Seeing popups & redirect for prize giveaways on IE open


This topic is locked. 18 replies to this topic.

#1 rocketm59 (Members, 20 posts)

Posted 24 August 2011 - 06:56 AM

I keep seeing a new IE window open with a pop-up for prize giveaways upon opening the browser. I also had a Google redirect virus, which I believe Malwarebytes removed. I am still experiencing CPU spikes and apparent network activity (viewing the network icon) without doing any activity on the computer.
.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
Run by Administrator at 15:47:18 on 2011-08-23
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.664 [GMT -4:00]
.
AV: AVG Internet Security 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *Disabled*
FW: AVG Firewall *Enabled*
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG10\avgfws.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\UPS\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\AVG\AVG10\avgam.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\SPRINT~1\SMARTB~1\SprintDSLAlert.exe
C:\Program Files\QuickTime\qttask.exe
C:\UPS\WSTD\UPSNA1Msgr.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Plaxo\3.27.0.12\PlaxoHelper_en.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\UPS\WSTD\WSTDMessaging.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Common Files\Vision\vservice.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Sprint virtual assistant\bin\mpbtn.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://my.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
uRun: [PlaxoUpdate] c:\documents and settings\administrator\local settings\application data\plaxo\3.27.0.12\PlaxoHelper_en.exe -a
uRun: [PlaxoSysTray] c:\documents and settings\administrator\local settings\application data\plaxo\3.27.0.12\PlaxoSysTray.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [CPQEASYACC] c:\program files\compaq\easy access button support\StartEAK.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [<NO NAME>]
mRun: [StatusClient] c:\program files\hewlett-packard\toolbox2.0\apache tomcat 4.0\webapps\toolbox\statusclient\StatusClient.exe /auto
mRun: [TomcatStartup] c:\program files\hewlett-packard\toolbox2.0\hpbpsttp.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Motive SmartBridge] c:\progra~1\sprint~1\smartb~1\SprintDSLAlert.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NA1Messenger] c:\ups\wstd\UPSNA1Msgr.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
mRun: [IndexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"
mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\paperport\11\config\ereg\Ereg.ini
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~2.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\upswor~2.lnk - c:\ups\wstd\WSTDMessaging.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\upswor~1.lnk - c:\ups\wstd\wstdPldReminder.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\virtua~1.lnk - c:\program files\sprint virtual assistant\bin\matcli.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vision~1.lnk - c:\program files\common files\vision\vservice.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: exxonmobil.com\www.signum
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1179489036062
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {D27CDB6E-AE6D-0000-0000-000000000000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://emupst7.webex.com/client/T25L10NSP41EP7-LOCKDOWN/webex/ieatgpc.cab
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{01EF708B-9E21-414B-B3A2-36090FB0ECB5} : NameServer = 205.244.194.36,4.2.2.2
TCP: Interfaces\{01EF708B-9E21-414B-B3A2-36090FB0ECB5} : DhcpNameServer = 192.168.2.1
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Zone Hook: {24a42960-a7f8-11cf-8121-0020afb5213d} - c:\progra~1\vision\system\zonehook.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\a8edbace.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4e0a15f7&v=7.007.026.001&i=26&tp=ab&iy=&ychte=us&lng=en-US&q=
FF - prefs.js: network.proxy.type - 1
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-2-22 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-3-16 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-1-7 248656]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-3-1 34896]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-4-5 297168]
R2 avgfws;AVG Firewall;c:\program files\avg\avg10\avgfws.exe [2011-3-9 2708024]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-4-18 7398752]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
R2 MSSQL$UPSWSDBSERVER;MSSQL$UPSWSDBSERVER;c:\ups\wstd\mssql$upswsdbserver\binn\sqlservr.exe -supswsdbserver --> c:\ups\wstd\mssql$upswsdbserver\binn\sqlservr.exe -sUPSWSDBSERVER [?]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-8-30 1247600]
R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [2009-1-13 6016]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2010-7-12 30432]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-4-14 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-2-10 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-2-10 27216]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-5-20 136176]
S2 Iprip;RIP Listener;c:\windows\system32\svchost.exe -k netsvcs [2003-3-30 14336]
S2 TermServices;Remote Desktop Services;c:\windows\system32\svchost.exe -k torlfsc [2003-3-30 14336]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2011-6-28 1025352]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2010-7-12 30432]
S3 FBIKB_NT;FBIKB_NT;\??\c:\windows\system32\drivers\fbikb_nt.sys --> c:\windows\system32\drivers\FBIKB_NT.Sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-5-20 136176]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-12-4 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-12-4 40552]
S3 PCG_NT;PCG_NT;\??\d:\pcg_nt.sys --> d:\PCG_NT.SYS [?]
S3 SQLAgent$UPSWSDBSERVER;SQLAgent$UPSWSDBSERVER;c:\ups\wstd\mssql$upswsdbserver\binn\sqlagent.exe -i upswsdbserver --> c:\ups\wstd\mssql$upswsdbserver\binn\sqlagent.EXE -i UPSWSDBSERVER [?]
.
=============== Created Last 30 ================
.
2011-08-23 12:40:12 -------- d-----w- c:\documents and settings\administrator\application data\Malwarebytes
2011-08-23 12:40:01 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-23 12:40:00 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-08-23 12:39:56 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-23 12:39:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-08-22 17:54:35 -------- d-----w- c:\documents and settings\administrator\application data\AVG
2011-08-10 14:20:19 139656 ------w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-10 14:19:31 10496 ------w- c:\windows\system32\dllcache\ndistapi.sys
.
==================== Find3M ====================
.
2011-08-16 11:08:47 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-15 18:42:30 72080 ----a-w- c:\documents and settings\administrator\g2mdlhlpx.exe
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36:30 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36:30 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05:13 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
2010-12-14 15:34:58 691311 ----a-w- c:\program files\unins000.exe
2006-03-20 21:37:27 12174713 -c--a-w- c:\program files\sfvaInstall.exe
2006-03-20 21:27:55 6631656 -c--a-w- c:\program files\MSJavx86.exe
2006-03-20 20:35:08 2414034 -c--a-w- c:\program files\acu62p.exe
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST380011A rev.3.08 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A5E24D0]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a5e87d0]; MOV EAX, [0x8a5e884c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x8A6D6AB8]
3 CLASSPNP[0xF7637FD7] -> nt!IofCallDriver[0x804E37D5] -> \Device\0000006c[0x8A6CFBC8]
5 ACPI[0xF75AE620] -> nt!IofCallDriver[0x804E37D5] -> [0x8A6DAD98]
\Driver\atapi[0x8A680310] -> IRP_MJ_CREATE -> 0x8A5E24D0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { CLI ; XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV SI, SP; PUSH AX; POP ES; PUSH AX; POP DS; STI ; CLD ; MOV DI, 0x600; MOV CX, 0x100; REPNZ MOVSW ; JMP FAR 0x0:0x61d; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A5E231B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 15:49:23.17 ===============


#2 CatByte (bleepin' tiger, Malware Response Team, 14,664 posts, Location: Canada)

Posted 26 August 2011 - 07:17 PM

Hi,

Please do the following:

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT!!! Save ComboFix.exe to your Desktop.

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here.
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. Do not "re-run" ComboFix. If you have a problem, reply back for further instructions.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 rocketm59 (Topic Starter, Members, 20 posts)

Posted 29 August 2011 - 08:40 AM

I ran ComboFix and a pop-up warning appears stating "Master Boot Record is infected! Make sure your antivirus programs are disabled before clicking OK."

I clicked OK; a rootkit warning appeared and the computer rebooted. After the reboot, ComboFix appears to be running, but nothing happens and no programs or shortcuts appear on the desktop.

#4 CatByte (bleepin' tiger, Malware Response Team, 14,664 posts, Location: Canada)

Posted 29 August 2011 - 09:32 AM

Give it a while.

It can take a very long time sometimes.

If you still don't see any activity after about an hour, then go into Task Manager, look for the processes pev.exe, sed.exe and 3xE.exe, and end them.

Then boot into Safe Mode and give it another go.

To enter Safe Mode:
  • Go to Start > Shut off your Computer > Restart.
  • As the computer starts to boot up, tap the F8 key repeatedly;
  • this will bring up a menu.
  • Use the Up and Down arrow keys to scroll to Safe Mode.
  • Then press the Enter key on your keyboard.
  • Go into your usual account.



#5 rocketm59 (Topic Starter, Members, 20 posts)

Posted 29 August 2011 - 12:12 PM

ComboFix 11-08-29.01 - Administrator 08/29/2011 12:27:47.1.1 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1796 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: AVG Internet Security 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\g2mdlhlpx.exe
c:\documents and settings\Administrator\WINDOWS
c:\program files\messenger\msmsgsin.exe
c:\windows\system32\drivers\fad.sys
c:\windows\system32\v97
.
.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2011-07-28 to 2011-08-29 )))))))))))))))))))))))))))))))
.
.
2011-08-25 17:25 . 2011-08-25 17:26 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-08-23 18:39 . 2011-08-23 18:40 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-08-23 12:40 . 2011-08-23 12:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-08-23 12:40 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-23 12:40 . 2011-08-23 12:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-08-23 12:39 . 2011-08-23 12:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-08-23 12:39 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-22 17:54 . 2011-08-22 17:55 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVG
2011-08-22 17:53 . 2011-08-22 20:09 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2011-08-19 16:22 . 2011-08-19 16:22 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-08-10 14:20 . 2011-06-24 14:10 139656 ------w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-10 14:19 . 2011-07-08 14:02 10496 ------w- c:\windows\system32\dllcache\ndistapi.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-16 11:08 . 2011-05-18 11:09 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-15 13:29 . 2003-03-31 01:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2003-03-31 01:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10 . 2003-03-31 01:00 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36 . 2004-02-06 22:05 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36 . 2003-03-31 01:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36 . 2003-03-31 01:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2003-03-31 01:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-02 14:02 . 2003-03-31 01:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2010-12-14 15:34 . 2010-12-14 15:35 691311 ----a-w- c:\program files\unins000.exe
2006-03-20 21:37 . 2006-03-20 21:37 12174713 -c--a-w- c:\program files\sfvaInstall.exe
2006-03-20 21:27 . 2006-03-20 21:27 6631656 -c--a-w- c:\program files\MSJavx86.exe
2006-03-20 20:35 . 2006-03-20 20:35 2414034 -c--a-w- c:\program files\acu62p.exe
2011-07-07 11:58 . 2011-03-28 14:00 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2011-07-26 2532680]
.
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2011-07-26 14:15 2532680 ----a-w- c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2011-07-26 2532680]
.
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2011-07-26 2532680]
.
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PlaxoUpdate"="c:\documents and settings\Administrator\Local Settings\Application Data\Plaxo\3.27.0.12\PlaxoHelper_en.exe" [2011-05-25 833928]
"PlaxoSysTray"="c:\documents and settings\Administrator\Local Settings\Application Data\Plaxo\3.27.0.12\PlaxoSysTray.exe" [2011-05-25 15752]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CPQEASYACC"="c:\program files\COMPAQ\Easy Access Button Support\StartEAK.exe" [2001-12-14 32768]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-10-10 5058560]
"nwiz"="nwiz.exe" [2003-10-10 741376]
"StatusClient"="c:\program files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" [2002-12-16 36864]
"TomcatStartup"="c:\program files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" [2003-03-31 155648]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-04-17 196608]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"Motive SmartBridge"="c:\progra~1\SPRINT~1\SMARTB~1\SprintDSLAlert.exe" [2010-05-18 483415]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-06-29 282624]
"NA1Messenger"="c:\ups\WSTD\UPSNA1Msgr.exe" [2009-12-02 24576]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-01-30 30248]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-01-30 46632]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-02-01 255528]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-03-02 630784]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-11-07 65536]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [2011-04-18 2334560]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1996-11-17 51984]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]
UPS WorldShip Messaging Utility.lnk - c:\ups\WSTD\WSTDMessaging.exe [2009-12-1 422912]
UPS WorldShip PLD Reminder Utility.lnk - c:\ups\WSTD\wstdPldReminder.exe [2009-12-1 40960]
Virtual Assistant.lnk - c:\program files\Sprint virtual assistant\bin\matcli.exe [2006-3-20 212992]
Vision Services.lnk - c:\program files\Common Files\Vision\vservice.exe [2004-6-3 626688]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{24A42960-A7F8-11CF-8121-0020AFB5213D}"= "c:\progra~1\Vision\SYSTEM\zonehook.dll" [2000-07-04 36864]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\Vision\\vservice.exe"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Javasoft\\JRE\\1.3.1\\bin\\javaw.exe"=
"c:\\Program Files\\BitTorrent\\btdownloadgui.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgemcx.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2/22/2011 8:13 AM 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [3/16/2011 4:03 PM 32592]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [1/7/2011 6:41 AM 248656]
S1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [4/5/2011 12:59 AM 297168]
S2 avgfws;AVG Firewall;c:\program files\AVG\AVG10\avgfws.exe [3/9/2011 7:24 PM 2708024]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [4/18/2011 5:39 PM 7398752]
S2 avgwd;AVG WatchDog;c:\program files\AVG\AVG10\avgwdsvc.exe [2/8/2011 5:33 AM 269520]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/20/2011 10:55 AM 136176]
S2 Iprip;RIP Listener;c:\windows\System32\svchost.exe -k netsvcs [3/30/2003 9:00 PM 14336]
S2 MSSQL$UPSWSDBSERVER;MSSQL$UPSWSDBSERVER;c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe -sUPSWSDBSERVER --> c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe -sUPSWSDBSERVER [?]
S2 TermServices;Remote Desktop Services;c:\windows\System32\svchost.exe -k torlfsc [3/30/2003 9:00 PM 14336]
S2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [1/13/2009 4:34 PM 6016]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe [6/28/2011 1:57 PM 1025352]
S3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [7/12/2010 4:33 AM 30432]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [7/12/2010 4:33 AM 30432]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [4/14/2011 9:28 PM 134480]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2/10/2011 7:53 AM 24144]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2/10/2011 7:53 AM 27216]
S3 FBIKB_NT;FBIKB_NT;\??\c:\windows\System32\Drivers\FBIKB_NT.Sys --> c:\windows\System32\Drivers\FBIKB_NT.Sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [5/20/2011 10:55 AM 136176]
S3 PCG_NT;PCG_NT;\??\d:\pcg_nt.sys --> d:\PCG_NT.SYS [?]
S3 SQLAgent$UPSWSDBSERVER;SQLAgent$UPSWSDBSERVER;c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlagent.EXE -i UPSWSDBSERVER --> c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlagent.EXE -i UPSWSDBSERVER [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
torlfsc REG_MULTI_SZ TermServices
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-05-20 14:55]
.
2011-08-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-05-20 14:55]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: exxonmobil.com\www.signum
TCP: DhcpNameServer = 192.168.2.1
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\a8edbace.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4e0a15f7&v=7.007.026.001&i=26&tp=ab&iy=&ychte=us&lng=en-US&q=
FF - prefs.js: network.proxy.type - 1
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-ActiveTouchMeetingClient - c:\windows\DOWNLO~1\atcliun.exe
AddRemove-Foss_for_WorldShipDom - c:\ups\uows\FOSS\Foss90Uninst.isu
AddRemove-UPS Formatted Output SubSystem (FOSS) v3.0.0.0 - c:\ups\uows\FOSSUninstall.isu
AddRemove-UPS Internet Communication Manager (UPSLNKMG) - c:\ups\uows\COMMUninstall.isu
AddRemove-UPS Reference Rate Utility () v1.0.0.0 - c:\ups\UOWS\RRUUninstall.isu
AddRemove-UPS Server Based Services (SBS) v1.0.0.1 - c:\ups\uows\SBSUninstall.isu
AddRemove-UPS UPS Address Validator () v1.0.0 - c:\ups\UOWS\AddrValUninstall.isu
AddRemove-UPS UPS OnLine WorldShip QuickDoc () v2.0.0 - c:\ups\UOWS\QDOCUninstall.isu
AddRemove-UPS UPS OnLine WorldShip RAVE () v2.0.0 - c:\ups\UOWS\RAVEUninstall.isu
AddRemove-Adobe Digital Editions - c:\documents and settings\administrator\application data\macromedia\flash player\www.macromedia.com\bin\digitaleditions1x5\digitaleditions1x5.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-29 12:54
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1621890756-3713334835-4076447184-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,32,4a,7b,08,de,1c,fd,47,99,f7,70,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,92,5a,c4,17,4f,6f,33,4d,b7,64,40,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,32,4a,7b,08,de,1c,fd,47,99,f7,70,\
.
Completion time: 2011-08-29 12:57:32
ComboFix-quarantined-files.txt 2011-08-29 16:57
.
Pre-Run: 47,309,443,072 bytes free
Post-Run: 48,605,085,696 bytes free
.
- - End Of File - - 83A60F5C77C3A985839E157ABE21E8E7
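An added triage helper (example code written for this page; it is not part of the original post and not code from DDS or ComboFix) that reads log excerpts shaped like the one above and pulls out the two things worth noticing in it: a svchost group name that is not a stock Windows XP group (`torlfsc`, declared under the Svchost key and hosting a service called TermServices, which the helper's CFScript in a later reply removes), and the state of the Windows Firewall standard profile, which is switched off here, as it normally is once a third-party firewall has taken over, so the globally open 3389/TCP entry does nothing until that profile is re-enabled. The allowlist of stock group names and the sample log lines are the example's own assumptions, modelled on the excerpt rather than copied from it.

```python
"""Triage of a DDS-style log excerpt: non-stock svchost groups and firewall state.

Added example for this thread; not part of the original post and not code from
DDS or ComboFix. The sample lines are constructed to mirror the excerpt above.
"""
import re

# Assumption: hand-maintained allowlist of svchost group names in a stock
# Windows XP SP3 install (p2psvc comes with the XP peer-to-peer networking
# pack). A name outside the list deserves a look; it is not proof of infection.
KNOWN_XP_SVCHOST_GROUPS = {
    "dcomlaunch", "rpcss", "netsvcs", "localservice", "networkservice",
    "imgsvc", "httpfilter", "termsvcs", "p2psvc",
}

# "S2 Name;Display name;image path [date size]" is how DDS prints a service.
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+?)\s+\[")
SVCHOST_K_RE = re.compile(r"\bsvchost(?:\.exe)?\s+-k\s+(\S+)", re.I)
GROUP_RE = re.compile(r"^(?P<group>\S+)\s+REG_MULTI_SZ\s+(?P<members>.+)$")
OPEN_PORT_RE = re.compile(
    r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=\s*\d+:(?:TCP|UDP):(?P<desc>.*)$', re.I)
REG_DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>\d+)')


def suspicious_svchost_groups(services, groups, known=KNOWN_XP_SVCHOST_GROUPS):
    """Groups outside the allowlist, with the services that run under them.
    Catches a group declared under the Svchost key (the torlfsc case) and a
    service started with "-k <group>" that no Svchost entry declares at all."""
    findings = []
    for group, members in groups.items():
        if group not in known:
            hosts = [s["name"] for s in services if s["group"] == group]
            findings.append({"group": group, "members": members, "services": hosts})
    for s in services:
        if s["group"] and s["group"] not in known and s["group"] not in groups:
            findings.append({"group": s["group"], "members": [], "services": [s["name"]]})
    return findings


def triage(lines):
    """Parse the excerpt; return services, svchost groups, findings, firewall state."""
    section = ""  # lower-cased registry key that the following lines belong to
    services, groups = [], {}
    firewall = {"windows_firewall_enabled": None, "open_ports": [],
                "inbound_ping_allowed": None}
    for raw in lines:
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        m = SERVICE_RE.match(line)
        if m:
            k = SVCHOST_K_RE.search(m.group("image"))
            services.append({"name": m.group("name"), "image": m.group("image"),
                             "group": k.group(1).lower() if k else None})
        elif section.endswith("\\svchost"):
            m = GROUP_RE.match(line)
            if m:
                groups[m.group("group").lower()] = m.group("members").split()
        elif "firewallpolicy\\standardprofile" in section:
            m = OPEN_PORT_RE.match(line)
            if m:
                firewall["open_ports"].append(
                    f"{m.group('port')}/{m.group('proto').upper()} ({m.group('desc').strip()})")
                continue
            m = REG_DWORD_RE.match(line)
            if m and m.group("name") == "EnableFirewall":
                firewall["windows_firewall_enabled"] = m.group("value") != "0"
            elif m and m.group("name") == "AllowInboundEchoRequest":
                firewall["inbound_ping_allowed"] = m.group("value") != "0"
    return {"services": services, "groups": groups,
            "svchost_findings": suspicious_svchost_groups(services, groups),
            "firewall": firewall}


# Constructed sample modelled on the DDS excerpt above (not a verbatim copy).
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
S2 Iprip;RIP Listener;c:\windows\System32\svchost.exe -k netsvcs [3/30/2003 9:00 PM 14336]
S2 TermServices;Remote Desktop Services;c:\windows\System32\svchost.exe -k torlfsc [3/30/2003 9:00 PM 14336]
S2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [1/13/2009 4:34 PM 6016]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
torlfsc REG_MULTI_SZ TermServices
""".strip().splitlines()

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for f in result["svchost_findings"]:
        print(f"svchost group {f['group']!r} is not a stock XP group: "
              f"declares {f['members']}, hosts {f['services']}")
    fw = result["firewall"]
    print("Windows Firewall enabled:", fw["windows_firewall_enabled"],
          "| inbound ping allowed:", fw["inbound_ping_allowed"])
    for p in fw["open_ports"]:
        print("  globally open port (inert while the profile is disabled):", p)
```

Run it as a script to print the findings; the dictionary `triage()` returns is what a ticket or a follow-up CFScript would be built from. On a live XP box the same two checks can be made directly against HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost and HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile.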

#6 CatByte
  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 29 August 2011 - 07:20 PM

Hi

Please do the following:


Submit a file to VirusTotal for analysis:
  • Use the Browse button on that page to navigate to the location of the file to be scanned.
  • In the right-hand panel, click on the file c:\program files\sfvaInstall.exe, then click the Open button.
  • The file will now be displayed in the submit box.
  • Scroll down a bit, click "Send file", and wait for the results.
  • If you get a message saying "File has already been analyzed", click "Reanalyze file now".
  • Once scanned, copy and paste the link to the results page in your next reply.


Make sure you have copied and saved the results before continuing.

Please do the same for the following files
c:\program files\MSJavx86.exe
c:\program files\acu62p.exe

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 rocketm59
  • Topic Starter
  • Members
  • 20 posts

Posted 30 August 2011 - 06:28 AM

File name: sfvaInstall.exe
Submission date: 2011-08-30 11:21:23 (UTC)


Result: 3/ 41 (7.3%)
Antivirus Version Last Update Result
AhnLab-V3 2011.08.30.00 2011.08.30 -
AntiVir 7.11.14.29 2011.08.30 -
Antiy-AVL 2.0.3.7 2011.08.30 RiskWare/RemoteAdmin.WinVNC-based.gen
Avast 4.8.1351.0 2011.08.30 -
Avast5 5.0.677.0 2011.08.30 -
AVG 10.0.0.1190 2011.08.30 -
BitDefender 7.2 2011.08.30 -
ByteHero 1.0.0.1 2011.08.22 -
CAT-QuickHeal 11.00 2011.08.30 -
ClamAV 0.97.0.0 2011.08.30 -
Commtouch 5.3.2.6 2011.08.30 -
Comodo 9929 2011.08.30 -
Emsisoft 5.1.0.10 2011.08.30 -
eTrust-Vet 36.1.8530 2011.08.30 -
F-Prot 4.6.2.117 2011.08.30 -
F-Secure 9.0.16440.0 2011.08.30 -
Fortinet 4.3.370.0 2011.08.30 -
GData 22 2011.08.30 -
Ikarus T3.1.1.107.0 2011.08.30 -
Jiangmin 13.0.900 2011.08.29 -
K7AntiVirus 9.111.5068 2011.08.29 -
Kaspersky 9.0.0.837 2011.08.30 not-a-virus:RemoteAdmin.Win32.WinVNC-based.b
McAfee 5.400.0.1158 2011.08.30 -
McAfee-GW-Edition 2010.1D 2011.08.30 -
Microsoft 1.7604 2011.08.30 -
NOD32 6421 2011.08.30 -
nProtect 2011-08-30.01 2011.08.30 -
Panda 10.0.3.5 2011.08.30 -
PCTools 8.0.0.5 2011.08.30 -
Prevx 3.0 2011.08.30 -
Rising 23.73.01.03 2011.08.30 Trojan.Win32.Generic.12702AF8
Sophos 4.68.0 2011.08.30 -
SUPERAntiSpyware 4.40.0.1006 2011.08.30 -
Symantec 20111.2.0.82 2011.08.30 -
TheHacker 6.7.0.1.286 2011.08.29 -
TrendMicro 9.500.0.1008 2011.08.30 -
TrendMicro-HouseCall 9.500.0.1008 2011.08.30 -
VBA32 3.12.16.4 2011.08.30 -
VIPRE 10315 2011.08.30 -
ViRobot 2011.8.30.4647 2011.08.30 -
VirusBuster 14.0.191.0 2011.08.29 -
MD5 : a900edb159dccd5f87db5dc6e9159ac4
SHA1 : 808331a44d51b243d8a7fb2aad81374eb16ed2c3
SHA256: 078eaff6500bb05e216d3ccdb216e604aa452d2d9ff1db8444119c988a0f3f73
ssdeep: 196608:vxIRHSfJiyTR83cL3af6h4Rlk3ALxBmNHquTu7ljkh1NV1+43dQUukdIVBSDb2P4:vyR
Hi9sfAUlk3A9BmNHqkA21NVg42Ydp
File size : 12174713 bytes
First seen: 2011-08-30 11:21:23
Last seen : 2011-08-30 11:21:23
TrID:
Wise Installer executable (88.1%)
Win64 Executable Generic (9.5%)
Win32 Executable Generic (0.9%)
Win32 Dynamic Link Library (generic) (0.8%)
Generic Win/DOS Executable (0.2%)
sigcheck:
publisher....: Motive Communications
copyright....: Data Operations Team
product......: n/a
description..: Sprint virtual assistant
original name: n/a
internal name: n/a
file version.: 1.0.0
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x21AF
timedatestamp....: 0x3BD86C3F (Thu Oct 25 19:47:11 2001)
machinetype......: 0x14c (I386)

[[ 4 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0x2126, 0x2200, 6.19, c71643c087e2557d0b1d36c694eccccf
.rdata, 0x4000, 0x779, 0x800, 4.78, d026ce795e3c5fa0e2c0bce1de427a45
.data, 0x5000, 0x478, 0x400, 3.96, c7c41671d08e5cd17ae9b12731e3de24
.rsrc, 0x6000, 0x640, 0x800, 2.88, 011a4bb69e490e04a6653697e7e77b9f

[[ 4 import(s) ]]
KERNEL32.dll: lstrcpyA, GetCommandLineA, SetErrorMode, lstrlenA, MulDiv, GetTempFileNameA, GetWindowsDirectoryA, GetModuleFileNameA, GetModuleHandleA, FormatMessageA, lstrcatA, GetLastError, _lwrite, _llseek, GlobalUnlock, _lopen, GlobalAlloc, GlobalFree, _lclose, _lcreat, LoadLibraryA, GetProcAddress, FreeLibrary, OpenFile, GetVersionExA, GetCurrentProcess, WinExec, ExitProcess, _lread, LocalFree, GetTempPathA, GlobalLock
USER32.dll: GetDC, BeginPaint, EndPaint, InvalidateRect, PostQuitMessage, SendMessageA, DefWindowProcA, GetClientRect, CreateWindowExA, DrawTextA, ReleaseDC, ShowWindow, SetWindowPos, UpdateWindow, SetTimer, LoadIconA, wsprintfA, MessageBoxA, ExitWindowsEx, RegisterClassA, LoadCursorA
GDI32.dll: DeleteObject, GetStockObject, GetDeviceCaps, PatBlt, CreateSolidBrush, TextOutA, SetTextColor, SetBkMode, SelectObject, StretchDIBits, CreateFontA, RealizePalette, SelectPalette, CreatePalette
ADVAPI32.dll: OpenProcessToken, AdjustTokenPrivileges, LookupPrivilegeValueA

[[ 2 export(s) ]]
_MainWndProc@16, _StubFileWrite@12

ExifTool:
file metadata
CharacterSet: Windows, Latin1
CodeSize: 8704
CompanyName: Motive Communications
EntryPoint: 0x21af
FileFlagsMask: 0x003f
FileOS: Windows 16-bit
FileSize: 12 MB
FileSubtype: 0
FileType: Win32 EXE
FileVersion: 1.0.0
FileVersionNumber: 1.0.0.0
ImageVersion: 4.0
InitializedDataSize: 5632
LanguageCode: English (U.S.)
LinkerVersion: 6.0
MIMEType: application/octet-stream
MachineType: Intel 386 or later, and compatibles
OSVersion: 4.0
ObjectFileType: Executable application
PEType: PE32
ProductVersionNumber: 1.0.0.0
Subsystem: Windows GUI
SubsystemVersion: 4.0
TimeStamp: 2001:10:25 21:47:11+02:00
UninitializedDataSize: 0
XXXXXX: |,LegalCopyright
XXXXXXXXXXXXXXXXXX: ,FileDescription
aOperationsTeam: XXXXXXXXXXXXXXXXXXXXX
intvirtualassistant: XXXXXXXXXXXXXXXXX

Symantec reputation:Suspicious.Insight



#8 rocketm59
  • Topic Starter
  • Members
  • 20 posts

Posted 30 August 2011 - 06:33 AM

File name: MSJavx86.exe
Submission date: 2011-08-30 11:18:41 (UTC)


Result: 1/ 42 (2.4%)
Antivirus Version Last Update Result
AhnLab-V3 2011.08.30.00 2011.08.30 -
AntiVir 7.11.14.29 2011.08.30 -
Antiy-AVL 2.0.3.7 2011.08.30 -
Avast 4.8.1351.0 2011.08.30 -
Avast5 5.0.677.0 2011.08.30 -
AVG 10.0.0.1190 2011.08.30 -
BitDefender 7.2 2011.08.30 -
ByteHero 1.0.0.1 2011.08.28 -
CAT-QuickHeal None 2011.08.30 -
ClamAV 0.97.0.0 2011.08.30 -
Commtouch 5.3.2.6 2011.08.30 -
Comodo 9929 2011.08.30 -
Emsisoft 5.1.0.10 2011.08.30 -
eSafe 7.0.17.0 2011.08.29 Virus in password protected archive
eTrust-Vet 36.1.8530 2011.08.30 -
F-Prot 4.6.2.117 2011.08.30 -
F-Secure 9.0.16440.0 2011.08.30 -
Fortinet 4.3.370.0 2011.08.30 -
GData 22 2011.08.30 -
Ikarus T3.1.1.107.0 2011.08.30 -
Jiangmin 13.0.900 2011.08.29 -
K7AntiVirus 9.111.5068 2011.08.29 -
Kaspersky 9.0.0.837 2011.08.30 -
McAfee-GW-Edition 2010.1D 2011.08.30 -
Microsoft 1.7604 2011.08.30 -
NOD32 6421 2011.08.30 -
Norman 6.07.10 2011.08.30 -
nProtect 2011-08-30.01 2011.08.30 -
Panda 10.0.3.5 2011.08.30 -
PCTools 8.0.0.5 2011.08.30 -
Prevx 3.0 2011.08.30 -
Rising 23.73.01.03 2011.08.30 -
Sophos 4.68.0 2011.08.30 -
SUPERAntiSpyware 4.40.0.1006 2011.08.30 -
Symantec 20111.2.0.82 2011.08.30 -
TheHacker 6.7.0.1.286 2011.08.29 -
TrendMicro 9.500.0.1008 2011.08.30 -
TrendMicro-HouseCall 9.500.0.1008 2011.08.30 -
VBA32 3.12.16.4 2011.08.30 -
VIPRE 10315 2011.08.30 -
ViRobot 2011.8.30.4647 2011.08.30 -
VirusBuster 14.0.191.0 2011.08.29 -
MD5 : a53ed0f98df9825e996b7e559202fcd8
SHA1 : ccb3d04e7ffdba59974827784e7a964d494d6e49
SHA256: 9ff6fbdf25961302503baf6f623c86d5f38d31388ed9d48a74f8b76050c16aae
ssdeep: 196608:3/Bb2LNlTHhzPQy+8Mq0ACeJs0NYthsrIndkW56LYb:3pb2LfdYybrJs7HsreJv
File size : 6631656 bytes
First seen: 2011-08-30 11:18:41
Last seen : 2011-08-30 11:18:41
TrID:
InstallShield setup (45.1%)
Win32 Executable MS Visual C++ (generic) (39.5%)
Win32 Executable Generic (8.9%)
Win16/32 Executable Delphi generic (2.1%)
Generic Win/DOS Executable (2.0%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: Copyright © Microsoft Corp. 1996-1999
product......: Microsoft VM
description..: Microsoft VM
original name: MSJavx86.exe
internal name: MSJavx86.exe
file version.: 5.00.3177
comments.....: n/a
signers......: Microsoft Corporation
VeriSign Commercial Software Publishers CA
signing date.: 22:34 02/04/1999
verified.....: -

packers (F-Prot): SFX
PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x2749
timedatestamp....: 0x34C749E7 (Thu Jan 22 13:30:15 1998)
machinetype......: 0x14c (I386)

[[ 3 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0x8EF8, 0x9000, 6.51, 46f3663d7585ce5bf7bd32f62e604640
.data, 0xA000, 0x1C0C, 0x400, 4.10, a8800423228f9a86657c80297a8ce5f0
.rsrc, 0xC000, 0x647000, 0x646E00, 8.00, d9046a41d90ed7e15ca33cb9b223d540

[[ 6 import(s) ]]
ADVAPI32.dll: RegCloseKey, EqualSid, AllocateAndInitializeSid, GetTokenInformation, OpenProcessToken, AdjustTokenPrivileges, LookupPrivilegeValueA, FreeSid, RegDeleteValueA, RegOpenKeyExA, RegSetValueExA, RegQueryValueExA, RegCreateKeyExA, RegQueryInfoKeyA
KERNEL32.dll: lstrcatA, GetFileAttributesA, GetShortPathNameA, GetPrivateProfileStringA, GetPrivateProfileIntA, GetCurrentProcess, lstrlenA, lstrcmpiA, lstrcpyA, GetModuleFileNameA, FreeLibrary, LocalAlloc, GetLastError, GetSystemDirectoryA, LoadLibraryA, FindClose, FindNextFileA, DeleteFileA, SetFileAttributesA, lstrcmpA, FindFirstFileA, _lclose, _llseek, _lopen, GetWindowsDirectoryA, GetProcAddress, RemoveDirectoryA, GlobalUnlock, GlobalLock, GlobalAlloc, ExitProcess, GetModuleHandleA, GetStartupInfoA, CloseHandle, LoadResource, FindResourceA, CreateMutexA, SetEvent, CreateEventA, SetCurrentDirectoryA, CreateThread, ResetEvent, TerminateThread, GetVersionExA, LocalFree, GetExitCodeProcess, WaitForSingleObject, CreateProcessA, GetTempPathA, FreeResource, LockResource, SizeofResource, CreateFileA, ReadFile, WriteFile, SetFilePointer, SetFileTime, LocalFileTimeToFileTime, DosDateTimeToFileTime, GetTempFileNameA, GetSystemInfo, GetDiskFreeSpaceA, GetDriveTypeA, lstrcpynA, GetVolumeInformationA, GetCurrentDirectoryA, LoadLibraryExA, GetCommandLineA, CreateDirectoryA, GlobalFree, FormatMessageA, IsDBCSLeadByte
GDI32.dll: GetDeviceCaps
USER32.dll: EndDialog, wsprintfA, ExitWindowsEx, CharNextA, CharUpperA, GetDesktopWindow, SetWindowLongA, GetWindowLongA, CallWindowProcA, GetDlgItem, SetForegroundWindow, SetWindowTextA, SendDlgItemMessageA, EnableWindow, GetDlgItemTextA, SendMessageA, DispatchMessageA, LoadStringA, PeekMessageA, MessageBoxA, CharPrevA, SetWindowPos, ReleaseDC, GetDC, GetWindowRect, ShowWindow, DialogBoxIndirectParamA, SetDlgItemTextA, MessageBeep, MsgWaitForMultipleObjects
COMCTL32.dll: -
VERSION.dll: GetFileVersionInfoSizeA, VerQueryValueA, GetFileVersionInfoA

ExifTool:
file metadata
CharacterSet: Unicode
CodeSize: 36864
CompanyName: Microsoft Corporation
EntryPoint: 0x2749
FileDescription: Microsoft VM
FileFlagsMask: 0x003f
FileOS: Windows NT 32-bit
FileSize: 6.3 MB
FileSubtype: 0
FileType: Win32 EXE
FileVersion: 5.00.3177
FileVersionNumber: 5.0.3177.0
ImageVersion: 5.0
InitializedDataSize: 6582784
InternalName: MSJavx86.exe
LanguageCode: English (U.S.)
LegalCopyright: Copyright © Microsoft Corp. 1996-1999
LinkerVersion: 6.0
MIMEType: application/octet-stream
MachineType: Intel 386 or later, and compatibles
OSVersion: 5.0
ObjectFileType: Executable application
OriginalFilename: MSJavx86.exe
PEType: PE32
ProductName: Microsoft VM
ProductVersion: 5.00.3177
ProductVersionNumber: 5.0.3177.0
Subsystem: Windows GUI
SubsystemVersion: 4.0
TimeStamp: 1998:01:22 14:30:15+01:00
UninitializedDataSize: 0




#9 rocketm59
  • Topic Starter
  • Members
  • 20 posts

Posted 30 August 2011 - 06:36 AM

File name: acu62p.exe
Submission date: 2011-08-30 11:22:31 (UTC)


Result: 0/ 43 (0.0%)
Antivirus Version Last Update Result
AhnLab-V3 2011.08.30.00 2011.08.30 -
AntiVir 7.11.14.29 2011.08.30 -
Antiy-AVL 2.0.3.7 2011.08.30 -
Avast 4.8.1351.0 2011.08.30 -
Avast5 5.0.677.0 2011.08.30 -
AVG 10.0.0.1190 2011.08.30 -
BitDefender 7.2 2011.08.30 -
ByteHero 1.0.0.1 2011.08.28 -
CAT-QuickHeal None 2011.08.30 -
ClamAV 0.97.0.0 2011.08.30 -
Commtouch 5.3.2.6 2011.08.30 -
Comodo 9929 2011.08.30 -
DrWeb 5.0.2.03300 2011.08.30 -
Emsisoft 5.1.0.10 2011.08.30 -
eSafe 7.0.17.0 2011.08.29 -
eTrust-Vet 36.1.8530 2011.08.30 -
F-Prot 4.6.2.117 2011.08.30 -
F-Secure 9.0.16440.0 2011.08.30 -
Fortinet 4.3.370.0 2011.08.30 -
GData 22 2011.08.30 -
Ikarus T3.1.1.107.0 2011.08.30 -
Jiangmin 13.0.900 2011.08.29 -
K7AntiVirus 9.111.5068 2011.08.29 -
Kaspersky 9.0.0.837 2011.08.30 -
McAfee-GW-Edition 2010.1D 2011.08.30 -
Microsoft 1.7604 2011.08.30 -
NOD32 6421 2011.08.30 -
Norman 6.07.10 2011.08.30 -
nProtect 2011-08-30.01 2011.08.30 -
Panda 10.0.3.5 2011.08.30 -
PCTools 8.0.0.5 2011.08.30 -
Prevx 3.0 2011.08.30 -
Rising 23.73.01.03 2011.08.30 -
Sophos 4.68.0 2011.08.30 -
SUPERAntiSpyware 4.40.0.1006 2011.08.30 -
Symantec 20111.2.0.82 2011.08.30 -
TheHacker 6.7.0.1.286 2011.08.29 -
TrendMicro 9.500.0.1008 2011.08.30 -
TrendMicro-HouseCall 9.500.0.1008 2011.08.30 -
VBA32 3.12.16.4 2011.08.30 -
VIPRE 10315 2011.08.30 -
ViRobot 2011.8.30.4647 2011.08.30 -
VirusBuster 14.0.191.0 2011.08.29 -
MD5 : dbb741b5f2ceed822c53988ed922cb2c
SHA1 : 2038b2c0d7f543de7ec41cd4a0ad43b62505f35b
SHA256: 888d80ee9090da132986bbc22416e4b823d51acb252b2b31040d9d5f2c1769c8
ssdeep: 49152:uXrGWPysXdxriba/ijxuCR6AFa59T8OJ3q:uysXdxriGauC44QT8r
File size : 2414034 bytes
First seen: 2011-08-30 11:22:31
Last seen : 2011-08-30 11:22:31
TrID:
Win64 Executable Generic (59.6%)
Win32 Executable MS Visual C++ (generic) (26.2%)
Win32 Executable Generic (5.9%)
Win32 Dynamic Link Library (generic) (5.2%)
Generic Win/DOS Executable (1.3%)
sigcheck:
publisher....: Indigo Rose Corporation http://www.indigorose.com
copyright....: Copyright © 2000 Indigo Rose Corporation
product......: setup
description..: Setup Factory setup launcher
original name: setup.exe
internal name: setup
file version.: 5.0.1.6
comments.....: This setup code is the property of Indigo Rose Corporation
signers......: -
signing date.: -
verified.....: Unsigned

PEiD: Armadillo v1.71
PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x2671
timedatestamp....: 0x3C068434 (Thu Nov 29 18:53:40 2001)
machinetype......: 0x14c (I386)

[[ 4 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0x3EB5, 0x4000, 6.49, 0bddd30653fa15ccacd9227ae14e3ca1
.rdata, 0x5000, 0xBF0, 0x1000, 4.41, 729110499d74dcbef55b5810ad25756c
.data, 0x6000, 0x19D8, 0x1000, 5.75, 8f0a9d0a81eb69c017396ec0e4ecd6c1
.rsrc, 0x8000, 0xDF8, 0x1000, 3.27, 0a8bbb579f77bd1d00e0b45382e0b1f7

[[ 3 import(s) ]]
KERNEL32.dll: GetTempPathA, GetModuleFileNameA, CloseHandle, CreateProcessA, WritePrivateProfileStringA, lstrcatA, GetDiskFreeSpaceA, CreateDirectoryA, SetCurrentDirectoryA, lstrcmpA, GetPrivateProfileStringA, _lread, _lwrite, _lcreat, _llseek, _lclose, _lopen, GetSystemDefaultLangID, DeleteFileA, lstrlenA, lstrcpyA, GetFileAttributesA, GetLastError, GetStringTypeA, LCMapStringW, LCMapStringA, MultiByteToWideChar, LoadLibraryA, GetProcAddress, GetOEMCP, GetACP, GetCPInfo, WriteFile, RtlUnwind, GetFileType, GetStdHandle, SetHandleCount, GetEnvironmentStringsW, GetEnvironmentStrings, WideCharToMultiByte, GetStringTypeW, GetModuleHandleA, UnhandledExceptionFilter, FreeEnvironmentStringsA, VirtualAlloc, HeapFree, HeapAlloc, ExitProcess, TerminateProcess, GetCurrentProcess, FreeEnvironmentStringsW, VirtualFree, HeapReAlloc, GetStartupInfoA, GetCommandLineA, GetVersion, HeapDestroy, HeapCreate
USER32.dll: RegisterClassA, RegisterClassExA, MsgWaitForMultipleObjects, DefWindowProcA, MessageBoxA, PeekMessageA, PostQuitMessage, BeginPaint, GetClientRect, DrawTextA, EndPaint, PostMessageA, GetMessageA, TranslateMessage, DispatchMessageA, GetDesktopWindow, GetWindowRect, CreateWindowExA, ShowWindow, UpdateWindow, LoadStringA, LoadIconA, LoadCursorA, wsprintfA
GDI32.dll: SetBkMode

ExifTool:
file metadata
CharacterSet: Windows, Latin1
CodeSize: 16384
Comments: This setup code is the property of Indigo Rose Corporation
CompanyName: Indigo Rose Corporation http://www.indigorose.com
EntryPoint: 0x2671
FileDescription: Setup Factory setup launcher
FileFlagsMask: 0x003f
FileOS: Windows NT 32-bit
FileSize: 2.3 MB
FileSubtype: 0
FileType: Win32 EXE
FileVersion: 5.0.1.6
FileVersionNumber: 5.0.1.6
ImageVersion: 0.0
InitializedDataSize: 16384
InternalName: setup
LanguageCode: English (U.S.)
LegalCopyright: Copyright 2000 Indigo Rose Corporation
LegalTrademarks: Setup Factory is a trademark of Indigo Rose Corporation.
LinkerVersion: 6.0
MIMEType: application/octet-stream
MachineType: Intel 386 or later, and compatibles
OSVersion: 4.0
ObjectFileType: Executable application
OriginalFilename: setup.exe
PEType: PE32
PrivateBuild:
ProductName: setup
ProductVersion: 5.0.1.6
ProductVersionNumber: 5.0.1.6
SpecialBuild:
Subsystem: Windows GUI
SubsystemVersion: 4.0
TimeStamp: 2001:11:29 19:53:40+01:00
UninitializedDataSize: 0

Symantec reputation:Suspicious.Insight


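The three results above are easier to read side by side once the rows are parsed. What follows is an added example written for this page (not the posters' text, not VirusTotal's API, and not code from any tool in the thread): it parses the pasted layout, counts hits, sorts detection names into riskware, generic and named-family classes, and reads the sigcheck signer line. The marker lists and verdict strings are the example author's own heuristics, and the three sample pastes are constructed subsets of the results above. What it surfaces: for sfvaInstall.exe the only specific labels say WinVNC-based remote administration, which on an unsigned "Sprint virtual assistant" installer reads as a bundled remote-assistance component rather than the cause of the redirects; MSJavx86.exe carries a Microsoft signer and a single unscannable-archive note; acu62p.exe is clean on every engine but unsigned. The bootkit that ComboFix reports in the reply after the helper's script is a separate finding.

```python
"""Triage of pasted VirusTotal results: detection ratio, label classes, signer.

Added example for this thread; not part of the original posts and not the
VirusTotal API. Marker lists and verdict rules are this example's heuristics.
"""
import re
from collections import Counter

ROW_RE = re.compile(
    r"^(?P<engine>\S+)\s+(?P<version>\S+)\s+(?P<updated>\d{4}\.\d{2}\.\d{2})\s+(?P<result>.*)$")
FILE_RE = re.compile(r"^File name:\s*(?P<name>.+?)\s*$", re.M)
SIGNERS_RE = re.compile(r"^signers\.*:\s*(?P<signers>.+?)\s*$", re.M)

# Labels that mean "legitimate tool a scanner chooses to flag", not malware.
RISKWARE_MARKERS = ("not-a-virus", "riskware", "remoteadmin", "pua", "pup",
                    "potentially", "adware", "hacktool")
# Labels that carry no family name, or say that nothing could be scanned.
GENERIC_MARKERS = ("generic", "suspicious", "heur", ".gen", "password protected")

VERDICT_CLEAN = "no detections"
VERDICT_NAMED = "named malware family reported; treat as malicious until proven otherwise"
VERDICT_RISKWARE = "riskware/remote-admin labels only; likely a bundled legitimate tool, confirm its origin"
VERDICT_GENERIC = "generic or heuristic labels only; low confidence either way"


def classify(result):
    """Map one engine's result string to clean / riskware / generic / named."""
    r = result.strip().lower()
    if r in ("", "-"):
        return "clean"
    if any(m in r for m in RISKWARE_MARKERS):
        return "riskware"
    if any(m in r for m in GENERIC_MARKERS):
        return "generic"
    return "named"


def triage_vt(text):
    """Parse a pasted VirusTotal result page and summarise it."""
    rows = [{"engine": m.group("engine"), "result": m.group("result"),
             "category": classify(m.group("result"))}
            for m in (ROW_RE.match(l.strip()) for l in text.splitlines()) if m]
    hits = [r for r in rows if r["category"] != "clean"]
    categories = dict(Counter(r["category"] for r in hits))
    signers = SIGNERS_RE.search(text)
    signed = bool(signers) and signers.group("signers") != "-"
    name = FILE_RE.search(text)
    if not hits:
        verdict = VERDICT_CLEAN
    elif "named" in categories:
        verdict = VERDICT_NAMED
    elif "riskware" in categories:
        verdict = VERDICT_RISKWARE
    else:
        verdict = VERDICT_GENERIC
    if not signed:
        verdict += "; binary is unsigned"
    return {"file": name.group("name") if name else None,
            "ratio": f"{len(hits)}/{len(rows)}", "categories": categories,
            "hits": [(r["engine"], r["result"]) for r in hits],
            "signed": signed, "verdict": verdict}


# Constructed subsets of the three results pasted above (a few engines each).
SAMPLE_SFVA = """File name: sfvaInstall.exe
Antivirus Version Last Update Result
AhnLab-V3 2011.08.30.00 2011.08.30 -
Antiy-AVL 2.0.3.7 2011.08.30 RiskWare/RemoteAdmin.WinVNC-based.gen
AVG 10.0.0.1190 2011.08.30 -
Kaspersky 9.0.0.837 2011.08.30 not-a-virus:RemoteAdmin.Win32.WinVNC-based.b
Microsoft 1.7604 2011.08.30 -
Rising 23.73.01.03 2011.08.30 Trojan.Win32.Generic.12702AF8
Symantec 20111.2.0.82 2011.08.30 -
signers......: -
verified.....: Unsigned
"""
SAMPLE_MSJAVA = """File name: MSJavx86.exe
Antivirus Version Last Update Result
AhnLab-V3 2011.08.30.00 2011.08.30 -
eSafe 7.0.17.0 2011.08.29 Virus in password protected archive
Kaspersky 9.0.0.837 2011.08.30 -
Microsoft 1.7604 2011.08.30 -
Symantec 20111.2.0.82 2011.08.30 -
signers......: Microsoft Corporation
verified.....: -
"""
SAMPLE_ACU = """File name: acu62p.exe
Antivirus Version Last Update Result
AhnLab-V3 2011.08.30.00 2011.08.30 -
Kaspersky 9.0.0.837 2011.08.30 -
Microsoft 1.7604 2011.08.30 -
Symantec 20111.2.0.82 2011.08.30 -
signers......: -
verified.....: Unsigned
"""

if __name__ == "__main__":
    for paste in (SAMPLE_SFVA, SAMPLE_MSJAVA, SAMPLE_ACU):
        s = triage_vt(paste)
        print(f"{s['file']}: {s['ratio']} {s['categories']} signed={s['signed']}")
        for engine, label in s["hits"]:
            print(f"    {engine}: {label}")
        print(f"    -> {s['verdict']}")
```

The ratio alone is a poor signal; a 3/41 split between two remote-admin labels and one generic one says something different from a 3/41 made of three named trojan families, which is why the verdict keys off the class of the labels first and only then off the count.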

#10 CatByte
  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 30 August 2011 - 04:14 PM

Hi,

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
"torlfsc"=-

Driver::
TermServices


Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop as "CFScript".


Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#11 rocketm59
  • Topic Starter
  • Members
  • 20 posts

Posted 31 August 2011 - 07:41 AM

ComboFix 11-08-31.02 - Administrator 08/31/2011 8:14.2.1 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1795 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: AVG Internet Security 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2011-07-28 to 2011-08-31 )))))))))))))))))))))))))))))))
.
.
2011-08-25 17:25 . 2011-08-25 17:26 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-08-23 18:39 . 2011-08-23 18:40 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-08-23 12:40 . 2011-08-23 12:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-08-23 12:40 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-23 12:40 . 2011-08-23 12:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-08-23 12:39 . 2011-08-23 12:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-08-23 12:39 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-22 17:54 . 2011-08-22 17:55 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVG
2011-08-22 17:53 . 2011-08-22 20:09 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2011-08-19 16:22 . 2011-08-19 16:22 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-08-10 14:20 . 2011-06-24 14:10 139656 ------w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-10 14:19 . 2011-07-08 14:02 10496 ------w- c:\windows\system32\dllcache\ndistapi.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-16 11:08 . 2011-05-18 11:09 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-15 13:29 . 2003-03-31 01:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2003-03-31 01:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10 . 2003-03-31 01:00 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36 . 2004-02-06 22:05 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36 . 2003-03-31 01:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36 . 2003-03-31 01:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2003-03-31 01:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-02 14:02 . 2003-03-31 01:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2010-12-14 15:34 . 2010-12-14 15:35 691311 ----a-w- c:\program files\unins000.exe
2006-03-20 21:37 . 2006-03-20 21:37 12174713 -c--a-w- c:\program files\sfvaInstall.exe
2006-03-20 21:27 . 2006-03-20 21:27 6631656 -c--a-w- c:\program files\MSJavx86.exe
2006-03-20 20:35 . 2006-03-20 20:35 2414034 -c--a-w- c:\program files\acu62p.exe
2011-07-07 11:58 . 2011-03-28 14:00 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2011-07-26 2532680]
.
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2011-07-26 14:15 2532680 ----a-w- c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2011-07-26 2532680]
.
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2011-07-26 2532680]
.
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PlaxoUpdate"="c:\documents and settings\Administrator\Local Settings\Application Data\Plaxo\3.27.0.12\PlaxoHelper_en.exe" [2011-05-25 833928]
"PlaxoSysTray"="c:\documents and settings\Administrator\Local Settings\Application Data\Plaxo\3.27.0.12\PlaxoSysTray.exe" [2011-05-25 15752]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CPQEASYACC"="c:\program files\COMPAQ\Easy Access Button Support\StartEAK.exe" [2001-12-14 32768]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-10-10 5058560]
"nwiz"="nwiz.exe" [2003-10-10 741376]
"StatusClient"="c:\program files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" [2002-12-16 36864]
"TomcatStartup"="c:\program files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" [2003-03-31 155648]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-04-17 196608]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"Motive SmartBridge"="c:\progra~1\SPRINT~1\SMARTB~1\SprintDSLAlert.exe" [2010-05-18 483415]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-06-29 282624]
"NA1Messenger"="c:\ups\WSTD\UPSNA1Msgr.exe" [2009-12-02 24576]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-01-30 30248]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-01-30 46632]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-02-01 255528]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-03-02 630784]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-11-07 65536]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [2011-04-18 2334560]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1996-11-17 51984]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]
UPS WorldShip Messaging Utility.lnk - c:\ups\WSTD\WSTDMessaging.exe [2009-12-1 422912]
UPS WorldShip PLD Reminder Utility.lnk - c:\ups\WSTD\wstdPldReminder.exe [2009-12-1 40960]
Virtual Assistant.lnk - c:\program files\Sprint virtual assistant\bin\matcli.exe [2006-3-20 212992]
Vision Services.lnk - c:\program files\Common Files\Vision\vservice.exe [2004-6-3 626688]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{24A42960-A7F8-11CF-8121-0020AFB5213D}"= "c:\progra~1\Vision\SYSTEM\zonehook.dll" [2000-07-04 36864]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\Vision\\vservice.exe"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Javasoft\\JRE\\1.3.1\\bin\\javaw.exe"=
"c:\\Program Files\\BitTorrent\\btdownloadgui.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgemcx.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2/22/2011 8:13 AM 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [3/16/2011 4:03 PM 32592]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [1/7/2011 6:41 AM 248656]
S1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [4/5/2011 12:59 AM 297168]
S2 avgfws;AVG Firewall;c:\program files\AVG\AVG10\avgfws.exe [3/9/2011 7:24 PM 2708024]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [4/18/2011 5:39 PM 7398752]
S2 avgwd;AVG WatchDog;c:\program files\AVG\AVG10\avgwdsvc.exe [2/8/2011 5:33 AM 269520]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/20/2011 10:55 AM 136176]
S2 Iprip;RIP Listener;c:\windows\System32\svchost.exe -k netsvcs [3/30/2003 9:00 PM 14336]
S2 MSSQL$UPSWSDBSERVER;MSSQL$UPSWSDBSERVER;c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe -sUPSWSDBSERVER --> c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe -sUPSWSDBSERVER [?]
S2 TermServices;Remote Desktop Services;c:\windows\System32\svchost.exe -k torlfsc [3/30/2003 9:00 PM 14336]
S2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [1/13/2009 4:34 PM 6016]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe [6/28/2011 1:57 PM 1025352]
S3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [7/12/2010 4:33 AM 30432]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [7/12/2010 4:33 AM 30432]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [4/14/2011 9:28 PM 134480]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2/10/2011 7:53 AM 24144]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2/10/2011 7:53 AM 27216]
S3 FBIKB_NT;FBIKB_NT;\??\c:\windows\System32\Drivers\FBIKB_NT.Sys --> c:\windows\System32\Drivers\FBIKB_NT.Sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [5/20/2011 10:55 AM 136176]
S3 PCG_NT;PCG_NT;\??\d:\pcg_nt.sys --> d:\PCG_NT.SYS [?]
S3 SQLAgent$UPSWSDBSERVER;SQLAgent$UPSWSDBSERVER;c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlagent.EXE -i UPSWSDBSERVER --> c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlagent.EXE -i UPSWSDBSERVER [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
torlfsc REG_MULTI_SZ TermServices
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-05-20 14:55]
.
2011-08-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-05-20 14:55]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: exxonmobil.com\www.signum
TCP: DhcpNameServer = 192.168.2.1
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\a8edbace.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4e0a15f7&v=7.007.026.001&i=26&tp=ab&iy=&ychte=us&lng=en-US&q=
FF - prefs.js: network.proxy.type - 1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-31 08:30
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1621890756-3713334835-4076447184-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
.
Completion time: 2011-08-31 08:33:26
ComboFix-quarantined-files.txt 2011-08-31 12:33
ComboFix2.txt 2011-08-29 16:57
.
Pre-Run: 48,663,326,720 bytes free
Post-Run: 48,717,881,344 bytes free
.
- - End Of File - - EAD4D6DBACA71EB8859AC90C4C6DB012

#12 rocketm59

Posted 31 August 2011 - 07:45 AM

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7619

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/31/2011 8:44:37 AM
mbam-log-2011-08-31 (08-44-37).txt

Scan type: Quick scan
Objects scanned: 190489
Time elapsed: 2 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#13 rocketm59

Posted 31 August 2011 - 10:20 AM

C:\Qoobox\Quarantine\MBR_HardDisk0.mbr Win32/Olmarik.AJL trojan

#14 CatByte

  • Malware Response Team

Posted 31 August 2011 - 06:49 PM

Hi

Please do the following:

Visit ADOBE and download the latest version of Acrobat Reader (version X)
Having the latest updates ensures there are no security vulnerabilities in your system.

NEXT

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older-version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 7 and save it to your desktop.
  • Scroll down to where it says JDK 7 (JDK or JRE)
  • Click the Download JDK button underneath
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "Oracle Binary Code License Agreement for Java SE". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-7-windows-i586.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.


NEXT

Please post a fresh DDS Log and advise how the computer is running now and if there are any outstanding issues.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
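Added example, not part of CatByte's instructions or any tool from the thread: a PowerShell check (PowerShell 2.0 syntax, so it runs on XP) that lists the Java entries Add or Remove Programs is built from and flags any older than JRE 7, so the removal step above can be verified before and after installing the new version. The function names are this example's own, and it assumes JRE 7 registers a DisplayVersion beginning "7." or "1.7." while a JRE 6 install registers as 6.0.x.

```powershell
# Added example for this thread (not CatByte's, Oracle's or BleepingComputer's code):
# enumerate the Java entries that Add or Remove Programs displays, which it reads from
# these Uninstall keys, and flag any that are older than JRE 7.
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'   # absent on 32-bit XP
)

function Get-InstalledJava {
    foreach ($root in $uninstallRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem $root) {
            $p = Get-ItemProperty $key.PSPath
            # Same names the post tells the user to look for: JRE, J2SE, Java(TM) 6, JDK
            if ($p.DisplayName -match 'Java|J2SE|JRE|JDK') {
                New-Object PSObject -Property @{
                    Name            = $p.DisplayName
                    Version         = [string]$p.DisplayVersion
                    UninstallString = $p.UninstallString
                    Key             = $key.PSChildName
                }
            }
        }
    }
}

# Assumption: JRE 7 registers a DisplayVersion starting "7." (or "1.7."); a JRE 6
# update registers as 6.0.<update>0 (e.g. 6.0.240) and is therefore flagged for removal.
function Test-StaleJava($version) {
    return -not ($version -match '^(7\.|1\.7\.)')
}

$java = @(Get-InstalledJava)
if ($java.Count -eq 0) { "No Java entries found in Add or Remove Programs." }
foreach ($j in $java) {
    $status = if (Test-StaleJava $j.Version) { 'REMOVE (older than JRE 7)' } else { 'current' }
    "{0,-50} {1,-10} {2}" -f $j.Name, $j.Version, $status
}

# The browser plug-in uses whichever JRE the system actually resolves, so report that too.
# java -version writes to stderr, hence the redirection.
try { & java -version 2>&1 | ForEach-Object { "java -version: $_" } }
catch { "java.exe not on PATH" }
```

Run it once before the Add or Remove Programs step to see every entry to remove, and again after the reboot and JRE 7 install, when only a "current" entry should remain.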


#15 rocketm59

Posted 01 September 2011 - 07:31 AM

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.0.0
Run by Administrator at 8:27:28 on 2011-09-01
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1404 [GMT -4:00]
.
AV: AVG Internet Security 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *Disabled*
FW: AVG Firewall *Enabled*
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG10\avgfws.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\UPS\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG10\avgam.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\SPRINT~1\SMARTB~1\SprintDSLAlert.exe
C:\Program Files\QuickTime\qttask.exe
C:\UPS\WSTD\UPSNA1Msgr.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Plaxo\3.27.0.12\PlaxoHelper_en.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\UPS\WSTD\WSTDMessaging.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Common Files\Vision\vservice.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\Sprint virtual assistant\bin\mpbtn.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://my.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
uRun: [PlaxoUpdate] c:\documents and settings\administrator\local settings\application data\plaxo\3.27.0.12\PlaxoHelper_en.exe -a
uRun: [PlaxoSysTray] c:\documents and settings\administrator\local settings\application data\plaxo\3.27.0.12\PlaxoSysTray.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [CPQEASYACC] c:\program files\compaq\easy access button support\StartEAK.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Motive SmartBridge] c:\progra~1\sprint~1\smartb~1\SprintDSLAlert.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NA1Messenger] c:\ups\wstd\UPSNA1Msgr.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
mRun: [IndexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"
mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\paperport\11\config\ereg\Ereg.ini
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~2.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\upswor~2.lnk - c:\ups\wstd\WSTDMessaging.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\upswor~1.lnk - c:\ups\wstd\wstdPldReminder.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\virtua~1.lnk - c:\program files\sprint virtual assistant\bin\matcli.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vision~1.lnk - c:\program files\common files\vision\vservice.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: exxonmobil.com\www.signum
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1179489036062
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {D27CDB6E-AE6D-0000-0000-000000000000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://emupst7.webex.com/client/T25L10NSP41EP7-LOCKDOWN/webex/ieatgpc.cab
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{01EF708B-9E21-414B-B3A2-36090FB0ECB5} : DhcpNameServer = 192.168.2.1
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Zone Hook: {24a42960-a7f8-11cf-8121-0020afb5213d} - c:\progra~1\vision\system\zonehook.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\a8edbace.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4e0a15f7&v=7.007.026.001&i=26&tp=ab&iy=&ychte=us&lng=en-US&q=
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-2-22 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-3-16 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-1-7 248656]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-3-1 34896]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-4-5 297168]
R2 avgfws;AVG Firewall;c:\program files\avg\avg10\avgfws.exe [2011-3-9 2708024]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-4-18 7398752]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
R2 Iprip;RIP Listener;c:\windows\system32\svchost.exe -k netsvcs [2003-3-30 14336]
R2 MSSQL$UPSWSDBSERVER;MSSQL$UPSWSDBSERVER;c:\ups\wstd\mssql$upswsdbserver\binn\sqlservr.exe -supswsdbserver --> c:\ups\wstd\mssql$upswsdbserver\binn\sqlservr.exe -sUPSWSDBSERVER [?]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-8-30 1247600]
R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [2009-1-13 6016]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2010-7-12 30432]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-4-14 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-2-10 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-2-10 27216]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-5-20 136176]
S2 TermServices;Remote Desktop Services;c:\windows\system32\svchost.exe -k torlfsc [2003-3-30 14336]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2011-6-28 1025352]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2010-7-12 30432]
S3 FBIKB_NT;FBIKB_NT;\??\c:\windows\system32\drivers\fbikb_nt.sys --> c:\windows\system32\drivers\FBIKB_NT.Sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-5-20 136176]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-12-4 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-12-4 40552]
S3 PCG_NT;PCG_NT;\??\d:\pcg_nt.sys --> d:\PCG_NT.SYS [?]
S3 SQLAgent$UPSWSDBSERVER;SQLAgent$UPSWSDBSERVER;c:\ups\wstd\mssql$upswsdbserver\binn\sqlagent.exe -i upswsdbserver --> c:\ups\wstd\mssql$upswsdbserver\binn\sqlagent.EXE -i UPSWSDBSERVER [?]
.
=============== Created Last 30 ================
.
2011-09-01 12:26:26 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Sun
2011-09-01 12:22:39 128000 ----a-w- c:\windows\system32\javacpl.cpl
2011-08-31 12:48:01 -------- d-----w- c:\program files\ESET
2011-08-29 11:39:00 -------- d-sha-r- C:\cmdcons
2011-08-29 11:36:37 98816 ----a-w- c:\windows\sed.exe
2011-08-29 11:36:37 518144 ----a-w- c:\windows\SWREG.exe
2011-08-29 11:36:37 256000 ----a-w- c:\windows\PEV.exe
2011-08-29 11:36:37 208896 ----a-w- c:\windows\MBR.exe
2011-08-23 12:40:12 -------- d-----w- c:\documents and settings\administrator\application data\Malwarebytes
2011-08-23 12:40:01 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-23 12:40:00 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-08-23 12:39:56 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-23 12:39:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-08-22 17:54:35 -------- d-----w- c:\documents and settings\administrator\application data\AVG
2011-08-10 14:20:19 139656 ------w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-10 14:19:31 10496 ------w- c:\windows\system32\dllcache\ndistapi.sys
.
==================== Find3M ====================
.
2011-09-01 12:22:20 544656 ----a-w- c:\windows\system32\deployJava1.dll
2011-08-16 11:08:47 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36:30 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36:30 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05:13 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll
2010-12-14 15:34:58 691311 ----a-w- c:\program files\unins000.exe
2006-03-20 21:37:27 12174713 -c--a-w- c:\program files\sfvaInstall.exe
2006-03-20 21:27:55 6631656 -c--a-w- c:\program files\MSJavx86.exe
2006-03-20 20:35:08 2414034 -c--a-w- c:\program files\acu62p.exe
.
============= FINISH: 8:28:53.70 ===============



