Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Scareware, trojan.ransom, bluescreen during gmer


  • This topic is locked This topic is locked
18 replies to this topic

#1 Jukrul

Jukrul

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:10:27 AM

Posted 06 February 2012 - 07:30 PM

-----------------------------------------------
A Pseudo-Antiviral program was installed onto my computer upon visiting a wallpaper site, I didn't examine it for too long as I wanted to close it as fast as possible however I remember a green shield on my task bar. I opened up task manager (I check my processes daily so I know whats different should a situation like this occur) and saw bnyapb.exe, I ended the process and began a scan with Malwarebytez. I aborted twice before restarting in safe mode and running another full scan with Mbam. It found no files, I then ran a search for bnyapb, a file came out in Local Settings\Application Data and one in prefetch. I scanned the file (in application data) with mbam and sure enough it came up as infected (trojan.ransom).
After the prompted restart I went into Application Data once more. I saw a new file, similar icon with a random jumble of letters again. This time I deleted the prefetches of bny and the new program before scanning and removing with mbam. On the next restart, there was no program within application data, however upon further investigation of my prefetch file, I found other prefetches that did not pertain to most of the common programs I use(all created feb 5th within minutes of eachother), Best.exe, taskkill.exe, vff.exe, ping.exe, nircmdc.rkexe, pev.rkexe, sed.rkexe. (would like to know which belong to rkill)
There are no signs of infection (The scareware doesn't popup on startup and I'm not redirected to any sites as I was with previous rootkit infections), however I don't feel that I've completely fixed the problem. Any assistance would be appreciated! Apologies if my process was useless information.

Update:

Worked on this last night, the computer blue screened after 5 hours of scanning with gmer and again today after gmer was (hopefully) nearly finished. Again around 5 hours of scanning. I'll be running gmer again if its completely necessary but I won't have it in the time of this post, sorry.

Edit Update:

Gmer finished and added
----------------------------------------------

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_20
Run by Clarence Washburn at 23:58:42 on 2012-02-05
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2503 [GMT -5:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\stsystra.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Yahooo Search Protection: {25bc7718-0bfa-40ea-b381-4b2d9732d686} - c:\program files\yahoo!\search protection\ysp.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
BHO: GOM Player + Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn1\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
TB: GOM Player + Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
uRun: [igndlm.exe] c:\program files\download manager\DLM.exe /windowsstart /startifwork
uRun: [Octoshape Streaming Services] "c:\documents and settings\clarence washburn\application data\octoshape\octoshape streaming services\OctoshapeClient.exe" -inv:bootrun
uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {BBF74FB9-ABCD-4678-880A-2511DAABB5E1} - {25BC7718-0BFA-40EA-B381-4B2D9732D686} - c:\program files\yahoo!\search protection\ysp.dll
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 65.32.5.111 65.32.5.112
TCP: Interfaces\{40AC6E7F-AD08-4FC5-AD1C-CE04A51FBEF0} : NameServer = 4.2.2.1,4.2.2.2
TCP: Interfaces\{7A4D3F32-275A-4072-BBA5-C41A3A00841F} : DhcpNameServer = 65.32.5.111 65.32.5.112
TCP: Interfaces\{F1821F5B-3E92-44B8-9572-293D7D7BDBEE} : DhcpNameServer = 65.32.5.111 65.32.5.112
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\clarence washburn\application data\mozilla\firefox\profiles\i3fzga1w.default\
FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/aol/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us&tb_uuid=100000000000000002&tb_oid=05-05-2010&tb_mrud=05-05-2010
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/redirector/sredir?sredir=2706&invocationType=tb50-ff-aim-ab-en-us&tb_uuid=100000000000000002&tb_oid=05-05-2010&tb_mrud=05-05-2010&query=
FF - component: c:\documents and settings\clarence washburn\application data\mozilla\firefox\profiles\i3fzga1w.default\extensions\{942cd1d4-9cc1-4d31-876a-ea8f489f7a59}\components\RadioWMPCoreGecko19.dll
FF - component: c:\documents and settings\clarence washburn\application data\mozilla\firefox\profiles\i3fzga1w.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\components\MailUtil.dll
FF - component: c:\documents and settings\clarence washburn\application data\mozilla\firefox\profiles\i3fzga1w.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\documents and settings\clarence washburn\application data\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\clarence washburn\application data\mozilla\plugins\npoctoshape.dll
FF - plugin: c:\documents and settings\clarence washburn\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\common files\gretech\npgomtvx_nie.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\download manager\npfpdlm.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npijjiautoinstallpluginff.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false
FF - user.js: browser.sessionstore.resume_from_crash - false
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
============= SERVICES / DRIVERS ===============
.
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\McrdSvc.exe [2005-10-20 96256]
S2 AODService;AODService;c:\program files\amd\overdrive\AODAssist.exe [2010-2-22 136544]
S3 athena;athena;c:\windows\system32\drivers\athena.sys --> c:\windows\system32\drivers\athena.sys [?]
S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\eaglexnt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2009-4-6 23064]
S3 XDva190;XDva190;\??\c:\windows\system32\xdva190.sys --> c:\windows\system32\XDva190.sys [?]
S3 XDva387;XDva387;\??\c:\windows\system32\xdva387.sys --> c:\windows\system32\XDva387.sys [?]
S3 XDva388;XDva388;\??\c:\windows\system32\xdva388.sys --> c:\windows\system32\XDva388.sys [?]
S3 XDva389;XDva389;\??\c:\windows\system32\xdva389.sys --> c:\windows\system32\XDva389.sys [?]
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
2011-12-10 20:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-15 03:02:10 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
============= FINISH: 23:59:29.26 ===============


