
Credit Card Details Request Redirect


This topic is locked. 50 replies to this topic.

#1 dagnabbit (Members, 28 posts)

Posted 14 February 2012 - 05:56 AM

My wife recently tried to purchase an item online by CC and was asked for additional card details including the PIN number. She exited out on this occasion but the next time she went into our online banking the same screen came up and she filled it in ! (duh).

It appears to be a similar issue to this topic (link).

We have a temp suspension on our accounts until cards are reissued, passwords reset etc etc but I am now highly paranoid about what is left on here. I have run Avast scans, Spybot scans, Adaware scans, Malware scans. All of which picked up issues which have been cleaned, including a root scan by Avast (love Avast btw :) ).

I just ask that you check the attached logs for problems before I unsuspend our banking access. And while I know you will have a back log some priority would be appreciated (though not expected) as I have no access to the almighty $ until I am sure this is cleaned.

Thank you

Attached Files


Edited by dagnabbit, 14 February 2012 - 05:57 AM.




#2 sempai (Malware Response Team)

Posted 15 February 2012 - 12:05 PM

Hello dagnabbit and welcome to BC.


Are you still experiencing redirect after doing some malware scans? Please do not attach logs unless instructed.


P2P Warning:

Torrent

Your log(s) show that you are using so-called peer-to-peer or file-sharing programmes.

These programmes allow users to share files between each other, as the name suggests. In today's world cybercrime has reached an enormous scale, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, so they should be used with great care. Some further reading on this subject, along with the included links, is as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes copyright laws in many countries around the world, and you are putting yourself at risk of being indicted by organisations watching over the rights of the authors of such files (e.g. the RIAA for music files, or the MPAA for movie files in the USA) or by the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."


===============================


:step1: We need to disable Spybot S&D's "TeaTimer"
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half-finished fix, we need to disable TeaTimer. We can re-enable it when we're done if you like.
  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click the button shown [image] and then on "Advanced Mode"
    [image]
  • You may be presented with a warning dialog. If so, press the button shown [image]
  • Click on the tab shown [image]
  • Click on the item shown [image]
  • Uncheck this checkbox:
    [image]
  • Close/Exit Spybot Search and Destroy



:step2: Download Combofix (by Subs) from any of the links below, make sure that you save it to your desktop.

Link 1
Link 2

  • It's important to temporarily disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. See HERE
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

*It's strongly recommended to have this pre-installed on your machine before doing any malware removal.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
*This allows us to more easily help you should your computer have a problem after an attempted removal of malware.

  • If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures. If you did not have it installed, you will see the prompt below. Choose YES.

[screenshot of the Recovery Console install prompt]


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot of the Recovery Console installed message]


  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Important notes:

  • Leave your computer alone while ComboFix is running.
  • ComboFix will restart your computer if malware is found; allow it to do so.
  • ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  • Please do not mouse-click ComboFix's window while it is running because it may cause it to stall.
  • ComboFix SHOULD NOT be used unless requested by a forum helper. See HERE.


~Semp

You can help me continue the fight against malware by making a donation. Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support; post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#3 dagnabbit (Topic Starter)

Posted 15 February 2012 - 10:59 PM

Combofix log attached. Startup and program access speeds have gone downhill rapidly today.

Attached Files



#4 dagnabbit (Topic Starter)

Posted 16 February 2012 - 06:56 AM

BTW, Avast now no longer automatically starts when starting Windows? Not concerned about TeaTimer though.

#5 sempai (Malware Response Team)

Posted 16 February 2012 - 12:35 PM

Hi,

Please do not attach logs unless instructed. Do you use Remote Desktop on this machine?


:step1: Please go to http://virscan.org/
  • Enter the following file path into the "Suspicious files to scan" box at the top of the page:

    c:\program files\WinKeyFinder173_RC2.exe

  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.


:step2: Run this Combofix script and make sure to install the Windows Recovery Console when prompted.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy-paste the text in the code box below into it:

KillAll::

File::
c:\windows\system32\drivers\_7qe8q.sys 
c:\windows\system32\drivers\xpsec.sys 

FileLook::
c:\program files\WinKeyFinder173_RC2.exe

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"=-
"52344:TCP"=-

Driver::
_7qe8q.sys
xpsec

ClearJavaCache::


4. Save this as CFScript.txt, in the same location as ComboFix.exe


[screenshot showing CFScript.txt being dragged onto ComboFix.exe]

5. Referring to the picture above, drag CFScript into ComboFix.exe

6. When finished, it shall produce a log for you which I will require in your next reply.


~Semp



#6 dagnabbit (Topic Starter)

Posted 17 February 2012 - 05:45 AM

Remote Desktop has never been used to access this PC to my knowledge. I do access my work PC via the company SBS server through IE. (https://mail.xxxxxx.com.au/Remote/)

New Combofix scan attached.

Virscan log of c:\program files\WinKeyFinder173_RC2.exe scan. All clean. I have had this program for a while, it gives you a list of all software on your PC along with their serial numbers, great for when you have lost the disk which comes in very handy in a large office environment.

On selecting yes to Combofix installing the Recovery Console, a message of "Boot Partition cannot be enumerated correctly" appeared.

On PC startup a message of "Boot.ini" is invalid, booting from C:\windows\

If the PC is started with the modem on winlogon is using a constant 25-26% of CPU which I have never seen before. If I start the PC with modem off, and then turn on once up and running winlogon uses normal minimal resources.
With winlogon using 25% CPU, generally CPU use is maxing with only IE or FF running, mainly when a second tab is opened.
Both FF and IE are using much more memory than is normal, 4 to 5 times normal use.

Attached Files


Edited by dagnabbit, 17 February 2012 - 06:46 AM.


#7 sempai (Malware Response Team)

Posted 17 February 2012 - 11:39 AM

Hi and thanks for the info. Is this a dual-boot system?

Please do not attach logs unless instructed so I can read them more easily.


:step1: Right click on My Computer and choose Properties.
  • Under the Advanced tab, click on the Settings button in the Startup and Recovery section.
  • In the window that opens, click the Edit button.
  • Copy-paste the contents of the notepad window that opens (boot.ini) when you reply.



:step2: We need to execute a ComboFix script.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy-paste the text in the code box below into it:

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"=-


4. Save this as CFScript.txt, in the same location as ComboFix.exe


[screenshot showing CFScript.txt being dragged onto ComboFix.exe]

5. Referring to the picture above, drag CFScript into ComboFix.exe

6. When finished, it shall produce a log for you which I will require in your next reply.


Edited by sempai, 17 February 2012 - 11:41 AM.

~Semp



#8 dagnabbit (Topic Starter)

Posted 17 February 2012 - 09:36 PM

Hey, thanks for the assist to date.

No, this is not a dual-boot system. I do have 2 virtual machines set up through VMware, one of XP Home and one of Ubuntu. These are almost completely unused and set up on the E drive partition of the second hard drive.

Unable to open the boot.ini file, apparently it does not exist, see jpg of screenshots taken while attempting to do so through the steps advised above.

Combofix still unable to load the Recovery Console with same message as detailed previously.

Edit: Managed to manually install Recovery Console, Scan Log 4 is post Recovery Console install.

Attached Files


Edited by dagnabbit, 18 February 2012 - 01:58 AM.


#9 dagnabbit (Topic Starter)

Posted 18 February 2012 - 02:14 AM

Update,

Now that Recovery Console is on I now also have a Boot.ini file with the following in it.

Boot.ini contents;

[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

#10 sempai (Malware Response Team)

Posted 18 February 2012 - 11:17 AM

Hi,

Your boot.ini is improperly configured, we will fix it but first please run the tool below.


Please download Listparts
Run the tool, click Scan and post the log (Result.txt) it makes.

Edited by sempai, 18 February 2012 - 11:35 AM.

~Semp



#11 dagnabbit (Topic Starter)

Posted 18 February 2012 - 07:27 PM

Scan Attached.

RAM does not clear from launched programs, FF and IE stay there, and can never be cleared except by reboot; other launched programs have mixed success at clearing RAM. The exe consistently taking 25-30% of CPU is not always the same, so far I have seen winlogon, jqs & spkrmon, none of which can be terminated. This file usually takes up CPU capacity immediately but can sometimes start at random durations after PC start.

On each PC restart it is random as to access speeds from normal to commodore 64.

Thanks

Attached Files



#12 sempai (Malware Response Team)

Posted 19 February 2012 - 07:44 AM

so far I have seen winlogon, jqs & spkrmonx, none of which can be terminated.

These are all legitimate programs.

Let's fix the Boot.ini, failure to properly follow instructions may result in an unbootable machine.

  • Right click on current copy of C:\Boot.ini & select 'Properties'. Then remove the file's 'Read-Only' attribute.
  • Rename the current C:\Boot.ini to C:\Boot.old (Do not delete it)
  • Please download the attached file "boot.txt".
  • Save it to C:\
  • Rename the boot.txt to boot.ini
  • Right click on your new boot.ini and select properties
  • Put a check mark on Read-only and hidden boxes.
  • Click Apply
  • Click OK
  • Restart your PC.
  • Post the new Boot.ini contents.

Note: If you're prompted to choose between "Normal start-up" or "Modified boot.ini" during the start-up process, please choose Normal start-up.

Attached Files

  • Attached File  boot.txt   270bytes   4 downloads

~Semp



#13 dagnabbit (Topic Starter)

Posted 19 February 2012 - 05:25 PM

New boot.ini content;

[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect

#14 sempai (Malware Response Team)

Posted 20 February 2012 - 01:08 AM

Can you please delete your copy of Combofix (do not uninstall) and then download a new copy and run it.

Also please remember not to attach logs unless instructed. Just copy-paste the contents when you reply.

Edited by sempai, 20 February 2012 - 01:09 AM.

~Semp



#15 dagnabbit (Topic Starter)

Posted 20 February 2012 - 04:01 AM

Done, see below;

ComboFix 12-02-19.02 - marandrew 20/02/2012 16:23:30.7.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.2046.1458 [GMT 8:00]
Running from: c:\documents and settings\marandrew\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_xcpip
.
.
((((((((((((((((((((((((( Files Created from 2012-01-20 to 2012-02-20 )))))))))))))))))))))))))))))))
.
.
2012-02-17 10:56 . 2001-08-17 06:56 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2012-02-15 06:28 . 2012-01-11 19:06 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-02-15 06:28 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
2012-02-14 12:40 . 2012-02-14 12:40 -------- d-----w- c:\program files\Common Files\Java
2012-02-13 13:18 . 2012-02-13 13:18 -------- d-----w- c:\program files\CCleaner
2012-02-06 09:37 . 2012-02-06 09:37 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2012-02-06 09:34 . 2012-02-12 07:53 -------- d-----w- c:\documents and settings\marandrew\Application Data\TweakNow PowerPack 2011
2012-02-06 09:32 . 2012-02-12 07:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2012-01-23 02:58 . 2012-02-17 12:20 45016 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
2012-01-23 02:58 . 2012-01-23 02:58 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
2012-01-23 02:58 . 2012-01-23 02:58 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
2012-01-23 02:58 . 2012-01-23 02:58 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-12 16:53 . 2006-02-28 12:00 1859968 ----a-w- c:\windows\system32\win32k.sys
2011-12-17 19:46 . 2006-02-28 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2011-12-17 19:46 . 2006-02-28 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2011-12-17 19:46 . 2006-02-28 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-12-16 12:22 . 2006-02-28 12:00 385024 ------w- c:\windows\system32\html.iec
2011-12-10 07:24 . 2010-10-13 12:43 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-28 18:01 . 2010-08-04 12:21 41184 ----a-w- c:\windows\avastSS.scr
2011-11-28 18:01 . 2010-08-04 12:21 199816 ----a-w- c:\windows\system32\aswBoot.exe
2011-11-28 17:53 . 2011-06-30 22:39 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-11-28 17:53 . 2010-08-04 12:21 314456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-11-28 17:52 . 2010-08-04 12:21 34392 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-11-28 17:52 . 2010-08-04 12:21 52952 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-11-28 17:52 . 2010-08-04 12:21 111320 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-11-28 17:51 . 2010-08-04 12:21 105176 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-11-28 17:51 . 2010-08-04 12:21 20568 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-11-28 17:48 . 2010-08-04 12:21 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-11-25 21:57 . 2006-02-28 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2007-08-02 04:30 . 2010-08-09 13:03 270336 ----a-w- c:\program files\WinKeyFinder173_RC2.exe
2012-02-17 12:20 . 2011-03-31 13:36 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot_2012-02-18_02.13.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-02-20 08:45 . 2012-02-20 08:45 16384 c:\windows\Temp\Perflib_Perfdata_ee0.dat
+ 2012-02-20 08:46 . 2012-02-20 08:46 16384 c:\windows\Temp\Perflib_Perfdata_bf0.dat
+ 2012-02-20 08:45 . 2012-02-20 08:45 16384 c:\windows\Temp\Perflib_Perfdata_a5c.dat
+ 2012-02-19 22:25 . 2012-02-19 22:25 16384 c:\windows\Temp\Perflib_Perfdata_950.dat
+ 2006-02-28 12:00 . 2012-02-19 00:51 78174 c:\windows\system32\perfc009.dat
+ 2006-02-28 12:00 . 2012-02-19 00:51 478806 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-11-28 18:01 122512 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-26 8523776]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 8 (0x8)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DesktopManager]
2002-03-11 06:41 583168 ----a-w- c:\program files\Desktop Manager\deskmanr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]
2009-10-23 11:34 827904 ----a-w- c:\program files\dvd43\DVD43_Tray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-11-12 16:24 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
2001-07-09 03:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 06:57 153136 ----a-w- c:\program files\Common Files\Nero\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2008-05-26 08:06 8523776 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2008-05-26 08:06 81920 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
2010-05-14 02:32 1479680 ----a-w- c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RIMBBLaunchAgent.exe]
2011-02-18 03:47 79192 ----a-w- c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-06-09 05:06 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"VMware NAT Service"=2 (0x2)
"VMUSBArbService"=2 (0x2)
"VMnetDHCP"=2 (0x2)
"VMAuthdService"=2 (0x2)
"ufad-ws60"=3 (0x3)
"spkrmon"=2 (0x2)
"ose"=3 (0x3)
"npggsvc"=3 (0x3)
"NMIndexingService"=3 (0x3)
"Nero BackItUp Scheduler 3"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"e:\\VMware\\vmware-authd.exe"=
"c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
"c:\\Program Files\\Nero\\Nero8\\Nero ShowTime\\ShowTime.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"d:\\Heroes In the Sky\\HIS.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56996:TCP"= 56996:TCP:*:Disabled:Pando Media Booster
"56996:UDP"= 56996:UDP:*:Disabled:Pando Media Booster
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [1/07/2011 6:39 AM 435032]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/08/2010 8:21 PM 314456]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [9/08/2010 8:42 PM 143248]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [9/08/2010 8:42 PM 41936]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/08/2010 8:21 PM 20568]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [22/10/2009 5:00 AM 70704]
R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [22/10/2009 3:47 AM 563760]
R3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [9/08/2010 10:25 PM 47360]
R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [1/12/2010 1:44 PM 111504]
R3 xpsec;IPSEC driver;c:\windows\system32\drivers\xpsec.sys --> c:\windows\system32\drivers\xpsec.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 1:16 PM 130384]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [23/12/2010 5:38 PM 36608]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [5/08/2010 2:08 PM 100560]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [6/05/2008 4:06 PM 11520]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 1:16 PM 753504]
S3 XDva375;XDva375;\??\c:\windows\system32\XDva375.sys --> c:\windows\system32\XDva375.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - xcpip
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 09:57]
.
2012-02-20 c:\windows\Tasks\Updater.job
- c:\program files\ENJO\ENJO Companion\updater.exe [2011-06-02 04:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
uInternet Settings,ProxyOverride = *.local
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: e:\vmware\vsocklib.dll
Trusted Zone: reeces.com.au\mail
TCP: DhcpNameServer = 10.1.1.1
FF - ProfilePath - c:\documents and settings\marandrew\Application Data\Mozilla\Firefox\Profiles\ceqbp6y5.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine -
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CTXXXX&q=
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-20 16:46
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\|"|w*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(720)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\DVDRAMSV.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Analog Devices\SoundMAX\spkrmon.exe
c:\windows\system32\vmnat.exe
c:\windows\system32\vmnetdhcp.exe
e:\vmware\vmware-authd.exe
.
**************************************************************************
.
Completion time: 2012-02-20 16:57:16 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-20 08:57
ComboFix.txt 2012-02-18 04:20
ComboFix2.txt 2012-02-18 06:54
ComboFix3.txt 2012-02-18 02:26
ComboFix4.txt 2012-02-17 10:31
ComboFix5.txt 2012-02-20 08:21
.
Pre-Run: 32,748,216,320 bytes free
Post-Run: 32,734,662,656 bytes free
.
- - End Of File - - 02E01C4349188FF09033CFEC7DCA8D5D
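The two things the helper acted on in posts #5 and #7 are visible in the log above: firewall exceptions under GloballyOpenPorts that name no real program ("65533:TCP:Services", "52344:TCP:Services") plus RDP on 3389, and driver/service entries whose image file ComboFix could not find (the "[?]" suffix on xpsec, SSPORT, npggsvc and XDva375). The script below is an added example, not part of the thread and not ComboFix's own code: it parses a constructed excerpt in the log's own layout, flags the exceptions a responder would question, lists services with missing binaries, and emits a Registry:: block in the CFScript form used in this thread to delete the flagged values. The GENERIC_NAMES set, the ephemeral-port threshold, and the choice to treat an entry with fewer than five colon-separated fields as enabled are assumptions made for the example, not ComboFix or Windows firewall rules.

```python
"""Triage helper for ComboFix-style log excerpts (added example, not from the thread)."""
import re

# Constructed sample, copied from the layout ComboFix uses in the thread's log.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56996:TCP"= 56996:TCP:*:Disabled:Pando Media Booster
"56996:UDP"= 56996:UDP:*:Disabled:Pando Media Booster
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [1/07/2011 6:39 AM 435032]
R3 xpsec;IPSEC driver;c:\windows\system32\drivers\xpsec.sys --> c:\windows\system32\drivers\xpsec.sys [?]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 XDva375;XDva375;\??\c:\windows\system32\XDva375.sys --> c:\windows\system32\XDva375.sys [?]
"""

PORT_LINE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*(\S.*)$')      # "port:proto"= value
SERVICE_LINE = re.compile(r'^([RS]\d) ([^;]+);([^;]*);(.*)$')  # R3 name;display;image
GENERIC_NAMES = {"", "services", "service"}  # assumption: labels that name no real program
EPHEMERAL_MIN = 49152                        # IANA dynamic/private port range start
RDP_PORT = 3389


def parse_open_ports(log: str) -> list[dict]:
    """Parse GloballyOpenPorts values as port:proto:scope:mode:name.

    XP's firewall stores five colon-separated fields.  Entries with fewer
    fields are recorded as malformed and, by assumption, treated as enabled.
    """
    entries = []
    for line in log.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue
        port, proto, value = m.groups()
        fields = value.split(":")
        if len(fields) >= 5:
            scope, mode, name, malformed = fields[2], fields[3], ":".join(fields[4:]), False
        else:
            scope, mode, name, malformed = "*", "Enabled", ":".join(fields[2:]), True
        entries.append({"port": int(port), "proto": proto, "scope": scope,
                        "mode": mode, "name": name.strip(), "malformed": malformed})
    return entries


def suspicious_ports(log: str) -> list[dict]:
    """Enabled exceptions a responder should question, each with its reasons."""
    flagged = []
    for e in parse_open_ports(log):
        if e["mode"].lower() == "disabled":
            continue
        reasons = []
        if e["malformed"]:
            reasons.append("malformed entry (missing scope/mode fields)")
        if e["name"].lower() in GENERIC_NAMES:
            reasons.append("no program named")
        if e["port"] == RDP_PORT:
            reasons.append("RDP (3389) globally open")
        if e["port"] >= EPHEMERAL_MIN:
            reasons.append("port in ephemeral range")
        if reasons:
            flagged.append({**e, "reasons": reasons})
    return flagged


def missing_binary_services(log: str) -> list[str]:
    """Names of R*/S* services whose image file the log marks as not found ("[?]")."""
    matches = (SERVICE_LINE.match(l.strip()) for l in log.splitlines())
    return [m.group(2) for m in matches if m and m.group(4).rstrip().endswith("[?]")]


def cfscript_remove_ports(flagged: list[dict]) -> str:
    """Registry:: block, in the form used in the thread, deleting the flagged values."""
    key = r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]"
    lines = ["Registry::", key] + ['"%d:%s"=-' % (e["port"], e["proto"]) for e in flagged]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hits = suspicious_ports(SAMPLE_LOG)
    for e in hits:
        print("%5d/%s %-18s %s" % (e["port"], e["proto"], e["name"], "; ".join(e["reasons"])))
    print("services with missing binaries:", missing_binary_services(SAMPLE_LOG))
    print(cfscript_remove_ports(hits))
```

Run on the sample it reports 65533/TCP, 52344/TCP and 3389/TCP, which are exactly the three values the helper removed in posts #5 and #7, and lists xpsec, SSPORT, npggsvc and XDva375 as services whose binaries are absent. A missing binary is not proof of malware (GameGuard and printer-port drivers are routinely left behind by uninstalls), but it is the cheap first filter before uploading anything to a scanner.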



