
Uniblue Registry Booster and Ping.exe Problems


  • This topic is locked
27 replies to this topic

#1 he's dead jim

  • Members
  • 112 posts
  • OFFLINE
  • Local time:05:25 AM

Posted 14 December 2011 - 08:26 AM

hi, how are ya?

I have run several programs, including ComboFix, as I have been doing for years. This usually takes care of the problems, but the complex nature of the newer viruses leaves too many bits and pieces behind. I got rid of the bulk of the problem, but ping.exe is still running.

I ran the following programs in the order listed, and I have log files for all of them. Please let me know which logs to post and I will put them up.

1. combofix
2. superantispy
3. malwarebytes
4. spybot
5. dds
6. gmer


thanks :)


#2 HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,699 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:25 AM

Posted 20 December 2011 - 01:50 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/432395 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was follow the previous instructions and tell me so. You can skip the rest of this post. If you do need help, please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 he's dead jim
  • Topic Starter

  • Members
  • 112 posts
  • OFFLINE
  • Local time:05:25 AM

Posted 20 December 2011 - 09:38 PM

DDS LOG


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_25
Run by Jesse at 11:22:47 on 2011-12-21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1712 [GMT -5:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
.
============== Pseudo HJT Report ===============
.
TB: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [LogMeIn Hamachi Ui] "c:\program files\logmein hamachi\hamachi-2-ui.exe" --auto-start
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
TCP: Interfaces\{325C7F7D-C247-4D0C-99A5-0389DB0D83D8} : DhcpNameServer = 192.168.1.1
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\jesse\application data\mozilla\firefox\profiles\8p1qdsja.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/?pc=Z134&install_date=20111128
FF - prefs.js: keyword.URL - hxxp://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=ZLxdm24845US&ptb=2955ECAC-08B8-4E12-AC0E-DB739D88FA75&psa=&ind=2010110220&ptnrS=ZLxdm24845US&si=v2gua182401&st=kwd&n=77cfd90c&searchfor=
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\documents and settings\jesse\application data\mozilla\firefox\profiles\8p1qdsja.default\extensions\{000f1ea4-5e08-4564-a29b-29076f63a37a}\plugins\npsoe.dll
FF - plugin: c:\documents and settings\jesse\application data\mozilla\firefox\profiles\8p1qdsja.default\extensions\{1bc9ba34-1eed-42ca-a505-6d2f1a935bbb}\plugins\npietab2.dll
FF - plugin: c:\documents and settings\jesse\application data\mozilla\firefox\profiles\8p1qdsja.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin2.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin3.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin4.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin5.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin6.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin7.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\virtools\3d life player\npqtplugin.dll
FF - plugin: c:\program files\virtools\3d life player\npqtplugin2.dll
FF - plugin: c:\program files\virtools\3d life player\npqtplugin3.dll
FF - plugin: c:\program files\virtools\3d life player\npqtplugin4.dll
FF - plugin: c:\program files\virtools\3d life player\npqtplugin5.dll
FF - plugin: c:\program files\virtools\3d life player\npqtplugin6.dll
FF - plugin: c:\program files\virtools\3d life player\npvirtools.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
============= SERVICES / DRIVERS ===============
.
R0 ViBus;ViBus;c:\windows\system32\drivers\ViBus.sys [2008-5-12 16896]
R0 ViPrt;VIA SATA IDE Device Driver;c:\windows\system32\drivers\ViPrt.sys [2008-5-12 52736]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\logmein hamachi\hamachi-2.exe [2011-8-4 1361288]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\eaglexnt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 S3GIGP;S3GIGP;c:\windows\system32\drivers\S3gIGPm.sys [2008-5-12 601600]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-4 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 XDva189;XDva189;\??\c:\windows\system32\xdva189.sys --> c:\windows\system32\XDva189.sys [?]
S4 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2009-7-28 719392]
S4 iWonService;iWon Toolbar Service;c:\progra~1\iwon\bar\2.bin\jfbarsvc.exe --> c:\progra~1\iwon\bar\2.bin\jfbarsvc.exe [?]
S4 NProtectService;Norton Unerase Protection;c:\program files\norton utilities\NPROTECT.EXE [2008-5-13 135168]
.
=============== Created Last 30 ================
.
2011-12-21 13:57:57 -------- d-----w- c:\windows\Internet Logs
2011-12-13 14:28:34 162816 -c--a-w- c:\windows\system32\dllcache\netbt.sys
2011-12-13 14:28:34 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-12-13 14:12:24 -------- d-sha-r- C:\cmdcons
2011-12-13 14:08:32 98816 ----a-w- c:\windows\sed.exe
2011-12-13 14:08:32 518144 ----a-w- c:\windows\SWREG.exe
2011-12-13 14:08:32 256000 ----a-w- c:\windows\PEV.exe
2011-12-13 14:08:32 208896 ----a-w- c:\windows\MBR.exe
2011-12-13 13:59:35 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-12-13 13:59:35 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-12-13 13:59:34 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-12-13 13:59:34 478168 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-12-13 13:59:34 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
2011-12-13 13:59:34 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-12-13 13:59:33 801752 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-12-13 13:59:33 1989592 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-12-13 13:31:39 -------- d-----w- c:\documents and settings\all users\application data\{3C0AACBF-B491-4BE5-BAF9-AA46E0629E42}
2011-12-07 22:12:32 -------- d-----w- c:\documents and settings\all users\application data\pG28300KoFlJ28300
2011-12-06 21:15:43 -------- d-----w- c:\documents and settings\jesse\local settings\application data\SanctionedMedia
2011-12-02 01:36:14 -------- d-----w- C:\school
2011-11-30 02:28:09 -------- d-----w- c:\documents and settings\jesse\local settings\application data\Activision
2011-11-29 02:06:38 65032 ----a-w- c:\windows\system32\XAPOFX1_0.dll
2011-11-29 02:06:38 507400 ----a-w- c:\windows\system32\XAudio2_1.dll
2011-11-29 02:06:37 25608 ----a-w- c:\windows\system32\X3DAudio1_4.dll
2011-11-29 02:06:37 238088 ----a-w- c:\windows\system32\xactengine3_1.dll
2011-11-29 02:06:36 467984 ----a-w- c:\windows\system32\d3dx10_38.dll
2011-11-29 02:06:36 1491992 ----a-w- c:\windows\system32\D3DCompiler_38.dll
2011-11-28 23:27:33 18944 ----a-r- c:\documents and settings\jesse\application data\microsoft\installer\{297dcada-86a1-4a42-8a13-66b7d7a09fd2}\IconBB6A16301.exe
2011-11-28 23:26:46 -------- d-----w- c:\documents and settings\jesse\local settings\application data\uTorrentBar
2011-11-28 23:26:42 -------- d-----w- c:\program files\uTorrentBar
2011-11-28 23:26:35 -------- d-----w- c:\program files\uTorrent
2011-11-28 23:25:51 -------- d-----w- c:\documents and settings\jesse\local settings\application data\uTorrent
2011-11-28 23:25:51 -------- d-----w- c:\documents and settings\jesse\application data\uTorrent
2011-11-28 23:25:45 -------- d-----w- c:\documents and settings\all users\application data\Premium
2011-11-28 23:25:39 -------- d-----w- c:\documents and settings\all users\application data\InstallMate
2011-11-27 02:49:36 3850760 ----a-w- c:\windows\system32\D3DX9_38.dll
2011-11-27 02:49:28 -------- d-----w- c:\program files\common files\BioWare
.
==================== Find3M ====================
.
2011-11-21 21:26:34 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-24 19:29:02 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 19:29:02 69632 ----a-w- c:\windows\system32\QuickTime.qts
2009-06-13 14:36:43 47616 ----a-w- c:\program files\cports.exe
2008-05-13 05:10:38 401720 ----a-w- c:\program files\HiJackThis.exe
2006-07-12 16:59:22 3278400 ----a-w- c:\program files\procexp.exe
2006-03-20 20:37:00 5689344 ----a-w- c:\program files\Free - Media Player Classic Version 6.4.9.0.exe
.
============= FINISH: 11:23:55.15 ===============




GMER LOG



GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-12-21 15:18:11
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T1L0-c ST380215A rev.3.AAD
Running: xowstv9b.exe; Driver: C:\DOCUME~1\Jesse\LOCALS~1\Temp\kftdypod.sys


---- Kernel code sections - GMER 1.0.15 ----

.text atapi.sys F74A0852 1 Byte [CC] {INT 3 }
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB65BA380, 0x566445, 0xE8000020]
? C:\DOCUME~1\Jesse\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- Threads - GMER 1.0.15 ----

Thread System [4:128] 8A591161
Thread System [4:132] 8A514C30

---- EOF - GMER 1.0.15 ----

Edited by he's dead jim, 21 December 2011 - 05:17 PM.


#4 myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:11:25 AM

Posted 22 December 2011 - 05:56 AM

Hi

Can you please also provide the log from when you ran ComboFix? You should find it in C:\combofix.txt

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help requests via PM unless I am already helping you. Use the forums!

 



#5 he's dead jim
  • Topic Starter

  • Members
  • 112 posts
  • OFFLINE
  • Local time:05:25 AM

Posted 22 December 2011 - 12:54 PM

Sure, no prob. Thanks for the reply. :)



ComboFix 11-12-12.02 - Jesse 12/13/2011 10:39:57.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1702 [GMT -5:00]
Running from: c:\documents and settings\Jesse\Desktop\ComboFix.exe
FW: ZoneAlarm Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Jesse\Application Data\Mozilla\Firefox\Profiles\8p1qdsja.default\searchplugins\bing-zugo.xml
c:\documents and settings\Jesse\Application Data\PriceGong
c:\documents and settings\Jesse\g2mdlhlpx.exe
c:\documents and settings\Jesse\Start Menu\Programs\1964.lnk
c:\documents and settings\Jesse\WINDOWS
c:\windows\$NtUninstallKB12771$
c:\windows\$NtUninstallKB12771$\1802132105\@
c:\windows\$NtUninstallKB12771$\1802132105\bckfg.tmp
c:\windows\$NtUninstallKB12771$\1802132105\cfg.ini
c:\windows\$NtUninstallKB12771$\1802132105\Desktop.ini
c:\windows\$NtUninstallKB12771$\1802132105\keywords
c:\windows\$NtUninstallKB12771$\1802132105\kwrd.dll
c:\windows\$NtUninstallKB12771$\1802132105\L\rmwiuwoo
c:\windows\$NtUninstallKB12771$\1802132105\lsflt7.ver
c:\windows\$NtUninstallKB12771$\1802132105\U\00000001.@
c:\windows\$NtUninstallKB12771$\1802132105\U\00000002.@
c:\windows\$NtUninstallKB12771$\1802132105\U\00000004.@
c:\windows\$NtUninstallKB12771$\1802132105\U\80000000.@
c:\windows\$NtUninstallKB12771$\1802132105\U\80000004.@
c:\windows\$NtUninstallKB12771$\1802132105\U\80000032.@
c:\windows\$NtUninstallKB12771$\4165130353
c:\windows\CSC\d6
c:\windows\EventSystem.log
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\temp1.exe
c:\windows\system32\temp2.exe
c:\windows\system32\wpcap.dll
c:\windows\Temp\_ex-68.exe
.
Infected copy of c:\windows\system32\drivers\netbt.sys was found and disinfected
Restored copy from - The cat found it :)
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NPF
-------\Service_NPF
.
.
((((((((((((((((((((((((( Files Created from 2011-11-13 to 2011-12-13 )))))))))))))))))))))))))))))))
.
.
2011-12-13 14:28 . 2008-04-14 04:51 162816 -c--a-w- c:\windows\system32\dllcache\netbt.sys
2011-12-13 14:28 . 2008-04-14 04:51 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-12-13 13:59 . 2011-12-13 13:59 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-12-13 13:59 . 2011-12-13 13:59 134104 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-12-13 13:59 . 2011-12-13 13:59 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2011-12-13 13:59 . 2011-12-13 13:59 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-12-13 13:59 . 2011-12-13 13:59 478168 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-12-13 13:59 . 2011-12-13 13:59 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-12-13 13:59 . 2011-12-13 13:59 801752 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-12-13 13:59 . 2011-12-13 13:59 1989592 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-12-13 13:31 . 2011-12-13 13:31 -------- d-----w- c:\documents and settings\All Users\Application Data\{3C0AACBF-B491-4BE5-BAF9-AA46E0629E42}
2011-12-08 13:55 . 2011-12-08 13:55 32256 ----a-w- c:\windows\system32\JktfEL3m2.com
2011-12-07 22:12 . 2011-12-13 13:18 -------- d-----w- c:\documents and settings\All Users\Application Data\pG28300KoFlJ28300
2011-12-07 19:02 . 2011-12-07 19:02 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-12-06 21:15 . 2011-12-06 21:15 -------- d-----w- c:\documents and settings\Jesse\Local Settings\Application Data\SanctionedMedia
2011-12-02 01:36 . 2011-12-02 01:52 -------- d-----w- C:\school
2011-11-30 02:28 . 2011-11-30 02:28 -------- d-----w- c:\documents and settings\Jesse\Local Settings\Application Data\Activision
2011-11-29 02:06 . 2008-05-30 19:19 507400 ----a-w- c:\windows\system32\XAudio2_1.dll
2011-11-29 02:06 . 2008-05-30 19:17 65032 ----a-w- c:\windows\system32\XAPOFX1_0.dll
2011-11-29 02:06 . 2008-05-30 19:18 238088 ----a-w- c:\windows\system32\xactengine3_1.dll
2011-11-29 02:06 . 2008-05-30 19:17 25608 ----a-w- c:\windows\system32\X3DAudio1_4.dll
2011-11-29 02:06 . 2008-05-30 19:11 467984 ----a-w- c:\windows\system32\d3dx10_38.dll
2011-11-29 02:06 . 2008-05-30 19:11 1491992 ----a-w- c:\windows\system32\D3DCompiler_38.dll
2011-11-28 23:27 . 2011-11-28 23:27 18944 ----a-r- c:\documents and settings\Jesse\Application Data\Microsoft\Installer\{297DCADA-86A1-4A42-8A13-66B7D7A09FD2}\IconBB6A16301.exe
2011-11-28 23:26 . 2011-11-28 23:26 -------- d-----w- c:\program files\uTorrent
2011-11-28 23:25 . 2011-12-13 13:47 -------- d-----w- c:\documents and settings\Jesse\Application Data\uTorrent
2011-11-28 23:25 . 2011-11-28 23:25 -------- d-----w- c:\documents and settings\Jesse\Local Settings\Application Data\uTorrent
2011-11-28 23:25 . 2011-11-28 23:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Premium
2011-11-28 23:25 . 2011-11-28 23:31 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallMate
2011-11-27 02:49 . 2008-05-30 19:11 3850760 ----a-w- c:\windows\system32\D3DX9_38.dll
2011-11-27 02:49 . 2011-11-27 02:49 -------- d-----w- c:\program files\Common Files\BioWare
2011-11-27 02:49 . 2011-11-27 02:49 -------- d-----w- c:\program files\Electronic Arts
2011-11-17 00:14 . 2011-11-22 01:50 -------- d-----w- c:\documents and settings\Jesse\Application Data\.minecraft
2011-11-15 21:37 . 2011-11-15 21:37 -------- d-----w- c:\program files\iPod
2011-11-15 21:37 . 2011-11-15 21:37 -------- d-----w- c:\program files\iTunes
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-21 21:26 . 2011-05-17 21:04 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-24 19:29 . 2011-10-24 19:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 19:29 . 2011-10-24 19:29 69632 ----a-w- c:\windows\system32\QuickTime.qts
2009-06-13 14:36 . 2009-04-15 15:00 47616 ----a-w- c:\program files\cports.exe
2008-05-13 05:10 . 2008-05-13 05:10 401720 ----a-w- c:\program files\HiJackThis.exe
2006-07-12 16:59 . 2008-05-13 18:43 3278400 ----a-w- c:\program files\procexp.exe
2006-03-20 20:37 . 2008-05-13 18:44 5689344 ----a-w- c:\program files\Free - Media Player Classic Version 6.4.9.0.exe
2011-12-13 13:59 . 2011-12-13 13:59 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2011-03-18 1043968]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-10-06 59240]
"LogMeIn Hamachi Ui"="c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe" [2011-08-04 1955208]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-11-13 421736]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57574:TCP"= 57574:TCP:Pando Media Booster
"57574:UDP"= 57574:UDP:Pando Media Booster
"57089:TCP"= 57089:TCP:Pando Media Booster
"57089:UDP"= 57089:UDP:Pando Media Booster
"57819:TCP"= 57819:TCP:Pando Media Booster
"57819:UDP"= 57819:UDP:Pando Media Booster
.
R0 ViBus;ViBus;c:\windows\system32\drivers\ViBus.sys [5/12/2008 11:28 PM 16896]
R0 ViPrt;VIA SATA IDE Device Driver;c:\windows\system32\drivers\ViPrt.sys [5/12/2008 11:28 PM 52736]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [8/4/2011 1:34 PM 1361288]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\EagleXNt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/4/2004 7:00 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
S3 XDva189;XDva189;\??\c:\windows\system32\XDva189.sys --> c:\windows\system32\XDva189.sys [?]
S4 a2free;a-squared Free Service;c:\program files\a-squared Free\a2service.exe [7/28/2009 5:45 AM 719392]
S4 iWonService;iWon Toolbar Service;c:\progra~1\iWon\bar\2.bin\jfbarsvc.exe --> c:\progra~1\iWon\bar\2.bin\jfbarsvc.exe [?]
S4 NProtectService;Norton Unerase Protection;c:\program files\Norton Utilities\NPROTECT.EXE [5/13/2008 2:50 PM 135168]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 21:57]
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Jesse\Application Data\Mozilla\Firefox\Profiles\8p1qdsja.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/?pc=Z134&install_date=20111128
FF - prefs.js: keyword.URL - hxxp://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=ZLxdm24845US&ptb=2955ECAC-08B8-4E12-AC0E-DB739D88FA75&psa=&ind=2010110220&ptnrS=ZLxdm24845US&si=v2gua182401&st=kwd&n=77cfd90c&searchfor=
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{12A9DB21-42A2-492D-A85C-CDDE0C88B608} - (no file)
WebBrowser-{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - (no file)
AddRemove-{09FF4DB8-7DE9-4D47-B7DB-915DB7D9A8CA} - c:\documents and settings\All Users\Application Data\{3C0AACBF-B491-4BE5-BAF9-AA46E0629E42}\bm_installer.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-13 11:46
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1288)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-12-13 12:35:11 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-13 17:35
.
Pre-Run: 13,691,461,632 bytes free
Post-Run: 16,821,092,352 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
.
- - End Of File - - 265C10BF21D2A130E15D48A2B3B78866
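A triage pass over the kinds of lines these logs contain, as an added example that is not part of the thread or of the DDS/ComboFix tools: it parses the service/driver lines (the same format appears in the DDS log in post #3 and in the ComboFix log above), the ComboFix firewall-policy values and the "Other Deletions" paths, and returns review flags rather than verdicts. Sample lines are copied from the logs above; the checks and the flag wording are my own heuristics.

```python
import re
from typing import Dict, List, Optional

# Added example (not from the thread or from the DDS/ComboFix tools): a triage
# pass over the kinds of lines those logs contain. Sample lines below are copied
# from the logs above; every flag is a review hint for the helper, not a verdict.

SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
UNRESOLVED_RE = re.compile(r"-->\s+(?P<path>.+?)\s+\[\?\]\s*$")       # "... --> path [?]"
RESOLVED_RE = re.compile(r"^(?P<path>.+?)\s+\[(?P<meta>[^\]]+)\]\s*$")  # "path [date size]"
# ComboFix prints  "EnableFirewall"= 0 (0x0)  and  "DisableMonitoring"=dword:00000001
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?:dword:(?P<hex>[0-9a-fA-F]+)|(?P<dec>\d+))')
# A hotfix uninstall folder holding U\ and L\ subfolders or "@"-named files (the
# layout ComboFix deleted above) is not how Windows populates those folders.
ODD_UNINSTALL_RE = re.compile(r"\\(\$NtUninstallKB\d+\$)\\\d+\\(?:[UL]\\|@$|[^\\]*\.@$)", re.I)


def parse_service(line: str) -> Optional[Dict[str, object]]:
    """Split 'R0 Name;Display;path [date size]' or 'S3 Name;Display;... --> path [?]'."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").strip()
    hit = UNRESOLVED_RE.search(rest)
    if hit:                                   # the tool could not stat the image file
        path, meta = hit.group("path"), None
    else:
        r = RESOLVED_RE.match(rest)
        path, meta = (r.group("path"), r.group("meta")) if r else (rest, None)
    return {"name": m.group("name"), "path": path.lower(), "file_seen": meta is not None}


def triage_services(lines: List[str]) -> List[str]:
    """Flag service/driver entries whose image is missing or oddly placed."""
    flags = []
    for line in lines:
        svc = parse_service(line)
        if svc is None:
            continue
        if not svc["file_seen"]:
            flags.append(f"{svc['name']}: image file not found ({svc['path']})")
        if svc["path"].endswith(".sys") and "\\drivers\\" not in svc["path"]:
            flags.append(f"{svc['name']}: kernel driver outside system32\\drivers")
    return flags


def triage_registry(lines: List[str]) -> List[str]:
    """Walk ComboFix 'Reg Loading Points' lines, tracking the current [key]."""
    flags, key = [], ""
    for raw in lines:
        s = raw.strip()
        if s.startswith("[") and s.endswith("]"):
            key = s.lower()
            continue
        m = REG_VALUE_RE.match(s)
        if not m:
            continue
        name = m.group("name")
        val = int(m.group("hex"), 16) if m.group("hex") else int(m.group("dec"))
        tail = key.rsplit("\\", 1)[-1].rstrip("]")  # last component of the key
        if "firewallpolicy" in key and name == "EnableFirewall" and val == 0:
            flags.append("Windows Firewall off in " + tail)
        elif "security center\\monitoring" in key and name == "DisableMonitoring" and val == 1:
            flags.append("Security Center monitoring off for " + tail)
        elif "globallyopenports" in key and re.fullmatch(r"\d+:(TCP|UDP)", name):
            flags.append("port opened in firewall policy: " + name)
    return flags


def triage_deletions(paths: List[str]) -> Dict[str, int]:
    """Count odd entries per hotfix-uninstall folder in a ComboFix deletion list."""
    counts: Dict[str, int] = {}
    for p in paths:
        m = ODD_UNINSTALL_RE.search(p)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


# Constructed subsets of the DDS and ComboFix output posted above.
SERVICE_LINES = [
    r"R0 ViBus;ViBus;c:\windows\system32\drivers\ViBus.sys [2008-5-12 16896]",
    r"S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\eaglexnt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]",
    r"S3 XDva189;XDva189;\??\c:\windows\system32\xdva189.sys --> c:\windows\system32\XDva189.sys [?]",
]
REG_LINES = [
    r"[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]",
    '"DisableMonitoring"=dword:00000001',
    r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]",
    '"EnableFirewall"= 0 (0x0)',
    r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]",
    '"57574:TCP"= 57574:TCP:Pando Media Booster',
]
DELETED_PATHS = [
    r"c:\windows\$NtUninstallKB12771$\1802132105\@",
    r"c:\windows\$NtUninstallKB12771$\1802132105\cfg.ini",
    r"c:\windows\$NtUninstallKB12771$\1802132105\L\rmwiuwoo",
    r"c:\windows\$NtUninstallKB12771$\1802132105\U\00000001.@",
    r"c:\windows\$NtUninstallKB12771$\1802132105\U\80000032.@",
    r"c:\windows\$NtUninstallKB12771$\4165130353",
    r"c:\windows\system32\temp1.exe",
]
```

ComboFix reports ZoneAlarm as the enabled firewall, so the Windows Firewall and Security Center values are expected on this machine; the point of the pass is to list them next to the two drivers whose image files could not be found.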

#6 myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:11:25 AM

Posted 22 December 2011 - 02:42 PM

Hi,

OK. Could you please download a fresh copy of ComboFix and let me know what it finds.

regards myrti



#7 he's dead jim
  • Topic Starter

  • Members
  • 112 posts
  • OFFLINE
  • Local time:05:25 AM

Posted 22 December 2011 - 03:33 PM

Sure, here you go.



ComboFix 11-12-22.04 - Jesse 12/22/2011 14:59:34.4.2 - x86
Running from: c:\documents and settings\Jesse\Desktop\ComboFix.exe
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\oobe\isperror
c:\windows\system32\oobe\isperror\ispcnerr.htm
c:\windows\system32\oobe\isperror\ispdtone.htm
c:\windows\system32\oobe\isperror\isphdshk.htm
c:\windows\system32\oobe\isperror\ispins.htm
c:\windows\system32\oobe\isperror\ispnoanw.htm
c:\windows\system32\oobe\isperror\isppberr.htm
c:\windows\system32\oobe\isperror\ispphbsy.htm
c:\windows\system32\oobe\isperror\ispsbusy.htm
c:\windows\system32\SET20.tmp
c:\windows\system32\SET21.tmp
c:\windows\system32\SET22.tmp
.
.
((((((((((((((((((((((((( Files Created from 2011-11-22 to 2011-12-22 )))))))))))))))))))))))))))))))
.
.
2011-12-21 13:57 . 2011-12-21 13:57 -------- d-----w- c:\windows\Internet Logs
2011-12-13 14:28 . 2008-04-14 04:51 162816 -c--a-w- c:\windows\system32\dllcache\netbt.sys
2011-12-13 14:28 . 2008-04-14 04:51 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-12-13 13:59 . 2011-12-13 13:59 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-12-13 13:59 . 2011-12-13 13:59 134104 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-12-13 13:59 . 2011-12-13 13:59 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2011-12-13 13:59 . 2011-12-13 13:59 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-12-13 13:59 . 2011-12-13 13:59 478168 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-12-13 13:59 . 2011-12-13 13:59 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-12-13 13:59 . 2011-12-13 13:59 801752 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-12-13 13:59 . 2011-12-13 13:59 1989592 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-12-13 13:31 . 2011-12-13 13:31 -------- d-----w- c:\documents and settings\All Users\Application Data\{3C0AACBF-B491-4BE5-BAF9-AA46E0629E42}
2011-12-07 22:12 . 2011-12-13 13:18 -------- d-----w- c:\documents and settings\All Users\Application Data\pG28300KoFlJ28300
2011-12-07 19:02 . 2011-12-07 19:02 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-12-06 21:15 . 2011-12-06 21:15 -------- d-----w- c:\documents and settings\Jesse\Local Settings\Application Data\SanctionedMedia
2011-12-02 01:36 . 2011-12-02 01:52 -------- d-----w- C:\school
2011-11-30 02:28 . 2011-11-30 02:28 -------- d-----w- c:\documents and settings\Jesse\Local Settings\Application Data\Activision
2011-11-29 02:06 . 2008-05-30 19:19 507400 ----a-w- c:\windows\system32\XAudio2_1.dll
2011-11-29 02:06 . 2008-05-30 19:17 65032 ----a-w- c:\windows\system32\XAPOFX1_0.dll
2011-11-29 02:06 . 2008-05-30 19:18 238088 ----a-w- c:\windows\system32\xactengine3_1.dll
2011-11-29 02:06 . 2008-05-30 19:17 25608 ----a-w- c:\windows\system32\X3DAudio1_4.dll
2011-11-29 02:06 . 2008-05-30 19:11 467984 ----a-w- c:\windows\system32\d3dx10_38.dll
2011-11-29 02:06 . 2008-05-30 19:11 1491992 ----a-w- c:\windows\system32\D3DCompiler_38.dll
2011-11-28 23:27 . 2011-11-28 23:27 18944 ----a-r- c:\documents and settings\Jesse\Application Data\Microsoft\Installer\{297DCADA-86A1-4A42-8A13-66B7D7A09FD2}\IconBB6A16301.exe
2011-11-28 23:26 . 2011-11-28 23:26 -------- d-----w- c:\program files\uTorrent
2011-11-28 23:25 . 2011-12-13 13:47 -------- d-----w- c:\documents and settings\Jesse\Application Data\uTorrent
2011-11-28 23:25 . 2011-11-28 23:25 -------- d-----w- c:\documents and settings\Jesse\Local Settings\Application Data\uTorrent
2011-11-28 23:25 . 2011-11-28 23:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Premium
2011-11-28 23:25 . 2011-11-28 23:31 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallMate
2011-11-27 02:49 . 2008-05-30 19:11 3850760 ----a-w- c:\windows\system32\D3DX9_38.dll
2011-11-27 02:49 . 2011-11-27 02:49 -------- d-----w- c:\program files\Common Files\BioWare
2011-11-27 02:49 . 2011-11-27 02:49 -------- d-----w- c:\program files\Electronic Arts
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-21 21:26 . 2011-05-17 21:04 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-24 19:29 . 2011-10-24 19:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 19:29 . 2011-10-24 19:29 69632 ----a-w- c:\windows\system32\QuickTime.qts
2009-06-13 14:36 . 2009-04-15 15:00 47616 ----a-w- c:\program files\cports.exe
2008-05-13 05:10 . 2008-05-13 05:10 401720 ----a-w- c:\program files\HiJackThis.exe
2006-07-12 16:59 . 2008-05-13 18:43 3278400 ----a-w- c:\program files\procexp.exe
2006-03-20 20:37 . 2008-05-13 18:44 5689344 ----a-w- c:\program files\Free - Media Player Classic Version 6.4.9.0.exe
2011-12-13 13:59 . 2011-12-13 13:59 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-12-13_16.45.34 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-04 12:00 . 2011-12-13 16:50 79074 c:\windows\system32\perfc009.dat
+ 2009-03-28 07:34 . 2011-08-31 22:00 22216 c:\windows\system32\drivers\mbam.sys
+ 2004-08-04 12:00 . 2011-12-13 16:50 481000 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-10-06 59240]
"LogMeIn Hamachi Ui"="c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe" [2011-08-04 1955208]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-11-13 421736]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57574:TCP"= 57574:TCP:Pando Media Booster
"57574:UDP"= 57574:UDP:Pando Media Booster
"57089:TCP"= 57089:TCP:Pando Media Booster
"57089:UDP"= 57089:UDP:Pando Media Booster
"57819:TCP"= 57819:TCP:Pando Media Booster
"57819:UDP"= 57819:UDP:Pando Media Booster
.
R0 ViBus;ViBus;c:\windows\system32\drivers\ViBus.sys [5/12/2008 11:28 PM 16896]
R0 ViPrt;VIA SATA IDE Device Driver;c:\windows\system32\drivers\ViPrt.sys [5/12/2008 11:28 PM 52736]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [8/4/2011 1:34 PM 1361288]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\EagleXNt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/4/2004 7:00 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
S3 XDva189;XDva189;\??\c:\windows\system32\XDva189.sys --> c:\windows\system32\XDva189.sys [?]
S4 a2free;a-squared Free Service;c:\program files\a-squared Free\a2service.exe [7/28/2009 5:45 AM 719392]
S4 iWonService;iWon Toolbar Service;c:\progra~1\iWon\bar\2.bin\jfbarsvc.exe --> c:\progra~1\iWon\bar\2.bin\jfbarsvc.exe [?]
S4 NProtectService;Norton Unerase Protection;c:\program files\Norton Utilities\NPROTECT.EXE [5/13/2008 2:50 PM 135168]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 21:57]
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Jesse\Application Data\Mozilla\Firefox\Profiles\8p1qdsja.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/?pc=Z134&install_date=20111128
FF - prefs.js: keyword.URL - hxxp://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=ZLxdm24845US&ptb=2955ECAC-08B8-4E12-AC0E-DB739D88FA75&psa=&ind=2010110220&ptnrS=ZLxdm24845US&si=v2gua182401&st=kwd&n=77cfd90c&searchfor=
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-22 15:13
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2011-12-22 15:17:25
ComboFix-quarantined-files.txt 2011-12-22 20:17
.
Pre-Run: 16,729,522,176 bytes free
Post-Run: 16,723,509,248 bytes free
.
- - End Of File - - 43510E2E6DF5FF385C615686C2613D6A
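The ComboFix log above lists services whose binaries are no longer on disk (the `--> ... [?]` entries), firewall rules that allow programs through, and globally open ports. Triaging those by eye is error-prone, so here is a parser that pulls the service, firewall and port lines out of a ComboFix log and lists what a helper would want to look at. This is an added example, not code from the thread, from ComboFix or from BleepingComputer; the sample log is constructed from the line shapes in the post, and the "non-Windows program" heuristic on authorized applications is an assumption chosen for illustration.

```python
"""Triage helper for ComboFix-style logs: orphaned service entries, firewall
notification setting, authorized applications and globally open ports.

Added example (not part of the thread or of ComboFix). SAMPLE_LOG is constructed
from the line formats seen in the posted log."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample in ComboFix format (values copied from the posted log's shapes).
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57574:TCP"= 57574:TCP:Pando Media Booster
"57574:UDP"= 57574:UDP:Pando Media Booster
.
R0 ViBus;ViBus;c:\windows\system32\drivers\ViBus.sys [5/12/2008 11:28 PM 16896]
R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [8/4/2011 1:34 PM 1361288]
S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\EagleXNt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S4 a2free;a-squared Free Service;c:\program files\a-squared Free\a2service.exe [7/28/2009 5:45 AM 719392]
S4 iWonService;iWon Toolbar Service;c:\progra~1\iWon\bar\2.bin\jfbarsvc.exe --> c:\progra~1\iWon\bar\2.bin\jfbarsvc.exe [?]
"""

# "R0 name;display;image [date size]" or "... image --> resolved [?]"
SERVICE_RE = re.compile(
    r"^(?P<start>[RS][0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.*?)(?:\s+-->\s+(?P<resolved>.*?))?\s+\[(?P<meta>[^\]]*)\]$"
)
PORT_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=\s*\d+:(?:TCP|UDP):(?P<label>.*)$')
APP_RE = re.compile(r'^"(?P<path>[^"]+)"=\s*$')
NOTIFY_RE = re.compile(r'^"DisableNotifications"=\s*(?P<value>\d+)')


@dataclass
class Service:
    start: str
    name: str
    display: str
    image: str
    resolved: Optional[str]
    meta: str

    @property
    def binary_missing(self) -> bool:
        # ComboFix prints "[?]" instead of "[date size]" when the image is absent.
        return self.meta.strip() == "?"


@dataclass
class Report:
    services: List[Service] = field(default_factory=list)
    open_ports: List[Tuple[int, str, str]] = field(default_factory=list)
    authorized_apps: List[str] = field(default_factory=list)
    notifications_disabled: bool = False


def parse_combofix(text: str) -> Report:
    rep = Report()
    for raw in text.splitlines():
        line = raw.strip()
        if (m := SERVICE_RE.match(line)):
            rep.services.append(Service(m["start"], m["name"], m["display"],
                                        m["image"], m["resolved"], m["meta"]))
        elif (m := PORT_RE.match(line)):
            rep.open_ports.append((int(m["port"]), m["proto"], m["label"].strip()))
        elif (m := APP_RE.match(line)):
            # Registry export doubles the backslashes; fold them back for display.
            rep.authorized_apps.append(m["path"].replace("\\\\", "\\"))
        elif (m := NOTIFY_RE.match(line)):
            rep.notifications_disabled = m["value"] == "1"
    return rep


def orphaned_services(services: List[Service]) -> List[Service]:
    """Service entries whose binary ComboFix could not find on disk."""
    return [s for s in services if s.binary_missing]


def triage_combofix(rep: Report) -> List[str]:
    findings = []
    for s in orphaned_services(rep.services):
        findings.append(f"service {s.name} ({s.start}): image {s.resolved or s.image} "
                        f"not found - orphaned entry, review before removal")
    if rep.notifications_disabled:
        findings.append("firewall: DisableNotifications=1 - user is not told when a program is blocked")
    for port, proto, label in rep.open_ports:
        findings.append(f"firewall: globally open port {port}/{proto} ({label})")
    for path in rep.authorized_apps:
        # Assumed heuristic: anything outside the Windows directory deserves a look.
        if "\\windows\\" not in path.lower():
            findings.append(f"firewall: non-Windows program allowed through: {path}")
    return findings


if __name__ == "__main__":
    for line in triage_combofix(parse_combofix(SAMPLE_LOG)):
        print(line)
```

The orphaned-service list is input for review, not a verdict: in the sample it includes MBAMSwissArmy, which belongs to Malwarebytes (whose mbam.sys appears elsewhere in the posted log) and is loaded on demand, alongside the iWon toolbar and EagleXNt leftovers.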

#8 myrti

Posted 22 December 2011 - 04:44 PM

How is the PC doing?

regards myrti



#9 he's dead jim

Posted 22 December 2011 - 05:02 PM

Looks OK, but I want to make sure to take out as many tiny leftovers as possible. I have had these things seemingly grow back a week after cleaning.

#10 he's dead jim

Posted 23 December 2011 - 06:30 PM

Another update.

The computer was still running slow. It took a little over 6 hours to run Malwarebytes, and the drive is only 80 GB.

The Task Manager showed that the computer was 98% idle, with only 2% being devoted to Malwarebytes.

I also checked the services and found something called wdcsvc running, and disabled it as this site recommended.

While waiting for your reply, I am running Malwarebytes again to see if the time has improved.

#11 myrti

Posted 24 December 2011 - 06:56 AM

Hi,

Can you check the spelling; was it really called wdcsvc? Please also run a new GMER log and post it in your next reply.

Did Malwarebytes find anything, despite needing 6 h to run?

regards myrti



#12 he's dead jim

Posted 24 December 2011 - 01:22 PM

Malwarebytes, SUPERAntiSpyware, and Spybot came up clean.

Also, you are correct on my spelling mistake, lol. It was wscsvc.sys.

I installed AVG and it found a couple of things and cleaned them out. Unfortunately, it did not keep a log for some reason, but I had to reboot to get rid of whatever it was. It was something to do with a hidden and corrupt version of atapi.sys.


I have to run GMER on Monday and post the log. I have 30 people coming over for Christmas dinner and I have to start cooking.

Thanks for all your help so far, and have a great holiday.

:)

#13 myrti

Posted 25 December 2011 - 08:39 AM

W00t, have fun with the Christmas dinner then! :) We're only getting 10 people together, and they will have to help with the cooking too. (Or rather, they wouldn't have it any other way than to help with the cooking. :lol:)

Take your time and enjoy the Christmas days; it's all over way too quickly anyway.

Could you rerun AVG for me and see if it detects atapi.sys again? I'd be interested in the exact message.

wscsvc is the service for the Windows Security Center and should be legit.

regards myrti



#14 he's dead jim

Posted 26 December 2011 - 03:50 PM

Whew.. lots of great food and company :)

I ran AVG again and this is what I got:

1. Full system scan:

"";"C:\Documents and Settings\Jesse\Application Data\Sony Online Entertainment\npsoeact.dll";"The file is signed with a broken digital signature, issued by: Sony Online Entertainment.";""

This was just a message, because there was no prompt to remove it and the necessary buttons were greyed out.


------------------------------------------------------------------------------------------------------------------

2. Rootkit scan:

"";"<unknown>";"Corrupted section atapi.sys[.text] +0x6852, size 1 bytes";"Object is hidden"


When I went to remove it, this message came up:


object is hidden by a rootkit technique (which is usually used by a malicious software) do you really want to remove it?


I clicked yes and it had to reboot to remove it. But that's what it did last time, and it was still there.

------------------------------------------------------------------------------------------------------------------

I am still running GMER and it has picked up the atapi.sys, but it is taking a real long time to run, almost 2 hours so far. I set it up the same way as the tutorial page showed, but it is still taking long. When I first ran it last week it only took a minute or 2.

#15 he's dead jim

Posted 26 December 2011 - 05:30 PM

Here ya go. :)




GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-12-26 17:23:47
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T1L0-c ST380215A rev.3.AAD
Running: jg9d5j8m.exe; Driver: C:\DOCUME~1\Jesse\LOCALS~1\Temp\kftdypod.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xAEA0CF3C]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xAEA0CFE4]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xAEA0D080]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xAEA0D11C]

---- Kernel code sections - GMER 1.0.15 ----

.text atapi.sys F74A0852 1 Byte [CC] {INT 3 }
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB6422380, 0x566445, 0xE8000020]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- Threads - GMER 1.0.15 ----

Thread System [4:128] 8A530161
Thread System [4:132] 8A518C30

---- EOF - GMER 1.0.15 ----