Attached File  attach.txt   34.03KB   1 downloads
Attached File  Ark.log   2.67KB   2 downloads

Edited by Jukrul, 07 February 2012 - 03:26 AM.


BC AdBot (Login to Remove)

 


#2 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:10:27 PM

Posted 06 February 2012 - 10:15 PM

Hello Jukrul and welcome to BC.


:step1: Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.
Note: Do not install Avast anti virus when offered.



:step2: I don't see an Anti Virus Program running on your machine
  • Download and install an antivirus program, and make sure that you keep it updated
    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
    Two good antivirus programs free for non-commercial home use are Avast! and Antivir

    Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.



:step3: Asksbar/Ask Toolbar warning:
I strongly suggest that you uninstall Asksbar/Ask Toolbar. Some of the bad practices of this toolbar are:
  • Promoting its toolbars on sites targeted to kids. Details.
  • Promoting its toolbars through ads that appear to be part of other companies' sites. Details.
  • Promoting its toolbars through other companies' spyware. Details.
  • Installing without any disclosure whatsoever and without any consent whatsoever. Details.
  • Soliciting installations via "deceptive door openers" that do not accurately describe the offer; failing to affirmatively show a license agreement; linking to a EULA via an off-screen link. Details.
  • Making confusing changes to users' browsers -- increasing Ask's revenues while taking users to pages they didn't intend to visit. Details.
Please read the full details HERE.

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#3 Jukrul

Jukrul
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:10:27 AM

Posted 07 February 2012 - 03:44 AM

-----------------------------------------------
Hello sempai, many thanks for the quick response and thanks for taking time on this. I updated and attached the gmer file to my first post. Is malwarebytes not enough for antiviral protection? Also, I have removed ask before but firefox kept it as an add-on it should now be completely removed.
The aswmbr log will be posted below.
-----------------------------------------------


aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-02-07 03:36:29
-----------------------------
03:36:29.062 OS Version: Windows 5.1.2600 Service Pack 3
03:36:29.062 Number of processors: 2 586 0x604
03:36:29.062 ComputerName: PILLZ-BOT UserName:
03:36:30.171 Initialize success
03:37:01.046 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
03:37:01.046 Disk 0 Vendor: SAMSUNG_ VT10 Size: 238418MB BusType: 3
03:37:01.140 Disk 0 MBR read successfully
03:37:01.140 Disk 0 MBR scan
03:37:01.140 Disk 0 Windows XP default MBR code
03:37:01.156 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 238409 MB offset 63
03:37:01.171 Disk 0 scanning sectors +488263545
03:37:01.468 Disk 0 scanning C:\WINDOWS\system32\drivers
03:37:45.734 Service scanning
03:37:46.703 Modules scanning
03:38:20.656 Disk 0 trace - called modules:
03:38:20.687 ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
03:38:20.687 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b145ab8]
03:38:20.687 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x8ac4c030]
03:38:21.203 Scan finished successfully
03:38:43.921 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Clarence Washburn\Desktop\MBR.dat"
03:38:43.921 The log file has been saved successfully to "C:\Documents and Settings\Clarence Washburn\Desktop\aswMBR.txt"

Edited by Jukrul, 07 February 2012 - 03:46 AM.


#4 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:10:27 PM

Posted 07 February 2012 - 07:43 AM

Hi,

The initial logs looks OK, but let's make sure by running one more scan.

MBAM is not an Anti virus replacement, you need to have one Anti virus and keep it updated.

  • Download and install an antivirus program, and make sure that you keep it updated
    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
    Two good antivirus programs free for non-commercial home use are Avast! and Antivir

    Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.


