
Rootkit ZeroAccess (M++) in TCP/IP stacks


This topic is locked. 18 replies to this topic.

#1 KatherineQC (Members, 10 posts)

Posted 25 January 2012 - 07:28 PM

Elsewhere I received advice to run stuff and am now stuck without further help, so I am here (where I downloaded the ComboFix I was told to use).
SO... I had already run RogueKiller and TDSSKiller and was then told to run ComboFix, and now I have no clue, except I was pretty sure the problem was definitely not gone, since my Comodo Pro is still not working. I am able to access the internet, so that at least helps some.
I did turn on Windows Firewall (XP).
I do already have a ComboFix log, and while it was running it said it was in the TCP/IP stacks.
Please let me know where you would like to start, and I won't do anything else until I hear back on this post.
Thank you very much.
Freezing, frustrated & fast falling behind in school,
Katherine at Quebec

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Run by USER at 18:19:35 on 2012-01-25
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.57 [GMT -5:00]
.
AV: Spyware Doctor with AntiVirus *Disabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
FW: COMODO Firewall Pro *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Comodo\Firewall\cpf.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\sol.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://keepvid.com/
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
uRun: [IE Privacy Keeper] "c:\program files\unh solutions\ie privacy keeper\IEPrivacyKeeper.exe" -startup
uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [CTCheck] c:\program files\creative\creative zen\zen media explorer\CTCheck.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\comodo~1.lnk - c:\program files\comodo\firewall\cpf.exe
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1179288406531
DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} - hxxp://ccfiles.creative.com/Web/softwareupdate/su/ocx/15101/CTSUEng.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1179288389250
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/su/ocx/15112/CTPID.cab
TCP: DhcpNameServer = 192.168.15.1
TCP: Interfaces\{CE34F9FE-C031-43FC-81FA-E21FE4919C22} : DhcpNameServer = 192.168.15.1
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\user\application data\mozilla\firefox\profiles\h9vtuv81.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.scroogle.org/cgi-bin/scraper.htm
FF - plugin: c:\documents and settings\user\application data\mozilla\plugins\np-mswmp.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
============= SERVICES / DRIVERS ===============
.
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2012-1-25 207280]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2012-1-25 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2012-1-25 59664]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2012-1-25 233136]
R2 BOCore;BOCore;c:\program files\comodo\cboclean\BOCore.exe [2007-5-15 76528]
R2 CmdAgent;Comodo Application Agent;c:\program files\comodo\firewall\cmdagent.exe [2007-5-15 361040]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2012-1-25 365280]
S2 hpdj00;hpdj00;c:\docume~1\user\locals~1\temp\hpdj00.exe -servicerunning=true -uninstall=hp officejet 7200 series -product=aio --> c:\docume~1\user\locals~1\temp\hpdj00.exe -servicerunning=true -uninstall=HP Officejet 7200 series -product=aio [?]
S2 hpdj01;hpdj01;c:\docume~1\user\locals~1\temp\hpdj01.exe -servicerunning=true -uninstall=hp officejet 4200 series -product=aio --> c:\docume~1\user\locals~1\temp\hpdj01.exe -servicerunning=true -uninstall=hp officejet 4200 series -product=aio [?]
S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [2012-1-25 70408]
S3 PTDMBus;PANTECH USB Modem Composite Device Driver ;c:\windows\system32\drivers\ptdmbus.sys --> c:\windows\system32\drivers\PTDMBus.sys [?]
S3 PTDMMdm;PANTECH USB Modem Drivers ;c:\windows\system32\drivers\ptdmmdm.sys --> c:\windows\system32\drivers\PTDMMdm.sys [?]
S3 PTDMVsp;PANTECH USB Modem Serial Port ;c:\windows\system32\drivers\ptdmvsp.sys --> c:\windows\system32\drivers\PTDMVsp.sys [?]
S3 PTDMWWAN;PANTECH USB Modem WWAN Driver;c:\windows\system32\drivers\ptdmwwan.sys --> c:\windows\system32\drivers\PTDMWWAN.sys [?]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2012-1-25 1141712]
S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2012-1-25 33552]
S3 ThreatFire;ThreatFire;c:\program files\spyware doctor\tfengine\tfservice.exe service --> c:\program files\spyware doctor\tfengine\TFService.exe service [?]
.
=============== File Associations ===============
.
txtfile=c:\windows\NOTEPAD.EXE %1
.
=============== Created Last 30 ================
.
2012-01-25 23:19:55 811 ----a-w- c:\documents and settings\all users\application data\koznaaa.tmp
2012-01-25 23:19:50 857 ----a-w- c:\documents and settings\all users\application data\joznaaa.tmp
2012-01-25 23:19:45 870 ----a-w- c:\documents and settings\all users\application data\ioznaaa.tmp
2012-01-25 21:49:33 803 ----a-w- c:\documents and settings\all users\application data\hdhoaaa.tmp
2012-01-25 21:49:31 832 ----a-w- c:\documents and settings\all users\application data\jdhoaaa.tmp
2012-01-25 21:49:29 839 ----a-w- c:\documents and settings\all users\application data\gdhoaaa.tmp
2012-01-25 21:49:29 803 ----a-w- c:\documents and settings\all users\application data\idhoaaa.tmp
2012-01-25 20:49:23 -------- d-sha-r- C:\cmdcons
2012-01-25 20:45:12 98816 ----a-w- c:\windows\sed.exe
2012-01-25 20:45:12 518144 ----a-w- c:\windows\SWREG.exe
2012-01-25 20:45:12 256000 ----a-w- c:\windows\PEV.exe
2012-01-25 20:45:12 208896 ----a-w- c:\windows\MBR.exe
2012-01-25 20:19:35 59664 --s---w- c:\windows\system32\drivers\TfSysMon.sys
2012-01-25 20:19:35 33552 --s---w- c:\windows\system32\drivers\TfNetMon.sys
2012-01-25 20:19:34 51984 --s---w- c:\windows\system32\drivers\TfFsMon.sys
2012-01-25 20:11:47 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2012-01-25 20:11:36 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2012-01-25 20:11:36 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2012-01-25 20:11:17 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2012-01-25 20:11:06 -------- d-----w- c:\program files\common files\PC Tools
2012-01-25 20:11:05 -------- d-----w- c:\program files\Spyware Doctor
2012-01-25 20:11:05 -------- d-----w- c:\documents and settings\user\application data\PC Tools
2012-01-25 20:11:05 -------- d-----w- c:\documents and settings\all users\application data\PC Tools
2012-01-25 20:09:18 -------- d-----w- c:\documents and settings\user\application data\GetRightToGo
2012-01-25 14:38:07 -------- d-----w- c:\program files\ESET
2012-01-25 00:25:33 -------- d-----w- c:\program files\Microsoft ActiveSync
2012-01-11 21:03:37 -------- d-----w- c:\documents and settings\user\local settings\application data\Help
2012-01-08 19:10:31 -------- d-----w- c:\documents and settings\user\local settings\application data\Alexander_Nikiforov
2012-01-08 19:10:31 -------- d-----w- c:\documents and settings\user\application data\MP3SkypeRecorder
2012-01-08 19:09:49 -------- d-----w- c:\program files\MP3 Skype Recorder
2012-01-07 17:17:29 574264 ----a-w- c:\program files\mozilla firefox\plugins\webex\1224\atgpcext.dll
2012-01-07 17:17:28 113976 ----a-w- c:\program files\mozilla firefox\plugins\webex\1224\atgpcdec.dll
2012-01-03 13:22:02 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2012-01-03 13:22:02 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
2012-01-01 17:45:46 244736 ----a-w- c:\program files\mozilla firefox\plugins\webex\500\webexstm\StreamingMedia.dll
2012-01-01 02:09:32 626688 ----a-w- c:\program files\mozilla firefox\msvcr80.dll
2012-01-01 02:09:32 548864 ----a-w- c:\program files\mozilla firefox\msvcp80.dll
2012-01-01 02:09:32 479232 ----a-w- c:\program files\mozilla firefox\msvcm80.dll
2012-01-01 02:09:32 43992 ----a-w- c:\program files\mozilla firefox\mozutils.dll
.
==================== Find3M ====================
.
2012-01-25 23:20:05 816 ----a-w- c:\documents and settings\all users\application data\moznaaa.tmp
2012-01-25 23:20:00 863 ----a-w- c:\documents and settings\all users\application data\loznaaa.tmp
2012-01-25 14:31:35 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2012-01-08 13:50:23 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-25 21:57:19 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35:08 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-16 14:21:44 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21:44 152064 ----a-w- c:\windows\system32\schannel.dll
2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20:51 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23:59 385024 ----a-w- c:\windows\system32\html.iec
2011-11-03 15:28:36 386048 ----a-w- c:\windows\system32\qdvd.dll
2011-11-03 15:28:36 1292288 ----a-w- c:\windows\system32\quartz.dll
2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll
2006-05-03 10:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 11:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 13:30:52 216064 --sh--r- c:\windows\system32\nbDX.dll
.
============= FINISH: 18:20:48.87 ===============


#2 CatByte (bleepin' tiger, Malware Response Team, 14,664 posts, Canada)

Posted 26 January 2012 - 08:50 PM

Hi

Would you post all the logs you have for me in your next post, thanks (TDSSKiller, ComboFix - as many as you have).

Also, please run the following:

  • Please download aswMBR.exe and save it to your desktop.
  • Double click aswMBR.exe to start the tool. (Vista/Windows 7 users - right click to run as administrator)
  • When asked if you want to download Avast's virus definitions please select Yes.
  • Click Scan
  • Upon completion of the scan, click Save log and save it to your desktop, and post that log in your next reply for review. Note - do NOT attempt any Fix yet.
  • You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 KatherineQC (Topic Starter, Members, 10 posts)

Posted 27 January 2012 - 09:45 AM

Thank you. :)

aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-01-27 08:50:53
-----------------------------
08:50:53.593 OS Version: Windows 5.1.2600 Service Pack 3
08:50:53.593 Number of processors: 2 586 0x6B01
08:50:53.593 ComputerName: OFFLINE UserName: USER
08:51:43.312 Initialize success
08:56:30.437 AVAST engine defs: 12012700
09:11:07.031 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
09:11:07.109 Disk 0 Vendor: WDC_WD800JD-75MSA3 10.01E04 Size: 76293MB BusType: 3
09:11:07.140 Disk 0 MBR read successfully
09:11:07.140 Disk 0 MBR scan
09:11:09.781 Disk 0 Windows XP default MBR code
09:11:09.796 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 76285 MB offset 63
09:11:12.046 Disk 0 scanning sectors +156232125
09:11:13.265 Disk 0 scanning C:\WINDOWS\system32\drivers
09:12:04.968 Service scanning
09:12:10.609 Modules scanning
09:12:22.468 Disk 0 trace - called modules:
09:12:22.484 ntkrnlpa.exe CLASSPNP.SYS disk.sys PCTCore.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
09:12:22.484 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x84a75030]
09:12:22.656 3 CLASSPNP.SYS[f74c7fd7] -> nt!IofCallDriver -> [0x84a64648]
09:12:22.656 5 PCTCore.sys[f728d88f] -> nt!IofCallDriver -> \Device\00000066[0x84b36f18]
09:12:22.656 7 ACPI.sys[f733e620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x84b91d98]
09:12:23.796 AVAST engine scan C:\WINDOWS
09:12:26.312 File: C:\WINDOWS\explorer.exe **INFECTED** Win32:Patched-AET [Trj]
09:12:52.468 AVAST engine scan C:\WINDOWS\system32
09:15:31.906 File: C:\WINDOWS\system32\svchost.exe **INFECTED** Win32:Patched-AET [Trj]
09:15:48.984 File: C:\WINDOWS\system32\winlogon.exe **INFECTED** Win32:Patched-AET [Trj]
09:16:48.921 AVAST engine scan C:\WINDOWS\system32\drivers
09:17:05.093 AVAST engine scan C:\Documents and Settings\USER
09:19:31.468 File: C:\Documents and Settings\USER\Application Data\Sun\Java\Deployment\cache\6.0\47\5709cb6f-12836f10 **INFECTED** Win32:Alureon-APS [Trj]
09:26:56.156 AVAST engine scan C:\Documents and Settings\All Users
09:27:43.890 Scan finished successfully
09:38:00.328 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\USER\Desktop\MBR.dat"
09:38:00.468 The log file has been saved successfully to "C:\Documents and Settings\USER\Desktop\aswMBR.txt"


#4 CatByte (bleepin' tiger, Malware Response Team, 14,664 posts, Canada)

Posted 27 January 2012 - 11:20 AM

Hi

Please re-run ComboFix > allow it to update if it asks to do so > post the resulting log

(remember to disable your security programs)

Please post the resulting log.

NEXT


Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewallsfc
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.



#5 KatherineQC (Topic Starter, Members, 10 posts)

Posted 27 January 2012 - 12:10 PM

ComboFix 12-01-27.01 - USER 01/27/2012 12:04:07.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.89 [GMT -5:00]
Running from: c:\documents and settings\USER\Desktop\ComboFix.exe
AV: Spyware Doctor with AntiVirus *Disabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
FW: COMODO Firewall Pro *Disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\gdhoaaa.tmp
c:\documents and settings\All Users\Application Data\hdhoaaa.tmp
c:\documents and settings\All Users\Application Data\idhoaaa.tmp
c:\documents and settings\All Users\Application Data\jdhoaaa.tmp
.
Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe
.
Infected copy of c:\windows\system32\svchost.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\svchost.exe
.
c:\windows\explorer.exe . . . is infected!!
.
.
((((((((((((((((((((((((( Files Created from 2011-12-27 to 2012-01-27 )))))))))))))))))))))))))))))))
.
.
2012-01-27 17:22 . 2012-01-27 17:22 1409 ----a-w- c:\windows\QTFont.for
2012-01-25 20:11 . 2012-01-25 20:19 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2012-01-25 20:11 . 2012-01-25 20:11 -------- d-----w- c:\documents and settings\USER\Application Data\PC Tools
2012-01-25 20:09 . 2012-01-25 20:10 -------- d-----w- c:\documents and settings\USER\Application Data\GetRightToGo
2012-01-25 16:03 . 2012-01-25 16:03 51328 ----a-w- c:\windows\system32\drivers\inspect.sys
2012-01-25 16:03 . 2012-01-25 16:03 75520 ----a-w- c:\windows\system32\drivers\cmdmon.sys
2012-01-25 14:38 . 2012-01-25 14:38 -------- d-----w- c:\program files\ESET
2012-01-25 00:25 . 2012-01-25 00:25 -------- d-----w- c:\program files\Microsoft ActiveSync
2012-01-24 20:46 . 2012-01-24 20:46 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
2012-01-11 21:03 . 2012-01-11 21:03 -------- d-----w- c:\documents and settings\USER\Local Settings\Application Data\Help
2012-01-08 19:10 . 2012-01-08 19:10 -------- d-----w- c:\documents and settings\USER\Local Settings\Application Data\Alexander_Nikiforov
2012-01-08 19:10 . 2012-01-08 19:10 -------- d-----w- c:\documents and settings\USER\Application Data\MP3SkypeRecorder
2012-01-08 19:09 . 2012-01-08 19:10 -------- d-----w- c:\program files\MP3 Skype Recorder
2012-01-07 17:17 . 2012-01-07 17:17 574264 ----a-w- c:\program files\Mozilla Firefox\plugins\WebEx\1224\atgpcext.dll
2012-01-07 17:17 . 2012-01-07 17:17 113976 ----a-w- c:\program files\Mozilla Firefox\plugins\WebEx\1224\atgpcdec.dll
2012-01-03 13:22 . 2012-01-03 13:22 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2012-01-03 13:22 . 2012-01-03 13:22 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2012-01-01 17:45 . 2012-01-01 17:45 244736 ----a-w- c:\program files\Mozilla Firefox\plugins\WebEx\500\WebexStm\StreamingMedia.dll
2012-01-01 02:09 . 2012-01-01 02:09 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
2012-01-01 02:09 . 2012-01-01 02:09 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
2012-01-01 02:09 . 2012-01-01 02:09 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
2012-01-01 02:09 . 2012-01-01 02:09 43992 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-25 14:31 . 2004-08-04 10:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2012-01-08 13:50 . 2011-12-16 17:39 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-25 21:57 . 2004-08-04 10:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2004-08-04 10:00 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2004-08-04 10:00 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-16 14:21 . 2004-08-04 10:00 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21 . 2004-08-04 10:00 152064 ----a-w- c:\windows\system32\schannel.dll
2011-11-04 19:20 . 2006-03-04 03:33 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2004-08-04 10:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2004-08-04 10:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2004-08-04 10:00 385024 ----a-w- c:\windows\system32\html.iec
2011-11-03 15:28 . 2004-08-04 10:00 386048 ----a-w- c:\windows\system32\qdvd.dll
2011-11-03 15:28 . 2004-08-04 10:00 1292288 ----a-w- c:\windows\system32\quartz.dll
2011-11-01 16:07 . 2004-08-04 10:00 1288704 ----a-w- c:\windows\system32\ole32.dll
2012-01-01 17:45 . 2012-01-01 17:45 302904 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
2012-01-01 02:09 . 2011-12-18 02:36 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2006-05-03 10:06 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 11:47 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 13:30 216064 --sh--r- c:\windows\system32\nbDX.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\winlogon.exe
[-] 2008-04-14 . 1BFF879A92D2C4CB6605EEF54DDA3438 . 545280 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
.
[7] 2008-04-14 . 27C6D03BCDB8CFEB96B716F3D8BE3E18 . 14336 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\svchost.exe
[-] 2008-04-14 . AF42C56D9426626107DB30A50EB923C8 . 39936 . . [5.1.2600.5512] . . c:\windows\system32\svchost.exe
.
[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
[-] 2008-04-14 . A435B2C1EEAE3953D633730FD5E27C30 . 1058816 . . [6.00.2900.5512] . . c:\windows\explorer.exe
.
((((((((((((((((((((((((((((( SnapShot@2012-01-25_21.56.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-01-27 13:27 . 2012-01-27 13:27 16384 c:\windows\Temp\Perflib_Perfdata_72c.dat
+ 2012-01-27 17:20 . 2012-01-27 17:20 16384 c:\windows\Temp\Perflib_Perfdata_170.dat
+ 2012-01-25 22:53 . 2012-01-27 17:18 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-05-16 01:04 . 2012-01-25 21:49 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-05-16 01:04 . 2012-01-27 17:18 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-05-16 01:04 . 2012-01-25 21:49 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2012-01-25 22:53 . 2012-01-27 17:18 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2007-05-16 01:04 . 2012-01-25 21:49 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IE Privacy Keeper"="c:\program files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe" [2005-12-03 1015808]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2007-07-17 868352]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-23 7630848]
"CTCheck"="c:\program files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe" [2007-11-06 397312]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
COMODO Firewall Pro.lnk - c:\program files\Comodo\Firewall\cpf.exe [2007-5-15 1115728]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Orbit.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Orbit.lnk
backup=c:\windows\pss\Orbit.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
2008-04-23 07:08 483328 ----a-w- c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Version Cue CS2]
2005-04-04 22:58 856064 ----a-w- c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BOC-423]
2007-04-20 07:28 343280 ----a-w- c:\progra~1\Comodo\CBOClean\BOC423.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COMODO Firewall Pro]
2007-05-16 01:43 1115728 ----a-w- c:\program files\Comodo\Firewall\cpf.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
2007-04-03 22:29 165784 ----a-w- c:\program files\DAEMON Tools\daemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 19:40 155648 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-08-23 15:12 7630848 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2006-08-23 15:12 86016 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2006-08-23 15:12 1617920 ----a-w- c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2006-07-27 18:19 282624 ----a-w- c:\windows\stsystra.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\BinaryMark\\Streaming Video Downloader\\VDownloader.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Disabled:ActiveSync Service
.
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [1/25/2012 3:11 PM 207280]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [1/25/2012 3:19 PM 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [1/25/2012 3:19 PM 59664]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [1/25/2012 3:11 PM 233136]
R2 BOCore;BOCore;c:\program files\Comodo\CBOClean\BOCore.exe [5/15/2007 10:39 PM 76528]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [1/25/2012 3:11 PM 365280]
S2 hpdj00;hpdj00;c:\docume~1\USER\LOCALS~1\Temp\hpdj00.exe -servicerunning=true -uninstall=HP Officejet 7200 series -product=aio --> c:\docume~1\USER\LOCALS~1\Temp\hpdj00.exe -servicerunning=true -uninstall=HP Officejet 7200 series -product=aio [?]
S2 hpdj01;hpdj01;c:\docume~1\USER\LOCALS~1\Temp\hpdj01.exe -servicerunning=true -uninstall=hp officejet 4200 series -product=aio --> c:\docume~1\USER\LOCALS~1\Temp\hpdj01.exe -servicerunning=true -uninstall=hp officejet 4200 series -product=aio [?]
S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [1/25/2012 3:11 PM 70408]
S3 PTDMBus;PANTECH USB Modem Composite Device Driver ;c:\windows\system32\DRIVERS\PTDMBus.sys --> c:\windows\system32\DRIVERS\PTDMBus.sys [?]
S3 PTDMMdm;PANTECH USB Modem Drivers ;c:\windows\system32\DRIVERS\PTDMMdm.sys --> c:\windows\system32\DRIVERS\PTDMMdm.sys [?]
S3 PTDMVsp;PANTECH USB Modem Serial Port ;c:\windows\system32\DRIVERS\PTDMVsp.sys --> c:\windows\system32\DRIVERS\PTDMVsp.sys [?]
S3 PTDMWWAN;PANTECH USB Modem WWAN Driver;c:\windows\system32\DRIVERS\PTDMWWAN.sys --> c:\windows\system32\DRIVERS\PTDMWWAN.sys [?]
S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [1/25/2012 3:19 PM 33552]
S3 ThreatFire;ThreatFire;c:\program files\Spyware Doctor\TFEngine\TFService.exe service --> c:\program files\Spyware Doctor\TFEngine\TFService.exe service [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://keepvid.com/
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
TCP: DhcpNameServer = 192.168.15.1
FF - ProfilePath - c:\documents and settings\USER\Application Data\Mozilla\Firefox\Profiles\h9vtuv81.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.scroogle.org/cgi-bin/scraper.htm
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
.
------- File Associations -------
.
txtfile=c:\windows\NOTEPAD.EXE %1
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-20461581.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-27 12:22
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-842925246-1801674531-2122932382-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(804)
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
.
- - - - - - - > 'explorer.exe'(2972)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Comodo\Firewall\cmdagent.exe
c:\windows\system32\CTsvcCDA.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2012-01-27 12:28:32 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-27 17:28
ComboFix2.txt 2012-01-25 22:05
.
Pre-Run: 9,041,186,816 bytes free
Post-Run: 9,132,441,600 bytes free
.
- - End Of File - - 8019C311E388B4DC73E00DA692F1DADF

Farbar Service Scanner Version: 18-01-2012 01
Ran by USER (administrator) on 27-01-2012 at 12:29:20
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
===========

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe
[2004-08-04 05:00] - [2008-04-13 19:12] - 0039936 ____A (Microsoft Corporation) AF42C56D9426626107DB30A50EB923C8

C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(3) IPSec(5) NetBT(6) pctgntdi(9) PSched(7) Tcpip(4) Tcpip6(8)
0x0A00000005000000010000000200000003000000040000000800000009000000020000100600000007000000
IpSec Tag value is correct.

**** End of log ****

#6 KatherineQC

KatherineQC
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:09:01 AM

Posted 27 January 2012 - 12:11 PM

Farbar Service Scanner Version: 18-01-2012 01
Ran by USER (administrator) on 27-01-2012 at 12:29:20
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
===========

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe
[2004-08-04 05:00] - [2008-04-13 19:12] - 0039936 ____A (Microsoft Corporation) AF42C56D9426626107DB30A50EB923C8

C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(3) IPSec(5) NetBT(6) pctgntdi(9) PSched(7) Tcpip(4) Tcpip6(8)
0x0A00000005000000010000000200000003000000040000000800000009000000020000100600000007000000
IpSec Tag value is correct.

**** End of log ****
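The "Extra List" section at the end of the Farbar Service Scanner log above (posted twice, in #5 and #6) is the part of the log that speaks to the "TCP/IP stack" concern in the thread title: a list of service names with their Tag values, a hex blob, and the verdict "IpSec Tag value is correct". The following is an added example, not FSS code and not part of the thread, showing how to read that section. It assumes (and this is an assumption, since the page does not say so) that the blob is a GroupOrderList-style REG_BINARY value: one little-endian DWORD count followed by that many little-endian DWORD service tags in load order. The two sample lines are copied from the log above; the function names are my own.

```python
"""Decode the 'Extra List' section of a Farbar Service Scanner (FSS) log.

Added example; not part of FSS or of the forum thread.  Assumption: the hex
blob is a GroupOrderList-style value (DWORD count, then `count` DWORD tags,
all little-endian) and the 'Name(tag)' tokens give each service's Tag value.
"""
import re
import struct

# Sample input copied from the FSS log posted above.
EXTRA_LIST_LINE = "Gpc(3) IPSec(5) NetBT(6) pctgntdi(9) PSched(7) Tcpip(4) Tcpip6(8)"
GROUP_ORDER_HEX = ("0x0A00000005000000010000000200000003000000040000000800000009000000"
                   "020000100600000007000000")


def parse_extra_list(line):
    """'Gpc(3) IPSec(5) ...' -> {'Gpc': 3, 'IPSec': 5, ...}."""
    return {name: int(tag) for name, tag in re.findall(r"(\w+)\((\d+)\)", line)}


def decode_group_order(hex_blob):
    """Return the ordered list of tag values encoded in the blob.

    Raises ValueError when the blob is not a whole number of DWORDs or when
    the leading count disagrees with the number of tags present; either is a
    sign of a damaged or hand-edited value rather than a parse quirk.
    """
    digits = hex_blob[2:] if hex_blob.lower().startswith("0x") else hex_blob
    raw = bytes.fromhex(digits)
    if len(raw) < 4 or len(raw) % 4:
        raise ValueError("blob is not a whole number of DWORDs")
    count = struct.unpack_from("<I", raw, 0)[0]
    tags = list(struct.unpack_from("<%dI" % ((len(raw) - 4) // 4), raw, 4))
    if count != len(tags):
        raise ValueError("count %d does not match %d tags present" % (count, len(tags)))
    return tags


def is_consistent(hex_blob):
    """True if the blob decodes cleanly (count matches the tags present)."""
    try:
        decode_group_order(hex_blob)
        return True
    except ValueError:
        return False


def load_order(tags_by_name, order):
    """Map each tag in load order back to a service name, or a placeholder
    for tags that the Extra List line does not name."""
    names_by_tag = {tag: name for name, tag in tags_by_name.items()}
    return [names_by_tag.get(tag, "unknown(0x%X)" % tag) for tag in order]


def ipsec_position(tags_by_name, order):
    """1-based position of the IPSec service in the load order, or None if
    its tag is absent from the order (the condition a defender wants flagged)."""
    tag = tags_by_name.get("IPSec")
    return order.index(tag) + 1 if tag in order else None


if __name__ == "__main__":
    tags = parse_extra_list(EXTRA_LIST_LINE)
    order = decode_group_order(GROUP_ORDER_HEX)
    for position, name in enumerate(load_order(tags, order), start=1):
        print("%2d  %s" % (position, name))
    print("IPSec loads at position", ipsec_position(tags, order))
```

On the log above this yields IPSec first, then two tags the Extra List does not name, then Gpc, Tcpip, Tcpip6, pctgntdi (the PC Tools driver), an unnamed tag, NetBT and PSched. A blob whose count disagrees with its contents, or an order in which IPSec's tag no longer appears, is what to escalate on; a clean decode like this one is consistent with the "IpSec Tag value is correct" verdict FSS printed.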

#7 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:10:01 AM

Posted 27 January 2012 - 12:26 PM

Hi,

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

FCopy::
c:\windows\ServicePackFiles\i386\winlogon.exe | c:\windows\system32\winlogon.exe
c:\windows\ServicePackFiles\i386\svchost.exe | c:\windows\system32\svchost.exe
c:\windows\ServicePackFiles\i386\explorer.exe | c:\windows\explorer.exe

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop; save it as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
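The FCopy:: section of the CFScript above tells ComboFix to overwrite three system binaries with the copies Windows keeps under ServicePackFiles\i386. Before restoring, a defender usually wants to know which of those targets actually differ from their backup. The following is an added example, not ComboFix code and not part of this thread: it parses the FCopy:: pairs from the script text (copied from the post above) and compares each pair by MD5. The demo builds a temporary directory tree with constructed contents instead of touching a real Windows installation; the directory layout and the three file names are taken from the script, and the function names are my own.

```python
"""Compare system binaries against their Service Pack backup copies, the
files the CFScript's FCopy:: section restores.

Added example; not part of ComboFix or of the forum thread.  The demo uses a
constructed temporary tree, not a live Windows directory.
"""
import hashlib
import os
import shutil
import tempfile

# CFScript text copied from the post above.
CFSCRIPT_TEXT = r"""FCopy::
c:\windows\ServicePackFiles\i386\winlogon.exe | c:\windows\system32\winlogon.exe
c:\windows\ServicePackFiles\i386\svchost.exe | c:\windows\system32\svchost.exe
c:\windows\ServicePackFiles\i386\explorer.exe | c:\windows\explorer.exe

ClearJavaCache::
"""

# The same three pairs, spelled out for reference.
FCOPY_PAIRS = [
    (r"c:\windows\ServicePackFiles\i386\winlogon.exe", r"c:\windows\system32\winlogon.exe"),
    (r"c:\windows\ServicePackFiles\i386\svchost.exe", r"c:\windows\system32\svchost.exe"),
    (r"c:\windows\ServicePackFiles\i386\explorer.exe", r"c:\windows\explorer.exe"),
]


def parse_fcopy(script_text):
    """Extract (source, destination) pairs from the FCopy:: section only."""
    pairs, active = [], False
    for line in script_text.splitlines():
        line = line.strip()
        if line.endswith("::"):          # a section header such as FCopy:: or ClearJavaCache::
            active = (line == "FCopy::")
            continue
        if active and "|" in line:
            src, dst = (part.strip() for part in line.split("|", 1))
            pairs.append((src, dst))
    return pairs


def file_md5(path):
    """Upper-case hex MD5 of a file, read in chunks."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest().upper()


def compare_pairs(pairs):
    """Return {destination: status}, status being 'match', 'MISMATCH', or
    'missing' when either the backup or the target file is absent."""
    results = {}
    for src, dst in pairs:
        if not (os.path.isfile(src) and os.path.isfile(dst)):
            results[dst] = "missing"
        elif file_md5(src) == file_md5(dst):
            results[dst] = "match"
        else:
            results[dst] = "MISMATCH"
    return results


def demo():
    """Constructed tree: one intact target, one altered target, one absent
    backup.  Returns {basename: status}."""
    root = tempfile.mkdtemp()
    try:
        backup = os.path.join(root, "ServicePackFiles", "i386")
        live = os.path.join(root, "system32")
        os.makedirs(backup)
        os.makedirs(live)
        clean = b"MZ constructed clean binary body"
        for name in ("winlogon.exe", "svchost.exe"):
            with open(os.path.join(backup, name), "wb") as handle:
                handle.write(clean)
        with open(os.path.join(live, "winlogon.exe"), "wb") as handle:
            handle.write(clean)                       # identical to its backup
        with open(os.path.join(live, "svchost.exe"), "wb") as handle:
            handle.write(clean + b"\x90" * 64)        # constructed: body differs from backup
        pairs = [(os.path.join(backup, name), os.path.join(live, name))
                 for name in ("winlogon.exe", "svchost.exe", "explorer.exe")]
        return {os.path.basename(dst): status for dst, status in compare_pairs(pairs).items()}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for dst, status in demo().items():
        print("%-14s %s" % (dst, status))
```

A mismatch is a reason to look closer, not proof of infection on its own: post-Service-Pack updates legitimately replace files in system32 with newer builds than the ServicePackFiles copy, which is why FSS's File Check above compares against known-good hashes rather than against the backup. Conversely, the FSS line for svchost.exe in this thread carries no "MD5 is legit" verdict, and it is exactly that file which the script restores.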


#8 KatherineQC

KatherineQC
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:09:01 AM

Posted 27 January 2012 - 01:27 PM

ComboFix 12-01-27.01 - USER 01/27/2012 13:19:00.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.214 [GMT -5:00]
Running from: c:\documents and settings\USER\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\USER\Desktop\CFScript.txt
AV: Spyware Doctor with AntiVirus *Disabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
FW: COMODO Firewall Pro *Disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\USER\LOCALS~1\Temp\win2.tmp
c:\docume~1\USER\LOCALS~1\Temp\win4.tmp
c:\documents and settings\USER\Local Settings\Temp\win2.tmp
c:\documents and settings\USER\Local Settings\Temp\win4.tmp
c:\windows\expl.dat
c:\windows\system32\svch.dat
c:\windows\system32\winl.dat
.
.
--------------- FCopy ---------------
.
c:\windows\ServicePackFiles\i386\winlogon.exe --> c:\windows\system32\winlogon.exe
c:\windows\ServicePackFiles\i386\svchost.exe --> c:\windows\system32\svchost.exe
c:\windows\ServicePackFiles\i386\explorer.exe --> c:\windows\explorer.exe
.
((((((((((((((((((((((((( Files Created from 2011-12-27 to 2012-01-27 )))))))))))))))))))))))))))))))
.
.
2012-01-25 20:11 . 2012-01-25 20:19 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2012-01-25 20:11 . 2012-01-25 20:11 -------- d-----w- c:\documents and settings\USER\Application Data\PC Tools
2012-01-25 20:09 . 2012-01-25 20:10 -------- d-----w- c:\documents and settings\USER\Application Data\GetRightToGo
2012-01-25 16:03 . 2012-01-25 16:03 51328 ----a-w- c:\windows\system32\drivers\inspect.sys
2012-01-25 16:03 . 2012-01-25 16:03 75520 ----a-w- c:\windows\system32\drivers\cmdmon.sys
2012-01-25 14:38 . 2012-01-25 14:38 -------- d-----w- c:\program files\ESET
2012-01-25 00:25 . 2012-01-25 00:25 -------- d-----w- c:\program files\Microsoft ActiveSync
2012-01-24 20:46 . 2012-01-24 20:46 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
2012-01-11 21:03 . 2012-01-11 21:03 -------- d-----w- c:\documents and settings\USER\Local Settings\Application Data\Help
2012-01-08 19:10 . 2012-01-08 19:10 -------- d-----w- c:\documents and settings\USER\Local Settings\Application Data\Alexander_Nikiforov
2012-01-08 19:10 . 2012-01-08 19:10 -------- d-----w- c:\documents and settings\USER\Application Data\MP3SkypeRecorder
2012-01-08 19:09 . 2012-01-08 19:10 -------- d-----w- c:\program files\MP3 Skype Recorder
2012-01-07 17:17 . 2012-01-07 17:17 574264 ----a-w- c:\program files\Mozilla Firefox\plugins\WebEx\1224\atgpcext.dll
2012-01-07 17:17 . 2012-01-07 17:17 113976 ----a-w- c:\program files\Mozilla Firefox\plugins\WebEx\1224\atgpcdec.dll
2012-01-03 13:22 . 2012-01-03 13:22 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2012-01-03 13:22 . 2012-01-03 13:22 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2012-01-01 17:45 . 2012-01-01 17:45 244736 ----a-w- c:\program files\Mozilla Firefox\plugins\WebEx\500\WebexStm\StreamingMedia.dll
2012-01-01 02:09 . 2012-01-01 02:09 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
2012-01-01 02:09 . 2012-01-01 02:09 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
2012-01-01 02:09 . 2012-01-01 02:09 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
2012-01-01 02:09 . 2012-01-01 02:09 43992 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-25 14:31 . 2004-08-04 10:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2012-01-08 13:50 . 2011-12-16 17:39 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-25 21:57 . 2004-08-04 10:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2004-08-04 10:00 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2004-08-04 10:00 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-16 14:21 . 2004-08-04 10:00 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21 . 2004-08-04 10:00 152064 ----a-w- c:\windows\system32\schannel.dll
2011-11-04 19:20 . 2006-03-04 03:33 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2004-08-04 10:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2004-08-04 10:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2004-08-04 10:00 385024 ----a-w- c:\windows\system32\html.iec
2011-11-03 15:28 . 2004-08-04 10:00 386048 ----a-w- c:\windows\system32\qdvd.dll
2011-11-03 15:28 . 2004-08-04 10:00 1292288 ----a-w- c:\windows\system32\quartz.dll
2011-11-01 16:07 . 2004-08-04 10:00 1288704 ----a-w- c:\windows\system32\ole32.dll
2012-01-01 17:45 . 2012-01-01 17:45 302904 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
2012-01-01 02:09 . 2011-12-18 02:36 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2006-05-03 10:06 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 11:47 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 13:30 216064 --sh--r- c:\windows\system32\nbDX.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-01-25_21.56.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-01-27 17:20 . 2012-01-27 17:20 16384 c:\windows\Temp\Perflib_Perfdata_170.dat
+ 2004-08-04 10:00 . 2008-04-14 00:12 14336 c:\windows\system32\dllcache\svchost.exe
+ 2007-05-16 01:04 . 2012-01-27 17:18 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-05-16 01:04 . 2012-01-25 21:49 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2004-08-04 10:00 . 2008-04-14 00:12 507904 c:\windows\system32\dllcache\winlogon.exe
+ 2004-08-04 10:00 . 2008-04-14 00:12 1033728 c:\windows\system32\dllcache\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IE Privacy Keeper"="c:\program files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe" [2005-12-03 1015808]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2007-07-17 868352]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-23 7630848]
"CTCheck"="c:\program files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe" [2007-11-06 397312]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
COMODO Firewall Pro.lnk - c:\program files\Comodo\Firewall\cpf.exe [2007-5-15 1115728]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Orbit.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Orbit.lnk
backup=c:\windows\pss\Orbit.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
2008-04-23 07:08 483328 ----a-w- c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Version Cue CS2]
2005-04-04 22:58 856064 ----a-w- c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BOC-423]
2007-04-20 07:28 343280 ----a-w- c:\progra~1\Comodo\CBOClean\BOC423.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COMODO Firewall Pro]
2007-05-16 01:43 1115728 ----a-w- c:\program files\Comodo\Firewall\cpf.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
2007-04-03 22:29 165784 ----a-w- c:\program files\DAEMON Tools\daemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 19:40 155648 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-08-23 15:12 7630848 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2006-08-23 15:12 86016 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2006-08-23 15:12 1617920 ----a-w- c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2006-07-27 18:19 282624 ----a-w- c:\windows\stsystra.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\BinaryMark\\Streaming Video Downloader\\VDownloader.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Disabled:ActiveSync Service
.
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [1/25/2012 3:11 PM 207280]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [1/25/2012 3:19 PM 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [1/25/2012 3:19 PM 59664]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [1/25/2012 3:11 PM 233136]
R2 BOCore;BOCore;c:\program files\Comodo\CBOClean\BOCore.exe [5/15/2007 10:39 PM 76528]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [1/25/2012 3:11 PM 365280]
S2 hpdj00;hpdj00;c:\docume~1\USER\LOCALS~1\Temp\hpdj00.exe -servicerunning=true -uninstall=HP Officejet 7200 series -product=aio --> c:\docume~1\USER\LOCALS~1\Temp\hpdj00.exe -servicerunning=true -uninstall=HP Officejet 7200 series -product=aio [?]
S2 hpdj01;hpdj01;c:\docume~1\USER\LOCALS~1\Temp\hpdj01.exe -servicerunning=true -uninstall=hp officejet 4200 series -product=aio --> c:\docume~1\USER\LOCALS~1\Temp\hpdj01.exe -servicerunning=true -uninstall=hp officejet 4200 series -product=aio [?]
S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [1/25/2012 3:11 PM 70408]
S3 PTDMBus;PANTECH USB Modem Composite Device Driver ;c:\windows\system32\DRIVERS\PTDMBus.sys --> c:\windows\system32\DRIVERS\PTDMBus.sys [?]
S3 PTDMMdm;PANTECH USB Modem Drivers ;c:\windows\system32\DRIVERS\PTDMMdm.sys --> c:\windows\system32\DRIVERS\PTDMMdm.sys [?]
S3 PTDMVsp;PANTECH USB Modem Serial Port ;c:\windows\system32\DRIVERS\PTDMVsp.sys --> c:\windows\system32\DRIVERS\PTDMVsp.sys [?]
S3 PTDMWWAN;PANTECH USB Modem WWAN Driver;c:\windows\system32\DRIVERS\PTDMWWAN.sys --> c:\windows\system32\DRIVERS\PTDMWWAN.sys [?]
S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [1/25/2012 3:19 PM 33552]
S3 ThreatFire;ThreatFire;c:\program files\Spyware Doctor\TFEngine\TFService.exe service --> c:\program files\Spyware Doctor\TFEngine\TFService.exe service [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://keepvid.com/
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
TCP: DhcpNameServer = 192.168.15.1
FF - ProfilePath - c:\documents and settings\USER\Application Data\Mozilla\Firefox\Profiles\h9vtuv81.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.scroogle.org/cgi-bin/scraper.htm
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-27 13:31
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-842925246-1801674531-2122932382-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(804)
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
.
Completion time: 2012-01-27 13:35:04
ComboFix-quarantined-files.txt 2012-01-27 18:35
ComboFix2.txt 2012-01-27 17:28
ComboFix3.txt 2012-01-25 22:05
.
Pre-Run: 9,142,878,208 bytes free
Post-Run: 9,139,359,744 bytes free
.
- - End Of File - - 0321F1361C4206D3C86C4AECEBA7C43F

#9 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:10:01 AM

Posted 27 January 2012 - 01:38 PM

That looks better

Please run the following:

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish



#10 KatherineQC

KatherineQC
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:09:01 AM

Posted 27 January 2012 - 02:43 PM

Hopefully this works. Trying to insert an image of the error I got when I tried to update MalwareBytes AntiMalware.

I thought we made it so far; I did not want to start guessing. What to do? Download new and install?

Thank you.

Posted Image

Edited by KatherineQC, 27 January 2012 - 02:44 PM.


#11 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:10:01 AM

Posted 27 January 2012 - 02:56 PM

Hi,

That means your version is out of date and can't connect to the update servers.

please do the following:

  • Uninstall Malwarebytes' Anti-Malware using Add/Remove programs in the control panel.
  • Restart your computer (very important).
  • Download and run this utility.
  • It will ask to restart your computer (please allow it to).
  • After the computer restarts, install the latest version from here.



#12 KatherineQC

KatherineQC
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:09:01 AM

Posted 27 January 2012 - 05:44 PM

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.27.05

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
USER :: OFFLINE [administrator]

1/27/2012 4:09:03 PM
mbam-log-2012-01-27 (16-09-03).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 186853
Time elapsed: 6 minute(s), 50 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

#13 KatherineQC

KatherineQC
  • Topic Starter

  • Members
  • 10 posts

Posted 27 January 2012 - 05:46 PM

C:\Documents and Settings\USER\My Documents\Setups\OrbitDownloaderSetup.exe Win32/OpenCandy application
C:\Documents and Settings\USER\My Documents\Setups\OrbitDownloaderSetup3005.exe Win32/OpenCandy application
C:\Documents and Settings\USER\My Documents\Setups\OrbitSetup4.0.10.exe Win32/OpenCandy application
C:\Documents and Settings\USER\My Documents\Setups\OrbitSetup4.0.4.exe Win32/OpenCandy application
C:\Documents and Settings\USER\My Documents\Setups\OrbitSetup4.0.6.exe Win32/OpenCandy application
C:\Documents and Settings\USER\My Documents\Setups\OrbitSetup4.0.7.exe Win32/OpenCandy application
C:\Documents and Settings\USER\My Documents\Setups\OrbitSetup4.0.8.exe Win32/OpenCandy application
C:\Documents and Settings\USER\My Documents\Setups\OrbitSetup4.0.9.exe Win32/OpenCandy application
C:\Documents and Settings\USER\My Documents\Setups\pdfcrackerent.exe a variant of Win32/PSWTool.PdfCracker.A application
C:\Documents and Settings\USER\My Documents\Setups\Clone.DVD.3+KeyGen\Keygen.exe probably a variant of Win32/Agent.DLKGOHX trojan
C:\Program Files\PDF Password Cracker Enterprise v3.0\crackpdf.exe a variant of Win32/PSWTool.PdfCracker.A application
C:\Software\keygen.exe a variant of Win32/Keygen.AO application

#14 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 27 January 2012 - 06:30 PM

Hi,

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

File::
C:\Documents and Settings\USER\My Documents\Setups\OrbitDownloaderSetup.exe 
C:\Documents and Settings\USER\My Documents\Setups\OrbitDownloaderSetup3005.exe 
C:\Documents and Settings\USER\My Documents\Setups\OrbitSetup4.0.10.exe 
C:\Documents and Settings\USER\My Documents\Setups\OrbitSetup4.0.4.exe 
C:\Documents and Settings\USER\My Documents\Setups\OrbitSetup4.0.6.exe 
C:\Documents and Settings\USER\My Documents\Setups\OrbitSetup4.0.7.exe 
C:\Documents and Settings\USER\My Documents\Setups\OrbitSetup4.0.8.exe 
C:\Documents and Settings\USER\My Documents\Setups\OrbitSetup4.0.9.exe 
C:\Documents and Settings\USER\My Documents\Setups\pdfcrackerent.exe 
C:\Documents and Settings\USER\My Documents\Setups\Clone.DVD.3+KeyGen\Keygen.exe 
C:\Program Files\PDF Password Cracker Enterprise v3.0\crackpdf.exe 
C:\Software\keygen.exe 


Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop. Save it as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT


Visit ADOBE and download the latest version of Acrobat Reader (version X)
Having the latest updates ensures there are no security vulnerabilities in your system.

NEXT

Your Java is out of date.
Java™ 6 Update 22 can be updated from the Java control panel Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now.
An update should begin; follow the prompts.


Clear Java cache

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup) If you do not see the icon, look to your left and click 'Switch to Classic View'.
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
    • Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.


NEXT



Please advise how the computer is running now and if there are any outstanding issues.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#15 KatherineQC

KatherineQC
  • Topic Starter

  • Members
  • 10 posts

Posted 27 January 2012 - 09:15 PM

The only things I've noticed... Comodo seems pretty well shot. Still does not work. Right now I only have Windows firewall on. Is that good enough or is it better to have some firewall like ZoneAlarm or something?
Also, is it okay to turn on the spybot doctor or is there some other antivirus you recommend?

The only other thing I notice so far is when I go to My Computer there is a blank icon there.

I did the Adobe and the Java, and changed the Java to update weekly not monthly.



ComboFix 12-01-27.04 - USER 01/27/2012 20:52:56.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.177 [GMT -5:00]
Running from: c:\documents and settings\USER\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\USER\Desktop\CFScript.txt
AV: Spyware Doctor with AntiVirus *Disabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
FW: COMODO Firewall Pro *Disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.
FILE ::
"c:\documents and settings\USER\My Documents\Setups\Clone.DVD.3+KeyGen\Keygen.exe"
"c:\documents and settings\USER\My Documents\Setups\OrbitDownloaderSetup.exe"
"c:\documents and settings\USER\My Documents\Setups\OrbitDownloaderSetup3005.exe"
"c:\documents and settings\USER\My Documents\Setups\OrbitSetup4.0.10.exe"
"c:\documents and settings\USER\My Documents\Setups\OrbitSetup4.0.4.exe"
"c:\documents and settings\USER\My Documents\Setups\OrbitSetup4.0.6.exe"
"c:\documents and settings\USER\My Documents\Setups\OrbitSetup4.0.7.exe"
"c:\documents and settings\USER\My Documents\Setups\OrbitSetup4.0.8.exe"
"c:\documents and settings\USER\My Documents\Setups\OrbitSetup4.0.9.exe"
"c:\documents and settings\USER\My Documents\Setups\pdfcrackerent.exe"
"c:\program files\PDF Password Cracker Enterprise v3.0\crackpdf.exe"
"c:\software\keygen.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\USER\My Documents\Setups\Clone.DVD.3+KeyGen\Keygen.exe
c:\documents and settings\USER\My Documents\Setups\OrbitDownloaderSetup.exe
c:\documents and settings\USER\My Documents\Setups\OrbitDownloaderSetup3005.exe
c:\documents and settings\USER\My Documents\Setups\OrbitSetup4.0.10.exe
c:\documents and settings\USER\My Documents\Setups\OrbitSetup4.0.4.exe
c:\documents and settings\USER\My Documents\Setups\OrbitSetup4.0.6.exe
c:\documents and settings\USER\My Documents\Setups\OrbitSetup4.0.7.exe
c:\documents and settings\USER\My Documents\Setups\OrbitSetup4.0.8.exe
c:\documents and settings\USER\My Documents\Setups\OrbitSetup4.0.9.exe
c:\documents and settings\USER\My Documents\Setups\pdfcrackerent.exe
c:\program files\PDF Password Cracker Enterprise v3.0\crackpdf.exe
c:\software\keygen.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-12-28 to 2012-01-28 )))))))))))))))))))))))))))))))
.
.
2012-01-27 21:07 . 2012-01-27 21:07 -------- d-----w- c:\documents and settings\USER\Application Data\Malwarebytes
2012-01-27 21:07 . 2012-01-27 21:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-01-27 21:07 . 2012-01-27 21:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-27 21:07 . 2011-12-10 20:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-25 20:11 . 2012-01-25 20:19 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2012-01-25 20:11 . 2012-01-25 20:11 -------- d-----w- c:\documents and settings\USER\Application Data\PC Tools
2012-01-25 20:09 . 2012-01-25 20:10 -------- d-----w- c:\documents and settings\USER\Application Data\GetRightToGo
2012-01-25 16:03 . 2012-01-25 16:03 51328 ----a-w- c:\windows\system32\drivers\inspect.sys
2012-01-25 16:03 . 2012-01-25 16:03 75520 ----a-w- c:\windows\system32\drivers\cmdmon.sys
2012-01-25 14:38 . 2012-01-25 14:38 -------- d-----w- c:\program files\ESET
2012-01-25 00:25 . 2012-01-25 00:25 -------- d-----w- c:\program files\Microsoft ActiveSync
2012-01-24 20:46 . 2012-01-24 20:46 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
2012-01-11 21:03 . 2012-01-11 21:03 -------- d-----w- c:\documents and settings\USER\Local Settings\Application Data\Help
2012-01-08 19:10 . 2012-01-08 19:10 -------- d-----w- c:\documents and settings\USER\Local Settings\Application Data\Alexander_Nikiforov
2012-01-08 19:10 . 2012-01-08 19:10 -------- d-----w- c:\documents and settings\USER\Application Data\MP3SkypeRecorder
2012-01-08 19:09 . 2012-01-08 19:10 -------- d-----w- c:\program files\MP3 Skype Recorder
2012-01-07 17:17 . 2012-01-07 17:17 574264 ----a-w- c:\program files\Mozilla Firefox\plugins\WebEx\1224\atgpcext.dll
2012-01-07 17:17 . 2012-01-07 17:17 113976 ----a-w- c:\program files\Mozilla Firefox\plugins\WebEx\1224\atgpcdec.dll
2012-01-03 13:22 . 2012-01-03 13:22 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2012-01-03 13:22 . 2012-01-03 13:22 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2012-01-01 17:45 . 2012-01-01 17:45 244736 ----a-w- c:\program files\Mozilla Firefox\plugins\WebEx\500\WebexStm\StreamingMedia.dll
2012-01-01 02:09 . 2012-01-01 02:09 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
2012-01-01 02:09 . 2012-01-01 02:09 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
2012-01-01 02:09 . 2012-01-01 02:09 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
2012-01-01 02:09 . 2012-01-01 02:09 43992 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-25 14:31 . 2004-08-04 10:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2012-01-08 13:50 . 2011-12-16 17:39 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-25 21:57 . 2004-08-04 10:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2004-08-04 10:00 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2004-08-04 10:00 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-16 14:21 . 2004-08-04 10:00 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21 . 2004-08-04 10:00 152064 ----a-w- c:\windows\system32\schannel.dll
2011-11-04 19:20 . 2006-03-04 03:33 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2004-08-04 10:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2004-08-04 10:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2004-08-04 10:00 385024 ----a-w- c:\windows\system32\html.iec
2011-11-03 15:28 . 2004-08-04 10:00 386048 ----a-w- c:\windows\system32\qdvd.dll
2011-11-03 15:28 . 2004-08-04 10:00 1292288 ----a-w- c:\windows\system32\quartz.dll
2011-11-01 16:07 . 2004-08-04 10:00 1288704 ----a-w- c:\windows\system32\ole32.dll
2012-01-01 17:45 . 2012-01-01 17:45 302904 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
2012-01-01 02:09 . 2011-12-18 02:36 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2006-05-03 10:06 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 11:47 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 13:30 216064 --sh--r- c:\windows\system32\nbDX.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-01-25_21.56.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-01-28 01:39 . 2012-01-28 01:39 16384 c:\windows\Temp\Perflib_Perfdata_754.dat
+ 2004-08-04 10:00 . 2008-04-14 00:12 14336 c:\windows\system32\svchost.exe
+ 2004-08-04 10:00 . 2008-04-14 00:12 14336 c:\windows\system32\dllcache\svchost.exe
+ 2007-05-16 01:04 . 2012-01-27 17:18 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-05-16 01:04 . 2012-01-25 21:49 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2004-08-04 10:00 . 2008-04-14 00:12 507904 c:\windows\system32\winlogon.exe
+ 2004-08-04 10:00 . 2008-04-14 00:12 507904 c:\windows\system32\dllcache\winlogon.exe
+ 2004-08-04 10:00 . 2008-04-14 00:12 1033728 c:\windows\system32\dllcache\explorer.exe
+ 2004-08-04 10:00 . 2008-04-14 00:12 1033728 c:\windows\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IE Privacy Keeper"="c:\program files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe" [2005-12-03 1015808]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2007-07-17 868352]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-23 7630848]
"CTCheck"="c:\program files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe" [2007-11-06 397312]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Orbit.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Orbit.lnk
backup=c:\windows\pss\Orbit.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
2008-04-23 07:08 483328 ----a-w- c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Version Cue CS2]
2005-04-04 22:58 856064 ----a-w- c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BOC-423]
2007-04-20 07:28 343280 ----a-w- c:\progra~1\Comodo\CBOClean\BOC423.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COMODO Firewall Pro]
2007-05-16 01:43 1115728 ----a-w- c:\program files\Comodo\Firewall\cpf.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
2007-04-03 22:29 165784 ----a-w- c:\program files\DAEMON Tools\daemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 19:40 155648 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-08-23 15:12 7630848 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2006-08-23 15:12 86016 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2006-08-23 15:12 1617920 ----a-w- c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2006-07-27 18:19 282624 ----a-w- c:\windows\stsystra.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\BinaryMark\\Streaming Video Downloader\\VDownloader.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Disabled:ActiveSync Service
.
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [1/25/2012 3:11 PM 207280]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [1/25/2012 3:19 PM 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [1/25/2012 3:19 PM 59664]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [1/25/2012 3:11 PM 233136]
R2 BOCore;BOCore;c:\program files\Comodo\CBOClean\BOCore.exe [5/15/2007 10:39 PM 76528]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [1/25/2012 3:11 PM 365280]
S2 hpdj00;hpdj00;c:\docume~1\USER\LOCALS~1\Temp\hpdj00.exe -servicerunning=true -uninstall=HP Officejet 7200 series -product=aio --> c:\docume~1\USER\LOCALS~1\Temp\hpdj00.exe -servicerunning=true -uninstall=HP Officejet 7200 series -product=aio [?]
S2 hpdj01;hpdj01;c:\docume~1\USER\LOCALS~1\Temp\hpdj01.exe -servicerunning=true -uninstall=hp officejet 4200 series -product=aio --> c:\docume~1\USER\LOCALS~1\Temp\hpdj01.exe -servicerunning=true -uninstall=hp officejet 4200 series -product=aio [?]
S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [1/25/2012 3:11 PM 70408]
S3 PTDMBus;PANTECH USB Modem Composite Device Driver ;c:\windows\system32\DRIVERS\PTDMBus.sys --> c:\windows\system32\DRIVERS\PTDMBus.sys [?]
S3 PTDMMdm;PANTECH USB Modem Drivers ;c:\windows\system32\DRIVERS\PTDMMdm.sys --> c:\windows\system32\DRIVERS\PTDMMdm.sys [?]
S3 PTDMVsp;PANTECH USB Modem Serial Port ;c:\windows\system32\DRIVERS\PTDMVsp.sys --> c:\windows\system32\DRIVERS\PTDMVsp.sys [?]
S3 PTDMWWAN;PANTECH USB Modem WWAN Driver;c:\windows\system32\DRIVERS\PTDMWWAN.sys --> c:\windows\system32\DRIVERS\PTDMWWAN.sys [?]
S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [1/25/2012 3:19 PM 33552]
S3 ThreatFire;ThreatFire;c:\program files\Spyware Doctor\TFEngine\TFService.exe service --> c:\program files\Spyware Doctor\TFEngine\TFService.exe service [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://keepvid.com/
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
TCP: DhcpNameServer = 192.168.15.1
FF - ProfilePath - c:\documents and settings\USER\Application Data\Mozilla\Firefox\Profiles\h9vtuv81.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.scroogle.org/cgi-bin/scraper.htm
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-27 21:06
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-842925246-1801674531-2122932382-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(800)
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
.
Completion time: 2012-01-27 21:10:21
ComboFix-quarantined-files.txt 2012-01-28 02:10
ComboFix2.txt 2012-01-27 18:35
ComboFix3.txt 2012-01-27 17:28
ComboFix4.txt 2012-01-25 22:05
.
Pre-Run: 9,173,151,744 bytes free
Post-Run: 9,154,478,080 bytes free
.
- - End Of File - - F8B340510C30DB3CBA09F16F1F2DC56A



