PC Hijacked & Need Help Removing/Eradicating


  • This topic is locked
53 replies to this topic

#31 CelestialAura (Topic Starter, Members, 55 posts, Walnut, CA)

Posted 04 January 2012 - 01:17 AM

OTL Extras logfile created on: 1/3/2012 6:35:26 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

254.00 Mb Total Physical Memory | 139.32 Mb Available Physical Memory | 54.85% Memory free
628.96 Mb Paging File | 468.51 Mb Available in Paging File | 74.49% Paging File free
Paging file location(s): C:\pagefile.sys 388 888 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.24 Gb Total Space | 23.22 Gb Free Space | 62.34% Space Free | Partition Type: NTFS

Computer Name: ATYOURSOS | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 60 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"AntiVirusOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\LeapFrog\LeapFrog Connect\LeapFrogConnect.exe" = C:\Program Files\LeapFrog\LeapFrog Connect\LeapFrogConnect.exe:*:Enabled:LeapFrog Connect -- (LeapFrog Enterprises, Inc.)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Macromedia\Fireworks MX\Fireworks.exe" = C:\Program Files\Macromedia\Fireworks MX\Fireworks.exe:*:Disabled:Fireworks MX -- (Macromedia Inc.)
"C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe" = C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe:*:Enabled:WebKit -- (Apple Inc.)
"C:\Program Files\VTech\DownloadManager\System\AgentMonitor.exe" = C:\Program Files\VTech\DownloadManager\System\AgentMonitor.exe:*:Disabled:Vtech local server -- ()
"C:\Program Files\LeapFrog\LeapFrog Connect\LeapFrogConnect.exe" = C:\Program Files\LeapFrog\LeapFrog Connect\LeapFrogConnect.exe:*:Enabled:LeapFrog Connect -- (LeapFrog Enterprises, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{00C1B233-D218-484B-8078-9375482C5608}" = LeapFrog Tag Plugin
"{018C7ADA-ED29-413F-BE57-2200A0FEFC06}" = Moto Contacts Tool
"{088A077A-8028-408C-AE7B-4512AE2A65A0}" = Canon CanoScan Toolbox 4.6
"{09DA4F91-2A09-4232-AB8C-6BC740096DE3}" = Sonic Update Manager
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Sonic DLA
"{196BB40D-1578-3D01-B289-BEFC77A11A1E}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{26A24AE4-039D-4CA4-87B4-2F83216022FF}" = Java™ 6 Update 30
"{2818095F-FB6C-42C8-827E-0A406CC9AFF5}" = Quicken 2006
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3E171899-0175-47CC-84C4-562ACDD4C021}" = OpenOffice.org 3.3
"{40C4903E-EDFB-4CAE-A611-41FEBA585921}" = VTech Download Agent Library
"{46C045BF-2B3F-4BC4-8E4C-00E0CF8BD9DB}" = Adobe AIR
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4EF69D40-4DC9-485E-95D3-B1C22F218FC8}" = upapp
"{52504CE6-E909-4113-B232-4AFEC6543A61}" = Broadcom 440x 10/100 Integrated Controller
"{612C34C7-5E90-47D8-9B5C-0F717DD82726}" = swMSM
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{7BE15435-2D3E-4B58-867F-9C75BED0208C}" = QuickTime
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics Driver
"{930B2432-43D4-11D5-9871-00C04F8EEB39}" = Macromedia Fireworks MX
"{94CAC2F1-C856-47F4-AF24-65A1E75AEDB9}" = MotoHelper MergeModules
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9541FED0-327F-4DF0-8B96-EF57EF622F19}" = Sonic RecordNow!
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A83279FD-CA4B-4206-9535-90974DE76654}" = Apple Application Support
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.1)
"{B570E838-81DE-4654-8626-FAC2454B404B}" = Promqry
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{BC30E5E7-047D-4232-A7E8-F2CB7CC7B2E0}_is1" = Emsisoft Anti-Malware
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{DF6A13C0-77DF-41FE-BD05-6D5201EB0CE7}_is1" = Auslogics Disk Defrag
"{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}" = Windows Media Encoder 9 Series
"{E503B4BF-F7BB-3D5F-8BC8-F694B1CFF942}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022.218
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F2CB8C3C-9C9E-4FAB-9067-655601C5F748}" = Windows Mobile Device Updater Component
"{F9D59E62-845F-49A2-8B75-DDB00661673C}" = LeapFrog Connect
"{FB29B583-945C-4094-BB4B-3A405574C560}" = Motorola Mobile Drivers Installation 5.0.0
"{FF77941A-2BFA-4A18-BE2E-69B9498E4D55}" = User Profile Hive Cleanup Service
"781745E87AFF80C0C1388CFF79D19ECAB2E9BB47" = Windows Driver Package - LeapFrog (FlyUsb) USB (11/05/2008 1.1.1.0)
"8F14F2ECEDE68D26EA515B48DC25B39103C4FE8D" = Windows Driver Package - Leapfrog (Leapfrog-USBLAN) Net (09/10/2009 02.03.05.012)
"ACDSee" = ACDSee
"ACT! 2000" = ACT! 2000
"Adobe AIR" = Adobe AIR
"Adobe Atmosphere Player" = Adobe Atmosphere Player for Acrobat and Adobe Reader
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.6
"CCleaner" = CCleaner
"DVR-530 Digital Camera Driver" = DVR-530 Digital Camera Driver
"DVR-530 User's Manual" = DVR-530 User's Manual
"ESET Online Scanner" = ESET Online Scanner v3
"FreeFixer0.60" = FreeFixer
"HijackThis" = HijackThis 2.0.2
"hp deskjet 5550 series" = hp deskjet 5550 series (Remove only)
"hp deskjet 5550 series_Driver" = hp deskjet 5550 series
"HP Photo Imaging Software" = HP Photo Imaging Software
"HP Photo Printing Software" = HP Photo Printing Software
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{52504CE6-E909-4113-B232-4AFEC6543A61}" = Broadcom 440x 10/100 Integrated Controller
"Intel® 537EP V9x DF PCI Modem" = Intel® 537EP V9x DF PCI Modem
"jv16 PowerTools_is1" = jv16 PowerTools 1.3
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.2.1300
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"MotoHelper" = MotoHelper 2.0.46 Driver 5.0.0
"MozBackup_is1" = MozBackup 1.4.5
"Mozilla Firefox 8.0.1 (x86 en-US)" = Mozilla Firefox 8.0.1 (x86 en-US)
"Mozilla Thunderbird (3.0.11)" = Mozilla Thunderbird (3.0.11)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Secunia PSI" = Secunia PSI (2.0.0.4003)
"Sophos-AntiRootkit" = Sophos Anti-Rootkit 1.5.4
"TagPlugin" = Use the entry named LeapFrog Connect to uninstall (LeapFrog Tag Plugin)
"TaxACT 2002" = TaxACT 2002
"TaxACT 2005" = TaxACT 2005
"TaxACT 2006" = TaxACT 2006
"TaxACT 2007" = TaxACT 2007
"TaxACT 2008" = TaxACT 2008
"TaxACT 2010" = TaxACT 2010
"TaxACT 2011 - 1040 Edition" = TaxACT 2011 - 1040 Edition
"Timesheets_Express_7" = Timesheet Xpress
"UPCShell" = LeapFrog Connect
"VTechDownloadManager" = Learning Lodge Navigator
"Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"Wdf01009" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
"WIC" = Windows Imaging Component
"Windows Media Encoder 9" = Windows Media Encoder 9 Series
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinFax" = Symantec WinFax PRO 10.0
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 12/11/2011 4:54:36 AM | Computer Name = ATYOURSOS | Source = .NET Runtime Optimization Service | ID = 1101
Description = .NET Runtime Optimization Service (clr_optimization_v4.0.30319_32)
- Failed to compile System.Xaml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
because of the following error: Not enough storage is available to complete this
operation. (Exception from HRESULT: 0x8007000E (E_OUTOFMEMORY)).

Error - 12/11/2011 4:54:38 AM | Computer Name = ATYOURSOS | Source = .NET Runtime Optimization Service | ID = 1101
Description = .NET Runtime Optimization Service (clr_optimization_v4.0.30319_32)
- 1>Failed to compile: WindowsFormsIntegration, Version=4.0.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35 . Error code = 0x8007000e

Error - 12/11/2011 4:54:40 AM | Computer Name = ATYOURSOS | Source = .NET Runtime Optimization Service | ID = 1101
Description = .NET Runtime Optimization Service (clr_optimization_v4.0.30319_32)
- 1>Failed to compile: WindowsFormsIntegration, Version=4.0.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35 . Error code = 0x8007000e

Error - 12/11/2011 9:28:22 AM | Computer Name = ATYOURSOS | Source = Avira Antivirus | ID = 4109
Description =

Error - 12/11/2011 9:29:36 AM | Computer Name = ATYOURSOS | Source = Avira Antivirus | ID = 4109
Description =

Error - 12/11/2011 9:30:17 AM | Computer Name = ATYOURSOS | Source = Avira Antivirus | ID = 4109
Description =

Error - 12/11/2011 9:38:06 AM | Computer Name = ATYOURSOS | Source = Avira Antivirus | ID = 4109
Description =

Error - 12/11/2011 9:48:11 AM | Computer Name = ATYOURSOS | Source = Avira Antivirus | ID = 4109
Description =

Error - 12/11/2011 11:02:52 AM | Computer Name = ATYOURSOS | Source = Avira Antivirus | ID = 4109
Description =

Error - 1/2/2012 3:49:43 PM | Computer Name = ATYOURSOS | Source = Application Error | ID = 1000
Description = Faulting application pev.exe, version 0.0.0.0, faulting module pev.exe,
version 0.0.0.0, fault address 0x0008d1c0.

[ System Events ]
Error - 12/17/2011 4:44:57 PM | Computer Name = ATYOURSOS | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058

Error - 12/17/2011 4:44:57 PM | Computer Name = ATYOURSOS | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058

Error - 12/17/2011 4:44:57 PM | Computer Name = ATYOURSOS | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058

Error - 12/17/2011 4:44:57 PM | Computer Name = ATYOURSOS | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058

Error - 12/17/2011 4:44:57 PM | Computer Name = ATYOURSOS | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058

Error - 12/17/2011 4:44:57 PM | Computer Name = ATYOURSOS | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058

Error - 12/17/2011 4:44:57 PM | Computer Name = ATYOURSOS | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058

Error - 12/17/2011 4:44:57 PM | Computer Name = ATYOURSOS | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058

Error - 12/17/2011 4:44:57 PM | Computer Name = ATYOURSOS | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058

Error - 12/17/2011 4:44:57 PM | Computer Name = ATYOURSOS | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058


< End of report >
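The Shell Spawning, Security Center Settings and Firewall Settings sections of the OTL Extras log above are where a responder looks first for tampering: a modified exefile (or comfile, batfile, scrfile) shell\open\command makes every program the user launches pass through the hijacker first, and cleared Security Center notifications or a disabled Windows Firewall are common post-infection changes. The script below is an added example for this thread, not OTL's own code; it parses those three sections and flags deviations from stock Windows XP SP3 values. The expected-value table is an assumption drawn from a default XP install and must be adjusted for other Windows versions. The sample input is a constructed excerpt of the log above plus one constructed hijacked exefile entry with a hypothetical loader path; the real log shows the stock value.

```python
"""Triage an OTL 'Extras' log for shell-spawning hijacks and disabled host
protections.  Added example for this thread; it is not OTL's own code and
the expected-default table is an assumption based on stock Windows XP SP3."""
import re

# Stock XP SP3 shell\open\command values for the classes OTL prints (assumption).
# A hijack typically splices its own path in front of "%1".
EXPECTED_SHELL = {
    ("batfile", "open"): '"%1" %*',
    ("cmdfile", "open"): '"%1" %*',
    ("comfile", "open"): '"%1" %*',
    ("exefile", "open"): '"%1" %*',
    ("piffile", "open"): '"%1" %*',
    ("scrfile", "open"): '"%1" /S',
    ("scrfile", "config"): '"%1"',
}

# (registry key substring, value name, value that warrants a finding, message)
SETTING_RULES = [
    ("Security Center", "AntiVirusDisableNotify", 1, "Security Center AV alerts suppressed"),
    ("Security Center", "FirewallDisableNotify", 1, "Security Center firewall alerts suppressed"),
    ("Security Center", "UpdatesDisableNotify", 1, "Security Center update alerts suppressed"),
    ("Security Center", "AntiVirusOverride", 1, "Security Center AV state overridden"),
    ("Security Center", "FirewallOverride", 1, "Security Center firewall state overridden"),
    ("FirewallPolicy\\StandardProfile", "EnableFirewall", 0, "Windows Firewall off (standard profile)"),
]

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")        # ========== Title ==========
SHELL_RE = re.compile(r"^(\S+) \[(\w+)\] -- (.+)$")    # exefile [open] -- "%1" %*
KEY_RE = re.compile(r"^\[(.+)\]$")                      # [HKEY_...]
VALUE_RE = re.compile(r'^"(\w+)" = (\d+)$')             # "EnableFirewall" = 0


def split_sections(text):
    """Map each '========== Title ==========' header to its non-empty lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line:
            sections[current].append(line)
    return sections


def check_shell_spawning(lines):
    """Flag any known class/verb whose command differs from the stock value."""
    findings = []
    for line in lines:
        m = SHELL_RE.match(line)
        if not m:
            continue                        # key header, 'Reg Error' lines, etc.
        cls, verb, cmd = m.groups()
        expected = EXPECTED_SHELL.get((cls, verb))
        if expected is not None and cmd != expected:
            findings.append(f"shell hijack candidate: {cls} [{verb}] -> {cmd} (expected {expected})")
    return findings


def check_settings(lines):
    """Walk [key] / "name" = value pairs and apply SETTING_RULES."""
    findings, key = [], ""
    for line in lines:
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        vm = VALUE_RE.match(line)
        if not vm:
            continue
        name, value = vm.group(1), int(vm.group(2))
        for key_part, rule_name, bad, msg in SETTING_RULES:
            if key_part in key and name == rule_name and value == bad:
                findings.append(f"{msg}: {key}\\{name} = {value}")
    return findings


def triage(text):
    """Return a list of human-readable findings for one OTL Extras log."""
    sections = split_sections(text)
    findings = check_shell_spawning(sections.get("Shell Spawning", []))
    for title in ("Security Center Settings", "Firewall Settings"):
        findings += check_settings(sections.get(title, []))
    return findings


# Constructed sample: an excerpt of the values shown in the OTL log above.
SAMPLE_LOG = r"""
========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
scrfile [open] -- "%1" /S

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"""

# Constructed negative case: a hypothetical loader path spliced into exefile.
# The log on this page shows the stock value; this is test input only.
HIJACKED_LOG = SAMPLE_LOG.replace(
    'exefile [open] -- "%1" %*',
    r'exefile [open] -- "C:\Documents and Settings\Owner\Local Settings\Temp\loader.exe" "%1" %*',
)

if __name__ == "__main__":
    for name, log in (("page excerpt", SAMPLE_LOG), ("constructed hijack", HIJACKED_LOG)):
        print(f"--- {name} ---")
        for finding in triage(log) or ["no findings"]:
            print(finding)
```

Run as-is it reports one finding for the page excerpt (EnableFirewall = 0) and two for the constructed variant. A disabled Windows Firewall is a prompt to check, not a verdict: it is also what you expect when a third-party firewall is installed, which the ComboFix header later in this thread shows for this machine (Outpost Firewall Pro).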


#32 m0le ("Can U Dig It?", Malware Response Team, 34,527 posts, London, UK)

Posted 04 January 2012 - 07:23 PM

I need you to stop posting logs which I am not asking for.

The OTL run seems to have deleted the files but I am aware that this is far from over.

Please rerun ComboFix.
m0le is a proud member of UNITE

#33 CelestialAura (Topic Starter, Members, 55 posts, Walnut, CA)

Posted 04 January 2012 - 08:49 PM

I am very sorry about that. I knew it was far from over and just thought those previous logs that had results might help. I won't do it again; I will rerun ComboFix. Thank you for your support and patience.

#34 CelestialAura (Topic Starter, Members, 55 posts, Walnut, CA)

Posted 06 January 2012 - 09:47 AM

ComboFix 12-01-05.04 - Owner 01/05/2012 23:55:45.5.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.80 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\comfix.exe
FW: Outpost Firewall Pro *Enabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}
.
.
((((((((((((((((((((((((( Files Created from 2011-12-06 to 2012-01-06 )))))))))))))))))))))))))))))))
.
.
2012-01-03 03:15 . 2012-01-03 03:15 -------- d-----w- C:\_OTL
2011-12-25 17:13 . 2011-12-25 17:13 -------- d-----w- c:\program files\Microsoft Silverlight
2011-12-25 03:01 . 2011-11-12 17:18 18560 ----a-w- c:\windows\system32\drivers\FlyUsb.sys
2011-12-25 03:00 . 2011-12-25 03:00 -------- d-----w- c:\program files\DIFX
2011-12-25 02:55 . 2011-12-25 02:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Leapfrog
2011-12-25 02:55 . 2011-12-25 02:59 -------- d-----w- c:\program files\LeapFrog
2011-12-22 18:41 . 2011-12-22 18:43 -------- d-----w- c:\program files\QuickTime
2011-12-22 18:41 . 2011-12-22 18:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2011-12-22 18:38 . 2011-12-22 18:38 -------- d-----w- c:\program files\Common Files\Apple
2011-12-22 18:37 . 2011-12-22 18:37 -------- d-----w- c:\program files\Apple Software Update
2011-12-22 18:37 . 2011-12-22 18:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2011-12-17 21:03 . 2011-12-17 21:03 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Temp
2011-12-16 13:31 . 2011-12-16 13:31 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\cache
2011-12-16 13:25 . 2011-12-16 13:25 -------- d-----w- c:\program files\VTech
2011-12-16 13:25 . 2011-12-16 13:25 -------- d-----w- c:\documents and settings\All Users\Application Data\VTech
2011-12-13 17:30 . 2011-12-08 11:59 252991 ----a-w- c:\windows\system32\FHSetup.exe
2011-12-13 04:31 . 2010-03-08 10:10 9216 ----a-w- c:\windows\system32\ffnd.exe
2011-12-12 03:50 . 2011-12-12 03:50 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2011-12-12 03:48 . 2011-12-12 03:50 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-12-12 02:23 . 2011-12-12 02:23 -------- d-----w- c:\program files\ESET
2011-12-11 15:15 . 2011-12-13 01:08 -------- d-----w- c:\documents and settings\Owner\Application Data\FreeFixer
2011-12-11 15:15 . 2011-12-11 15:15 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\FreeFixer
2011-12-11 15:15 . 2011-12-11 15:15 -------- d-----w- c:\program files\FreeFixer
2011-12-11 01:38 . 2011-12-11 01:38 -------- d-----w- c:\windows\system32\wbem\Repository
2011-12-11 01:36 . 2011-12-11 01:36 -------- d-----w- c:\documents and settings\Owner\Application Data\WinPatrol
2011-12-10 01:11 . 2011-12-10 01:11 -------- d-----w- C:\ComFix
2011-12-08 20:28 . 2011-12-08 20:28 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Secunia PSI
2011-12-08 20:27 . 2011-12-08 20:27 -------- d-----w- c:\program files\Secunia
2011-12-08 00:33 . 2001-08-17 18:13 27165 -c--a-w- c:\windows\system32\dllcache\fetnd5.sys
2011-12-08 00:33 . 2001-08-17 18:10 22090 -c--a-w- c:\windows\system32\dllcache\fem556n5.sys
2011-12-08 00:33 . 2001-08-17 18:12 24618 -c--a-w- c:\windows\system32\dllcache\fa410nd5.sys
2011-12-08 00:33 . 2001-08-17 18:12 16074 -c--a-w- c:\windows\system32\dllcache\fa312nd5.sys
2011-12-08 00:33 . 2001-08-17 18:11 11850 -c--a-w- c:\windows\system32\dllcache\f3ab18xj.sys
2011-12-08 00:33 . 2001-08-17 18:11 12362 -c--a-w- c:\windows\system32\dllcache\f3ab18xi.sys
2011-12-08 00:33 . 2001-08-17 19:52 7040 -c--a-w- c:\windows\system32\dllcache\exabyte2.sys
2011-12-08 00:33 . 2001-08-17 18:12 16998 -c--a-w- c:\windows\system32\dllcache\ex10.sys
2011-12-08 00:31 . 2001-08-17 18:12 18503 -c--a-w- c:\windows\system32\dllcache\epro4.sys
2011-12-08 00:30 . 2001-08-17 18:10 55999 -c--a-w- c:\windows\system32\dllcache\el556nd5.sys
2011-12-08 00:30 . 2001-08-17 18:10 44103 -c--a-w- c:\windows\system32\dllcache\el515.sys
2011-12-08 00:30 . 2001-08-17 18:12 19594 -c--a-w- c:\windows\system32\dllcache\e100isa4.sys
2011-12-08 00:30 . 2001-08-17 18:12 117760 -c--a-w- c:\windows\system32\dllcache\e100b325.sys
2011-12-08 00:30 . 2001-08-17 18:12 50719 -c--a-w- c:\windows\system32\dllcache\e1000nt5.sys
2011-12-08 00:30 . 2001-08-17 18:20 334208 -c--a-w- c:\windows\system32\dllcache\ds1wdm.sys
2011-12-08 00:30 . 2001-08-17 20:07 20192 -c--a-w- c:\windows\system32\dllcache\dpti2o.sys
2011-12-08 00:28 . 2001-08-17 18:14 21606 -c--a-w- c:\windows\system32\dllcache\digiisdn.sys
2011-12-08 00:27 . 2001-08-17 19:52 14720 -c--a-w- c:\windows\system32\dllcache\dac960nt.sys
2011-12-08 00:26 . 2001-08-17 18:19 42112 -c--a-w- c:\windows\system32\dllcache\crtaud.sys
2011-12-08 00:25 . 2001-08-17 20:02 272640 -c--a-w- c:\windows\system32\dllcache\cinemclc.sys
2011-12-08 00:25 . 2001-08-17 18:13 980034 -c--a-w- c:\windows\system32\dllcache\cicap.sys
2011-12-08 00:25 . 2008-04-13 19:40 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2011-12-08 00:25 . 2001-08-17 18:13 49182 -c--a-w- c:\windows\system32\dllcache\cem56n5.sys
2011-12-08 00:25 . 2001-08-17 18:13 22044 -c--a-w- c:\windows\system32\dllcache\cem33n5.sys
2011-12-08 00:25 . 2001-08-17 18:13 22044 -c--a-w- c:\windows\system32\dllcache\cem28n5.sys
2011-12-08 00:25 . 2001-08-17 18:13 27164 -c--a-w- c:\windows\system32\dllcache\ce3n5.sys
2011-12-08 00:25 . 2001-08-17 18:13 21530 -c--a-w- c:\windows\system32\dllcache\ce2n5.sys
2011-12-08 00:25 . 2001-08-17 19:52 7680 -c--a-w- c:\windows\system32\dllcache\cd20xrnt.sys
2011-12-08 00:25 . 2008-04-13 19:46 17024 -c--a-w- c:\windows\system32\dllcache\ccdecode.sys
2011-12-08 00:24 . 2001-08-17 19:28 714698 -c--a-w- c:\windows\system32\dllcache\cbmdmkxx.sys
2011-12-08 00:24 . 2001-08-17 18:13 46108 -c--a-w- c:\windows\system32\dllcache\cben5.sys
2011-12-08 00:24 . 2001-08-17 18:12 39680 -c--a-w- c:\windows\system32\dllcache\cb325.sys
2011-12-08 00:24 . 2001-08-17 18:12 37916 -c--a-w- c:\windows\system32\dllcache\cb102.sys
2011-12-08 00:24 . 2001-08-18 04:36 32256 -c--a-w- c:\windows\system32\dllcache\diapi2NT.dll
2011-12-08 00:24 . 2001-08-17 18:13 164923 -c--a-w- c:\windows\system32\dllcache\diapi2.sys
2011-12-08 00:24 . 2008-04-14 01:11 121856 -c--a-w- c:\windows\system32\dllcache\camext30.dll
2011-12-08 00:23 . 2001-08-18 04:36 236032 -c--a-w- c:\windows\system32\dllcache\camext20.dll
2011-12-08 00:23 . 2001-08-18 04:36 74240 -c--a-w- c:\windows\system32\dllcache\camexo20.dll
2011-12-08 00:23 . 2001-08-17 20:04 171264 -c--a-w- c:\windows\system32\dllcache\camdrv30.sys
2011-12-08 00:23 . 2001-08-17 20:04 223232 -c--a-w- c:\windows\system32\dllcache\camdrv21.sys
2011-12-08 00:23 . 2001-08-17 20:05 314752 -c--a-w- c:\windows\system32\dllcache\camdro21.sys
2011-12-08 00:21 . 2001-08-17 19:28 871388 -c--a-w- c:\windows\system32\dllcache\bcmdm.sys
2011-12-08 00:20 . 2001-08-17 18:49 9472 -c--a-w- c:\windows\system32\dllcache\ativmdcd.sys
2011-12-08 00:19 . 2001-08-17 18:12 97354 -c--a-w- c:\windows\system32\dllcache\aspndis3.sys
2011-12-08 00:10 . 2001-08-17 20:07 101888 -c--a-w- c:\windows\system32\dllcache\adpu160m.sys
2011-12-08 00:10 . 2001-08-17 18:11 46112 -c--a-w- c:\windows\system32\dllcache\adptsf50.sys
2011-12-08 00:10 . 2004-08-04 04:32 10880 -c--a-w- c:\windows\system32\dllcache\admjoy.sys
2011-12-08 00:10 . 2001-08-17 18:19 747392 -c--a-w- c:\windows\system32\dllcache\adm8830.sys
2011-12-08 00:10 . 2001-08-17 18:19 553984 -c--a-w- c:\windows\system32\dllcache\adm8820.sys
2011-12-08 00:10 . 2001-08-17 18:19 584448 -c--a-w- c:\windows\system32\dllcache\adm8810.sys
2011-12-08 00:10 . 2001-08-17 18:11 20160 -c--a-w- c:\windows\system32\dllcache\adm8511.sys
2011-12-08 00:10 . 2001-08-17 19:53 7424 -c--a-w- c:\windows\system32\dllcache\adicvls.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-04 03:37 . 2011-11-24 01:02 129536 ----a-w- c:\windows\system32\WFXSVC.EXE
2011-11-24 01:01 . 2005-12-01 05:46 41 -c--a-w- c:\windows\WFXDEL.BAT
2011-11-23 13:25 . 2004-08-12 14:09 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-16 20:26 . 2011-11-16 20:26 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-10 11:54 . 2010-12-05 23:59 472808 -c--a-w- c:\windows\system32\deployJava1.dll
2011-11-10 09:27 . 2011-11-16 19:45 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-11-04 19:20 . 2004-08-12 14:09 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2004-08-12 13:59 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2004-08-12 13:58 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2004-08-12 13:57 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07 . 2004-08-12 14:02 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2004-08-12 13:56 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:33 . 2004-08-12 14:02 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2004-08-03 22:59 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-24 20:29 . 2011-10-24 20:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 20:29 . 2011-10-24 20:29 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-10-18 11:13 . 2004-08-12 13:57 186880 ----a-w- c:\windows\system32\encdec.dll
2011-10-10 14:22 . 2005-11-30 17:03 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-11-22 21:17 . 2011-11-22 21:17 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2004-08-12 14:07 94784 -csha-w- c:\windows\twain.dll
2008-04-14 00:12 50688 -csha-w- c:\windows\twain_32.dll
2008-04-14 00:12 413696 --sh--w- c:\windows\system32\msvcp60.dll
2008-04-14 00:12 11776 -csha-w- c:\windows\system32\regsvr32.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 0 (0x0)
"NoStartMenuMyMusic"= 0 (0x0)
"NoRecentDocsNetHood"= 0 (0x0)
"NoSimpleStartMenu"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{A213B520-C6C2-11d0-AF9D-008029E1027E}"= "c:\program files\Symantec\WinFax\WfxSeh32.Dll" [1998-07-27 38400]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-06-06 18:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AgentMonitor]
2011-11-30 09:26 393640 ----a-w- c:\program files\VTech\DownloadManager\System\AgentMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2011-09-27 13:22 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Monitor]
2011-11-12 18:04 268640 ----a-w- c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 20:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-06-09 19:06 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wampmysqld"=3 (0x3)
"wampapache"=3 (0x3)
"FOVSMEK"=3 (0x3)
"Cleaner_Validator"=3 (0x3)
"a2AntiMalware"=3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HPDJ Taskbar Utility"=c:\windows\system32\spool\drivers\w32x86\3\hpztsb06.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Macromedia\\Fireworks MX\\Fireworks.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\VTech\\DownloadManager\\System\\AgentMonitor.exe"=
"c:\\Program Files\\LeapFrog\\LeapFrog Connect\\LeapFrogConnect.exe"=
.
R1 A2DDA;A2 Direct Disk Access Support Driver;c:\program files\Emsisoft Anti-Malware\a2ddax86.sys [12/12/2011 8:24 AM 17904]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 10:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 3:55 PM 67664]
S3 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 5:38 PM 116608]
S3 a2acc;a2acc;c:\program files\Emsisoft Anti-Malware\a2accx86.sys [12/12/2011 8:24 AM 51632]
S3 a2AntiMalware;Emsisoft Anti-Malware 6.0 - Service;c:\program files\Emsisoft Anti-Malware\a2service.exe [12/12/2011 8:24 AM 2996272]
S3 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [12/24/2011 9:01 PM 18560]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 MEMSWEEP2;MEMSWEEP2; [x]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [5/9/2011 11:27 AM 20352]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [5/9/2011 11:27 AM 8320]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\DRIVERS\motodrv.sys --> c:\windows\system32\DRIVERS\motodrv.sys [?]
S3 MotoHelper;MotoHelper Service;c:\program files\Motorola\MotoHelper\MotoHelperService.exe [1/27/2011 3:13 PM 226624]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [9/1/2010 2:30 AM 15544]
S3 RkPavproc1;RkPavproc1; [x]
S3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [10/1/2006 6:37 AM 26624]
S3 TfNetMon;TfNetMon; [x]
S3 USB-100;Linksys EtherFast 10/100 Compact USB Network Adapter;c:\windows\system32\drivers\USB100M.SYS [12/19/2005 4:35 AM 27519]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - uphcleanhlp
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 23:57]
.
.
------- Supplementary Scan -------
.
uStart Page = https://encrypted.google.com/
mWindow Title =
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: microsoft.com\windows
Trusted Zone: microsoft.com\www
TCP: Interfaces\{B70A2246-82AB-4804-A98E-20EC58CEF7EB}: NameServer = 192.168.11.1,64.233.207.8
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\3inhmwru.default\
FF - prefs.js: browser.startup.homepage - hxxps://encrypted.google.com/
FF - prefs.js: keyword.URL - hxxps://www.google.com/search?ie=UTF-8&oe=utf-8&q=
FF - prefs.js: keyword.enabled - false
FF - prefs.js: network.proxy.type - 4
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-06 00:15
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1547161642-2000478354-725345543-1003\Software\Policies\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (S-1-5-21-1547161642-2000478354-725345543-1003)
@Allowed: (Read) (S-1-5-21-1547161642-2000478354-725345543-1003)
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD\1*]
"value"="?\04\03\14\0e!\14?"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(660)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(1256)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-01-06 00:28:06
ComboFix-quarantined-files.txt 2012-01-06 06:27
ComboFix2.txt 2012-01-02 20:20
.
Pre-Run: 24,665,604,096 bytes free
Post-Run: 24,699,822,080 bytes free
.
- - End Of File - - A709BDCD31FCE91E1936D869C0844179

#35 m0le (Malware Response Team, London, UK)

Posted 06 January 2012 - 07:19 PM

That looks good.

Please run the ESET online scan to do a mop-up.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • Copy and paste the resulting log in your next reply
If no log is generated that means nothing was found. Please let me know if this happens.
m0le is a proud member of UNITE

#36 CelestialAura (Topic Starter, Walnut, CA)

Posted 07 January 2012 - 01:20 AM

ESET didn't actually "produce a log", but did delete & quarantine:

C:\Documents and Settings\Owner\Documents\Programs\System Tools\Hardware\Sandisk Cruzer\Backups\PortableAppsBackup-2010-11-08-Drive.zip a variant of Win32/SoftonicDownloader.A application deleted - quarantined

I left it quarantined until you can verify that this is not a false positive, as this is my only backup for my flash drive. I'll delete it permanently, if needed. Please advise how to proceed.

Thanks!

#37 m0le (Malware Response Team, London, UK)

Posted 07 January 2012 - 05:28 PM

I can't find any evidence of a false positive that ESET know about. The only way to check it would be to dequarantine and scan the files in the zip. That is not something I would normally want to do but it isn't the nastiest adware and we know where it is :)

So, you have the choice of checking the file or deleting it. Either option is okay with me.
m0le is a proud member of UNITE

#38 CelestialAura (Topic Starter, Walnut, CA)

Posted 08 January 2012 - 03:12 AM

I guess I'll go ahead & delete. Safer that way. So if this is the back up copy of my flash drive, & it's infected, isn't it very likely that my flash is infected as well? I thought I was using the Panda USB Vaccine though, & had autorun disabled, etc. Of course, since I am no longer using Panda products as of this past summer, I had been using the drive without the vaccine, but believed the vaccine to simply disable autorun, just as defogger, & that I still had to manually open the drive via Windows as autorun was still disabled. At any rate, I guess it's hard to tell if it was simply the backup file on pc infected, or if my flash drive is infected as well? Please advise... any more steps I should take other than deleting that file from ESET's quarantine? (I'm sure this can't be all she wrote, lol ;+)~

#39 CelestialAura (Topic Starter, Walnut, CA)

Posted 08 January 2012 - 11:44 AM

Ok, so I slept on this, & decided to restore the file from ESET quarantine, & unzip & scan via ESET (cpl. reasons, firstly, to better isolate & know what the culprit is so I can be sure once we're done w/cleaning of the pc, I know what to eliminate/scan on the flash drive to avoid further infection, & also mainly because curiosity was "killing this cat", lol). So I allowed ESET to quarantine & delete the infected MXONE downloader in the back up file, which was the culprit. I then also deleted the old compressed back up file to the recycle bin, & re-compressed the clean back up folder & deleted the uncompressed clean folder to the recycle bin. I then deleted a desktop icon for MXONE to the recycle bin (the only other reference to this program other than what was in the backup file) & made an executive decision (please don't scold me!) to let CCleaner clean temp files & the recycle bin w/advanced overwrite (3 passes): nope, not paranoid! I have logs from ESET & CCleaner on these actions. I will not post these logs unless you ask, as I've already been warned! So, am now waiting to proceed to next steps....

If you happen to be celebrating your birthday this weekend, I hope you are having a magnificent time ;)

#40 m0le (Malware Response Team, London, UK)

Posted 08 January 2012 - 07:24 PM

Technically, I should scold you for jumping ahead but it would have taken ages to walk you through the steps you performed and so that's okay with me this time :)

Thanks for the birthday wishes too, mate

Please post the ESET and CCleaner logs (CCleaner is okay as long as the registry cleaner isn't used)
m0le is a proud member of UNITE

#41 CelestialAura (Topic Starter, Walnut, CA)

Posted 09 January 2012 - 10:58 AM

Here are the logs... I am absolutely NOT messing with registry... (or little else, for that matter) I may jump the gun a little for basic things, but am using mass doses of common sense @ this point~ When running CCleaner, I simply opted to clean Recycle Bin & Temp for these files... didn't mess with anything else~

You are welcome! (Birthday wishes)

Thanks for not scolding~ I am self taught, & jack of all, master of none when it comes to PC, but have been self employed for 12+ years & all my work is via pc, & being a "little guy", I've had to be my own IT dept./help desk, etc... so I really do know quite a bit. I also know there are certain things that are out of my grasp, understanding & capabilities, hence why I am here! I try to practice great doses of patience & common sense ;)

It looks like ESET appended the 2nd scan I did yesterday to the original scan you had me perform the previous day (I found the scan log :) so it includes the results of the full original scan, as well as the second scan I did yesterday to eradicate~

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=0c308be10f15bc47bc877a283a012530
# end=stopped
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-12-12 03:41:34
# local_time=2011-12-11 09:41:34
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 67883054 67883054 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=18291
# found=0
# cleaned=0
# scan_time=4366
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=0c308be10f15bc47bc877a283a012530
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-01-07 06:01:00
# local_time=2012-01-07 12:01:00
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 70129964 70129964 0 0
# compatibility_mode=8192 67108863 100 0 1329246 1329246 0 0
# scanned=56665
# found=1
# cleaned=1
# scan_time=12229
C:\Documents and Settings\Owner\Documents\Programs\System Tools\Hardware\Sandisk Cruzer\Backups\PortableAppsBackup-2010-11-08-Drive.zip a variant of Win32/SoftonicDownloader.A application (deleted - quarantined) 00000000000000000000000000000000 C
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=0c308be10f15bc47bc877a283a012530
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-01-08 03:13:43
# local_time=2012-01-08 09:13:43 (-0600, Central Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 70261087 70261087 0 0
# compatibility_mode=8192 67108863 100 0 1460369 1460369 0 0
# scanned=1487
# found=0
# cleaned=0
# scan_time=685
esets_scanner_update returned -1 esets_gle=53251
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=0c308be10f15bc47bc877a283a012530
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-01-08 03:46:49
# local_time=2012-01-08 09:46:49 (-0600, Central Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 70262665 70262665 0 0
# compatibility_mode=8192 67108863 100 0 1461947 1461947 0 0
# scanned=737
# found=1
# cleaned=1
# scan_time=1061
C:\Documents and Settings\Owner\Documents\Programs\System Tools\Hardware\Sandisk Cruzer\Backups\PortableAppsBackup-2010-11-08-Drive\PortableApps\Installs\SoftonicDownloader_for_mx-one-antivirus.exe a variant of Win32/SoftonicDownloader.A application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C


CLEANING COMPLETE - (1119.880 secs)
------------------------------------------------------------------------------------------
Secure file deletion enabled - Advanced Overwrite (3 passes)
------------------------------------------------------------------------------------------

Details of files deleted
------------------------------------------------------------------------------------------
System - Empty Recycle Bin 570136 KB 4 files
System - Temporary Files 65 KB 2 files
------------------------------------------------------------------------------------------
C:\Documents and Settings\Owner\Documents\Programs\System Tools\Hardware\Sandisk Cruzer\Backups\PortableAppsBackup-2010-11-08-Drive\PortableApps\Mx One 384 KB
C:\Documents and Settings\Owner\Desktop\mxone.exe 1,284 KB
C:\Documents and Settings\Owner\Documents\Programs\System Tools\Hardware\Sandisk Cruzer\Backups\PortableAppsBackup-2010-11-08-Drive.zip 272,360 KB
C:\Documents and Settings\Owner\Documents\Programs\System Tools\Hardware\Sandisk Cruzer\Backups\PortableAppsBackup-2010-11-08-Drive 296,108 KB
C:\Documents and Settings\Owner\Local Settings\temp\etilqs_J6J58Ac3gMRcREr 32 KB
C:\Documents and Settings\Owner\Local Settings\temp\etilqs_mXkJmXFaBue2jZa 33 KB

#42 m0le (Malware Response Team, London, UK)

Posted 09 January 2012 - 08:19 PM

Okay, that all looks fine.

How is the machine behaving now?
m0le is a proud member of UNITE

#43 CelestialAura (Topic Starter, Walnut, CA)

Posted 09 January 2012 - 10:36 PM

So far, so good. Seems like the erratic mouse issue is gone. Everything seems to be ok. I have security patches & updates for Windows that need to be downloaded & applied though, as of the past few days. Please advise if I can go ahead & update, been meaning to ask but keep forgetting! Also let me know what next steps should be~

Thank you!

#44 CelestialAura (Topic Starter, Walnut, CA)

Posted 09 January 2012 - 10:40 PM

Oh yes, & just curious about the "invalid integer" issue w/Winsock2 registry key in the OTL scan...

#45 m0le (Malware Response Team, London, UK)

Posted 10 January 2012 - 05:36 PM

> Oh yes, & just curious about the "invalid integer" issue w/Winsock2 registry key in the OTL scan...

That looks to be a bug in the program and nothing to worry about.

You can update now. Let me know if anything doesn't go to plan but return so we can clear up.
m0le is a proud member of UNITE