=========================


ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

Vista/Windows 7 users: You will need to to right-click on the either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here to run the scan.

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use then click on: Posted Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Posted Image
  • The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close, but make sure you copy the logfile first.
  • Now click on: Posted Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#5 Jukrul

Jukrul
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:10:27 AM

Posted 07 February 2012 - 12:44 PM

---------------------
Here is the log
---------------------
C:\Documents and Settings\Clarence Washburn\Application Data\Sun\Java\Deployment\cache\6.0\10\653a8b4a-64df82ca a variant of Java/Exploit.CVE-2009-2843.B trojan
C:\Documents and Settings\Clarence Washburn\Application Data\Sun\Java\Deployment\cache\6.0\29\61a815d-207b3b4a probably a variant of Java/Agent.BR trojan
C:\Documents and Settings\Clarence Washburn\Application Data\Sun\Java\Deployment\cache\6.0\35\41e8aee3-559dd111 a variant of Java/Exploit.CVE-2009-2843.B trojan
C:\Documents and Settings\Clarence Washburn\Application Data\Sun\Java\Deployment\cache\6.0\37\493431a5-4df624a2 multiple threats
C:\Documents and Settings\Clarence Washburn\Application Data\Sun\Java\Deployment\cache\6.0\48\4084a7b0-10dc7e7d multiple threats
C:\Documents and Settings\Clarence Washburn\My Documents\Downloads\flstudio_9.0.3.exe Win32/OpenCandy application
C:\Documents and Settings\Clarence Washburn\My Documents\Downloads\mirc715.exe Win32/OpenCandy application
C:\System Volume Information\_restore{8EC78D4F-1AD8-4422-ADDB-4BEABA939A6C}\RP510\A0057477.exe a variant of Win32/Kryptik.AACT trojan
C:\System Volume Information\_restore{8EC78D4F-1AD8-4422-ADDB-4BEABA939A6C}\RP510\A0057485.exe a variant of Win32/Kryptik.AACT trojan

#6 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:10:27 PM

Posted 08 February 2012 - 10:32 AM

:step1: We need to execute an OTM script
  • Please download OTM by OldTimer and save it to your desktop.
  • Double click the Posted Image icon on your desktop.
  • Paste the following code under the Posted Image area. Do not include the word "Code".

    :Files
    C:\Documents and Settings\Clarence Washburn\Application Data\Sun\Java\Deployment\cache\6.0\10\653a8b4a-64df82ca 
    C:\Documents and Settings\Clarence Washburn\Application Data\Sun\Java\Deployment\cache\6.0\29\61a815d-207b3b4a 
    C:\Documents and Settings\Clarence Washburn\Application Data\Sun\Java\Deployment\cache\6.0\35\41e8aee3-559dd111 
    C:\Documents and Settings\Clarence Washburn\Application Data\Sun\Java\Deployment\cache\6.0\37\493431a5-4df624a2 
    C:\Documents and Settings\Clarence Washburn\Application Data\Sun\Java\Deployment\cache\6.0\48\4084a7b0-10dc7e7d 
    C:\Documents and Settings\Clarence Washburn\My Documents\Downloads\flstudio_9.0.3.exe 
    C:\Documents and Settings\Clarence Washburn\My Documents\Downloads\mirc715.exe 
    C:\System Volume Information\_restore{8EC78D4F-1AD8-4422-ADDB-4BEABA939A6C}\RP510\A0057477.exe 
    C:\System Volume Information\_restore{8EC78D4F-1AD8-4422-ADDB-4BEABA939A6C}\RP510\A0057485.exe  
    
    :Commands
    [emptytemp]
    
  • Push the large Posted Image button.
  • OTM may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the Posted Image line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.



:step2: Please run Malwarebytes Anti-Malware. Go to update tab and download all updates and then perform a full scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#7 Jukrul

