
[Resolved] hxxp://67.201.36.16/nolink.html pop up virus


  • This topic is locked
23 replies to this topic

#1 Icoris

  • Authentic Member
  • 29 posts

Posted 13 November 2009 - 10:06 AM

Been getting random popups of a new window in Firefox including the link: hxxp://67.201.36.16/nolink.html and various other links. Also, for some reason, I'm unable to start up Windows in safe mode (it's not that I don't know how, it just restarts again when told to start in safe mode).

Rootrepeal LOG:
ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/11/14 03:00
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA9BAF000 Size: 49152 File Visible: No Signed: -
Status: -

==EOF==

DDS:
DDS (Ver_09-10-26.01) - NTFSx86
Run by Administrator at 3:01:04.12 on Sat 11/14/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3326.2240 [GMT 11:00]

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Megaupload\Mega Manager\MegaManager.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Documents and Settings\Administrator\Desktop\RootRepeal.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: IeMonitorBho Class: {bf00e119-21a3-4fd1-b178-3b8537e75c92} - c:\program files\megaupload\mega manager\MegaIEMn.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [UnlockerAssistant] c:\program files\unlocker\UnlockerAssistant.exe -H
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1256242706359
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1256242617750
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\97mip8de.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/|http://www.allkpop.com/|http://seoulbeats.com/
FF - plugin: c:\documents and settings\administrator\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: XULRunner: {1A9570E9-41F9-4939-A640-87912928343D} - c:\documents and settings\administrator\local settings\application data\{1A9570E9-41F9-4939-A640-87912928343D}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R2 GEST Service;GEST Service for program management.;c:\program files\gigabyte\energysaver\GSvr.exe [2009-10-23 80392]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2009-10-23 93696]

=============== Created Last 30 ================

2009-11-12 10:25:46 120 ----a-w- c:\windows\Rmatanonu.dat
2009-11-12 10:25:46 0 ----a-w- c:\windows\Irediriqurejada.bin
2009-11-10 08:05:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-10 08:05:32 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-10 07:34:18 0 d-sha-r- C:\cmdcons
2009-11-10 07:33:02 98816 ----a-w- c:\windows\sed.exe
2009-11-10 07:33:02 77312 ----a-w- c:\windows\MBR.exe
2009-11-10 07:33:02 267264 ----a-w- c:\windows\PEV.exe
2009-11-10 07:33:02 161792 ----a-w- c:\windows\SWREG.exe
2009-11-10 07:17:25 0 d-----w- c:\documents and settings\administrator\DoctorWeb
2009-11-10 06:51:50 0 d-----w- c:\program files\trend micro
2009-11-10 06:44:15 160272 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-11-10 06:35:52 2126 ----a-w- c:\windows\system32\wpa.dbl
2009-11-10 06:31:32 0 d-----w- c:\docume~1\alluse~1\applic~1\9bee7c1
2009-11-09 13:43:01 0 d-----w- c:\program files\Steam
2009-11-06 02:12:16 212240 ----a-w- c:\windows\system32\richtx32.OCX
2009-11-06 02:12:16 152848 ----a-w- c:\windows\system32\comdlg32.OCX
2009-11-06 02:12:16 124688 ----a-w- c:\windows\system32\MSWINSCK.ocx
2009-11-06 01:57:09 0 d-----w- c:\docume~1\admini~1\applic~1\MessengerDiscovery 2
2009-11-06 01:38:40 0 d-----w- c:\documents and settings\administrator\Tracing
2009-11-06 01:37:41 0 d-----w- c:\program files\Microsoft
2009-11-06 01:37:16 0 d-----w- c:\program files\Windows Live SkyDrive
2009-11-06 01:35:10 0 d-----w- c:\program files\common files\Windows Live
2009-10-26 06:14:20 0 d-----w- c:\program files\VideoLAN
2009-10-26 01:35:27 0 d-sh--w- c:\documents and settings\administrator\IECompatCache
2009-10-23 18:05:32 50 ----a-w- c:\windows\MegaManager.INI
2009-10-23 17:30:44 3241 ----a-w- c:\windows\system32\wbem\Outlook_01ca54068cf9279a.mof
2009-10-23 16:39:20 0 d-----w- c:\docume~1\admini~1\applic~1\Megaupload
2009-10-23 14:46:28 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-10-23 14:46:28 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-10-23 14:23:12 0 d-----w- c:\windows\system32\appmgmt
2009-10-23 14:21:40 0 d-----w- c:\program files\Combined Community Codec Pack
2009-10-23 14:08:33 0 dc-h--w- c:\windows\ie8
2009-10-23 11:16:47 0 d-----w- c:\docume~1\alluse~1\applic~1\Messenger Plus!
2009-10-23 10:59:01 0 d-----w- c:\program files\Megaupload
2009-10-23 10:57:15 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-10-23 10:57:10 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-23 10:57:10 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-23 10:53:30 0 d-----w- c:\program files\uTorrent
2009-10-23 10:52:55 0 d-----w- c:\docume~1\admini~1\applic~1\uTorrent
2009-10-23 10:50:10 0 d-----w- c:\program files\common files\Adobe Systems Shared
2009-10-23 10:45:49 32 ----a-w- c:\windows\CD_Start.INI
2009-10-23 10:40:38 32592 ----a-w- c:\windows\system32\msonpmon.dll
2009-10-23 10:37:19 0 d-----w- c:\program files\Microsoft Visual Studio 8
2009-10-23 10:36:37 0 d-----w- c:\windows\SHELLNEW
2009-10-23 08:32:32 0 d-----w- c:\program files\Messenger Plus! Live
2009-10-23 07:50:10 764868 -c----w- c:\windows\system32\dllcache\apph_sp.sdb
2009-10-23 07:50:10 217118 -c----w- c:\windows\system32\dllcache\apphelp.sdb
2009-10-23 07:50:09 1197294 -c----w- c:\windows\system32\dllcache\sysmain.sdb
2009-10-23 06:21:46 21504 ----a-w- c:\windows\system32\hidserv.dll
2009-10-23 06:21:36 59264 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2009-10-23 06:21:32 31616 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2009-10-23 06:19:10 0 d-----w- c:\windows\system32\LogFiles
2009-10-23 05:42:11 8192 ----a-w- c:\windows\REGLOCS.OLD
2009-10-23 05:17:21 0 d-----w- c:\program files\Ventrilo
2009-10-23 05:17:15 262 ----a-w- c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
2009-10-23 05:15:09 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-10-23 05:03:44 57472 ----a-w- c:\windows\system32\drivers\redbook.sys
2009-10-23 05:03:14 6400 ----a-w- c:\windows\system32\drivers\enum1394.sys
2009-10-23 05:02:50 74240 ----a-w- c:\windows\system32\usbui.dll
2009-10-23 05:00:43 0 d-----w- c:\program files\common files\ODBC
2009-10-23 05:00:40 0 d-----w- c:\program files\common files\SpeechEngines
2009-10-23 05:00:19 0 d-----r- c:\documents and settings\all users\Documents
2009-10-23 04:23:59 0 dcsh--w- c:\program files\common files\WindowsLiveInstaller
2009-10-22 20:23:35 0 d-----w- c:\program files\iPod
2009-10-22 20:23:34 0 d-----w- c:\program files\iTunes
2009-10-22 20:23:34 0 d-----w- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-10-22 20:23:25 0 d-----w- c:\program files\Bonjour
2009-10-22 19:55:59 0 d-----w- c:\program files\common files\ATI Technologies
2009-10-22 19:52:20 0 d-----w- c:\program files\ATI Technologies
2009-10-22 19:48:44 0 d-----w- c:\program files\Heroes of Newerth
2009-10-22 19:42:24 0 d-----w- c:\program files\Linksys Wireless-G PCI Wireless Network Monitor
2009-10-22 19:37:54 0 d-----w- c:\program files\Creative
2009-10-22 19:29:06 0 d-----w- c:\program files\Realtek
2009-10-22 19:25:40 0 d-----w- c:\program files\GIGABYTE
2009-10-22 19:19:27 0 d-----w- c:\program files\Symantec
2009-10-22 19:19:21 0 d-----w- c:\program files\Symantec Client Security
2009-10-22 19:19:21 0 d-----w- c:\program files\common files\Symantec Shared
2009-10-22 19:19:21 0 d-----w- c:\docume~1\alluse~1\applic~1\Symantec
2009-10-22 19:18:34 0 d-----w- c:\program files\Nero
2009-10-22 19:18:01 0 d-----w- c:\program files\Real Alternative
2009-10-22 19:17:53 0 d-----w- c:\program files\QuickTime Alternative
2009-10-22 19:17:53 0 d-----w- c:\program files\Media Player Classic
2009-10-22 19:17:47 0 d-----w- c:\program files\K-Lite Codec Pack
2009-10-22 19:10:43 0 d-sh--w- c:\documents and settings\all users\DRM
2009-10-22 19:10:24 0 d--h--w- c:\program files\WindowsUpdate
2009-10-22 19:09:34 0 d-----w- c:\program files\common files\MSSoap
2009-10-22 19:08:23 0 d-----w- c:\program files\Online Services
2009-10-22 19:08:16 0 d-----w- c:\program files\Windows Media Connect 2
2009-10-22 19:07:55 0 d-----w- c:\program files\Desktop
2009-10-22 19:07:54 0 d-----w- c:\program files\Unlocker
2009-10-22 19:07:54 0 d-----w- c:\program files\Microsoft PowerToys
2009-10-22 19:07:54 0 d-----w- c:\program files\HashTab Shell Extension
2009-10-22 19:07:52 0 d-----w- c:\program files\Messenger
2009-10-22 19:07:49 0 d-----w- c:\program files\MSN Gaming Zone
2009-10-22 19:07:14 0 d-----w- c:\program files\Windows NT

==================== Find3M ====================

2009-11-13 02:25:51 16608 ----a-w- c:\windows\gdrv.sys
2009-10-22 19:42:31 20747 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-10-22 19:29:03 315392 ----a-w- c:\windows\HideWin.exe
2009-10-22 19:08:44 21640 ----a-w- c:\windows\system32\emptyregdb.dat

============= FINISH: 3:02:00.73 ===============
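Added as a defender-side illustration, not code from this thread or from any of the tools named in it: a Python triage pass over lines in the DDS and ComboFix formats quoted here. It flags the patterns the helper's tools later act on in this thread: a Firefox extension registered in the registry but installed in a per-user folder named after its own GUID (the entry GooredFix deletes), small data files dropped straight into the Windows root, a hex-named folder under Application Data, and a copy of a core system file outside system32. The size threshold and the CORE_SYSTEM_FILES list are the editor's own assumptions, not anything the tools publish.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: entries copied from the DDS and ComboFix output quoted in
# this thread, plus two benign control lines (MegaManager.INI, Malwarebytes).
SAMPLE_LOG = r"""
FF - HiddenExtension: XULRunner: {1A9570E9-41F9-4939-A640-87912928343D} - c:\documents and settings\administrator\local settings\application data\{1A9570E9-41F9-4939-A640-87912928343D}
2009-11-12 10:25:46 120 ----a-w- c:\windows\Rmatanonu.dat
2009-11-12 10:25:46 0 ----a-w- c:\windows\Irediriqurejada.bin
2009-11-10 06:31:32 0 d-----w- c:\docume~1\alluse~1\applic~1\9bee7c1
2009-11-10 06:31 . 2009-11-10 07:16 0 ----a-r- c:\windows\win32k.sys
2009-11-10 08:05:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-23 18:05:32 50 ----a-w- c:\windows\MegaManager.INI
2009-10-23 10:57 . 2009-10-23 10:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
"""

# DDS: "FF - HiddenExtension: <kind>: {GUID} - <install path>"
EXT_RE = re.compile(r"^FF - HiddenExtension: .*?(\{[0-9A-Fa-f-]{36}\}) - (.+)$")

# DDS "Created Last 30" and ComboFix file lines:
# "<created> [. <modified>] <size or --------> <8 attribute flags> <path>"
FILE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?::\d{2})?)"  # creation timestamp
    r"(?: \. \d{4}-\d{2}-\d{2} \d{2}:\d{2})?"      # ComboFix appends a modification timestamp
    r" (\d+|-+) ([a-z-]{8}) (.+)$"                 # size (dashes for directories), attributes, path
)

# Assumed list: names the thread shows as infected or decoyed. A copy of one of
# these living anywhere but system32 deserves a second look.
CORE_SYSTEM_FILES = {"win32k.sys", "eventlog.dll", "calc.exe", "mstsc.exe"}


def check_hidden_extension(guid, path):
    """Return a reason string if a registry-registered Firefox extension looks planted."""
    p = path.lower()
    if guid.lower() in p:
        # The install folder carries the extension's own GUID, under a per-user
        # data directory: the layout seen in the DDS log above.
        return "extension installed in a per-user folder named after its own GUID"
    if "\\mozilla\\firefox\\" not in p and "\\program files\\" not in p:
        return "registry-registered extension outside Firefox's own directories"
    return None


def check_created_file(size, attrs, path):
    """Return a reason string for a suspicious file/directory entry, else None."""
    wp = PureWindowsPath(path)
    name, parent = wp.name.lower(), str(wp.parent).lower()
    is_dir = attrs[0] == "d"
    if not is_dir and name in CORE_SYSTEM_FILES and not parent.endswith("\\system32"):
        return "system file name outside system32"
    if (not is_dir and parent == "c:\\windows"
            and wp.suffix.lower() in {".dat", ".bin"} and size < 1024):
        # Assumed threshold: tiny data files written straight into %windir%.
        return "small data file dropped directly in %windir%"
    if is_dir and re.fullmatch(r"[0-9a-f]{6,}", name) and (
            "application data" in parent or "applic~1" in parent):
        return "hex-named directory under Application Data"
    return None


def triage(log_text):
    """Parse DDS/ComboFix lines and return [(path, reason), ...] for flagged entries."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = EXT_RE.match(line)
        if m:
            reason = check_hidden_extension(m.group(1), m.group(2))
            if reason:
                findings.append((m.group(2), reason))
            continue
        m = FILE_RE.match(line)
        if m:
            _, size, attrs, path = m.groups()
            reason = check_created_file(int(size) if size.isdigit() else 0, attrs, path)
            if reason:
                findings.append((path, reason))
    return findings


if __name__ == "__main__":
    for path, reason in triage(SAMPLE_LOG):
        print(f"{reason}: {path}")
```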



#2 CatByte

  • Classroom Administrator
  • 21,059 posts
  • MVP

Posted 13 November 2009 - 10:13 AM

I see you have run ComboFix... please post the log(s).

They can be found at C:\combofix.txt or C:\qoobox\combofix2.txt, C:\qoobox\combofix3.txt etc.

Please run the following:

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#3 Icoris

  • Authentic Member
  • 29 posts

Posted 13 November 2009 - 09:14 PM

Yeah, I ran ComboFix because my comp was in such a bad condition: msa.exe and a.exe installed themselves somehow, and mbam.exe wouldn't run even though I renamed it a couple of times. I'll post the logs in a sec. Also getting a random window opening with a popup to hxxp://www.directrdr.com/vtrack.php?pid=32...pages%2Fim.aspx, and then a casino site.

COMBOLOG:
ComboFix 09-11-09.01 - Administrator 11/10/2009 18:35.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3326.2960 [GMT 11:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\kb913800.exe
c:\windows\run.log
c:\windows\system32\Data

2009-11-10 07:54:55 . 2009-11-10 07:54:55 306 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Notify-NavLogon.reg.dat
2009-11-10 07:45:25 . 2009-11-10 07:45:25 1,046 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}.reg.dat
2009-11-10 07:44:58 . 2009-11-10 07:44:58 7,036 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2009-11-10 07:32:45 . 2009-11-10 07:32:45 51 ----a-w- C:\Qoobox\Quarantine\catchme.log
2009-11-10 06:31:31 . 2009-11-10 06:31:31 10 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\run.log.vir
2002-12-31 12:00:00 . 2002-12-31 12:00:00 23,040 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\kb913800.exe.vir
2002-12-31 12:00:00 . 2002-12-31 12:00:00 61,952 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\eventlog.dll.vir

GOORED LOG:
GooredFix by jpshortstuff (09.11.09.1)
Log created at 14:15 on 14/11/2009 (Administrator)
Firefox version 3.5.5 (en-US)

========== GooredScan ==========

Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{1A9570E9-41F9-4939-A640-87912928343D} -> Success!
Deleting C:\Documents and Settings\Administrator\Local Settings\Application Data\{1A9570E9-41F9-4939-A640-87912928343D} -> Success!

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [19:52 22/10/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
(none)

-=E.O.F=-

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\system32\logevent.dll

c:\windows\system32\calc.exe . . . is infected!!

c:\windows\system32\mstsc.exe . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}


((((((((((((((((((((((((( Files Created from 2009-10-10 to 2009-11-10 )))))))))))))))))))))))))))))))
.

2009-11-10 07:17 . 2009-11-10 07:22 -------- d-----w- c:\documents and settings\Administrator\DoctorWeb
2009-11-10 06:59 . 2009-09-10 03:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-10 06:59 . 2009-09-10 03:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-10 06:51 . 2009-11-10 07:09 -------- d-----w- c:\program files\trend micro
2009-11-10 06:51 . 2009-11-10 06:51 -------- d-----w- C:\rsit
2009-11-10 06:44 . 2009-11-10 06:44 160272 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-11-10 06:40 . 2009-11-10 06:40 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-11-10 06:31 . 2009-11-10 07:16 0 ----a-r- c:\windows\win32k.sys
2009-11-10 06:31 . 2009-11-10 06:31 -------- d-----w- c:\documents and settings\All Users\Application Data\9bee7c1
2009-11-09 13:43 . 2009-11-10 01:33 -------- d-----w- c:\program files\Steam
2009-11-06 01:57 . 2009-11-06 01:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\MessengerDiscovery 2
2009-11-06 01:38 . 2009-11-10 06:56 -------- d-----w- c:\documents and settings\Administrator\Tracing
2009-11-06 01:37 . 2009-11-06 01:37 -------- d-----w- c:\program files\Microsoft
2009-11-06 01:37 . 2009-11-06 01:37 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-11-06 01:35 . 2009-11-06 01:35 -------- d-----w- c:\program files\Common Files\Windows Live
2009-10-29 07:49 . 2009-10-29 11:32 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-10-29 07:48 . 2009-10-29 07:48 1961720 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-10-26 06:15 . 2009-11-10 05:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2009-10-26 06:14 . 2009-10-26 06:14 -------- d-----w- c:\program files\VideoLAN
2009-10-26 01:35 . 2009-10-26 01:35 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2009-10-23 16:39 . 2009-10-23 16:39 -------- d-----w- c:\documents and settings\Administrator\Application Data\Megaupload
2009-10-23 14:46 . 2009-10-23 15:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-23 14:46 . 2009-10-23 14:48 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-23 14:21 . 2009-10-23 14:21 -------- d-----w- c:\program files\Combined Community Codec Pack
2009-10-23 14:08 . 2009-10-23 14:09 -------- dc-h--w- c:\windows\ie8
2009-10-23 11:18 . 2009-11-01 11:23 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Temp
2009-10-23 11:18 . 2009-10-23 11:18 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2009-10-23 11:16 . 2009-10-25 11:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Messenger Plus!
2009-10-23 10:59 . 2009-10-23 10:59 -------- d-----w- c:\program files\Megaupload
2009-10-23 10:57 . 2009-10-23 10:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-10-23 10:57 . 2009-11-10 07:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-23 10:57 . 2009-10-23 10:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-23 10:53 . 2009-10-23 10:53 -------- d-----w- c:\program files\uTorrent
2009-10-23 10:52 . 2009-11-10 02:11 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2009-10-23 10:50 . 2009-10-23 10:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Adobe Systems
2009-10-23 10:50 . 2009-10-23 10:50 -------- d-----w- c:\program files\Common Files\Adobe Systems Shared
2009-10-23 10:44 . 2009-10-26 07:58 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2009-10-23 10:40 . 2006-10-26 09:56 32592 ----a-w- c:\windows\system32\msonpmon.dll
2009-10-23 10:39 . 2009-10-23 10:39 -------- d-----w- c:\program files\Microsoft Works
2009-10-23 10:39 . 2009-10-23 10:39 -------- d-----w- c:\program files\MSBuild
2009-10-23 10:38 . 2009-10-23 10:38 -------- d-----w- c:\program files\Microsoft.NET
2009-10-23 10:37 . 2009-10-23 10:37 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-10-23 10:36 . 2009-10-23 10:39 -------- d-----w- c:\windows\SHELLNEW
2009-10-23 10:36 . 2009-10-23 10:36 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft Help
2009-10-23 10:36 . 2009-10-23 14:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-23 10:35 . 2009-10-23 10:35 -------- d-----r- C:\MSOCache
2009-10-23 08:32 . 2009-10-23 08:32 -------- d-----w- c:\program files\Messenger Plus! Live
2009-10-23 07:50 . 2002-12-31 12:00 25600 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2009-10-23 06:29 . 2009-10-23 07:49 -------- d-----w- c:\windows\system32\drivers\umdf
2009-10-23 06:21 . 2004-08-03 14:56 21504 ----a-w- c:\windows\system32\hidserv.dll
2009-10-23 06:21 . 2004-08-03 13:07 59264 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2009-10-23 06:21 . 2004-08-03 13:08 31616 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2009-10-23 06:19 . 2009-10-23 07:49 -------- d-----w- c:\windows\system32\LogFiles
2009-10-23 05:45 . 2009-10-23 05:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\Media Player Classic
2009-10-23 05:17 . 2009-11-01 09:08 -------- d-----w- c:\documents and settings\Administrator\Application Data\Ventrilo
2009-10-23 05:17 . 2009-10-23 05:17 -------- d-----w- c:\program files\Ventrilo
2009-10-23 05:15 . 2009-10-23 05:17 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-23 05:03 . 2004-08-03 22:59 57472 ----a-w- c:\windows\system32\drivers\redbook.sys
2009-10-23 05:03 . 2001-08-17 13:46 6400 ----a-w- c:\windows\system32\drivers\enum1394.sys
2009-10-23 05:02 . 2004-08-03 14:56 74240 ----a-w- c:\windows\system32\usbui.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-10 07:52 . 2009-10-22 19:24 16608 ----a-w- c:\windows\gdrv.sys
2009-11-07 07:08 . 2009-10-22 19:48 -------- d-----w- c:\program files\Heroes of Newerth
2009-11-06 02:17 . 2009-10-22 19:07 -------- d-----w- c:\program files\Unlocker
2009-11-06 01:36 . 2009-10-23 04:23 -------- d-----w- c:\program files\Windows Live
2009-10-24 10:01 . 2009-10-22 19:10 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-10-23 14:22 . 2009-10-22 19:19 -------- d-----w- c:\program files\Symantec
2009-10-23 14:22 . 2009-10-22 19:19 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-10-23 14:22 . 2009-10-22 19:19 -------- d-----w- c:\program files\Symantec Client Security
2009-10-23 14:22 . 2009-10-22 19:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-10-23 14:21 . 2009-10-22 19:20 40 ----a-w- c:\windows\system32\profile.dat
2009-10-23 11:16 . 2009-10-22 20:03 75032 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-23 10:59 . 2009-10-22 19:25 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-23 10:52 . 2009-10-22 19:18 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-23 05:17 . 2009-10-22 20:10 -------- d-----w- c:\documents and settings\Administrator\Application Data\Winamp
2009-10-23 05:01 . 2009-10-22 19:08 -------- d-----w- c:\program files\Windows Media Connect 2
2009-10-23 04:49 . 2009-10-22 20:10 -------- d-----w- c:\program files\Winamp
2009-10-23 04:25 . 2009-10-23 04:23 -------- dcsh--w- c:\program files\Common Files\WindowsLiveInstaller
2009-10-23 04:23 . 2009-10-23 04:23 -------- d-----w- c:\documents and settings\All Users\Application Data\WLInstaller
2009-10-22 20:23 . 2009-10-22 20:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2009-10-22 20:23 . 2009-10-22 20:23 -------- d-----w- c:\program files\iTunes
2009-10-22 20:23 . 2009-10-22 20:23 -------- d-----w- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-10-22 20:23 . 2009-10-22 20:23 -------- d-----w- c:\program files\iPod
2009-10-22 20:23 . 2009-10-22 19:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-10-22 20:23 . 2009-10-22 20:23 -------- d-----w- c:\program files\Bonjour
2009-10-22 20:23 . 2009-10-22 19:17 -------- d-----w- c:\program files\QuickTime Alternative
2009-10-22 20:22 . 2009-10-22 20:22 -------- d-----w- c:\program files\Apple Software Update
2009-10-22 20:22 . 2009-10-22 20:22 -------- d-----w- c:\program files\Common Files\Apple
2009-10-22 20:22 . 2009-10-22 20:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-10-22 20:02 . 2009-10-22 20:02 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI
2009-10-22 20:02 . 2009-10-22 20:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\ATI
2009-10-22 20:02 . 2009-10-22 20:02 0 ----a-w- c:\windows\ativpsrm.bin
2009-10-22 19:58 . 2009-10-22 19:52 -------- d-----w- c:\program files\ATI Technologies
2009-10-22 19:56 . 2009-10-22 19:56 9158 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{89DE67AD-08B8-4699-A55D-CA5C0AF82BF3}\ARPPRODUCTICON.exe
2009-10-22 19:55 . 2009-10-22 19:55 -------- d-----w- c:\program files\Common Files\ATI Technologies
2009-10-22 19:52 . 2009-10-22 19:52 0 ----a-w- c:\windows\nsreg.dat
2009-10-22 19:49 . 2009-10-22 19:49 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-22 19:44 . 2009-10-22 19:37 -------- d-----w- c:\program files\Creative
2009-10-22 19:42 . 2009-10-22 19:42 20747 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-10-22 19:42 . 2009-10-22 19:42 -------- d-----w- c:\program files\Linksys Wireless-G PCI Wireless Network Monitor
2009-10-22 19:38 . 2009-10-22 19:25 -------- d-----w- c:\program files\Common Files\InstallShield
2009-10-22 19:31 . 2009-10-22 19:29 -------- d-----w- c:\program files\Realtek
2009-10-22 19:31 . 2009-10-22 19:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\InstallShield
2009-10-22 19:29 . 2009-10-22 19:29 315392 ----a-w- c:\windows\HideWin.exe
2009-10-22 19:26 . 2009-10-22 19:26 -------- d-----w- c:\program files\Intel
2009-10-22 19:25 . 2009-10-22 19:25 -------- d-----w- c:\program files\GIGABYTE
2009-10-22 19:18 . 2009-10-22 19:18 -------- d-----w- c:\program files\Nero
2009-10-22 19:18 . 2009-10-22 19:18 -------- d-----w- c:\program files\Common Files\Ahead
2009-10-22 19:18 . 2009-10-22 19:18 -------- d-----w- c:\program files\7-Zip
2009-10-22 19:18 . 2009-10-22 19:18 -------- d-----w- c:\program files\Real Alternative
2009-10-22 19:17 . 2009-10-22 19:17 -------- d-----w- c:\program files\Media Player Classic
2009-10-22 19:17 . 2009-10-22 19:17 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-10-22 19:17 . 2009-10-22 19:17 2232 ----a-w- c:\windows\java\Packages\Data\XFXJZL3H.DAT
2009-10-22 19:17 . 2009-10-22 19:17 155995 ----a-w- c:\windows\java\Packages\JXZHJVNN.ZIP
2009-10-22 19:17 . 2009-10-22 19:17 2678 ----a-w- c:\windows\java\Packages\Data\IYRBJXV5.DAT
2009-10-22 19:17 . 2009-10-22 19:17 2678 ----a-w- c:\windows\java\Packages\Data\ZXN7XJTF.DAT
2009-10-22 19:17 . 2009-10-22 19:17 2678 ----a-w- c:\windows\java\Packages\Data\ZFRHB9J3.DAT
2009-10-22 19:17 . 2009-10-22 19:17 2678 ----a-w- c:\windows\java\Packages\Data\EV7HBBZ5.DAT
2009-10-22 19:17 . 2009-10-22 19:17 2678 ----a-w- c:\windows\java\Packages\Data\3Z9BJX71.DAT
2009-10-22 19:08 . 2009-10-22 19:08 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-10-22 19:07 . 2009-10-22 19:07 -------- d-----w- c:\program files\Desktop
2009-10-22 19:07 . 2009-10-22 19:07 -------- d-----w- c:\program files\Microsoft PowerToys
2009-10-22 19:07 . 2009-10-22 19:07 -------- d-----w- c:\program files\HashTab Shell Extension
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2006-09-07 15872]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-05-07 16862208]
"P17Helper"="P17.dll" - c:\windows\system32\P17.dll [2005-05-03 64512]

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wscsvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Heroes of Newerth\\hon.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Steam\\steamapps\\bu5ter69@hotmail.com\\counter-strike\\hl.exe"=

R2 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\EnergySaver\GSvr.exe [10/23/2009 6:25 AM 80392]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5
*NewlyCreated* - MBR
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-11-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-436374069-179605362-725345543-500Core.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-23 11:18]

2009-11-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-436374069-179605362-725345543-500UA.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-23 11:18]

2009-10-22 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2009-10-22 07:32]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\97mip8de.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/|http://www.allkpop.com/|http://seoulbeats.com/
FF - plugin: c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

Notify-NavLogon - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-10 18:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-436374069-179605362-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,47,f0,3e,7f,57,39,04,40,b0,a8,ff,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,47,f0,3e,7f,57,39,04,40,b0,a8,ff,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(620)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3284)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\Rundll32.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
.
**************************************************************************
.
Completion time: 2009-11-10 18:56 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-10 07:56

Pre-Run: 39,316,762,624 bytes free
Post-Run: 41,844,879,360 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 1023623514702D0FBB718B6C6CDC6B2E

Edited by CatByte, 13 November 2009 - 09:24 PM.


#4 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,059 posts
  • MVP

Posted 13 November 2009 - 10:26 PM

Hi,

I'd like you to delete the copy of ComboFix from your desktop.

Download a fresh copy from one of the following links and run it. Be sure to disable your security programs.

Post the resulting log.

Link 1
Link 2

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#5 Icoris

Icoris

    Authentic Member

  • Authentic Member
  • PipPip
  • 29 posts

Posted 14 November 2009 - 03:42 AM

ComboFix 09-11-14.01 - Administrator 11/14/2009 20:34.2.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3326.2955 [GMT 11:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :P
c:\windows\system32\calc.exe . . . is infected!!

c:\windows\system32\mstsc.exe . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}


((((((((((((((((((((((((( Files Created from 2009-10-14 to 2009-11-14 )))))))))))))))))))))))))))))))
.

2009-11-12 10:25 . 2009-11-12 12:27 120 ----a-w- c:\windows\Rmatanonu.dat
2009-11-12 10:25 . 2009-11-12 10:25 0 ----a-w- c:\windows\Irediriqurejada.bin
2009-11-10 08:05 . 2009-09-10 03:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-10 08:05 . 2009-09-10 03:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-10 07:17 . 2009-11-10 07:22 -------- d-----w- c:\documents and settings\Administrator\DoctorWeb
2009-11-10 06:51 . 2009-11-14 03:20 -------- d-----w- c:\program files\trend micro
2009-11-10 06:51 . 2009-11-10 06:51 -------- d-----w- C:\rsit
2009-11-10 06:44 . 2009-11-10 06:44 160272 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-11-10 06:40 . 2009-11-10 06:40 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-11-10 06:31 . 2009-11-10 06:31 -------- d-----w- c:\documents and settings\All Users\Application Data\9bee7c1
2009-11-09 13:43 . 2009-11-10 09:01 -------- d-----w- c:\program files\Steam
2009-11-06 01:57 . 2009-11-06 01:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\MessengerDiscovery 2
2009-11-06 01:38 . 2009-11-14 08:56 -------- d-----w- c:\documents and settings\Administrator\Tracing
2009-11-06 01:37 . 2009-11-06 01:37 -------- d-----w- c:\program files\Microsoft
2009-11-06 01:37 . 2009-11-06 01:37 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-11-06 01:35 . 2009-11-06 01:35 -------- d-----w- c:\program files\Common Files\Windows Live
2009-10-29 07:49 . 2009-10-29 11:32 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-10-29 07:48 . 2009-10-29 07:48 1961720 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-10-26 06:15 . 2009-11-14 09:15 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2009-10-26 06:14 . 2009-10-26 06:14 -------- d-----w- c:\program files\VideoLAN
2009-10-26 01:35 . 2009-10-26 01:35 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2009-10-23 16:39 . 2009-10-23 16:39 -------- d-----w- c:\documents and settings\Administrator\Application Data\Megaupload
2009-10-23 14:46 . 2009-11-10 08:02 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-23 14:46 . 2009-11-10 08:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-23 14:21 . 2009-10-23 14:21 -------- d-----w- c:\program files\Combined Community Codec Pack
2009-10-23 14:08 . 2009-10-23 14:09 -------- dc-h--w- c:\windows\ie8
2009-10-23 11:18 . 2009-11-12 03:28 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Temp
2009-10-23 11:18 . 2009-10-23 11:18 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2009-10-23 11:16 . 2009-10-25 11:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Messenger Plus!
2009-10-23 10:59 . 2009-10-23 10:59 -------- d-----w- c:\program files\Megaupload
2009-10-23 10:57 . 2009-10-23 10:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-10-23 10:57 . 2009-11-10 08:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-23 10:57 . 2009-10-23 10:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-23 10:53 . 2009-10-23 10:53 -------- d-----w- c:\program files\uTorrent
2009-10-23 10:52 . 2009-11-10 15:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2009-10-23 10:50 . 2009-10-23 10:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Adobe Systems
2009-10-23 10:50 . 2009-10-23 10:50 -------- d-----w- c:\program files\Common Files\Adobe Systems Shared
2009-10-23 10:44 . 2009-10-26 07:58 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2009-10-23 10:40 . 2006-10-26 09:56 32592 ----a-w- c:\windows\system32\msonpmon.dll
2009-10-23 10:39 . 2009-10-23 10:39 -------- d-----w- c:\program files\Microsoft Works
2009-10-23 10:39 . 2009-10-23 10:39 -------- d-----w- c:\program files\MSBuild
2009-10-23 10:38 . 2009-10-23 10:38 -------- d-----w- c:\program files\Microsoft.NET
2009-10-23 10:37 . 2009-10-23 10:37 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-10-23 10:36 . 2009-10-23 10:39 -------- d-----w- c:\windows\SHELLNEW
2009-10-23 10:36 . 2009-10-23 10:36 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft Help
2009-10-23 10:36 . 2009-10-23 14:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-23 10:35 . 2009-10-23 10:35 -------- d-----r- C:\MSOCache
2009-10-23 08:32 . 2009-10-23 08:32 -------- d-----w- c:\program files\Messenger Plus! Live
2009-10-23 07:50 . 2002-12-31 12:00 25600 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2009-10-23 06:29 . 2009-10-23 07:49 -------- d-----w- c:\windows\system32\drivers\umdf
2009-10-23 06:21 . 2004-08-03 14:56 21504 ----a-w- c:\windows\system32\hidserv.dll
2009-10-23 06:21 . 2004-08-03 13:07 59264 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2009-10-23 06:21 . 2004-08-03 13:08 31616 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2009-10-23 06:19 . 2009-10-23 07:49 -------- d-----w- c:\windows\system32\LogFiles
2009-10-23 05:45 . 2009-10-23 05:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\Media Player Classic
2009-10-23 05:17 . 2009-11-01 09:08 -------- d-----w- c:\documents and settings\Administrator\Application Data\Ventrilo
2009-10-23 05:17 . 2009-10-23 05:17 -------- d-----w- c:\program files\Ventrilo
2009-10-23 05:15 . 2009-10-23 05:17 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-23 05:03 . 2004-08-03 22:59 57472 ----a-w- c:\windows\system32\drivers\redbook.sys
2009-10-23 05:03 . 2001-08-17 13:46 6400 ----a-w- c:\windows\system32\drivers\enum1394.sys
2009-10-23 05:02 . 2004-08-03 14:56 74240 ----a-w- c:\windows\system32\usbui.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-14 09:38 . 2009-10-22 19:24 16608 ----a-w- c:\windows\gdrv.sys
2009-11-14 03:31 . 2009-10-22 19:48 -------- d-----w- c:\program files\Heroes of Newerth
2009-11-11 02:16 . 2009-10-22 20:03 75032 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-06 02:17 . 2009-10-22 19:07 -------- d-----w- c:\program files\Unlocker
2009-11-06 01:36 . 2009-10-23 04:23 -------- d-----w- c:\program files\Windows Live
2009-10-24 10:01 . 2009-10-22 19:10 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-10-23 14:22 . 2009-10-22 19:19 -------- d-----w- c:\program files\Symantec
2009-10-23 14:22 . 2009-10-22 19:19 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-10-23 14:22 . 2009-10-22 19:19 -------- d-----w- c:\program files\Symantec Client Security
2009-10-23 14:22 . 2009-10-22 19:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-10-23 14:21 . 2009-10-22 19:20 40 ----a-w- c:\windows\system32\profile.dat
2009-10-23 10:59 . 2009-10-22 19:25 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-23 10:52 . 2009-10-22 19:18 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-23 05:17 . 2009-10-22 20:10 -------- d-----w- c:\documents and settings\Administrator\Application Data\Winamp
2009-10-23 05:01 . 2009-10-22 19:08 -------- d-----w- c:\program files\Windows Media Connect 2
2009-10-23 04:49 . 2009-10-22 20:10 -------- d-----w- c:\program files\Winamp
2009-10-23 04:25 . 2009-10-23 04:23 -------- dcsh--w- c:\program files\Common Files\WindowsLiveInstaller
2009-10-23 04:23 . 2009-10-23 04:23 -------- d-----w- c:\documents and settings\All Users\Application Data\WLInstaller
2009-10-22 20:23 . 2009-10-22 20:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2009-10-22 20:23 . 2009-10-22 20:23 -------- d-----w- c:\program files\iTunes
2009-10-22 20:23 . 2009-10-22 20:23 -------- d-----w- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-10-22 20:23 . 2009-10-22 20:23 -------- d-----w- c:\program files\iPod
2009-10-22 20:23 . 2009-10-22 19:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-10-22 20:23 . 2009-10-22 20:23 -------- d-----w- c:\program files\Bonjour
2009-10-22 20:23 . 2009-10-22 19:17 -------- d-----w- c:\program files\QuickTime Alternative
2009-10-22 20:22 . 2009-10-22 20:22 -------- d-----w- c:\program files\Apple Software Update
2009-10-22 20:22 . 2009-10-22 20:22 -------- d-----w- c:\program files\Common Files\Apple
2009-10-22 20:22 . 2009-10-22 20:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-10-22 20:02 . 2009-10-22 20:02 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI
2009-10-22 20:02 . 2009-10-22 20:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\ATI
2009-10-22 20:02 . 2009-10-22 20:02 0 ----a-w- c:\windows\ativpsrm.bin
2009-10-22 19:58 . 2009-10-22 19:52 -------- d-----w- c:\program files\ATI Technologies
2009-10-22 19:56 . 2009-10-22 19:56 9158 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{89DE67AD-08B8-4699-A55D-CA5C0AF82BF3}\ARPPRODUCTICON.exe
2009-10-22 19:55 . 2009-10-22 19:55 -------- d-----w- c:\program files\Common Files\ATI Technologies
2009-10-22 19:52 . 2009-10-22 19:52 0 ----a-w- c:\windows\nsreg.dat
2009-10-22 19:49 . 2009-10-22 19:49 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-22 19:44 . 2009-10-22 19:37 -------- d-----w- c:\program files\Creative
2009-10-22 19:42 . 2009-10-22 19:42 20747 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-10-22 19:42 . 2009-10-22 19:42 -------- d-----w- c:\program files\Linksys Wireless-G PCI Wireless Network Monitor
2009-10-22 19:38 . 2009-10-22 19:25 -------- d-----w- c:\program files\Common Files\InstallShield
2009-10-22 19:31 . 2009-10-22 19:29 -------- d-----w- c:\program files\Realtek
2009-10-22 19:31 . 2009-10-22 19:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\InstallShield
2009-10-22 19:29 . 2009-10-22 19:29 315392 ----a-w- c:\windows\HideWin.exe
2009-10-22 19:26 . 2009-10-22 19:26 -------- d-----w- c:\program files\Intel
2009-10-22 19:25 . 2009-10-22 19:25 -------- d-----w- c:\program files\GIGABYTE
2009-10-22 19:18 . 2009-10-22 19:18 -------- d-----w- c:\program files\Nero
2009-10-22 19:18 . 2009-10-22 19:18 -------- d-----w- c:\program files\Common Files\Ahead
2009-10-22 19:18 . 2009-10-22 19:18 -------- d-----w- c:\program files\7-Zip
2009-10-22 19:18 . 2009-10-22 19:18 -------- d-----w- c:\program files\Real Alternative
2009-10-22 19:17 . 2009-10-22 19:17 -------- d-----w- c:\program files\Media Player Classic
2009-10-22 19:17 . 2009-10-22 19:17 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-10-22 19:17 . 2009-10-22 19:17 2232 ----a-w- c:\windows\java\Packages\Data\XFXJZL3H.DAT
2009-10-22 19:17 . 2009-10-22 19:17 155995 ----a-w- c:\windows\java\Packages\JXZHJVNN.ZIP
2009-10-22 19:17 . 2009-10-22 19:17 2678 ----a-w- c:\windows\java\Packages\Data\IYRBJXV5.DAT
2009-10-22 19:17 . 2009-10-22 19:17 2678 ----a-w- c:\windows\java\Packages\Data\ZXN7XJTF.DAT
2009-10-22 19:17 . 2009-10-22 19:17 2678 ----a-w- c:\windows\java\Packages\Data\ZFRHB9J3.DAT
2009-10-22 19:17 . 2009-10-22 19:17 2678 ----a-w- c:\windows\java\Packages\Data\EV7HBBZ5.DAT
2009-10-22 19:17 . 2009-10-22 19:17 2678 ----a-w- c:\windows\java\Packages\Data\3Z9BJX71.DAT
2009-10-22 19:08 . 2009-10-22 19:08 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-10-22 19:07 . 2009-10-22 19:07 -------- d-----w- c:\program files\Desktop
2009-10-22 19:07 . 2009-10-22 19:07 -------- d-----w- c:\program files\Microsoft PowerToys
2009-10-22 19:07 . 2009-10-22 19:07 -------- d-----w- c:\program files\HashTab Shell Extension
.

((((((((((((((((((((((((((((( SnapShot@2009-11-10_07.53.08 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-14 09:38 . 2009-11-14 09:38 16384 c:\windows\Temp\Perflib_Perfdata_62c.dat
+ 2009-11-10 06:40 . 2009-11-14 03:11 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-11-10 06:40 . 2009-11-10 07:32 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-11-10 06:40 . 2009-11-10 07:32 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2009-11-10 06:40 . 2009-11-14 03:11 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2009-11-10 07:57 . 2009-11-14 03:11 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-11-10 06:40 . 2009-11-10 07:32 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-10-23 04:55 . 2009-11-11 02:15 269392 c:\windows\system32\FNTCACHE.DAT
- 2009-10-23 04:55 . 2009-10-23 14:06 269392 c:\windows\system32\FNTCACHE.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2006-09-07 15872]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-05-07 16862208]
"P17Helper"="P17.dll" - c:\windows\system32\P17.dll [2005-05-03 64512]

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^lyesys32.exe]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\lyesys32.exe
backup=c:\windows\pss\lyesys32.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wscsvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Heroes of Newerth\\hon.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Steam\\steamapps\\bu5ter69@hotmail.com\\counter-strike\\hl.exe"=

R2 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\EnergySaver\GSvr.exe [10/23/2009 6:25 AM 80392]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-11-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-436374069-179605362-725345543-500Core.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-23 11:18]

2009-11-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-436374069-179605362-725345543-500UA.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-23 11:18]

2009-10-22 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2009-10-22 07:32]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\97mip8de.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/|http://www.allkpop.com/|http://seoulbeats.com/
FF - plugin: c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-14 20:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-436374069-179605362-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,47,f0,3e,7f,57,39,04,40,b0,a8,ff,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,47,f0,3e,7f,57,39,04,40,b0,a8,ff,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
@DACL=(02 0000)
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(616)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3556)
c:\program files\Unlocker\UnlockerHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\Rundll32.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
.
**************************************************************************
.
Completion time: 2009-11-14 20:40 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-14 09:40
ComboFix2.txt 2009-11-10 07:56

Pre-Run: 36,670,382,080 bytes free
Post-Run: 36,670,136,320 bytes free

- - End Of File - - 88F573D34959A54CC1FF4E45F772441B

#6 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,059 posts
  • MVP

Posted 14 November 2009 - 07:40 AM

Hi,

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

http://forums.whatthetech.com/hxxp_67_201_36_16_nolink_html_pop_up_virus_t108253.html&view=findpost&p=610596#entry610596

Collect::
c:\windows\Rmatanonu.dat

File::
c:\windows\Irediriqurejada.bin

Folder::
c:\documents and settings\All Users\Application Data\9bee7c1

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

[Screenshot: CFScript.txt being dragged onto ComboFix.exe]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

**Note**
When CF finishes running, the ComboFix log will open along with a message box; do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.


NEXT


Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :filefind
    *calc*
    *mstsc*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt



NEXT


  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT

Run an on-line scan with Kaspersky

Using Internet Explorer or Firefox, visit Kaspersky On-line Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
3. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.

    [Screenshot: Kaspersky scan report window]
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015
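The CFScript above was written by hand from the 'Files Created' listing in the log. As an added example, not ComboFix's code and not the helper's, here is a small Python parser for those listing lines that flags the three kinds of artifact the script targets and renders a draft Collect::/File::/Folder:: script in the same layout. The flagging rules and the creation-date window are the editor's assumptions; the sample lines are copied from the logs posted in this thread.

```python
"""Parse ComboFix 'Files Created' / 'Find3M' listing lines and draft a CFScript.
Added example for this thread, not ComboFix's or the helper's own code: the flagging
rules and the date window are the editor's assumptions; sample lines come from the
logs posted above."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# One listing line: "<created> . <modified> <size, or -------- for a folder> <attrs> <path>"
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[a-z-]{8}) (?P<path>\S.*)$")
TS = "%Y-%m-%d %H:%M"

@dataclass
class Entry:
    created: datetime
    modified: datetime
    size: Optional[int]  # None for folders (ComboFix prints --------)
    attrs: str           # e.g. ----a-w- (file) or d-sh--w- (hidden system folder)
    path: str
    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

def parse_entries(log_text: str) -> List[Entry]:
    """One Entry per listing line; section headers, '.' and blank lines are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            size = None if m["size"].startswith("-") else int(m["size"])
            entries.append(Entry(datetime.strptime(m["created"], TS),
                                 datetime.strptime(m["modified"], TS),
                                 size, m["attrs"], m["path"]))
    return entries

# Assumed rules mirroring the three artifacts the CFScript above targets: a data file
# dropped straight into c:\windows, a zero-byte file, a hex-named folder under All
# Users\Application Data. On their own they are noisy (see flag_entries).
IN_WINDOWS_ROOT = re.compile(r"^c:\\windows\\[^\\]+\.(dat|bin)$", re.IGNORECASE)
HEX_APPDATA_DIR = re.compile(
    r"^c:\\documents and settings\\all users\\application data\\[0-9a-f]{6,8}$", re.IGNORECASE)

def flag_reasons(e: Entry) -> List[str]:
    reasons = []
    if not e.is_dir and IN_WINDOWS_ROOT.match(e.path):
        reasons.append("data file directly under c:\\windows")
    if not e.is_dir and e.size == 0:
        reasons.append("zero-byte file")
    if e.is_dir and HEX_APPDATA_DIR.match(e.path):
        reasons.append("hex-named folder in All Users\\Application Data")
    return reasons

def flag_entries(entries: List[Entry], since: Optional[str] = None) -> List[Tuple[Entry, List[str]]]:
    """Entries created on/after `since` (YYYY-MM-DD) that trip a rule. The date window is
    what keeps legitimate zero-byte files such as the ATI driver's ativpsrm.bin out."""
    cutoff = datetime.strptime(since, "%Y-%m-%d") if since else None
    hits = []
    for e in entries:
        if cutoff is not None and e.created < cutoff:
            continue
        reasons = flag_reasons(e)
        if reasons:
            hits.append((e, reasons))
    return hits

def render_cfscript(collect=(), files=(), folders=()) -> str:
    """Emit Collect::/File::/Folder:: sections in the layout the post above uses."""
    chunks = []
    for header, paths in (("Collect::", collect), ("File::", files), ("Folder::", folders)):
        if paths:
            chunks.append("\n".join([header, *paths]))
    return "\n\n".join(chunks) + "\n"

def draft_script(log_text: str, since: Optional[str] = None) -> str:
    """Files with content go to Collect:: (a copy is submitted for analysis), zero-byte
    files to File::, folders to Folder::. A person still reviews the draft before use."""
    collect, files, folders = [], [], []
    for e, _ in flag_entries(parse_entries(log_text), since):
        if e.is_dir:
            folders.append(e.path)
        elif e.size == 0:
            files.append(e.path)
        else:
            collect.append(e.path)
    return render_cfscript(collect, files, folders)

# Constructed sample: lines copied from the 'Files Created' and 'Find3M' sections above.
SAMPLE_LOG = r"""
2009-11-12 10:25 . 2009-11-12 12:27 120 ----a-w- c:\windows\Rmatanonu.dat
2009-11-12 10:25 . 2009-11-12 10:25 0 ----a-w- c:\windows\Irediriqurejada.bin
2009-11-10 08:05 . 2009-09-10 03:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-10 06:31 . 2009-11-10 06:31 -------- d-----w- c:\documents and settings\All Users\Application Data\9bee7c1
2009-11-09 13:43 . 2009-11-10 09:01 -------- d-----w- c:\program files\Steam
2009-10-22 20:02 . 2009-10-22 20:02 0 ----a-w- c:\windows\ativpsrm.bin
"""
```

With `since="2009-11-01"` the draft reproduces the three entries of the CFScript above; without the window the ATI install-time file ativpsrm.bin is also flagged, which is why the date filter and a human review sit in front of any removal.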


#7 Icoris

Icoris

    Authentic Member

  • Authentic Member
  • PipPip
  • 29 posts

Posted 14 November 2009 - 09:47 AM

Since before the steps, that first time you've instructed me to run ComboFix, there have been no signs of popups/redirects (as of yet), and I'm able to run Windows in safe mode.

I'll keep updating this post as I'm doing these steps. Some things: in the code of CFScript, you put the link to this thread; am I supposed to copy that? When I ran ComboFix with the script, there was an update and I chose to update; will it affect the script and will I have to run it again? Anyway, here's the log:


EDIT: MBAM quick scan showed nothing.
EDIT2: Currently doing the Kaspersky scan, taking years to update, will post log when it's done.
ComboFix 09-11-14.03 - Administrator 11/15/2009 2:40.3.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3326.2791 [GMT 11:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\calc.exe . . . is infected!!

c:\windows\system32\mstsc.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2009-10-14 to 2009-11-14 )))))))))))))))))))))))))))))))
.

2009-11-14 10:21 . 2009-11-14 10:21 -------- d-----w- c:\program files\Microsoft
2009-11-14 10:21 . 2009-11-14 10:21 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-11-12 10:25 . 2009-11-12 12:27 120 ----a-w- c:\windows\Rmatanonu.dat
2009-11-12 10:25 . 2009-11-12 10:25 0 ----a-w- c:\windows\Irediriqurejada.bin
2009-11-10 08:05 . 2009-09-10 03:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-10 08:05 . 2009-09-10 03:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-10 07:17 . 2009-11-10 07:22 -------- d-----w- c:\documents and settings\Administrator\DoctorWeb
2009-11-10 06:51 . 2009-11-14 03:20 -------- d-----w- c:\program files\trend micro
2009-11-10 06:51 . 2009-11-10 06:51 -------- d-----w- C:\rsit
2009-11-10 06:44 . 2009-11-10 06:44 160272 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-11-10 06:40 . 2009-11-10 06:40 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-11-10 06:31 . 2009-11-10 06:31 -------- d-----w- c:\documents and settings\All Users\Application Data\9bee7c1
2009-11-09 13:43 . 2009-11-10 09:01 -------- d-----w- c:\program files\Steam
2009-11-06 01:57 . 2009-11-06 01:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\MessengerDiscovery 2
2009-11-06 01:38 . 2009-11-14 10:25 -------- d-----w- c:\documents and settings\Administrator\Tracing
2009-11-06 01:35 . 2009-11-06 01:35 -------- d-----w- c:\program files\Common Files\Windows Live
2009-10-29 07:49 . 2009-10-29 11:32 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-10-29 07:48 . 2009-10-29 07:48 1961720 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-10-26 06:15 . 2009-11-14 13:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2009-10-26 06:14 . 2009-10-26 06:14 -------- d-----w- c:\program files\VideoLAN
2009-10-26 01:35 . 2009-10-26 01:35 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2009-10-23 16:39 . 2009-10-23 16:39 -------- d-----w- c:\documents and settings\Administrator\Application Data\Megaupload
2009-10-23 14:46 . 2009-11-10 08:02 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-23 14:46 . 2009-11-10 08:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-23 14:21 . 2009-10-23 14:21 -------- d-----w- c:\program files\Combined Community Codec Pack
2009-10-23 14:08 . 2009-10-23 14:09 -------- dc-h--w- c:\windows\ie8
2009-10-23 11:18 . 2009-11-12 03:28 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Temp
2009-10-23 11:18 . 2009-10-23 11:18 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2009-10-23 11:16 . 2009-10-25 11:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Messenger Plus!
2009-10-23 10:59 . 2009-10-23 10:59 -------- d-----w- c:\program files\Megaupload
2009-10-23 10:57 . 2009-10-23 10:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-10-23 10:57 . 2009-11-10 08:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-23 10:57 . 2009-10-23 10:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-23 10:53 . 2009-10-23 10:53 -------- d-----w- c:\program files\uTorrent
2009-10-23 10:52 . 2009-11-10 15:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2009-10-23 10:50 . 2009-10-23 10:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Adobe Systems
2009-10-23 10:50 . 2009-10-23 10:50 -------- d-----w- c:\program files\Common Files\Adobe Systems Shared
2009-10-23 10:44 . 2009-10-26 07:58 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2009-10-23 10:40 . 2006-10-26 09:56 32592 ----a-w- c:\windows\system32\msonpmon.dll
2009-10-23 10:39 . 2009-10-23 10:39 -------- d-----w- c:\program files\Microsoft Works
2009-10-23 10:39 . 2009-10-23 10:39 -------- d-----w- c:\program files\MSBuild
2009-10-23 10:38 . 2009-10-23 10:38 -------- d-----w- c:\program files\Microsoft.NET
2009-10-23 10:37 . 2009-10-23 10:37 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-10-23 10:36 . 2009-10-23 10:39 -------- d-----w- c:\windows\SHELLNEW
2009-10-23 10:36 . 2009-10-23 10:36 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft Help
2009-10-23 10:36 . 2009-10-23 14:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-23 10:35 . 2009-10-23 10:35 -------- d-----r- C:\MSOCache
2009-10-23 08:32 . 2009-10-23 08:32 -------- d-----w- c:\program files\Messenger Plus! Live
2009-10-23 07:50 . 2002-12-31 12:00 25600 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2009-10-23 06:29 . 2009-10-23 07:49 -------- d-----w- c:\windows\system32\drivers\umdf
2009-10-23 06:21 . 2004-08-03 14:56 21504 ----a-w- c:\windows\system32\hidserv.dll
2009-10-23 06:21 . 2004-08-03 13:07 59264 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2009-10-23 06:21 . 2004-08-03 13:08 31616 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2009-10-23 06:19 . 2009-10-23 07:49 -------- d-----w- c:\windows\system32\LogFiles
2009-10-23 05:45 . 2009-10-23 05:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\Media Player Classic
2009-10-23 05:17 . 2009-11-01 09:08 -------- d-----w- c:\documents and settings\Administrator\Application Data\Ventrilo
2009-10-23 05:17 . 2009-10-23 05:17 -------- d-----w- c:\program files\Ventrilo
2009-10-23 05:15 . 2009-10-23 05:17 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-23 05:03 . 2004-08-03 22:59 57472 ----a-w- c:\windows\system32\drivers\redbook.sys
2009-10-23 05:03 . 2001-08-17 13:46 6400 ----a-w- c:\windows\system32\drivers\enum1394.sys
2009-10-23 05:02 . 2004-08-03 14:56 74240 ----a-w- c:\windows\system32\usbui.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-14 10:21 . 2009-10-23 04:23 -------- d-----w- c:\program files\Windows Live
2009-11-14 10:19 . 2009-10-23 04:23 -------- d-----w- c:\documents and settings\All Users\Application Data\WLInstaller
2009-11-14 10:14 . 2009-10-22 19:24 16608 ----a-w- c:\windows\gdrv.sys
2009-11-14 03:31 . 2009-10-22 19:48 -------- d-----w- c:\program files\Heroes of Newerth
2009-11-11 02:16 . 2009-10-22 20:03 75032 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-06 02:17 . 2009-10-22 19:07 -------- d-----w- c:\program files\Unlocker
2009-10-24 10:01 . 2009-10-22 19:10 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-10-23 14:22 . 2009-10-22 19:19 -------- d-----w- c:\program files\Symantec
2009-10-23 14:22 . 2009-10-22 19:19 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-10-23 14:22 . 2009-10-22 19:19 -------- d-----w- c:\program files\Symantec Client Security
2009-10-23 14:22 . 2009-10-22 19:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-10-23 14:21 . 2009-10-22 19:20 40 ----a-w- c:\windows\system32\profile.dat
2009-10-23 10:59 . 2009-10-22 19:25 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-23 10:52 . 2009-10-22 19:18 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-23 05:17 . 2009-10-22 20:10 -------- d-----w- c:\documents and settings\Administrator\Application Data\Winamp
2009-10-23 05:01 . 2009-10-22 19:08 -------- d-----w- c:\program files\Windows Media Connect 2
2009-10-23 04:49 . 2009-10-22 20:10 -------- d-----w- c:\program files\Winamp
2009-10-23 04:25 . 2009-10-23 04:23 -------- dcsh--w- c:\program files\Common Files\WindowsLiveInstaller
2009-10-22 20:23 . 2009-10-22 20:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2009-10-22 20:23 . 2009-10-22 20:23 -------- d-----w- c:\program files\iTunes
2009-10-22 20:23 . 2009-10-22 20:23 -------- d-----w- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-10-22 20:23 . 2009-10-22 20:23 -------- d-----w- c:\program files\iPod
2009-10-22 20:23 . 2009-10-22 19:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-10-22 20:23 . 2009-10-22 20:23 -------- d-----w- c:\program files\Bonjour
2009-10-22 20:23 . 2009-10-22 19:17 -------- d-----w- c:\program files\QuickTime Alternative
2009-10-22 20:22 . 2009-10-22 20:22 -------- d-----w- c:\program files\Apple Software Update
2009-10-22 20:22 . 2009-10-22 20:22 -------- d-----w- c:\program files\Common Files\Apple
2009-10-22 20:22 . 2009-10-22 20:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-10-22 20:02 . 2009-10-22 20:02 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI
2009-10-22 20:02 . 2009-10-22 20:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\ATI
2009-10-22 20:02 . 2009-10-22 20:02 0 ----a-w- c:\windows\ativpsrm.bin
2009-10-22 19:58 . 2009-10-22 19:52 -------- d-----w- c:\program files\ATI Technologies
2009-10-22 19:56 . 2009-10-22 19:56 9158 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{89DE67AD-08B8-4699-A55D-CA5C0AF82BF3}\ARPPRODUCTICON.exe
2009-10-22 19:55 . 2009-10-22 19:55 -------- d-----w- c:\program files\Common Files\ATI Technologies
2009-10-22 19:52 . 2009-10-22 19:52 0 ----a-w- c:\windows\nsreg.dat
2009-10-22 19:49 . 2009-10-22 19:49 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-22 19:44 . 2009-10-22 19:37 -------- d-----w- c:\program files\Creative
2009-10-22 19:42 . 2009-10-22 19:42 20747 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-10-22 19:42 . 2009-10-22 19:42 -------- d-----w- c:\program files\Linksys Wireless-G PCI Wireless Network Monitor
2009-10-22 19:38 . 2009-10-22 19:25 -------- d-----w- c:\program files\Common Files\InstallShield
2009-10-22 19:31 . 2009-10-22 19:29 -------- d-----w- c:\program files\Realtek
2009-10-22 19:31 . 2009-10-22 19:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\InstallShield
2009-10-22 19:29 . 2009-10-22 19:29 315392 ----a-w- c:\windows\HideWin.exe
2009-10-22 19:26 . 2009-10-22 19:26 -------- d-----w- c:\program files\Intel
2009-10-22 19:25 . 2009-10-22 19:25 -------- d-----w- c:\program files\GIGABYTE
2009-10-22 19:18 . 2009-10-22 19:18 -------- d-----w- c:\program files\Nero
2009-10-22 19:18 . 2009-10-22 19:18 -------- d-----w- c:\program files\Common Files\Ahead
2009-10-22 19:18 . 2009-10-22 19:18 -------- d-----w- c:\program files\7-Zip
2009-10-22 19:18 . 2009-10-22 19:18 -------- d-----w- c:\program files\Real Alternative
2009-10-22 19:17 . 2009-10-22 19:17 -------- d-----w- c:\program files\Media Player Classic
2009-10-22 19:17 . 2009-10-22 19:17 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-10-22 19:17 . 2009-10-22 19:17 2232 ----a-w- c:\windows\java\Packages\Data\XFXJZL3H.DAT
2009-10-22 19:17 . 2009-10-22 19:17 155995 ----a-w- c:\windows\java\Packages\JXZHJVNN.ZIP
2009-10-22 19:17 . 2009-10-22 19:17 2678 ----a-w- c:\windows\java\Packages\Data\IYRBJXV5.DAT
2009-10-22 19:17 . 2009-10-22 19:17 2678 ----a-w- c:\windows\java\Packages\Data\ZXN7XJTF.DAT
2009-10-22 19:17 . 2009-10-22 19:17 2678 ----a-w- c:\windows\java\Packages\Data\ZFRHB9J3.DAT
2009-10-22 19:17 . 2009-10-22 19:17 2678 ----a-w- c:\windows\java\Packages\Data\EV7HBBZ5.DAT
2009-10-22 19:17 . 2009-10-22 19:17 2678 ----a-w- c:\windows\java\Packages\Data\3Z9BJX71.DAT
2009-10-22 19:08 . 2009-10-22 19:08 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-10-22 19:07 . 2009-10-22 19:07 -------- d-----w- c:\program files\Desktop
2009-10-22 19:07 . 2009-10-22 19:07 -------- d-----w- c:\program files\Microsoft PowerToys
2009-10-22 19:07 . 2009-10-22 19:07 -------- d-----w- c:\program files\HashTab Shell Extension
.

((((((((((((((((((((((((((((( SnapShot@2009-11-10_07.53.08 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-14 10:14 . 2009-11-14 10:14 16384 c:\windows\Temp\Perflib_Perfdata_61c.dat
+ 2009-11-10 06:40 . 2009-11-14 03:11 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-11-10 06:40 . 2009-11-10 07:32 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-11-10 06:40 . 2009-11-10 07:32 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2009-11-10 06:40 . 2009-11-14 03:11 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2009-11-14 10:21 . 2009-11-14 10:21 27136 c:\windows\Installer\2fe68.msi
+ 2009-11-14 10:21 . 2009-11-14 10:21 83456 c:\windows\Installer\2fe4c.msi
+ 2009-11-14 10:21 . 2009-11-14 10:21 58880 c:\windows\Installer\2fe45.msi
+ 2009-11-14 10:21 . 2009-11-14 10:21 62304 c:\windows\Installer\{F6BD194C-4190-4D73-B1B1-C48C99921BFE}\IconWlc.exe
- 2009-11-06 01:37 . 2009-11-06 01:37 62304 c:\windows\Installer\{F6BD194C-4190-4D73-B1B1-C48C99921BFE}\IconWlc.exe
+ 2009-11-14 10:21 . 2009-11-14 10:21 80395 c:\windows\Installer\{A85FD55B-891B-4314-97A5-EA96C0BD80B5}\MsblIco.Exe
- 2009-11-06 01:37 . 2009-11-06 01:37 80395 c:\windows\Installer\{A85FD55B-891B-4314-97A5-EA96C0BD80B5}\MsblIco.Exe
- 2006-12-01 12:54 . 2006-12-01 12:54 626688 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
+ 2006-12-01 11:54 . 2006-12-01 11:54 626688 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
- 2006-12-01 12:54 . 2006-12-01 12:54 548864 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll
+ 2006-12-01 11:54 . 2006-12-01 11:54 548864 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll
+ 2006-12-01 11:54 . 2006-12-01 11:54 479232 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll
- 2006-12-01 12:54 . 2006-12-01 12:54 479232 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll
+ 2005-09-22 11:48 . 2005-09-22 11:48 626688 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcr80.dll
- 2005-09-22 21:29 . 2005-09-22 21:29 626688 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcr80.dll
- 2005-09-22 21:29 . 2005-09-22 21:29 548864 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcp80.dll
+ 2005-09-22 11:48 . 2005-09-22 11:48 548864 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcp80.dll
- 2005-09-22 21:29 . 2005-09-22 21:29 479232 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcm80.dll
+ 2005-09-22 11:48 . 2005-09-22 11:48 479232 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcm80.dll
- 2009-10-23 04:55 . 2009-10-23 14:06 269392 c:\windows\system32\FNTCACHE.DAT
+ 2009-10-23 04:55 . 2009-11-11 02:15 269392 c:\windows\system32\FNTCACHE.DAT
+ 2009-11-14 10:21 . 2009-11-14 10:21 430080 c:\windows\Installer\2fe77.msi
+ 2009-11-14 10:21 . 2009-11-14 10:21 155648 c:\windows\Installer\2fe6f.msi
+ 2009-11-14 10:21 . 2009-11-14 10:21 140288 c:\windows\Installer\2fe61.msi
+ 2009-11-14 10:21 . 2009-11-14 10:21 202752 c:\windows\Installer\2fe5a.msi
+ 2009-11-14 10:21 . 2009-11-14 10:21 152576 c:\windows\Installer\2fe53.msi
+ 2009-11-14 10:20 . 2009-11-14 10:20 107008 c:\windows\Installer\2fe3e.msi
+ 2009-11-14 10:12 . 2009-11-14 10:12 301056 c:\windows\Installer\19dc3.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2006-09-07 15872]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-05-07 16862208]
"P17Helper"="P17.dll" - c:\windows\system32\P17.dll [2005-05-03 64512]

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^lyesys32.exe]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\lyesys32.exe
backup=c:\windows\pss\lyesys32.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wscsvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Heroes of Newerth\\hon.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Steam\\steamapps\\bu5ter69@hotmail.com\\counter-strike\\hl.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R2 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\EnergySaver\GSvr.exe [10/23/2009 6:25 AM 80392]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5
*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\97mip8de.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/|http://www.allkpop.com/|http://seoulbeats.com/
FF - plugin: c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-15 02:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

? [6848]
? [2908]
? [5324]
? [14764]
? [8232]
? [11168]
scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-436374069-179605362-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,47,f0,3e,7f,57,39,04,40,b0,a8,ff,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,47,f0,3e,7f,57,39,04,40,b0,a8,ff,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
@DACL=(02 0000)
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(80300)
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-11-15 02:44
ComboFix-quarantined-files.txt 2009-11-14 15:43
ComboFix2.txt 2009-11-14 09:40
ComboFix3.txt 2009-11-10 07:56

Pre-Run: 38,219,317,248 bytes free
Post-Run: 38,218,551,296 bytes free

- - End Of File - - 617EF5E7DC63F1C8FE71B1DDCE452C63

SYSTEMLOOK LOG:
SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 02:47 on 15/11/2009 by Administrator (Administrator - Elevation successful)

========== filefind ==========

Searching for "*calc*"
C:\Documents and Settings\Administrator\My Documents\UNI\SEM2 - '09\QMB - ECON1203\Computing Exercises\binomial calcuation.xls --a--- 13824 bytes [17:00 22/10/2009] [12:51 05/10/2009] 550BD9AD8725863BAD569AE237E36244
C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\Calculator.lnk --a--- 1498 bytes [19:08 22/10/2009] [19:08 22/10/2009] 627DE13292253A8F39F0461B31F203E1
C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft PowerToys\Power Calculator.lnk --a--- 944 bytes [19:08 22/10/2009] [19:08 22/10/2009] 93376ABD2D1294E2C1E12DF63FE428AF
C:\Program Files\Common Files\Apple\Mobile Device Support\etc\zoneinfo\Asia\Calcutta --a--- 109 bytes [06:49 10/09/2008] [06:49 10/09/2008] 131B24E6AE1AA244BBCFC2C81EF94359
C:\Program Files\Microsoft PowerToys\PowerCalc.exe --a--- 216576 bytes [19:07 22/10/2009] [07:30 19/03/2002] 003F7687821BD66D28AD573C52182F6F
C:\WINDOWS\Help\calc.chm --a--- 27222 bytes [19:07 22/10/2009] [12:00 31/12/2002] E4F9F02B5B89A06CCD4E9A32C43CAE7F
C:\WINDOWS\Help\calc.hlp --a--- 32195 bytes [19:07 22/10/2009] [12:00 31/12/2002] 34CD11873C820D318535D6173C549C33
C:\WINDOWS\Help\calcpt.chm --a--- 15344 bytes [12:00 31/12/2002] [12:00 31/12/2002] 21A4259333AB858CF6135146BEBC0C4B
C:\WINDOWS\system32\calc.exe --a--- 946448 bytes [19:07 22/10/2009] [12:00 31/12/2002] 006728285A531498449FCB9B4AC8814E

Searching for "*mstsc*"
C:\WINDOWS\Help\mstsc.chm --a--- 92932 bytes [12:00 31/12/2002] [12:00 31/12/2002] AADCDE3C6FC64343A930685A58FA42E3
C:\WINDOWS\system32\mstsc.exe --a--- 420352 bytes [19:07 22/10/2009] [12:00 31/12/2002] A595F138CE512895204DDC6723F0BB4A
C:\WINDOWS\system32\mstscax.dll --a--- 753664 bytes [19:07 22/10/2009] [12:00 31/12/2002] C0DE461EBD54C061952563D95596CF68

-=End Of File=-

Edited by Icoris, 14 November 2009 - 10:40 AM.
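
An added example of how a helper could pull the items that matter out of a ComboFix log like the one above. This is not a tool from the forum or from the ComboFix authors; the log excerpt below is constructed from lines in the log above (paths and registry keys are the ones it shows), and the rules are my own reading of what a helper would check first: files ComboFix marks as infected, the firewall being switched off, the Security Center service being disabled through msconfig, and a bare .exe sitting in the user's Startup folder.

```python
import re

# Constructed excerpt of the ComboFix log posted above; only the lines the
# triage needs are reproduced, and the paths/keys are those from the log.
SAMPLE_LOG = """\
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\\windows\\system32\\calc.exe . . . is infected!!

c:\\windows\\system32\\mstsc.exe . . . is infected!!

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"UnlockerAssistant"="c:\\program files\\Unlocker\\UnlockerAssistant.exe" [2006-09-07 15872]

[HKLM\\~\\startupfolder\\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\\documents and settings\\Administrator\\Start Menu\\Programs\\Startup\\Adobe Gamma.lnk
backup=c:\\windows\\pss\\Adobe Gamma.lnkStartup

[HKLM\\~\\startupfolder\\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^lyesys32.exe]
path=c:\\documents and settings\\Administrator\\Start Menu\\Programs\\Startup\\lyesys32.exe
backup=c:\\windows\\pss\\lyesys32.exeStartup

[HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\services]
"wscsvc"=2 (0x2)

[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# "<path> . . . is infected!!" is how ComboFix reports a patched system file.
INFECTED_RE = re.compile(r"^(?P<path>.+?)\s+\.\s+\.\s+\.\s+is infected!!\s*$", re.M)
# Section banners look like "((((( Name )))))".
SECTION_RE = re.compile(r"^\({5,}\s*(?P<name>[^()]+?)\s*\){5,}\s*$", re.M)
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")


def sections(log):
    """Split the log into {banner name: text up to the next banner}."""
    banners = list(SECTION_RE.finditer(log))
    out = {}
    for i, m in enumerate(banners):
        end = banners[i + 1].start() if i + 1 < len(banners) else len(log)
        out[m.group("name")] = log[m.end():end]
    return out


def infected_files(log):
    """Paths ComboFix flagged as infected, in log order."""
    return [m.group("path") for m in INFECTED_RE.finditer(log)]


def registry_keys(reg_text):
    """Parse the REGEDIT4-style dump into {key: {value name: value text}}."""
    keys, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys[current] = {}
        elif current is not None and line and not line.startswith(("*", ".", "REGEDIT")):
            name, _, value = line.partition("=")
            keys[current][name.strip().strip('"')] = value.strip()
    return keys


def triage(log):
    """Return (finding, evidence) pairs in the order a helper would check them."""
    findings = [("patched system file, needs a clean replacement", p)
                for p in infected_files(log)]
    reg = registry_keys(sections(log).get("Reg Loading Points", ""))
    for key, values in reg.items():
        k = key.lower()
        if k.endswith("firewallpolicy\\standardprofile") and values.get("EnableFirewall", "").startswith("0"):
            findings.append(("Windows Firewall switched off", key))
        if k.endswith("msconfig\\services") and "wscsvc" in values:
            # msconfig records a service under this key once it has been disabled there
            findings.append(("Security Center service (wscsvc) disabled via msconfig", key))
        if "\\startupfolder\\" in k and values.get("path", "").lower().endswith(".exe"):
            # a shortcut (.lnk) is normal here; a raw executable usually is not
            findings.append(("bare executable in the user's Startup folder", values["path"]))
    return findings


if __name__ == "__main__":
    for finding, evidence in triage(SAMPLE_LOG):
        print(f"{finding}: {evidence}")
```

Run it against a full log saved from the desktop and the same five findings above come out; anything in the Run key or the firewall's AuthorizedApplications list is left for a human to read, since those are mostly legitimate on this machine.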


#8 CatByte (Classroom Administrator, 21,059 posts, MVP)

Posted 14 November 2009 - 10:50 AM

Hi,

The script didn't work for some reason.

You have to include everything inside the codebox, including the link, but not the word "code". It's OK to allow ComboFix to update itself.

Let's try it again.

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

http://forums.whatthetech.com/hxxp_67_201_36_16_nolink_html_pop_up_virus_t108253.html

Collect::
c:\windows\Rmatanonu.dat

File::
c:\windows\Irediriqurejada.bin

Folder::
c:\documents and settings\All Users\Application Data\9bee7c1

SRPeek::
C:\WINDOWS\system32\calc.exe
C:\WINDOWS\system32\mstsc.exe

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop. Save it as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

[Screenshot: dragging CFScript.txt onto ComboFix.exe]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


**Note**
When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.


NOTE:

Do you have access to another computer with the exact same operating system as yourself?
You have a couple of infected files but there are no replacements on your system. Let me know.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015
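
Since the note above says the two infected files have to be replaced from a machine running the exact same Windows version, here is an added example (not the forum's, SystemLook's or ComboFix's own code) of checking the MD5s that SystemLook printed in the previous post against a reference table built from a clean machine. The SystemLook excerpt is copied from the post above; the CLEAN_MD5 values are placeholders I made up for the example, not real hashes. The only sound way to fill that table is to run file_md5() on the same files on a clean install of the same version and service pack, which is exactly what the helper is asking about.

```python
import hashlib
import re

# Constructed excerpt of the SystemLook "filefind" output posted above.
SAMPLE_SYSTEMLOOK = """\
Searching for "*calc*"
C:\\WINDOWS\\Help\\calc.chm --a--- 27222 bytes [19:07 22/10/2009] [12:00 31/12/2002] E4F9F02B5B89A06CCD4E9A32C43CAE7F
C:\\WINDOWS\\system32\\calc.exe --a--- 946448 bytes [19:07 22/10/2009] [12:00 31/12/2002] 006728285A531498449FCB9B4AC8814E

Searching for "*mstsc*"
C:\\WINDOWS\\system32\\mstsc.exe --a--- 420352 bytes [19:07 22/10/2009] [12:00 31/12/2002] A595F138CE512895204DDC6723F0BB4A
C:\\WINDOWS\\system32\\mstscax.dll --a--- 753664 bytes [19:07 22/10/2009] [12:00 31/12/2002] C0DE461EBD54C061952563D95596CF68
"""

# HYPOTHETICAL reference table. The two placeholder values are not real
# hashes of anything; fill the table with file_md5() results taken from a
# known-clean machine with the identical Windows version and service pack.
CLEAN_MD5 = {
    "c:\\windows\\system32\\calc.exe":    "11111111111111111111111111111111",  # placeholder
    "c:\\windows\\system32\\mstsc.exe":   "22222222222222222222222222222222",  # placeholder
    "c:\\windows\\system32\\mstscax.dll": "C0DE461EBD54C061952563D95596CF68",  # assumed unchanged
}

# One SystemLook line: path, attribute flags, size, two bracketed timestamps, MD5.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+) bytes"
    r"\s+\[(?P<t1>[^\]]+)\]\s+\[(?P<t2>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$")


def parse_filefind(text):
    """Return one dict per file line; 'Searching for' headers are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["size"] = int(d["size"])
            d["md5"] = d["md5"].upper()
            entries.append(d)
    return entries


def file_md5(path):
    """MD5 of a local file, read in chunks so large binaries are fine."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def compare(entries, reference):
    """Map each path to 'match', 'MISMATCH' or 'no reference'."""
    result = {}
    for e in entries:
        ref = reference.get(e["path"].lower())
        if ref is None:
            result[e["path"]] = "no reference"
        elif ref.upper() == e["md5"]:
            result[e["path"]] = "match"
        else:
            result[e["path"]] = "MISMATCH"
    return result


if __name__ == "__main__":
    for path, verdict in compare(parse_filefind(SAMPLE_SYSTEMLOOK), CLEAN_MD5).items():
        print(f"{verdict:13} {path}")
```

A "MISMATCH" on a system binary is only meaningful when the reference really came from the same build; a different service pack or a hotfix changes the hash without anything being wrong, which is why the advice above insists on the exact same operating system.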


#9 Icoris (Authentic Member, 29 posts)

Posted 14 November 2009 - 09:42 PM

About the replacement files, I have a half-installed Windows (installed it by accident) on another drive, so that might work, if those aren't infected lol.


COMBOLOG:
ComboFix 09-11-15.01 - Administrator 11/15/2009 14:33.4.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3326.2842 [GMT 11:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt

FILE ::
"c:\windows\Irediriqurejada.bin"

file zipped: c:\windows\Rmatanonu.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\9bee7c1
c:\windows\Irediriqurejada.bin
c:\windows\msacm32.drv
c:\windows\rasqervy.dll
c:\windows\Rmatanonu.dat
c:\windows\sdfinacs.dll
c:\windows\sdfixwcs.dll
c:\windows\wuasirvy.dll

c:\windows\system32\calc.exe . . . is infected!!

c:\windows\system32\mstsc.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2009-10-15 to 2009-11-15 )))))))))))))))))))))))))))))))
.

2009-11-14 16:23 . 2009-11-15 03:38 18432 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Common\d3ca203219.exe
2009-11-14 16:23 . 2009-11-14 16:23 104960 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Common\d3ca20321.dll
2009-11-14 15:57 . 2009-11-14 15:57 -------- d-----w- c:\windows\Sun
2009-11-14 15:56 . 2009-11-14 15:56 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-14 15:56 . 2009-11-14 15:56 -------- d-----w- c:\program files\Java
2009-11-14 15:55 . 2009-11-14 15:55 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-14 10:21 . 2009-11-14 10:21 -------- d-----w- c:\program files\Microsoft
2009-11-14 10:21 . 2009-11-14 10:21 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-11-10 08:05 . 2009-09-10 03:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-10 08:05 . 2009-09-10 03:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-10 07:17 . 2009-11-10 07:22 -------- d-----w- c:\documents and settings\Administrator\DoctorWeb
2009-11-10 06:51 . 2009-11-14 03:20 -------- d-----w- c:\program files\trend micro
2009-11-10 06:51 . 2009-11-10 06:51 -------- d-----w- C:\rsit
2009-11-10 06:44 . 2009-11-10 06:44 160272 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-11-10 06:40 . 2009-11-10 06:40 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-11-09 13:43 . 2009-11-10 09:01 -------- d-----w- c:\program files\Steam
2009-11-06 01:57 . 2009-11-06 01:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\MessengerDiscovery 2
2009-11-06 01:38 . 2009-11-14 16:42 -------- d-----w- c:\documents and settings\Administrator\Tracing
2009-11-06 01:35 . 2009-11-06 01:35 -------- d-----w- c:\program files\Common Files\Windows Live
2009-10-29 07:49 . 2009-10-29 11:32 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-10-29 07:48 . 2009-10-29 07:48 1961720 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-10-26 06:15 . 2009-11-14 13:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2009-10-26 06:14 . 2009-10-26 06:14 -------- d-----w- c:\program files\VideoLAN
2009-10-26 01:35 . 2009-10-26 01:35 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2009-10-23 16:39 . 2009-10-23 16:39 -------- d-----w- c:\documents and settings\Administrator\Application Data\Megaupload
2009-10-23 14:46 . 2009-11-10 08:02 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-23 14:46 . 2009-11-10 08:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-23 14:21 . 2009-10-23 14:21 -------- d-----w- c:\program files\Combined Community Codec Pack
2009-10-23 14:08 . 2009-10-23 14:09 -------- dc-h--w- c:\windows\ie8
2009-10-23 11:18 . 2009-11-12 03:28 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Temp
2009-10-23 11:18 . 2009-10-23 11:18 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2009-10-23 11:16 . 2009-10-25 11:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Messenger Plus!
2009-10-23 10:59 . 2009-10-23 10:59 -------- d-----w- c:\program files\Megaupload
2009-10-23 10:57 . 2009-10-23 10:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-10-23 10:57 . 2009-11-10 08:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-23 10:57 . 2009-10-23 10:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-23 10:53 . 2009-10-23 10:53 -------- d-----w- c:\program files\uTorrent
2009-10-23 10:52 . 2009-11-14 16:39 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2009-10-23 10:50 . 2009-10-23 10:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Adobe Systems
2009-10-23 10:50 . 2009-10-23 10:50 -------- d-----w- c:\program files\Common Files\Adobe Systems Shared
2009-10-23 10:44 . 2009-10-26 07:58 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2009-10-23 10:40 . 2006-10-26 09:56 32592 ----a-w- c:\windows\system32\msonpmon.dll
2009-10-23 10:39 . 2009-10-23 10:39 -------- d-----w- c:\program files\Microsoft Works
2009-10-23 10:39 . 2009-10-23 10:39 -------- d-----w- c:\program files\MSBuild
2009-10-23 10:38 . 2009-10-23 10:38 -------- d-----w- c:\program files\Microsoft.NET
2009-10-23 10:37 . 2009-10-23 10:37 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-10-23 10:36 . 2009-10-23 10:39 -------- d-----w- c:\windows\SHELLNEW
2009-10-23 10:36 . 2009-10-23 10:36 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft Help
2009-10-23 10:36 . 2009-10-23 14:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-23 10:35 . 2009-10-23 10:35 -------- d-----r- C:\MSOCache
2009-10-23 08:32 . 2009-10-23 08:32 -------- d-----w- c:\program files\Messenger Plus! Live
2009-10-23 07:50 . 2002-12-31 12:00 25600 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2009-10-23 06:29 . 2009-10-23 07:49 -------- d-----w- c:\windows\system32\drivers\umdf
2009-10-23 06:21 . 2004-08-03 14:56 21504 ----a-w- c:\windows\system32\hidserv.dll
2009-10-23 06:21 . 2004-08-03 13:07 59264 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2009-10-23 06:21 . 2004-08-03 13:08 31616 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2009-10-23 06:19 . 2009-10-23 07:49 -------- d-----w- c:\windows\system32\LogFiles
2009-10-23 05:45 . 2009-10-23 05:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\Media Player Classic
2009-10-23 05:17 . 2009-11-01 09:08 -------- d-----w- c:\documents and settings\Administrator\Application Data\Ventrilo
2009-10-23 05:17 . 2009-10-23 05:17 -------- d-----w- c:\program files\Ventrilo
2009-10-23 05:15 . 2009-10-23 05:17 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-23 05:03 . 2004-08-03 22:59 57472 ----a-w- c:\windows\system32\drivers\redbook.sys
2009-10-23 05:03 . 2001-08-17 13:46 6400 ----a-w- c:\windows\system32\drivers\enum1394.sys
2009-10-23 05:02 . 2004-08-03 14:56 74240 ----a-w- c:\windows\system32\usbui.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-15 03:37 . 2009-10-22 19:24 16608 ----a-w- c:\windows\gdrv.sys
2009-11-14 16:01 . 2009-10-22 20:03 75808 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-14 10:21 . 2009-10-23 04:23 -------- d-----w- c:\program files\Windows Live
2009-11-14 10:19 . 2009-10-23 04:23 -------- d-----w- c:\documents and settings\All Users\Application Data\WLInstaller
2009-11-14 03:31 . 2009-10-22 19:48 -------- d-----w- c:\program files\Heroes of Newerth
2009-11-06 02:17 . 2009-10-22 19:07 -------- d-----w- c:\program files\Unlocker
2009-10-24 10:01 . 2009-10-22 19:10 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-10-23 14:22 . 2009-10-22 19:19 -------- d-----w- c:\program files\Symantec
2009-10-23 14:22 . 2009-10-22 19:19 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-10-23 14:22 . 2009-10-22 19:19 -------- d-----w- c:\program files\Symantec Client Security
2009-10-23 14:22 . 2009-10-22 19:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-10-23 14:21 . 2009-10-22 19:20 40 ----a-w- c:\windows\system32\profile.dat
2009-10-23 10:59 . 2009-10-22 19:25 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-23 10:52 . 2009-10-22 19:18 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-23 05:17 . 2009-10-22 20:10 -------- d-----w- c:\documents and settings\Administrator\Application Data\Winamp
2009-10-23 05:01 . 2009-10-22 19:08 -------- d-----w- c:\program files\Windows Media Connect 2
2009-10-23 04:49 . 2009-10-22 20:10 -------- d-----w- c:\program files\Winamp
2009-10-23 04:25 . 2009-10-23 04:23 -------- dcsh--w- c:\program files\Common Files\WindowsLiveInstaller
2009-10-22 20:23 . 2009-10-22 20:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2009-10-22 20:23 . 2009-10-22 20:23 -------- d-----w- c:\program files\iTunes
2009-10-22 20:23 . 2009-10-22 20:23 -------- d-----w- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-10-22 20:23 . 2009-10-22 20:23 -------- d-----w- c:\program files\iPod
2009-10-22 20:23 . 2009-10-22 19:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-10-22 20:23 . 2009-10-22 20:23 -------- d-----w- c:\program files\Bonjour
2009-10-22 20:23 . 2009-10-22 19:17 -------- d-----w- c:\program files\QuickTime Alternative
2009-10-22 20:22 . 2009-10-22 20:22 -------- d-----w- c:\program files\Apple Software Update
2009-10-22 20:22 . 2009-10-22 20:22 -------- d-----w- c:\program files\Common Files\Apple
2009-10-22 20:22 . 2009-10-22 20:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-10-22 20:02 . 2009-10-22 20:02 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI
2009-10-22 20:02 . 2009-10-22 20:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\ATI
2009-10-22 20:02 . 2009-10-22 20:02 0 ----a-w- c:\windows\ativpsrm.bin
2009-10-22 19:58 . 2009-10-22 19:52 -------- d-----w- c:\program files\ATI Technologies
2009-10-22 19:56 . 2009-10-22 19:56 9158 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{89DE67AD-08B8-4699-A55D-CA5C0AF82BF3}\ARPPRODUCTICON.exe
2009-10-22 19:55 . 2009-10-22 19:55 -------- d-----w- c:\program files\Common Files\ATI Technologies
2009-10-22 19:52 . 2009-10-22 19:52 0 ----a-w- c:\windows\nsreg.dat
2009-10-22 19:49 . 2009-10-22 19:49 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-22 19:44 . 2009-10-22 19:37 -------- d-----w- c:\program files\Creative
2009-10-22 19:42 . 2009-10-22 19:42 20747 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-10-22 19:42 . 2009-10-22 19:42 -------- d-----w- c:\program files\Linksys Wireless-G PCI Wireless Network Monitor
2009-10-22 19:38 . 2009-10-22 19:25 -------- d-----w- c:\program files\Common Files\InstallShield
2009-10-22 19:31 . 2009-10-22 19:29 -------- d-----w- c:\program files\Realtek
2009-10-22 19:31 . 2009-10-22 19:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\InstallShield
2009-10-22 19:29 . 2009-10-22 19:29 315392 ----a-w- c:\windows\HideWin.exe
2009-10-22 19:26 . 2009-10-22 19:26 -------- d-----w- c:\program files\Intel
2009-10-22 19:25 . 2009-10-22 19:25 -------- d-----w- c:\program files\GIGABYTE
2009-10-22 19:18 . 2009-10-22 19:18 -------- d-----w- c:\program files\Nero
2009-10-22 19:18 . 2009-10-22 19:18 -------- d-----w- c:\program files\Common Files\Ahead
2009-10-22 19:18 . 2009-10-22 19:18 -------- d-----w- c:\program files\7-Zip
2009-10-22 19:18 . 2009-10-22 19:18 -------- d-----w- c:\program files\Real Alternative
2009-10-22 19:17 . 2009-10-22 19:17 -------- d-----w- c:\program files\Media Player Classic
2009-10-22 19:17 . 2009-10-22 19:17 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-10-22 19:17 . 2009-10-22 19:17 2232 ----a-w- c:\windows\java\Packages\Data\XFXJZL3H.DAT
2009-10-22 19:17 . 2009-10-22 19:17 155995 ----a-w- c:\windows\java\Packages\JXZHJVNN.ZIP
2009-10-22 19:17 . 2009-10-22 19:17 2678 ----a-w- c:\windows\java\Packages\Data\IYRBJXV5.DAT
2009-10-22 19:17 . 2009-10-22 19:17 2678 ----a-w- c:\windows\java\Packages\Data\ZXN7XJTF.DAT
2009-10-22 19:17 . 2009-10-22 19:17 2678 ----a-w- c:\windows\java\Packages\Data\ZFRHB9J3.DAT
2009-10-22 19:17 . 2009-10-22 19:17 2678 ----a-w- c:\windows\java\Packages\Data\EV7HBBZ5.DAT
2009-10-22 19:17 . 2009-10-22 19:17 2678 ----a-w- c:\windows\java\Packages\Data\3Z9BJX71.DAT
2009-10-22 19:08 . 2009-10-22 19:08 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-10-22 19:07 . 2009-10-22 19:07 -------- d-----w- c:\program files\Desktop
2009-10-22 19:07 . 2009-10-22 19:07 -------- d-----w- c:\program files\Microsoft PowerToys
2009-10-22 19:07 . 2009-10-22 19:07 -------- d-----w- c:\program files\HashTab Shell Extension
.

(((((((((((((((((((((((((((((((((((((((((( SR_Search ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
((((((((((((((((((((((((((((( SnapShot@2009-11-10_07.53.08 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-15 03:37 . 2009-11-15 03:37 16384 c:\windows\Temp\Perflib_Perfdata_654.dat
+ 2009-11-10 06:40 . 2009-11-14 03:11 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-11-10 06:40 . 2009-11-10 07:32 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-11-10 06:40 . 2009-11-10 07:32 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2009-11-10 06:40 . 2009-11-14 03:11 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2009-11-14 10:21 . 2009-11-14 10:21 27136 c:\windows\Installer\2fe68.msi
+ 2009-11-14 10:21 . 2009-11-14 10:21 83456 c:\windows\Installer\2fe4c.msi
+ 2009-11-14 10:21 . 2009-11-14 10:21 58880 c:\windows\Installer\2fe45.msi
- 2009-11-06 01:37 . 2009-11-06 01:37 62304 c:\windows\Installer\{F6BD194C-4190-4D73-B1B1-C48C99921BFE}\IconWlc.exe
+ 2009-11-14 10:21 . 2009-11-14 10:21 62304 c:\windows\Installer\{F6BD194C-4190-4D73-B1B1-C48C99921BFE}\IconWlc.exe
+ 2009-11-14 10:21 . 2009-11-14 10:21 80395 c:\windows\Installer\{A85FD55B-891B-4314-97A5-EA96C0BD80B5}\MsblIco.Exe
- 2009-11-06 01:37 . 2009-11-06 01:37 80395 c:\windows\Installer\{A85FD55B-891B-4314-97A5-EA96C0BD80B5}\MsblIco.Exe
- 2006-12-01 12:54 . 2006-12-01 12:54 626688 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
+ 2006-12-01 11:54 . 2006-12-01 11:54 626688 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
- 2006-12-01 12:54 . 2006-12-01 12:54 548864 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll
+ 2006-12-01 11:54 . 2006-12-01 11:54 548864 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll
- 2006-12-01 12:54 . 2006-12-01 12:54 479232 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll
+ 2006-12-01 11:54 . 2006-12-01 11:54 479232 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll
+ 2005-09-22 11:48 . 2005-09-22 11:48 626688 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcr80.dll
- 2005-09-22 21:29 . 2005-09-22 21:29 626688 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcr80.dll
- 2005-09-22 21:29 . 2005-09-22 21:29 548864 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcp80.dll
+ 2005-09-22 11:48 . 2005-09-22 11:48 548864 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcp80.dll
- 2005-09-22 21:29 . 2005-09-22 21:29 479232 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcm80.dll
+ 2005-09-22 11:48 . 2005-09-22 11:48 479232 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcm80.dll
+ 2009-11-14 15:56 . 2009-11-14 15:56 149280 c:\windows\system32\javaws.exe
+ 2009-11-14 15:56 . 2009-11-14 15:56 145184 c:\windows\system32\javaw.exe
+ 2009-11-14 15:56 . 2009-11-14 15:56 145184 c:\windows\system32\java.exe
+ 2009-10-23 04:55 . 2009-11-15 03:24 272576 c:\windows\system32\FNTCACHE.DAT
+ 2009-11-14 10:21 . 2009-11-14 10:21 430080 c:\windows\Installer\2fe77.msi
+ 2009-11-14 10:21 . 2009-11-14 10:21 155648 c:\windows\Installer\2fe6f.msi
+ 2009-11-14 10:21 . 2009-11-14 10:21 140288 c:\windows\Installer\2fe61.msi
+ 2009-11-14 10:21 . 2009-11-14 10:21 202752 c:\windows\Installer\2fe5a.msi
+ 2009-11-14 10:21 . 2009-11-14 10:21 152576 c:\windows\Installer\2fe53.msi
+ 2009-11-14 10:20 . 2009-11-14 10:20 107008 c:\windows\Installer\2fe3e.msi
+ 2009-11-14 10:12 . 2009-11-14 10:12 301056 c:\windows\Installer\19dc3.msi
+ 2009-11-14 15:56 . 2009-11-14 15:56 537600 c:\windows\Installer\1390c27.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WAB"="c:\documents and settings\Administrator\Application Data\Macromedia\Common\d3ca203219.exe" [2009-11-15 18432]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2006-09-07 15872]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-14 149280]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-05-07 16862208]
"P17Helper"="P17.dll" - c:\windows\system32\P17.dll [2005-05-03 64512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi1"=c:\docume~1\ADMINI~1\APPLIC~1\MACROM~1\Common\d3ca20321.dll
"mixer1"=c:\docume~1\ADMINI~1\APPLIC~1\MACROM~1\Common\d3ca20321.dll
"wave1"=c:\docume~1\ADMINI~1\APPLIC~1\MACROM~1\Common\d3ca20321.dll
"aux1"=c:\docume~1\ADMINI~1\APPLIC~1\MACROM~1\Common\d3ca20321.dll
"midi2"=c:\docume~1\ADMINI~1\APPLIC~1\MACROM~1\Common\d3ca20321.dll
"mixer2"=c:\docume~1\ADMINI~1\APPLIC~1\MACROM~1\Common\d3ca20321.dll
"wave2"=c:\docume~1\ADMINI~1\APPLIC~1\MACROM~1\Common\d3ca20321.dll
"aux2"=c:\docume~1\ADMINI~1\APPLIC~1\MACROM~1\Common\d3ca20321.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^lyesys32.exe]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\lyesys32.exe
backup=c:\windows\pss\lyesys32.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wscsvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Heroes of Newerth\\hon.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Steam\\steamapps\\bu5ter69@hotmail.com\\counter-strike\\hl.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R2 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\EnergySaver\GSvr.exe [10/23/2009 6:25 AM 80392]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5
*Deregistered* - mbr
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\97mip8de.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/|http://www.allkpop.com/|http://seoulbeats.com/
FF - plugin: c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-rundll32.exe - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-15 14:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-436374069-179605362-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,47,f0,3e,7f,57,39,04,40,b0,a8,ff,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,47,f0,3e,7f,57,39,04,40,b0,a8,ff,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
@DACL=(02 0000)
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3684)
c:\program files\Unlocker\UnlockerHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
c:\windows\system32\Rundll32.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
.
**************************************************************************
.
Completion time: 2009-11-15 14:39 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-15 03:39
ComboFix2.txt 2009-11-14 15:44
ComboFix3.txt 2009-11-14 09:40
ComboFix4.txt 2009-11-10 07:56

Pre-Run: 38,643,593,216 bytes free
Post-Run: 38,705,823,744 bytes free

- - End Of File - - 9BE65D4BBE449AD883454086867EF420

KASPERSKY LOG:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Sunday, November 15, 2009
Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Saturday, November 14, 2009 16:15:57
Records in database: 3208640
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\

Scan statistics:
Objects scanned: 66265
Threats found: 2
Infected objects found: 2
Suspicious objects found: 0
Scan duration: 00:42:34


File name / Threat / Threats count
C:\Documents and Settings\Administrator\Local Settings\temp\jar_cache2137662534849341714.tmp Infected: Trojan-Downloader.Java.OpenStream.ad 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir Infected: Rootkit.Win32.TDSS.y 1

Selected area has been scanned.

#10 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,059 posts
  • MVP

Posted 14 November 2009 - 10:35 PM

Hi,

We need to run another CF Script; a hidden infection has been uncovered now:

Please do the following:


  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')


Collect::
c:\documents and settings\Administrator\Application Data\Macromedia\Common\d3ca203219.exe
c:\documents and settings\Administrator\Application Data\Macromedia\Common\d3ca20321.dll
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\lyesys32.exe

File::
c:\windows\pss\lyesys32.exeStartup
C:\Documents and Settings\Administrator\Local Settings\temp\jar_cache2137662534849341714.tmp

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WAB"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi1"="wdmaud.drv"
"mixer1"="wdmaud.drv"
"wave1"="wdmaud.drv"
"aux1"="wdmaud.drv"
"midi2"="wdmaud.drv"
"mixer2"="wdmaud.drv"
"wave2"="wdmaud.drv"
"aux2"="wdmaud.drv"
[-HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^lyesys32.exe]

RegLock::
[HKEY_USERS\S-1-5-21-436374069-179605362-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

**Note**
When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015



#11 Icoris

Icoris

    Authentic Member

  • Authentic Member
  • PipPip
  • 29 posts

Posted 15 November 2009 - 01:02 AM

At first I ran ComboFix, and I got impatient because after 40 minutes it had done nothing, so I closed it and restarted (which was probably incredibly stupid). Now I get an error every time I start up my computer:
cannot find c:/combofix/cf20467.cfxxe. Any way to get rid of this error? I believe I found the registry entry for this file; what should I do? After I restarted, I ran the ComboFix scan as normal:

Combolog:
ComboFix 09-11-15.01 - Administrator 11/15/2009 17:56.5.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3326.2827 [GMT 11:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt

FILE ::
"c:\documents and settings\Administrator\Local Settings\temp\jar_cache2137662534849341714.tmp"
"c:\windows\pss\lyesys32.exeStartup"

file zipped: c:\documents and settings\Administrator\Application Data\Macromedia\Common\d3ca20321.dll
file zipped: c:\documents and settings\Administrator\Application Data\Macromedia\Common\d3ca203219.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\Macromedia\Common\d3ca20321.dll
c:\documents and settings\Administrator\Application Data\Macromedia\Common\d3ca203219.exe
c:\windows\pss\lyesys32.exeStartup

c:\windows\system32\calc.exe . . . is infected!!

c:\windows\system32\mstsc.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2009-10-15 to 2009-11-15 )))))))))))))))))))))))))))))))
.

2009-11-14 15:57 . 2009-11-14 15:57 -------- d-----w- c:\windows\Sun
2009-11-14 15:56 . 2009-11-14 15:56 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-14 15:56 . 2009-11-14 15:56 -------- d-----w- c:\program files\Java
2009-11-14 15:55 . 2009-11-14 15:55 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-14 10:21 . 2009-11-14 10:21 -------- d-----w- c:\program files\Microsoft
2009-11-14 10:21 . 2009-11-14 10:21 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-11-10 08:05 . 2009-09-10 03:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-10 08:05 . 2009-09-10 03:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-10 07:17 . 2009-11-10 07:22 -------- d-----w- c:\documents and settings\Administrator\DoctorWeb
2009-11-10 06:51 . 2009-11-14 03:20 -------- d-----w- c:\program files\trend micro
2009-11-10 06:51 . 2009-11-10 06:51 -------- d-----w- C:\rsit
2009-11-10 06:44 . 2009-11-10 06:44 160272 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-11-10 06:40 . 2009-11-10 06:40 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-11-09 13:43 . 2009-11-10 09:01 -------- d-----w- c:\program files\Steam
2009-11-06 01:57 . 2009-11-06 01:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\MessengerDiscovery 2
2009-11-06 01:38 . 2009-11-15 03:48 -------- d-----w- c:\documents and settings\Administrator\Tracing
2009-11-06 01:35 . 2009-11-06 01:35 -------- d-----w- c:\program files\Common Files\Windows Live
2009-10-29 07:49 . 2009-10-29 11:32 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-10-29 07:48 . 2009-10-29 07:48 1961720 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-10-26 06:15 . 2009-11-14 13:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2009-10-26 06:14 . 2009-10-26 06:14 -------- d-----w- c:\program files\VideoLAN
2009-10-26 01:35 . 2009-10-26 01:35 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2009-10-23 16:39 . 2009-10-23 16:39 -------- d-----w- c:\documents and settings\Administrator\Application Data\Megaupload
2009-10-23 14:46 . 2009-11-10 08:02 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-23 14:46 . 2009-11-10 08:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-23 14:21 . 2009-10-23 14:21 -------- d-----w- c:\program files\Combined Community Codec Pack
2009-10-23 14:08 . 2009-10-23 14:09 -------- dc-h--w- c:\windows\ie8
2009-10-23 11:18 . 2009-11-12 03:28 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Temp
2009-10-23 11:18 . 2009-10-23 11:18 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2009-10-23 11:16 . 2009-10-25 11:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Messenger Plus!
2009-10-23 10:59 . 2009-10-23 10:59 -------- d-----w- c:\program files\Megaupload
2009-10-23 10:57 . 2009-10-23 10:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-10-23 10:57 . 2009-11-10 08:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-23 10:57 . 2009-10-23 10:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-23 10:53 . 2009-10-23 10:53 -------- d-----w- c:\program files\uTorrent
2009-10-23 10:52 . 2009-11-14 16:39 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2009-10-23 10:50 . 2009-10-23 10:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Adobe Systems
2009-10-23 10:50 . 2009-10-23 10:50 -------- d-----w- c:\program files\Common Files\Adobe Systems Shared
2009-10-23 10:44 . 2009-10-26 07:58 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2009-10-23 10:40 . 2006-10-26 09:56 32592 ----a-w- c:\windows\system32\msonpmon.dll
2009-10-23 10:39 . 2009-10-23 10:39 -------- d-----w- c:\program files\Microsoft Works
2009-10-23 10:39 . 2009-10-23 10:39 -------- d-----w- c:\program files\MSBuild
2009-10-23 10:38 . 2009-10-23 10:38 -------- d-----w- c:\program files\Microsoft.NET
2009-10-23 10:37 . 2009-10-23 10:37 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-10-23 10:36 . 2009-10-23 10:39 -------- d-----w- c:\windows\SHELLNEW
2009-10-23 10:36 . 2009-10-23 10:36 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft Help
2009-10-23 10:36 . 2009-10-23 14:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-23 10:35 . 2009-10-23 10:35 -------- d-----r- C:\MSOCache
2009-10-23 08:32 . 2009-10-23 08:32 -------- d-----w- c:\program files\Messenger Plus! Live
2009-10-23 07:50 . 2002-12-31 12:00 25600 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2009-10-23 06:29 . 2009-10-23 07:49 -------- d-----w- c:\windows\system32\drivers\umdf
2009-10-23 06:21 . 2004-08-03 14:56 21504 ----a-w- c:\windows\system32\hidserv.dll
2009-10-23 06:21 . 2004-08-03 13:07 59264 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2009-10-23 06:21 . 2004-08-03 13:08 31616 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2009-10-23 06:19 . 2009-10-23 07:49 -------- d-----w- c:\windows\system32\LogFiles
2009-10-23 05:45 . 2009-10-23 05:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\Media Player Classic
2009-10-23 05:17 . 2009-11-01 09:08 -------- d-----w- c:\documents and settings\Administrator\Application Data\Ventrilo
2009-10-23 05:17 . 2009-10-23 05:17 -------- d-----w- c:\program files\Ventrilo
2009-10-23 05:15 . 2009-10-23 05:17 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-23 05:03 . 2004-08-03 22:59 57472 ----a-w- c:\windows\system32\drivers\redbook.sys
2009-10-23 05:03 . 2001-08-17 13:46 6400 ----a-w- c:\windows\system32\drivers\enum1394.sys
2009-10-23 05:02 . 2004-08-03 14:56 74240 ----a-w- c:\windows\system32\usbui.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-15 06:52 . 2009-10-22 19:24 16608 ----a-w- c:\windows\gdrv.sys
2009-11-14 16:01 . 2009-10-22 20:03 75808 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-14 10:21 . 2009-10-23 04:23 -------- d-----w- c:\program files\Windows Live
2009-11-14 10:19 . 2009-10-23 04:23 -------- d-----w- c:\documents and settings\All Users\Application Data\WLInstaller
2009-11-14 03:31 . 2009-10-22 19:48 -------- d-----w- c:\program files\Heroes of Newerth
2009-11-06 02:17 . 2009-10-22 19:07 -------- d-----w- c:\program files\Unlocker
2009-10-24 10:01 . 2009-10-22 19:10 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-10-23 14:22 . 2009-10-22 19:19 -------- d-----w- c:\program files\Symantec
2009-10-23 14:22 . 2009-10-22 19:19 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-10-23 14:22 . 2009-10-22 19:19 -------- d-----w- c:\program files\Symantec Client Security
2009-10-23 14:22 . 2009-10-22 19:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-10-23 14:21 . 2009-10-22 19:20 40 ----a-w- c:\windows\system32\profile.dat
2009-10-23 10:59 . 2009-10-22 19:25 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-23 10:52 . 2009-10-22 19:18 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-23 05:17 . 2009-10-22 20:10 -------- d-----w- c:\documents and settings\Administrator\Application Data\Winamp
2009-10-23 05:01 . 2009-10-22 19:08 -------- d-----w- c:\program files\Windows Media Connect 2
2009-10-23 04:49 . 2009-10-22 20:10 -------- d-----w- c:\program files\Winamp
2009-10-23 04:25 . 2009-10-23 04:23 -------- dcsh--w- c:\program files\Common Files\WindowsLiveInstaller
2009-10-22 20:23 . 2009-10-22 20:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2009-10-22 20:23 . 2009-10-22 20:23 -------- d-----w- c:\program files\iTunes
2009-10-22 20:23 . 2009-10-22 20:23 -------- d-----w- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-10-22 20:23 . 2009-10-22 20:23 -------- d-----w- c:\program files\iPod
2009-10-22 20:23 . 2009-10-22 19:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-10-22 20:23 . 2009-10-22 20:23 -------- d-----w- c:\program files\Bonjour
2009-10-22 20:23 . 2009-10-22 19:17 -------- d-----w- c:\program files\QuickTime Alternative
2009-10-22 20:22 . 2009-10-22 20:22 -------- d-----w- c:\program files\Apple Software Update
2009-10-22 20:22 . 2009-10-22 20:22 -------- d-----w- c:\program files\Common Files\Apple
2009-10-22 20:22 . 2009-10-22 20:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-10-22 20:02 . 2009-10-22 20:02 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI
2009-10-22 20:02 . 2009-10-22 20:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\ATI
2009-10-22 20:02 . 2009-10-22 20:02 0 ----a-w- c:\windows\ativpsrm.bin
2009-10-22 19:58 . 2009-10-22 19:52 -------- d-----w- c:\program files\ATI Technologies
2009-10-22 19:56 . 2009-10-22 19:56 9158 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{89DE67AD-08B8-4699-A55D-CA5C0AF82BF3}\ARPPRODUCTICON.exe
2009-10-22 19:55 . 2009-10-22 19:55 -------- d-----w- c:\program files\Common Files\ATI Technologies
2009-10-22 19:52 . 2009-10-22 19:52 0 ----a-w- c:\windows\nsreg.dat
2009-10-22 19:49 . 2009-10-22 19:49 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-22 19:44 . 2009-10-22 19:37 -------- d-----w- c:\program files\Creative
2009-10-22 19:42 . 2009-10-22 19:42 20747 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-10-22 19:42 . 2009-10-22 19:42 -------- d-----w- c:\program files\Linksys Wireless-G PCI Wireless Network Monitor
2009-10-22 19:38 . 2009-10-22 19:25 -------- d-----w- c:\program files\Common Files\InstallShield
2009-10-22 19:31 . 2009-10-22 19:29 -------- d-----w- c:\program files\Realtek
2009-10-22 19:31 . 2009-10-22 19:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\InstallShield
2009-10-22 19:29 . 2009-10-22 19:29 315392 ----a-w- c:\windows\HideWin.exe
2009-10-22 19:26 . 2009-10-22 19:26 -------- d-----w- c:\program files\Intel
2009-10-22 19:25 . 2009-10-22 19:25 -------- d-----w- c:\program files\GIGABYTE
2009-10-22 19:18 . 2009-10-22 19:18 -------- d-----w- c:\program files\Nero
2009-10-22 19:18 . 2009-10-22 19:18 -------- d-----w- c:\program files\Common Files\Ahead
2009-10-22 19:18 . 2009-10-22 19:18 -------- d-----w- c:\program files\7-Zip
2009-10-22 19:18 . 2009-10-22 19:18 -------- d-----w- c:\program files\Real Alternative
2009-10-22 19:17 . 2009-10-22 19:17 -------- d-----w- c:\program files\Media Player Classic
2009-10-22 19:17 . 2009-10-22 19:17 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-10-22 19:17 . 2009-10-22 19:17 2232 ----a-w- c:\windows\java\Packages\Data\XFXJZL3H.DAT
2009-10-22 19:17 . 2009-10-22 19:17 155995 ----a-w- c:\windows\java\Packages\JXZHJVNN.ZIP
2009-10-22 19:17 . 2009-10-22 19:17 2678 ----a-w- c:\windows\java\Packages\Data\IYRBJXV5.DAT
2009-10-22 19:17 . 2009-10-22 19:17 2678 ----a-w- c:\windows\java\Packages\Data\ZXN7XJTF.DAT
2009-10-22 19:17 . 2009-10-22 19:17 2678 ----a-w- c:\windows\java\Packages\Data\ZFRHB9J3.DAT
2009-10-22 19:17 . 2009-10-22 19:17 2678 ----a-w- c:\windows\java\Packages\Data\EV7HBBZ5.DAT
2009-10-22 19:17 . 2009-10-22 19:17 2678 ----a-w- c:\windows\java\Packages\Data\3Z9BJX71.DAT
2009-10-22 19:08 . 2009-10-22 19:08 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-10-22 19:07 . 2009-10-22 19:07 -------- d-----w- c:\program files\Desktop
2009-10-22 19:07 . 2009-10-22 19:07 -------- d-----w- c:\program files\Microsoft PowerToys
2009-10-22 19:07 . 2009-10-22 19:07 -------- d-----w- c:\program files\HashTab Shell Extension
.

((((((((((((((((((((((((((((( SnapShot@2009-11-10_07.53.08 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-15 06:52 . 2009-11-15 06:52 16384 c:\windows\Temp\Perflib_Perfdata_600.dat
+ 2009-11-10 06:40 . 2009-11-14 03:11 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-11-10 06:40 . 2009-11-10 07:32 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-11-10 06:40 . 2009-11-10 07:32 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2009-11-10 06:40 . 2009-11-14 03:11 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2009-11-14 10:21 . 2009-11-14 10:21 27136 c:\windows\Installer\2fe68.msi
+ 2009-11-14 10:21 . 2009-11-14 10:21 83456 c:\windows\Installer\2fe4c.msi
+ 2009-11-14 10:21 . 2009-11-14 10:21 58880 c:\windows\Installer\2fe45.msi
- 2009-11-06 01:37 . 2009-11-06 01:37 62304 c:\windows\Installer\{F6BD194C-4190-4D73-B1B1-C48C99921BFE}\IconWlc.exe
+ 2009-11-14 10:21 . 2009-11-14 10:21 62304 c:\windows\Installer\{F6BD194C-4190-4D73-B1B1-C48C99921BFE}\IconWlc.exe
+ 2009-11-14 10:21 . 2009-11-14 10:21 80395 c:\windows\Installer\{A85FD55B-891B-4314-97A5-EA96C0BD80B5}\MsblIco.Exe
- 2009-11-06 01:37 . 2009-11-06 01:37 80395 c:\windows\Installer\{A85FD55B-891B-4314-97A5-EA96C0BD80B5}\MsblIco.Exe
- 2006-12-01 12:54 . 2006-12-01 12:54 626688 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
+ 2006-12-01 11:54 . 2006-12-01 11:54 626688 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
- 2006-12-01 12:54 . 2006-12-01 12:54 548864 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll
+ 2006-12-01 11:54 . 2006-12-01 11:54 548864 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll
- 2006-12-01 12:54 . 2006-12-01 12:54 479232 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll
+ 2006-12-01 11:54 . 2006-12-01 11:54 479232 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll
+ 2005-09-22 11:48 . 2005-09-22 11:48 626688 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcr80.dll
- 2005-09-22 21:29 . 2005-09-22 21:29 626688 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcr80.dll
- 2005-09-22 21:29 . 2005-09-22 21:29 548864 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcp80.dll
+ 2005-09-22 11:48 . 2005-09-22 11:48 548864 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcp80.dll
- 2005-09-22 21:29 . 2005-09-22 21:29 479232 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcm80.dll
+ 2005-09-22 11:48 . 2005-09-22 11:48 479232 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcm80.dll
+ 2009-11-14 15:56 . 2009-11-14 15:56 149280 c:\windows\system32\javaws.exe
+ 2009-11-14 15:56 . 2009-11-14 15:56 145184 c:\windows\system32\javaw.exe
+ 2009-11-14 15:56 . 2009-11-14 15:56 145184 c:\windows\system32\java.exe
+ 2009-10-23 04:55 . 2009-11-15 03:24 272576 c:\windows\system32\FNTCACHE.DAT
+ 2009-11-14 10:21 . 2009-11-14 10:21 430080 c:\windows\Installer\2fe77.msi
+ 2009-11-14 10:21 . 2009-11-14 10:21 155648 c:\windows\Installer\2fe6f.msi
+ 2009-11-14 10:21 . 2009-11-14 10:21 140288 c:\windows\Installer\2fe61.msi
+ 2009-11-14 10:21 . 2009-11-14 10:21 202752 c:\windows\Installer\2fe5a.msi
+ 2009-11-14 10:21 . 2009-11-14 10:21 152576 c:\windows\Installer\2fe53.msi
+ 2009-11-14 10:20 . 2009-11-14 10:20 107008 c:\windows\Installer\2fe3e.msi
+ 2009-11-14 10:12 . 2009-11-14 10:12 301056 c:\windows\Installer\19dc3.msi
+ 2009-11-14 15:56 . 2009-11-14 15:56 537600 c:\windows\Installer\1390c27.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"rundll32.exe"="" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2006-09-07 15872]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-14 149280]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-05-07 16862208]
"P17Helper"="P17.dll" - c:\windows\system32\P17.dll [2005-05-03 64512]

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wscsvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Heroes of Newerth\\hon.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Steam\\steamapps\\bu5ter69@hotmail.com\\counter-strike\\hl.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R2 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\EnergySaver\GSvr.exe [10/23/2009 6:25 AM 80392]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\97mip8de.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/|http://www.allkpop.com/|http://seoulbeats.com/
FF - plugin: c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-15 17:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-11-15 17:59
ComboFix-quarantined-files.txt 2009-11-15 06:59
ComboFix2.txt 2009-11-15 03:39
ComboFix3.txt 2009-11-14 15:44
ComboFix4.txt 2009-11-14 09:40
ComboFix5.txt 2009-11-15 06:23

Pre-Run: 38,743,769,088 bytes free
Post-Run: 38,707,105,792 bytes free

- - End Of File - - 5A41A2BFFFD2774FADBCB0736E4ADB04
Upload was successful

Edited by Icoris, 15 November 2009 - 01:11 AM.


#12 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,059 posts
  • MVP

Posted 15 November 2009 - 07:05 AM

Can you check a couple of things before we continue?

Can you please go into Device Manager (Start > Run > type devmgmt.msc) and advise me if there are any reported errors.

Also check your system sounds and ability to play music as this infection targets the audio devices on the machine.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#13 Icoris

Icoris

    Authentic Member

  • Authentic Member
  • PipPip
  • 29 posts

Posted 15 November 2009 - 07:10 AM

I play music practically non-stop, all working as intended, no errors in device management.

#14 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,059 posts
  • MVP

Posted 15 November 2009 - 07:12 AM

Excellent.

Let's continue:

Please do the following:

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT

Run an on-line scan with Kaspersky

Using Internet Explorer or Firefox, visit Kaspersky On-line Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
3. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.

  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply


In your next reply please include
  • MBAM Log
  • Kaspersky report

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#15 Icoris

Icoris

    Authentic Member

  • Authentic Member
  • PipPip
  • 29 posts

Posted 15 November 2009 - 07:18 AM

Malwarebytes' Anti-Malware 1.41
Database version: 3174
Windows 5.1.2600 Service Pack 2

11/16/2009 12:17:21 AM
mbam-log-2009-11-16 (00-17-21).txt

Scan type: Quick Scan
Objects scanned: 97994
Time elapsed: 1 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Gonna do the Kaspersky scan now.
