data\ico\farm.wan.360.cn.ico
c:\documents and settings\AUS17\Application Data\360SE\data\ico\hao.360.cn.ico
c:\documents and settings\AUS17\Application Data\360SE\data\ico\hero.wan.360.cn.ico
c:\documents and settings\AUS17\Application Data\360SE\data\ico\mcsd.wan.360.cn.ico
c:\documents and settings\AUS17\Application Data\360SE\data\ico\me.360.cn.ico
c:\documents and settings\AUS17\Application Data\360SE\data\ico\plsm.wan.360.cn.ico
c:\documents and settings\AUS17\Application Data\360SE\data\ico\poker.wan.360.cn.ico
c:\documents and settings\AUS17\Application Data\360SE\data\ico\se.360.cn.ico
c:\documents and settings\AUS17\Application Data\360SE\data\ico\search8.taobao.com.ico
c:\documents and settings\AUS17\Application Data\360SE\data\ico\wan.360.cn.ico
c:\documents and settings\AUS17\Application Data\360SE\data\ico\www.baidu.com.ico
c:\documents and settings\AUS17\Application Data\360SE\data\ico\www.google.cn.ico
c:\documents and settings\AUS17\Application Data\360SE\data\ico\www.qihoo.com.ico
c:\documents and settings\AUS17\Application Data\360SE\data\ico\www.sogou.com.ico
c:\documents and settings\AUS17\Application Data\360SE\data\ico\www.youdao.com.ico
c:\documents and settings\AUS17\Application Data\360SE\data\ico\wxfy.wan.360.cn.ico
c:\documents and settings\AUS17\Application Data\360SE\data\ico\yahoo.cn.ico
c:\documents and settings\AUS17\Application Data\360SE\data\ico\zqjl.wan.360.cn.ico
c:\documents and settings\AUS17\Application Data\360SE\data\user.dat
c:\documents and settings\AUS17\Application Data\360SE\extensions\ExtAddons\ExtStats.ini
c:\documents and settings\AUS17\Application Data\360SE\extensions\ExtAddons\ExtStats.ini.cfg
c:\documents and settings\AUS17\Application Data\360SE\extensions\ExtAddons\ganzhi.ini
c:\documents and settings\AUS17\Application Data\360SE\extensions\ExtAddons\recommend.ini
c:\documents and settings\AUS17\Application Data\360SE\extensions\ExtAdfilter\extadfilter.ini
c:\documents and settings\AUS17\Application Data\360SE\extensions\ExtProxy\proxy.ini
c:\documents and settings\AUS17\Application Data\360SE\extensions\Favorites\Favorites.ini
c:\documents and settings\AUS17\Application Data\360SE\extensions\Favorites\Log\360log_2010_07_02.log
c:\documents and settings\AUS17\Application Data\360SE\extensions\SafeCentral\esimple.ini
c:\documents and settings\AUS17\Application Data\360SE\extensions\SafeCentral\SafeCentral.ini
c:\documents and settings\AUS17\Application Data\360SE\extensions\SafeCentral\SafeProtect.dat
c:\documents and settings\AUS17\Application Data\360SE\extensions\SafeCentral\sc.ini
c:\documents and settings\AUS17\Application Data\360SE\extensions\SafeCentral\urllib.dat
c:\documents and settings\AUS17\Application Data\360SE\stat.ini
c:\documents and settings\AUS17\Application Data\360SE\Update\extdoctor.zip
c:\program files\AskSearch\bin\DefaultSearch.dll
c:\windows\system32\_000005_.tmp.dll
F:\360Downloads
G:\360Downloads
H:\360Downloads
.
Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected
Restored copy from - Kitty had a snack :P
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_SAFEBOXKRNL
-------\Legacy_ZHUDONGFANGYU
-------\Service_SafeBoxKrnl
-------\Service_usnjsvc
.
.
((((((((((((((((((((((((( Files Created from 2011-05-06 to 2011-06-06 )))))))))))))))))))))))))))))))
.
.
2011-06-01 13:40 . 2011-05-29 13:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-01 13:40 . 2011-06-01 13:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-01 00:17 . 2011-06-01 00:17 -------- d--h--w- c:\windows\PIF
2011-05-31 01:40 . 2001-05-26 19:16 13824 ----a-w- c:\windows\system32\LAYOUT.DLL
2011-05-30 16:57 . 2011-05-30 16:57 -------- d-----w- c:\documents and settings\AUS17\Local Settings\Application Data\Threat Expert
2011-05-30 16:43 . 2011-05-30 17:09 -------- d-----w- c:\program files\PC Tools Security
2011-05-30 16:40 . 2011-05-30 17:07 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2011-05-30 11:21 . 2011-05-30 11:21 12872 ----a-w- c:\windows\system32\bootdelete.exe
2011-05-30 00:37 . 2011-06-01 00:37 17480 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-05-30 00:37 . 2011-05-30 00:37 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-05-30 00:35 . 2011-05-30 11:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2011-05-28 13:14 . 2011-05-28 13:14 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-15 18:47 . 2011-04-15 18:47 47616 ----a-w- c:\windows\system32\wuwuninst.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 48752]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-06-23 85696]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-10 282624]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-11 8429568]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2006-01-09 86016]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0210804]
Ime File REG_SZ GOOGLEPINYIN2.IME
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mxomssmenu]
2007-07-13 20:01 169264 ----a-w- c:\program files\Maxtor\OneTouch Status\MaxMenuMgr.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Google Update"="c:\documents and settings\AUS17\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" /scan:boot
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\SAS\\SAS 9.1\\sas.exe"=
"c:\\Program Files\\QuoteTracker\\stocks.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\SAS\\SASFoundation\\9.2\\sas.exe"=
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Disabled:ActiveSync Application
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Disabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Disabled:ActiveSync RAPI Manager
"f:\\Program Files\\FlashGet\\flashget.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Disabled:ActiveSync Service
.
R1 archlp;archlp;c:\windows\system32\drivers\ArcHlp.sys [12/15/2010 5:22 PM 127744]
R2 WebUpdate4;Web Update Wizard Service V4;c:\windows\system32\WebUpdateSvc4.exe [6/25/2007 12:19 PM 229592]
R3 EraserUtilDrv11110;EraserUtilDrv11110;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11110.sys [6/4/2011 7:59 AM 105592]
S1 EfiMon;EfiSystemMon;c:\windows\system32\Drivers\Efimon.sys --> c:\windows\system32\Drivers\Efimon.sys [?]
S3 ArcCD;ArcCD Filter Driver Service;c:\windows\system32\drivers\ArcCD.sys [12/15/2010 5:21 PM 36224]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [6/1/2011 9:40 AM 39984]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [6/23/2005 7:27 PM 124608]
S3 V0060VID;Creative WebCam Live! Ultra;c:\windows\system32\drivers\V0060Vid.sys [11/24/2006 6:38 PM 196409]
S4 ArcUdfs;ArcUdfs FileSystem Driver Service;c:\windows\system32\drivers\ArcUdfs.sys [12/15/2010 5:21 PM 134912]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - ArcRec
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-03-17 18:14 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = about:blank
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
FF - ProfilePath - c:\documents and settings\AUS17\Application Data\Mozilla\Firefox\Profiles\ri0rdfah.Default User\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA}
FF - Ext: UnMHT: {f759ca51-3a91-4dd1-ae78-9db5eee9ebf0} - %profile%\extensions\{f759ca51-3a91-4dd1-ae78-9db5eee9ebf0}
FF - Ext: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - %profile%\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
FF - Ext: ReloadEvery: {888d99e7-e8b5-46a3-851e-1ec45da1e644} - %profile%\extensions\{888d99e7-e8b5-46a3-851e-1ec45da1e644}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: ScrapBook: {53A03D43-5363-4669-8190-99061B2DEBA5} - %profile%\extensions\{53A03D43-5363-4669-8190-99061B2DEBA5}
FF - Ext: LiveClick: {d166ee2a-36bb-4f33-aff7-e85f912df509} - %profile%\extensions\{d166ee2a-36bb-4f33-aff7-e85f912df509}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-06 10:39
Windows 5.1.2600 Service Pack 3 NTFS
.
Scanning hidden processes ...
.
Scanning hidden autostart entries ...
.
Scanning hidden files ...
.
scan completed sucessfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2044)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Hummingbird\Connectivity\10.00\Hummingbird Neighborhood\heshell.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\windows\system32\conime.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\windows\system32\tcpsvcs.exe
c:\program files\Maxtor\Sync\SyncServices.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
.
**************************************************************************
.
Completion time: 2011-06-06 10:44:11 - machine was rebooted
ComboFix-quarantined-files.txt 2011-06-06 14:44
ComboFix2.txt 2008-01-06 09:26
ComboFix3.txt 2008-01-04 09:23
ComboFix4.txt 2008-01-06 09:17
ComboFix5.txt 2011-06-06 14:28
.
Pre-Run: 134,471,454,720 bytes free
Post-Run: 134,500,360,192 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-CHS.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 2E4F460FD5EF901F8B9E157CC1110754

#6 sempai (noypi)
  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 06 June 2011 - 11:26 AM

Please go to http://virscan.org/
  • Paste the following file path into the "Suspicious files to scan" box at the top of the page:

    c:\windows\system32\wuwuninst.exe

  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators)


#7 dawnriver (Topic Starter)
  • Members
  • 9 posts

Posted 06 June 2011 - 12:25 PM

Thank you! Here is the report.


VirSCAN.org Scanned Report :
Scanned time : 2011/06/06 13:20:14 (EDT)
Scanner results: Scanners did not find malware!
File Name : wuwuninst.exe
File Size : 47616 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 68d5a5add2e63e6552e7b52b844982ea
SHA1 : 3f42c7ac06d7bb4239cdab564f9b7275fbcaefac
Online report : http://file.virscan.org/report/ac24355161fbccc390cd0a344dfebf27.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.1.0.2 20110606225145 2011-06-06 8.16 -
AhnLab V3 2011.06.07.00 2011.06.07 2011-06-07 7.90 -
AntiVir 8.2.5.12 7.11.9.58 2011-06-06 0.29 -
Antiy 2.0.18 20110205.7694535 2011-02-05 0.13 -
Arcavir 2011 201105080215 2011-05-08 0.04 -
Authentium 5.1.1 201106051559 2011-06-05 1.62 -
AVAST! 4.7.4 110606-0 2011-06-06 0.01 -
AVG 8.5.850 271.1.1/3678 2011-06-03 0.68 -
BitDefender 7.90123.7406640 7.37559 2011-05-24 0.00 -
ClamAV 0.96.5 13150 2011-06-06 0.03 -
Comodo 4.0 8971 2011-06-06 2.62 -
CP Secure 1.3.0.5 2011.06.04 2011-06-04 0.00 -
Dr.Web 5.0.2.3300 2011.06.06 2011-06-06 12.63 -
F-Prot 4.4.4.56 20110605 2011-06-05 1.55 -
F-Secure 7.02.73807 2011.06.06.04 2011-06-06 0.22 -
Fortinet 4.2.257 13.297 2011-06-06 0.86 -
GData 22.552/22.146 20110606 2011-06-06 17.30 -
ViRobot 20110604 2011.06.04 2011-06-04 0.44 -
Ikarus T3.1.32.20.0 2011.06.06.78544 2011-06-06 4.92 -
JiangMin 13.0.900 2011.06.01 2011-06-01 3.02 -
Kaspersky 5.5.10 2011.06.06 2011-06-06 0.11 -
KingSoft 2009.2.5.15 2011.6.6.9 2011-06-06 0.86 -
McAfee 5400.1158 6368 2011-06-05 9.70 -
Microsoft 1.6903 2011.06.06 2011-06-06 21.04 -
NOD32 3.0.21 6179 2011-06-04 0.05 -
Norman 6.07.08 6.07.00 2011-06-05 18.02 -
Panda 9.05.01 2011.06.06 2011-06-06 3.78 -
Trend Micro 9.200-1012 8.206.08 2011-06-06 0.05 -
Quick Heal 11.00 2011.06.06 2011-06-06 6.62 -
Rising 20.0 23.60.03.09 2011-06-03 0.88 -
Sophos 3.20.2 4.66 2011-06-07 4.09 -
Sunbelt 3.9.2494.2 9503 2011-06-06 3.43 -
Symantec 1.3.0.24 20110605.002 2011-06-05 0.08 -
nProtect 20110601.01 3460661 2011-06-01 8.11 -
The Hacker 6.7.0.1 v00176 2011-04-18 0.51 -
VBA32 3.12.16.0 20110606.0905 2011-06-06 5.36 -
VirusBuster 5.3.0.4 14.0.70.0/5298313 2011-06-06 0.00 -

#8 sempai (noypi)
  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 07 June 2011 - 06:51 AM

We need to execute a ComboFix script.

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy-paste the text in the code box below into it:

FileLook::
c:\WINDOWS\system32\javaw.exe

DDS::
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File

RegLock::
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]

4. Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

5. Referring to the picture above, drag CFScript into ComboFix.exe

6. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


~Semp



#9 dawnriver (Topic Starter)
  • Members
  • 9 posts

Posted 07 June 2011 - 09:44 AM

Thank you Sempai. I've attached the compressed report file since it's too big.




#10 sempai (noypi)
  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 08 June 2011 - 06:49 AM

How's the computer running?


=====================================


ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will, however, need to disable your currently installed Anti-Virus; how to do so can be read here.

Vista/Windows 7 users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here to run the scan.

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use then click on: Posted Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Posted Image
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: Posted Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

~Semp



#11 dawnriver (Topic Starter)
  • Members
  • 9 posts

Posted 08 June 2011 - 12:39 PM

Thank you! My computer seems to be normal since I ran combofix on Monday. Below is the log of ESET online scanner.


ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6522
# api_version=3.0.2
# EOSSerial=e40b7d77a308f148ad19f00573e39272
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-06-08 05:25:33
# local_time=2011-06-08 01:25:33 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=295972
# found=8
# cleaned=0
# scan_time=16484
C:\Documents and Settings\AUS17\Application Data\Sun\Java\Deployment\cache\6.0\34\37db3fe2-3d4578de Java/TrojanDownloader.Agent.ME trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\AUS17\Application Data\Sun\Java\Deployment\cache\6.0\48\9194470-2b125c83 a variant of Win32/Kryptik.OLW trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\AUS17\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_006c23 a variant of Win32/HackTool.PDAunlock.A application (unable to clean) 00000000000000000000000000000000 I
C:\MGtools\Process.exe Win32/PrcView application (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{AAE4D03B-96C3-46D5-91C4-AA0AD7DD692F}\RP1205\A1416194.exe a variant of Win32/Kryptik.OLW trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{AAE4D03B-96C3-46D5-91C4-AA0AD7DD692F}\RP1206\A1416391.sys Win32/Olmasco.E trojan (unable to clean) 00000000000000000000000000000000 I
F:\My Documents\Downloads\RhodiumW-HardSPL_V1_10R3_100HSPL.zip a variant of Win32/HackTool.PDAunlock.A application (unable to clean) 00000000000000000000000000000000 I
G:\MGtools\Process.exe Win32/PrcView application (unable to clean) 00000000000000000000000000000000 I

#12 sempai (noypi)
  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 09 June 2011 - 07:18 AM

Hi,

Do you still need the MGtools from MajorGeeks? If not you can delete them.


=================================


1. We need to execute an OTM script
  • Please download OTM by OldTimer and save it to your desktop.
  • Double click the Posted Image icon on your desktop.
  • Paste the following code under the Posted Image area. Do not include the word "Code".

    :Files
    C:\Documents and Settings\AUS17\Application Data\Sun\Java\Deployment\cache\6.0\34\37db3fe2-3d4578de
    C:\Documents and Settings\AUS17\Application Data\Sun\Java\Deployment\cache\6.0\48\9194470-2b125c83
    C:\Documents and Settings\AUS17\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_006c23
    F:\My Documents\Downloads\RhodiumW-HardSPL_V1_10R3_100HSPL.zip
    
    :Commands
    [emptytemp]
    
  • Push the large Posted Image button.
  • OTM may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the Posted Image line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


2. Please run Malwarebytes Anti-Malware. Go to the Update tab, download all updates and then perform a full scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Edited by sempai, 09 June 2011 - 07:22 AM.

~Semp



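Added example, not code from the thread, ESET or OldTimer: it parses the ESET Online Scanner detection lines posted above and applies the same triage sempai used when writing the OTM :Files list, leaving restore-point copies to the restore-point purge, flagging files under a MGtools folder to ask the user about, and putting the rest into the script. The sample log is copied from the post, and the MGtools folder marker is an assumption drawn from the thread.

```python
"""Triage an ESET Online Scanner log into an OTM :Files / :Commands block."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Sample input: the header counters and the eight detection lines from the
# ESET log posted above (constructed for this example).
ESET_LOG = r"""
# found=8
# cleaned=0
C:\Documents and Settings\AUS17\Application Data\Sun\Java\Deployment\cache\6.0\34\37db3fe2-3d4578de Java/TrojanDownloader.Agent.ME trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\AUS17\Application Data\Sun\Java\Deployment\cache\6.0\48\9194470-2b125c83 a variant of Win32/Kryptik.OLW trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\AUS17\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_006c23 a variant of Win32/HackTool.PDAunlock.A application (unable to clean) 00000000000000000000000000000000 I
C:\MGtools\Process.exe Win32/PrcView application (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{AAE4D03B-96C3-46D5-91C4-AA0AD7DD692F}\RP1205\A1416194.exe a variant of Win32/Kryptik.OLW trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{AAE4D03B-96C3-46D5-91C4-AA0AD7DD692F}\RP1206\A1416391.sys Win32/Olmasco.E trojan (unable to clean) 00000000000000000000000000000000 I
F:\My Documents\Downloads\RhodiumW-HardSPL_V1_10R3_100HSPL.zip a variant of Win32/HackTool.PDAunlock.A application (unable to clean) 00000000000000000000000000000000 I
G:\MGtools\Process.exe Win32/PrcView application (unable to clean) 00000000000000000000000000000000 I
"""

# One detection line: <path> <threat> <kind> (<status>) <32 hex digits> <flag>.
# The path may contain spaces but never "/", while every ESET threat name has a
# "Family/Name" slash, so the first "x/y trojan|application" token ends the path.
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) "
    r"(?P<threat>(?:a variant of )?\S+/\S+) (?P<kind>trojan|application) "
    r"\((?P<status>[^)]*)\) (?P<hash>[0-9a-fA-F]{32}) (?P<flag>\S+)$"
)

# Folder markers for files the user should be asked about before removal.
# Assumption taken from the thread: MGtools is a toolkit the user may still want.
REVIEW_MARKERS = ("\\mgtools\\",)


@dataclass
class Detection:
    path: str
    threat: str
    kind: str
    status: str


def parse_eset_log(text: str) -> list[Detection]:
    """Return one Detection per detection line; '# key=value' header lines are skipped."""
    found = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            found.append(Detection(m["path"], m["threat"], m["kind"], m["status"]))
    return found


def reported_found(text: str) -> Optional[int]:
    """The scanner's own count from the '# found=N' header, used as a cross-check."""
    m = re.search(r"^# found=(\d+)", text, re.M)
    return int(m.group(1)) if m else None


def triage(detections: list[Detection]) -> dict[str, list[Detection]]:
    """Sort detections into the three buckets used in the thread above."""
    buckets: dict[str, list[Detection]] = {"remove": [], "restore_point": [], "review": []}
    for d in detections:
        low = d.path.lower()
        if "\\system volume information\\_restore" in low:
            buckets["restore_point"].append(d)  # goes away with the restore points
        elif any(marker in low for marker in REVIEW_MARKERS):
            buckets["review"].append(d)  # ask before deleting a tool the user installed
        else:
            buckets["remove"].append(d)
    return buckets


def build_otm_script(to_remove: list[Detection]) -> str:
    """Emit the :Files / :Commands block in the layout OTM accepts."""
    lines = [":Files", *[d.path for d in to_remove], "", ":Commands", "[emptytemp]"]
    return "\n".join(lines)


if __name__ == "__main__":
    dets = parse_eset_log(ESET_LOG)
    if reported_found(ESET_LOG) != len(dets):
        raise SystemExit("log header disagrees with the number of parsed detection lines")
    buckets = triage(dets)
    print(build_otm_script(buckets["remove"]))
    for d in buckets["review"]:
        print(f"ask the user about: {d.path} ({d.threat} {d.kind})")
```
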
#13 dawnriver (Topic Starter)
  • Members
  • 9 posts

Posted 09 June 2011 - 10:31 AM

Hi Sempai,

I've deleted MGtools. Thank you!

Here is the OTM report:

All processes killed
========== FILES ==========
C:\Documents and Settings\AUS17\Application Data\Sun\Java\Deployment\cache\6.0\34\37db3fe2-3d4578de moved successfully.
C:\Documents and Settings\AUS17\Application Data\Sun\Java\Deployment\cache\6.0\48\9194470-2b125c83 moved successfully.
File/Folder C:\Documents and Settings\AUS17\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_006c23 not found.
F:\My Documents\Downloads\RhodiumW-HardSPL_V1_10R3_100HSPL.zip moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: AUS17
->Temp folder emptied: 948938 bytes
->Temporary Internet Files folder emptied: 36522841 bytes
->Java cache emptied: 48828844 bytes
->FireFox cache emptied: 103038545 bytes
->Google Chrome cache emptied: 299485880 bytes
->Flash cache emptied: 3021520 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2195181 bytes
%systemroot%\System32 .tmp files removed: 31357457 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 32902 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 501.00 mb


OTM by OldTimer - Version 3.1.18.0 log created on 06092011_090511




Here is the MBAM report:

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6818

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/9/2011 11:23:09 AM
mbam-log-2011-06-09 (11-23-09).txt

Scan type: Full scan (C:\|F:\|G:\|H:\|)
Objects scanned: 434477
Time elapsed: 1 hour(s), 57 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\system volume information\_restore{aae4d03b-96c3-46d5-91c4-aa0ad7dd692f}\RP1205\A1416194.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
f:\_OTM\movedfiles\06092011_090511\c_documents and settings\AUS17\application data\Sun\Java\deployment\cache\6.0\48\9194470-2b125c83 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

#14 sempai (noypi)
  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 09 June 2011 - 01:10 PM

Just a few more steps please, we're almost done.


1. Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
  • Download the latest version of Java Runtime Environment (JRE) Version 6.
  • Look for "JDK 6 Update 26 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Select "Windows x86 Offline" and click on jre-6u26-windows-i586.exe
  • Save it to your desktop
  • Close any programs you may have running - especially your web browser.
  • Uninstall all older versions of Java (any item with Java Runtime Environment, JRE or J2SE in the name).
  • Reboot your computer once all Java components are removed.
  • Install the newest version by double clicking (run as Administrator for Windows Vista/Seven) the downloaded file.



2. Update Adobe Reader so you will not be vulnerable to infections.
  • Uninstall your old version of Adobe Reader.
  • Download the latest version of Adobe Reader. --> HERE
  • Click download to download the file and install it by following the prompts.



3. Please run another DDS scan and post the new report for my final review. No need for the attach.txt.

~Semp



#15 dawnriver (Topic Starter)
  • Members
  • 9 posts

Posted 09 June 2011 - 02:41 PM

Hi Sempai,
Thank you so much. I've updated Java and Adobe Reader. Here is the DDS scan report.


.
DDS (Ver_2011-06-03.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
Run by AUS17 at 15:34:49 on 2011-06-09
Microsoft Windows XP Professional 5.1.2600.3.936.86.1033.18.2046.1477 [GMT -4:00]
.
AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\WebUpdateSvc4.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\NOS\bin\getPlusPlus_Adobe.exe
C:\WINDOWS\System32\svchost.exe -k nosGetPlusHelper
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\conime.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.bing.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = about:blank
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRunOnce: [Uninstall Adobe Download Manager] "c:\program files\nos\bin\getPlusUninst_Adobe.exe" /Get1noarp
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537}
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1160421393734
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{FCA9C56F-10C1-4E22-8BD7-8BF090E05596} : DhcpNameServer = 192.168.1.1 192.168.1.1
Handler: x-atng - {7e8717b0-d862-11d5-8c9e-00010304f989} - c:\program files\fidelity investments\fidelity active trader\system\atngprot.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\program files\qualcomm\eudora\EuShlExt.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\aus17\application data\mozilla\firefox\profiles\ri0rdfah.default user\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\documents and settings\aus17\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPcol400.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPcol500.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - Ext: UnMHT: {f759ca51-3a91-4dd1-ae78-9db5eee9ebf0} - %profile%\extensions\{f759ca51-3a91-4dd1-ae78-9db5eee9ebf0}
FF - Ext: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - %profile%\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
FF - Ext: ReloadEvery: {888d99e7-e8b5-46a3-851e-1ec45da1e644} - %profile%\extensions\{888d99e7-e8b5-46a3-851e-1ec45da1e644}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: ScrapBook: {53A03D43-5363-4669-8190-99061B2DEBA5} - %profile%\extensions\{53A03D43-5363-4669-8190-99061B2DEBA5}
FF - Ext: LiveClick: {d166ee2a-36bb-4f33-aff7-e85f912df509} - %profile%\extensions\{d166ee2a-36bb-4f33-aff7-e85f912df509}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
.
============= SERVICES / DRIVERS ===============
.
R1 archlp;archlp;c:\windows\system32\drivers\ArcHlp.sys [2010-12-15 127744]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-2-4 53896]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-6-2 185968]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-6-2 161392]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2005-6-23 1715904]
R2 WebUpdate4;Web Update Wizard Service V4;c:\windows\system32\WebUpdateSvc4.exe [2007-6-25 229592]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110608.002\naveng.sys [2011-6-9 86008]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110608.002\navex15.sys [2011-6-9 1542392]
R3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2004-8-4 14336]
R3 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-2-4 324232]
S1 EfiMon;EfiSystemMon;c:\windows\system32\drivers\efimon.sys --> c:\windows\system32\drivers\Efimon.sys [?]
S3 ArcCD;ArcCD Filter Driver Service;c:\windows\system32\drivers\ArcCD.sys [2010-12-15 36224]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-6-2 83568]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-6-1 39984]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2005-6-23 124608]
S3 V0060VID;Creative WebCam Live! Ultra;c:\windows\system32\drivers\V0060Vid.sys [2006-11-24 196409]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2006-10-10 280344]
S4 ArcUdfs;ArcUdfs FileSystem Driver Service;c:\windows\system32\drivers\ArcUdfs.sys [2010-12-15 134912]
.
=============== Created Last 30 ================
.
2011-06-09 19:10:31 29544 ----a-w- c:\program files\mozilla firefox\plugins\np_gp.dll
2011-06-09 19:07:39 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-06-09 19:07:39 476904 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2011-06-09 19:07:39 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-06-09 13:19:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-08 12:47:34 -------- d-----w- c:\program files\ESET
2011-06-06 14:31:00 -------- d-sha-r- C:\cmdcons
2011-06-06 14:28:11 208896 ----a-w- c:\windows\MBR.exe
2011-06-06 14:28:10 256512 ----a-w- c:\windows\PEV.exe
2011-06-01 13:40:26 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-01 13:40:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-01 00:17:12 -------- d--h--w- c:\windows\PIF
2011-05-31 01:40:02 13824 ----a-w- c:\windows\system32\LAYOUT.DLL
2011-05-30 16:57:36 -------- d-----w- c:\documents and settings\aus17\local settings\application data\Threat Expert
2011-05-30 16:43:01 -------- d-----w- c:\program files\PC Tools Security
2011-05-30 16:40:39 -------- d-----w- c:\documents and settings\all users\application data\PC Tools
2011-05-30 11:21:11 12872 ----a-w- c:\windows\system32\bootdelete.exe
2011-05-30 00:37:05 17480 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-05-30 00:37:02 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-05-30 00:35:53 -------- d-----w- c:\documents and settings\all users\application data\Hitman Pro
2011-05-28 13:14:43 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
==================== Find3M ====================
.
2011-04-15 18:47:16 47616 ----a-w- c:\windows\system32\wuwuninst.exe
.
============= FINISH: 15:35:52.14 ===============