Jukrul
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:10:27 AM

Posted 08 February 2012 - 02:55 PM

---------------------------
Here are the logs
---------------------------

All processes killed
========== FILES ==========
C:\Documents and Settings\Clarence Washburn\Application Data\Sun\Java\Deployment\cache\6.0\10\653a8b4a-64df82ca moved successfully.
C:\Documents and Settings\Clarence Washburn\Application Data\Sun\Java\Deployment\cache\6.0\29\61a815d-207b3b4a moved successfully.
C:\Documents and Settings\Clarence Washburn\Application Data\Sun\Java\Deployment\cache\6.0\35\41e8aee3-559dd111 moved successfully.
C:\Documents and Settings\Clarence Washburn\Application Data\Sun\Java\Deployment\cache\6.0\37\493431a5-4df624a2 moved successfully.
C:\Documents and Settings\Clarence Washburn\Application Data\Sun\Java\Deployment\cache\6.0\48\4084a7b0-10dc7e7d moved successfully.
C:\Documents and Settings\Clarence Washburn\My Documents\Downloads\flstudio_9.0.3.exe moved successfully.
C:\Documents and Settings\Clarence Washburn\My Documents\Downloads\mirc715.exe moved successfully.
C:\System Volume Information\_restore{8EC78D4F-1AD8-4422-ADDB-4BEABA939A6C}\RP510\A0057477.exe moved successfully.
C:\System Volume Information\_restore{8EC78D4F-1AD8-4422-ADDB-4BEABA939A6C}\RP510\A0057485.exe moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: Clarence Washburn
->Temp folder emptied: 20305709335 bytes
->Temporary Internet Files folder emptied: 1213044 bytes
->Java cache emptied: 17446245 bytes
->FireFox cache emptied: 87141332 bytes
->Flash cache emptied: 595145 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 56466 bytes

User: LocalService
->Temp folder emptied: 65984 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Flash cache emptied: 0 bytes

User: MCX1
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 375921 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 6390005 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 78749362 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 19,548.00 mb


OTM by OldTimer - Version 3.1.19.0 log created on 02082012_115208

Files moved on Reboot...
File C:\WINDOWS\temp\Perflib_Perfdata_a88.dat not found!

Registry entries deleted on Reboot...


----------------------------------------------------------

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.08.03

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 6.0.2900.5512
Clarence Washburn :: PILLZ-BOT [administrator]

2/8/2012 11:59:07 AM
mbam-log-2012-02-08 (11-59-07).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 451064
Time elapsed: 2 hour(s), 35 minute(s), 44 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\_OTM\MovedFiles\02082012_115208\C_System Volume Information\_restore{8EC78D4F-1AD8-4422-ADDB-4BEABA939A6C}\RP510\A0057477.exe (Trojan.Ransom) -> Quarantined and deleted successfully.
C:\_OTM\MovedFiles\02082012_115208\C_System Volume Information\_restore{8EC78D4F-1AD8-4422-ADDB-4BEABA939A6C}\RP510\A0057485.exe (Trojan.Ransom) -> Quarantined and deleted successfully.

(end)

#8 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:10:27 PM

Posted 09 February 2012 - 08:15 AM

How's the computer running?


:step1: Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
  • Download the latest version of Java Runtime Environment (JRE) Version 7.
  • Look for "Java SE 7u2".
  • Click the "Download JRE" button to the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".

    • Select "Windows x86 Offline" and click on jre-7u2-windows-i586.exe
  • Save it to your desktop
  • Close any programs you may have running - especially your web browser.
  • Uninstall all older versions of Java (any item with Java Runtime Environment, JRE or J2SE in the name).
  • Reboot your computer once all Java components are removed.
  • Install the newest version by double clicking (run as Administrator for Windows Vista/Seven) the downloaded file.



:step2: Update Adobe Reader so you will not become vulnerable for infections.
  • Uninstall your old version of Adobe Reader.
  • Download the latest version of Adobe Reader. --> HERE
  • Uncheck any optional download like Free Google Toolbar or Free McAfeeŽ Security Scan Plus.
  • Click download to download the file and install it by following the prompts.
Adobe Download Manager FAQ | Flash Player and Reader: http://kb2.adobe.com/cps/520/cpsid_52001.html

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#9 Jukrul

Jukrul
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:10:27 AM

Posted 09 February 2012 - 08:42 AM

I've been avoiding being on the computer, didn't think we were done. I'll let you know after a run through today. The other 5 files are no concern?

Also, is it alright if I log into things now?

#10 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:10:27 PM

Posted 09 February 2012 - 09:03 AM

No we're not done yet, just want to be updated about the computer's status.

The other 5 files are no concern?

What other 5 files?

Also, is it alright if I log into things now?


Limit the use of internet until we're sure that the computer is malware free.

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#11 Jukrul

Jukrul
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:10:27 AM

Posted 09 February 2012 - 09:15 AM

Well computer seems to be running a tiny bit faster than before this all happened. As for the files, eset picked up 7 otm moved them and mbam only removed 2, now that you say we're not done I guess that clarifies it haha. Thanks for all the help so far its really appreciated.


I have removed older versions of java and adobe. They should now be up to date.

#12 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:10:27 PM

Posted 09 February 2012 - 09:57 AM

Those 5 other files are already in the quarantine folder of OTM, so nothing to worry about them and we will remove them when we remove OTM later on.

Initial log looks clean, but that doesn't mean that the PC is cleaned. Let's run Combofix, though I don't think it's needed here... It might reveal something that's not showing in the previous scans.


Download Combofix (by Subs) from any of the links below, make sure that you save it to your desktop.

Link 1
Link 2

  • It's important to temporary disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. See HERE
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

*It's strongly recommended to have this pre-installed on your machine before doing any malware removal.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
*This allows us to more easily help you should your computer have a problem after an attempted removal of malware.

  • If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures. If you did not have it installed, you will see the prompt below. Choose YES.

Posted Image


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Important notes:

  • Leave your computer alone while ComboFix is running.
  • ComboFix will restart your computer if malware is found; allow it to do so.
  • ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  • Please do not mouseclick combofix's window while its running because it may call it to stall.
  • ComboFix SHOULD NOT be used unless requested by a forum helper. See HERE.


~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#13 Jukrul

Jukrul
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:10:27 AM

Posted 09 February 2012 - 10:42 AM

---------------------------------
Here's the combofix log
---------------------------------


ComboFix 12-02-09.03 - Clarence Washburn 02/09/2012 10:13:01.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2882 [GMT -5:00]
Running from: c:\documents and settings\Clarence Washburn\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\windows\kb913800.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-01-09 to 2012-02-09 )))))))))))))))))))))))))))))))
.
.
2012-02-09 14:32 . 2012-02-09 14:32 -------- d-----w- c:\documents and settings\Clarence Washburn\Local Settings\Application Data\Temp
2012-02-09 14:00 . 2012-02-09 14:00 -------- d-----w- c:\program files\Common Files\Java
2012-02-09 13:57 . 2012-02-09 13:57 637848 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-02-09 13:57 . 2012-02-09 13:57 141312 ----a-w- c:\windows\system32\javacpl.cpl
2012-02-08 16:52 . 2012-02-08 16:52 -------- d-----w- C:\_OTM
2012-02-06 00:20 . 2012-02-06 00:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-09 13:57 . 2010-06-13 02:30 567184 ----a-w- c:\windows\system32\deployJava1.dll
2011-12-10 20:24 . 2010-06-06 18:33 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-15 03:02 . 2011-05-14 06:06 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-01 18:25 . 2011-05-08 02:29 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2009-05-15 1103216]
"Octoshape Streaming Services"="c:\documents and settings\Clarence Washburn\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe" [2009-01-08 70936]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2011-08-12 3077528]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-02-11 61440]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 45056]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-09-30 252296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Extender Resource Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Extender Resource Monitor.lnk
backup=c:\windows\pss\Extender Resource Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GamersFirst LIVE!.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\GamersFirst LIVE!.lnk
backup=c:\windows\pss\GamersFirst LIVE!.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SnapDetect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SnapDetect.lnk
backup=c:\windows\pss\SnapDetect.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Clarence Washburn^Start Menu^Programs^Startup^CurseClientStartup.ccip]
path=c:\documents and settings\Clarence Washburn\Start Menu\Programs\Startup\CurseClientStartup.ccip
backup=c:\windows\pss\CurseClientStartup.ccipStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Clarence Washburn^Start Menu^Programs^Startup^Pandora.lnk]
path=c:\documents and settings\Clarence Washburn\Start Menu\Programs\Startup\Pandora.lnk
backup=c:\windows\pss\Pandora.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 13:10 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim]
2011-01-05 17:11 4321112 ----a-w- c:\program files\AIM\aim.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
2005-08-12 19:43 45056 ----a-w- c:\program files\ATI Technologies\ATI.ACE\CLI.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2011-07-28 23:08 1259376 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2005-10-05 08:12 94208 ----a-w- c:\program files\Dell\Media Experience\DMXLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-05 17:56 64512 -c--a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2006-07-06 11:15 151552 -c--a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
2009-05-15 00:03 1103216 ----a-w- c:\program files\Download Manager\DLM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-08-11 19:30 249856 -c--a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-08-11 19:30 81920 -c--a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-05-27 01:06 4351216 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-07-26 21:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PMX Daemon]
2006-06-09 16:47 47104 -c--a-w- c:\windows\system32\ico.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-09-06 19:09 413696 -c--a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2005-03-22 22:20 339968 -c--a-w- c:\windows\stsystra.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2011-08-02 00:19 1242448 ----a-w- c:\program files\Steam\Steam.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Documents and Settings\\Clarence Washburn\\Application Data\\Octoshape\\Octoshape Streaming Services\\OctoshapeClient.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\GRETECH\\GomTVStreamer\\GomTVStreamerLive.exe"=
"c:\\Program Files\\GRETECH\\GomTVStreamer\\GomTVStreamerStream.exe"=
"c:\\Riot Games\\League of Legends\\lol.launcher.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\alien swarm\\swarm.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\plants vs zombies\\PlantsVsZombies.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\heroes of might and magic 5\\bin\\H5_Game.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\heroes of might and magic 5 tribes of the east\\bin\\H5_Game.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\heroes of might and magic 5\\bina1\\testapp.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\rhythm zone\\rhythmzone.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\spiral knights\\java_vm\\bin\\javaw.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\heroes of might and magic 5 tribes of the east\\bin\\H5_MapEditor.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\GamersFirst\\APB Reloaded\\Binaries\\APB.exe"=
"c:\\Program Files\\GamersFirst\\APB Reloaded\\Binaries\\VivoxVoiceService.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\iron grip marauders\\prism.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\alien swarm\\srcds.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead 2\\left4dead2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead 2\\bin\\SDKLauncher.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience
"3724:TCP"= 3724:TCP:WoW
"3724:UDP"= 3724:UDP:Wow
"53:UDP"= 53:UDP:xbl
"88:UDP"= 88:UDP:xbl
"3330:UDP"= 3330:UDP:xbl
"3074:UDP"= 3074:UDP:xbl
"3074:TCP"= 3074:TCP:xbl
"56744:TCP"= 56744:TCP:Pando Media Booster
"56744:UDP"= 56744:UDP:Pando Media Booster
"8395:TCP"= 8395:TCP:League of Legends Launcher
"8395:UDP"= 8395:UDP:League of Legends Launcher
"57340:TCP"= 57340:TCP:League of Legends Launcher
"57340:UDP"= 57340:UDP:League of Legends Launcher
"30920:TCP"= 30920:TCP:League of Legends Launcher
"30920:UDP"= 30920:UDP:League of Legends Launcher
"8396:TCP"= 8396:TCP:League of Legends Launcher
"8396:UDP"= 8396:UDP:League of Legends Launcher
"8397:TCP"= 8397:TCP:League of Legends Launcher
"8397:UDP"= 8397:UDP:League of Legends Launcher
"26326:TCP"= 26326:TCP:League of Legends Launcher
"26326:UDP"= 26326:UDP:League of Legends Launcher
"40800:TCP"= 40800:TCP:League of Legends Launcher
"40800:UDP"= 40800:UDP:League of Legends Launcher
"8398:TCP"= 8398:TCP:League of Legends Launcher
"8398:UDP"= 8398:UDP:League of Legends Launcher
"8399:TCP"= 8399:TCP:League of Legends Launcher
"8399:UDP"= 8399:UDP:League of Legends Launcher
"8804:TCP"= 8804:TCP:League of Legends Launcher
"8804:UDP"= 8804:UDP:League of Legends Launcher
"57244:TCP"= 57244:TCP:League of Legends Launcher
"57244:UDP"= 57244:UDP:League of Legends Launcher
"44832:TCP"= 44832:TCP:League of Legends Launcher
"44832:UDP"= 44832:UDP:League of Legends Launcher
"4800:TCP"= 4800:TCP:League of Legends Launcher
"4800:UDP"= 4800:UDP:League of Legends Launcher
"8380:TCP"= 8380:TCP:League of Legends Launcher
"8380:UDP"= 8380:UDP:League of Legends Launcher
"9998:TCP"= 9998:TCP:League of Legends Launcher
"9998:UDP"= 9998:UDP:League of Legends Launcher
"8381:TCP"= 8381:TCP:League of Legends Launcher
"8381:UDP"= 8381:UDP:League of Legends Launcher
"8382:TCP"= 8382:TCP:League of Legends Launcher
"8382:UDP"= 8382:UDP:League of Legends Launcher
"8383:TCP"= 8383:TCP:League of Legends Launcher
"8383:UDP"= 8383:UDP:League of Legends Launcher
"8370:TCP"= 8370:TCP:League of Legends Launcher
"8370:UDP"= 8370:UDP:League of Legends Launcher
"8371:TCP"= 8371:TCP:League of Legends Launcher
"8371:UDP"= 8371:UDP:League of Legends Launcher
"8372:TCP"= 8372:TCP:League of Legends Launcher
"8372:UDP"= 8372:UDP:League of Legends Launcher
"57993:TCP"= 57993:TCP:Pando Media Booster
"57993:UDP"= 57993:UDP:Pando Media Booster
"8373:TCP"= 8373:TCP:League of Legends Launcher
"8373:UDP"= 8373:UDP:League of Legends Launcher
"8374:TCP"= 8374:TCP:League of Legends Launcher
"8374:UDP"= 8374:UDP:League of Legends Launcher
"8375:TCP"= 8375:TCP:League of Legends Launcher
"8375:UDP"= 8375:UDP:League of Legends Launcher
"8376:TCP"= 8376:TCP:League of Legends Launcher
"8376:UDP"= 8376:UDP:League of Legends Launcher
"8377:TCP"= 8377:TCP:League of Legends Launcher
"8377:UDP"= 8377:UDP:League of Legends Launcher
"58584:TCP"= 58584:TCP:Pando Media Booster
"58584:UDP"= 58584:UDP:Pando Media Booster
"8378:TCP"= 8378:TCP:League of Legends Launcher
"8378:UDP"= 8378:UDP:League of Legends Launcher
"6955:TCP"= 6955:TCP:League of Legends Launcher
"6955:UDP"= 6955:UDP:League of Legends Launcher
"8379:TCP"= 8379:TCP:League of Legends Launcher
"8379:UDP"= 8379:UDP:League of Legends Launcher
"6900:TCP"= 6900:TCP:League of Legends Launcher
"6900:UDP"= 6900:UDP:League of Legends Launcher
"6901:TCP"= 6901:TCP:League of Legends Launcher
"6901:UDP"= 6901:UDP:League of Legends Launcher
"58811:TCP"= 58811:TCP:Pando Media Booster
"58811:UDP"= 58811:UDP:Pando Media Booster
"58459:TCP"= 58459:TCP:Pando Media Booster
"58459:UDP"= 58459:UDP:Pando Media Booster
.
S2 AODService;AODService;c:\program files\AMD\OverDrive\AODAssist.exe [2/22/2010 4:25 AM 136544]
S3 athena;athena;c:\windows\system32\DRIVERS\athena.sys --> c:\windows\system32\DRIVERS\athena.sys [?]
S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\EagleXNt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [4/6/2009 12:19 PM 23064]
S3 XDva190;XDva190;\??\c:\windows\system32\XDva190.sys --> c:\windows\system32\XDva190.sys [?]
S3 XDva387;XDva387;\??\c:\windows\system32\XDva387.sys --> c:\windows\system32\XDva387.sys [?]
S3 XDva388;XDva388;\??\c:\windows\system32\XDva388.sys --> c:\windows\system32\XDva388.sys [?]
S3 XDva389;XDva389;\??\c:\windows\system32\XDva389.sys --> c:\windows\system32\XDva389.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - JAVAQUICKSTARTERSERVICE
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
TCP: DhcpNameServer = 65.32.5.111 65.32.5.112
TCP: Interfaces\{40AC6E7F-AD08-4FC5-AD1C-CE04A51FBEF0}: NameServer = 4.2.2.1,4.2.2.2
FF - ProfilePath - c:\documents and settings\Clarence Washburn\Application Data\Mozilla\Firefox\Profiles\i3fzga1w.default\
FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/aol/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us&tb_uuid=100000000000000002&tb_oid=05-05-2010&tb_mrud=05-05-2010
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/redirector/sredir?sredir=2706&invocationType=tb50-ff-aim-ab-en-us&tb_uuid=100000000000000002&tb_oid=05-05-2010&tb_mrud=05-05-2010&query=
FF - user.js: yahoo.homepage.dontask - true);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false
FF - user.js: browser.sessionstore.resume_from_crash - false
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll
Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
AddRemove-AutoHotkey - c:\program files\AutoHotkey\uninst.exe
AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-09 10:23
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1960408961-507921405-1801674531-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:62,90,bd,ca,dd,6c,f4,3b,31,47,dd,7a,b1,90,ae,60,d4,c1,d8,5d,7d,36,96,
17,51,7d,48,26,85,a1,b5,af,e4,22,9d,f4,57,53,9f,94,f4,bc,59,a6,b3,e7,94,15,\
"??"=hex:d2,8a,3d,7f,d6,ee,ff,ab,38,51,7b,8c,dc,d7,d2,0c
.
[HKEY_USERS\S-1-5-21-1960408961-507921405-1801674531-1003\Software\SecuROM\License information*]
"datasecu"=hex:ce,8e,fe,cd,3f,4a,a6,f7,cc,12,8a,fa,86,0b,bb,79,2a,f1,be,ff,77,
30,0f,d8,95,b6,fb,fa,05,78,7b,0c,80,ce,5c,74,dc,77,67,70,eb,da,ac,40,6b,8f,\
"rkeysecu"=hex:13,e8,58,af,6a,e5,9f,61,fe,6b,88,75,90,87,fb,05
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(656)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2012-02-09 10:26:18
ComboFix-quarantined-files.txt 2012-02-09 15:26
.
Pre-Run: 69,455,740,928 bytes free
Post-Run: 69,413,572,608 bytes free
.
- - End Of File - - 483E13524D146C327E605CE40225B9F1

#14 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:10:27 PM

Posted 09 February 2012 - 09:50 PM

Please run DDS once again and post the new report for my review.

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#15 Jukrul

Jukrul
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:10:27 AM

Posted 09 February 2012 - 10:09 PM

----------------------
Here's the new dds and attach
----------------------

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 10.2.0
Run by Clarence Washburn at 22:01:13 on 2012-02-09
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2931 [GMT -5:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\RMSvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\stsystra.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Yahooo Search Protection: {25bc7718-0bfa-40ea-b381-4b2d9732d686} - c:\program files\yahoo!\search protection\ysp.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn1\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
uRun: [igndlm.exe] c:\program files\download manager\DLM.exe /windowsstart /startifwork
uRun: [Octoshape Streaming Services] "c:\documents and settings\clarence washburn\application data\octoshape\octoshape streaming services\OctoshapeClient.exe" -inv:bootrun
uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {BBF74FB9-ABCD-4678-880A-2511DAABB5E1} - {25BC7718-0BFA-40EA-B381-4B2D9732D686} - c:\program files\yahoo!\search protection\ysp.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_02-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_02-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: Interfaces\{40AC6E7F-AD08-4FC5-AD1C-CE04A51FBEF0} : NameServer = 4.2.2.1,4.2.2.2
TCP: Interfaces\{F1821F5B-3E92-44B8-9572-293D7D7BDBEE} : DhcpNameServer = 65.32.5.111 65.32.5.112
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\clarence washburn\application data\mozilla\firefox\profiles\i3fzga1w.default\
FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/aol/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us&tb_uuid=100000000000000002&tb_oid=05-05-2010&tb_mrud=05-05-2010
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/redirector/sredir?sredir=2706&invocationType=tb50-ff-aim-ab-en-us&tb_uuid=100000000000000002&tb_oid=05-05-2010&tb_mrud=05-05-2010&query=
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\documents and settings\clarence washburn\application data\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\clarence washburn\application data\mozilla\plugins\npoctoshape.dll
FF - plugin: c:\documents and settings\clarence washburn\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\common files\gretech\npgomtvx_nie.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\download manager\npfpdlm.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npijjiautoinstallpluginff.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false
FF - user.js: browser.sessionstore.resume_from_crash - false
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
============= SERVICES / DRIVERS ===============
.
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\McrdSvc.exe [2005-10-20 96256]
S2 AODService;AODService;c:\program files\amd\overdrive\AODAssist.exe [2010-2-22 136544]
S3 athena;athena;c:\windows\system32\drivers\athena.sys --> c:\windows\system32\drivers\athena.sys [?]
S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\eaglexnt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2009-4-6 23064]
S3 XDva190;XDva190;\??\c:\windows\system32\xdva190.sys --> c:\windows\system32\XDva190.sys [?]
S3 XDva387;XDva387;\??\c:\windows\system32\xdva387.sys --> c:\windows\system32\XDva387.sys [?]
S3 XDva388;XDva388;\??\c:\windows\system32\xdva388.sys --> c:\windows\system32\XDva388.sys [?]
S3 XDva389;XDva389;\??\c:\windows\system32\xdva389.sys --> c:\windows\system32\XDva389.sys [?]
.
=============== Created Last 30 ================
.
2012-02-09 18:01:19 -------- d-----w- c:\documents and settings\clarence washburn\local settings\application data\Sun
2012-02-09 15:04:00 -------- d-sha-r- C:\cmdcons
2012-02-09 15:01:47 98816 ----a-w- c:\windows\sed.exe
2012-02-09 15:01:47 518144 ----a-w- c:\windows\SWREG.exe
2012-02-09 15:01:47 256000 ----a-w- c:\windows\PEV.exe
2012-02-09 15:01:47 208896 ----a-w- c:\windows\MBR.exe
2012-02-09 14:32:12 -------- d-----w- c:\documents and settings\clarence washburn\local settings\application data\Temp
2012-02-09 13:57:19 637848 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-02-09 13:57:19 141312 ----a-w- c:\windows\system32\javacpl.cpl
2012-02-08 16:52:08 -------- d-----w- C:\_OTM
.
==================== Find3M ====================
.
2012-02-09 13:57:00 567184 ----a-w- c:\windows\system32\deployJava1.dll
2011-12-10 20:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-15 03:02:10 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
============= FINISH: 22:02:19.45 ===============

Attached File  attach2.txt   35.84KB   2 downloads




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users