[Resolved] Worm? Rootkit?


  • This topic is locked
14 replies to this topic

#1 ShadowStorm (Authentic Member, 44 posts)

Posted 14 November 2009 - 05:26 PM

I was working on some Excel sheets today and all of a sudden I got a pop-up "Warning! Your PC is infected!" etc. I immediately got Malwarebytes and ran a scan.
I saw I had Hijack.WindowsUpdate twice.
I read some of the stuff on this forum, downloaded WUS_Fix.exe, ran it, and the scan returned nothing.
Behold, 5 minutes later I got the pop-up again, but nothing in the scan. :pullhair:

HiJackThis Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:20:27 PM, on 11/14/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Microsoft Location Finder\LocationFinder.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\*USER*\Desktop\RootkitRevealer.exe
C:\DOCUME~1\PATRIC~1\LOCALS~1\Temp\QLJWPT.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://optonline.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.h...a...o&pf=laptop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Microsoft Location Finder] "C:\Program Files\Microsoft Location Finder\LocationFinder.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\prxernsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prxerdrv.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prxerdrv.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=laptop
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...trl.cab?lmi=100
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: QLJWPT - Sysinternals - www.sysinternals.com - C:\DOCUME~1\PATRIC~1\LOCALS~1\Temp\QLJWPT.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9090 bytes

Edited by ShadowStorm, 17 November 2009 - 09:51 PM.



#2 extremeboy (Retired WTT Malware Disintegrator Teacher, Authentic Member, 1,433 posts)

Posted 17 November 2009 - 03:04 PM

Hello and welcome to WTT.

Could you retrieve the Malwarebytes log for me so I can see what it detected and quarantined? Open Malwarebytes and, in the Logs tab, double-click the log that was run. The log will be named with the time the scan was completed. Post that in your next reply.

Please also run a rootkit scan and DDS, and provide me with an update on the condition of your system.

Download and run RootRepeal CR

Please download RootRepeal from the following location and save it to your desktop.


  • Unzip the RootRepeal.zip file to its own folder. (If you did not use the "Direct Download" mirror to download RootRepeal.)
  • Close/disable all other programs, especially your security programs (anti-spyware, anti-virus, and firewall). Refer to this page if you are unsure how.
  • Physically disconnect your machine from the internet, as your system will be unprotected.
  • Double-click on RootRepeal.exe to run it. If you are using Vista, please right-click and run as Administrator.
  • Click the Report tab at the bottom.
  • Now press the Scan button.
  • A box will pop up; check the boxes beside all seven options/scan areas.
  • Now click OK.
  • Another box will open; check the boxes beside all the drives, e.g. C:\, then click OK.
  • The scan will take a little while to run, so let it go unhindered.
  • Once it is done, click the Save Report button.
  • Save it as RepealScan and save it to your desktop.
  • Reconnect to the internet.
  • Post the contents of that log in your reply, please.

Download and run DDS

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results soon.
  • Follow the instructions that pop up for posting the results and then click Ok.
  • The black window and message box will then disappear.
  • Please save both log files on your desktop and post the DDS.txt and zip up and attach Attach.txt as instructed.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE

~Extremeboy
If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

The help you receive here is free.

#3 ShadowStorm (Authentic Member, 44 posts)

Posted 17 November 2009 - 09:50 PM

MalwareBytes Log
Malwarebytes' Anti-Malware 1.41
Database version: 3167
Windows 5.1.2600 Service Pack 2

11/14/2009 8:44:53 AM
mbam-log-2009-11-14 (08-44-53).txt

Scan type: Quick Scan
Objects scanned: 111812
Time elapsed: 9 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


RootRepeal Log
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/17 22:24
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF2F2E000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF827E000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB7B2F000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x827a26a0

#: 013 Function Name: NtAlertThread
Status: Hooked by "<unknown>" at address 0x827a2780

#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x827a0778

#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x827b1da8

#: 043 Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0x827cce90

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x827a8768

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\Program Files\Symantec\SYMEVENT.SYS" at address 0xf33c3350

#: 083 Function Name: NtFreeVirtualMemory
Status: Hooked by "<unknown>" at address 0x82803778

#: 089 Function Name: NtImpersonateAnonymousToken
Status: Hooked by "<unknown>" at address 0x827ccf70

#: 091 Function Name: NtImpersonateThread
Status: Hooked by "<unknown>" at address 0x827a25c0

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "<unknown>" at address 0x8279c1d0

#: 114 Function Name: NtOpenEvent
Status: Hooked by "<unknown>" at address 0x827ccdb0

#: 123 Function Name: NtOpenProcessToken
Status: Hooked by "<unknown>" at address 0x827a0848

#: 129 Function Name: NtOpenThreadToken
Status: Hooked by "<unknown>" at address 0x827a2c08

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "<unknown>" at address 0x827cccc0

#: 206 Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x827afb28

#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x827a2b48

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x827a2cc8

#: 229 Function Name: NtSetInformationThread
Status: Hooked by "<unknown>" at address 0x827a2a88

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\Program Files\Symantec\SYMEVENT.SYS" at address 0xf33c3580

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x827ccbe0

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x827a28c8

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x827a8838

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x827a29a8

#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "<unknown>" at address 0x827a2d88

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x82803838

==EOF==

DDS Log

DDS (Ver_09-10-26.01) - NTFSx86
Run by *USER* at 22:37:20.37 on Tue 11/17/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.702.252 [GMT -5:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Microsoft Location Finder\LocationFinder.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\*USER*\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://optonline.net/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=laptop
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [Microsoft Location Finder] "c:\program files\microsoft location finder\LocationFinder.exe"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\Hotsync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_02\bin\npjpi150_02.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
LSP: %SystemRoot%\system32\PrxerDrv.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1258256229375
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks 2008\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll

============= SERVICES / DRIVERS ===============

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-11-13 269648]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-3-2 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-29 102448]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2004-12-15 200192]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-11-13 19160]
S1 f9281ce;f9281ce;c:\windows\system32\drivers\f9281ce.sys [2009-6-6 0]
S3 Bulk503;Chameleon Mega Digital Camera;c:\windows\system32\drivers\bulk503.sys [2008-1-20 10599]
S3 ISO503;Chameleon Mega Video Camera;c:\windows\system32\drivers\iso503.sys [2008-1-20 519936]
S3 rootrepeal[1];rootrepeal[1];\??\c:\windows\system32\drivers\rootrepeal[1].sys --> c:\windows\system32\drivers\rootrepeal[1].sys [?]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-9-27 116464]

=============== Created Last 30 ================

2009-11-18 02:59:51 0 d-----w- c:\windows\LastGood.Tmp
2009-11-18 02:53:56 0 d-----w- c:\windows\system32\scripting
2009-11-18 02:53:55 0 d-----w- c:\windows\l2schemas
2009-11-18 02:53:54 0 d-----w- c:\windows\system32\en
2009-11-18 02:53:54 0 d-----w- c:\windows\system32\bits
2009-11-18 02:39:49 0 d-----w- c:\windows\EHome
2009-11-18 02:32:53 0 d-sh--w- c:\documents and settings\*USER*\IECompatCache
2009-11-18 02:31:01 0 d-sh--w- c:\documents and settings\*USER*\PrivacIE
2009-11-18 02:21:34 0 d-sh--w- c:\documents and settings\*USER*\IETldCache
2009-11-18 02:03:39 0 dc-h--w- c:\windows\ie8
2009-11-17 01:17:32 1089593 ------w- c:\windows\system32\dllcache\ntprint.cat
2009-11-17 00:49:56 0 d-----w- c:\windows\system32\XPSViewer
2009-11-17 00:48:23 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-11-17 00:48:23 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-11-17 00:48:23 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-11-17 00:48:23 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-11-17 00:48:23 117760 ------w- c:\windows\system32\prntvpt.dll
2009-11-17 00:48:22 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-11-17 00:48:22 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2009-11-17 00:48:22 0 d-----w- C:\33d2014b20a88cf8d7256893
2009-11-17 00:47:40 0 d-----w- c:\windows\SxsCaPendDel
2009-11-17 00:34:10 0 d-----w- c:\program files\MSXML 6.0
2009-11-15 08:31:07 0 d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-11-15 08:05:07 0 d-----w- c:\windows\ServicePackFiles
2009-11-15 04:55:51 128512 ------w- c:\windows\system32\dllcache\dhtmled.ocx
2009-11-15 04:52:48 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-11-15 04:48:30 655872 ------w- c:\windows\system32\dllcache\mstscax.dll
2009-11-15 04:46:53 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-11-15 04:46:52 215552 ------w- c:\windows\system32\dllcache\wordpad.exe
2009-11-15 04:46:52 1203922 ------w- c:\windows\system32\dllcache\sysmain.sdb
2009-11-15 00:47:18 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2009-11-15 00:46:38 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2009-11-15 00:46:37 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-11-14 04:10:25 0 d-----w- c:\docume~1\patric~1\applic~1\Malwarebytes
2009-11-14 04:10:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-14 04:10:16 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-14 04:10:16 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-14 04:10:16 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-14 03:54:42 0 d-----w- c:\docume~1\patric~1\applic~1\uTorrent
2009-11-14 01:46:09 0 d-----w- c:\docume~1\patric~1\applic~1\mIRC
2009-11-13 21:26:45 0 d-----w- c:\docume~1\patric~1\applic~1\Tibia
2009-11-07 22:23:45 54156 ---ha-w- c:\windows\QTFont.qfn
2009-11-07 22:23:45 1409 ----a-w- c:\windows\QTFont.for

==================== Find3M ====================

2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-09-09 02:00:45 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 21:03:36 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
2009-08-29 07:36:24 133120 ------w- c:\windows\system32\dllcache\extmgr.dll
2009-08-28 10:28:59 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-26 08:00:21 247326 ------w- c:\windows\system32\dllcache\strmdll.dll

============= FINISH: 22:37:52.18 ===============
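As an added example (not code from this thread, from Malwarebytes, or from any tool named above), a Python triage helper that parses the "Registry Data Items Infected" entries from the MBAM log posted above and shows why the flagged ImagePath values matter: %SystemRoot% was replaced by %fystemRoot%, a variable Windows never defines, so the Service Control Manager cannot resolve the svchost.exe path and the BITS and Windows Update (wuauserv) services fail to start. The set of expandable variables and the log header around the two quoted entries are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Environment variables the Service Control Manager can expand in a
# REG_EXPAND_SZ ImagePath. Constructed list for this example; what matters
# is that "fystemroot" is not among them, so such a path can never resolve.
KNOWN_SYSTEM_VARS = frozenset(
    {"systemroot", "systemdrive", "windir", "programfiles", "commonprogramfiles"}
)

# Constructed sample: a minimal MBAM log wrapped around the two entries
# quoted in the thread (key, detection name, Bad/Good values as posted).
SAMPLE_LOG = r"""Registry Data Items Infected: 2

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)
"""

# One MBAM "registry data" entry: <key>\<value> (<detection>) -> Bad: (..) Good: (..) -> <action>
ENTRY_RE = re.compile(
    r"^(?P<key>HKEY_\S+)\\(?P<value_name>\w+) \((?P<detection>[^)]+)\) -> "
    r"Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> (?P<action>.+)$"
)


@dataclass
class RegistryDataItem:
    key: str
    value_name: str
    detection: str
    bad: str
    good: str
    action: str

    @property
    def service(self) -> Optional[str]:
        """Service name when the key sits under ...\\Services\\<name>."""
        m = re.search(r"\\Services\\([^\\]+)$", self.key, re.IGNORECASE)
        return m.group(1) if m else None


def parse_mbam_registry_data(text: str) -> List[RegistryDataItem]:
    """Return the entries listed under the 'Registry Data Items Infected:' section."""
    items, in_section = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "Registry Data Items Infected:":   # section header, not the count line
            in_section = True
            continue
        if in_section:
            if not stripped:                              # blank line closes the section
                in_section = False
                continue
            m = ENTRY_RE.match(stripped)
            if m:
                items.append(RegistryDataItem(**m.groupdict()))
    return items


def unresolved_variables(image_path: str, defined=KNOWN_SYSTEM_VARS) -> List[str]:
    """Names of %VAR% tokens in image_path that the SCM cannot expand (original case kept)."""
    return [v for v in re.findall(r"%([^%\\]+)%", image_path) if v.lower() not in defined]


def triage(text: str) -> List[dict]:
    """One finding per entry: which service was hijacked and why the bad path fails."""
    findings = []
    for item in parse_mbam_registry_data(text):
        missing = unresolved_variables(item.bad)
        impact = (
            f"service '{item.service}' could not start: %{missing[0]}% is undefined"
            if missing else "binary path resolves; review the target binary manually"
        )
        findings.append({
            "service": item.service,
            "detection": item.detection,
            "unresolved": missing,
            "restored_to": item.good,
            "action": item.action,
            "impact": impact,
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['service']:>10}  {f['detection']}  unresolved={f['unresolved']}  {f['impact']}")
```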


#4 extremeboy (Retired WTT Malware Disintegrator Teacher, Authentic Member, 1,433 posts)

Posted 18 November 2009 - 03:11 PM

Thanks for the logs.

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page for instructions on doing so.

Please include the C:\ComboFix.txt in your next reply for further review.

#5 ShadowStorm (Authentic Member, 44 posts)

Posted 19 November 2009 - 02:52 PM

ComboFix 09-11-19.02 - *USER* 11/19/2009 15:22.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.702.321 [GMT -5:00]
Running from: c:\documents and settings\*USER*\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Start Menu\Programs\HOLUX
c:\documents and settings\All Users\Start Menu\Programs\HOLUX \GpsViewer.lnk
C:\install.exe
c:\recycler\S-1-5-21-1089551744-1120685985-1162132538-1003
c:\recycler\S-1-5-21-1708537768-308236825-839522115-1003
c:\windows\COUPON~1.OCX
c:\windows\CouponPrinter.ocx
c:\windows\system32\bszip.dll

.
((((((((((((((((((((((((( Files Created from 2009-10-19 to 2009-11-19 )))))))))))))))))))))))))))))))
.

2009-11-19 20:20 . 2009-11-19 20:27 -------- d-----w- c:\windows\ie8updates
2009-11-19 20:11 . 2009-08-29 08:08 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-11-19 20:11 . 2009-08-29 08:08 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-11-19 20:08 . 2009-11-19 20:08 -------- d-----w- c:\windows\LastGood
2009-11-18 03:16 . 2009-11-18 03:16 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-11-18 02:53 . 2009-11-18 02:53 -------- d-----w- c:\windows\system32\scripting
2009-11-18 02:53 . 2009-11-18 02:53 -------- d-----w- c:\windows\l2schemas
2009-11-18 02:53 . 2009-11-18 02:53 -------- d-----w- c:\windows\system32\en
2009-11-18 02:53 . 2009-11-18 02:53 -------- d-----w- c:\windows\system32\bits
2009-11-18 02:39 . 2009-11-18 02:39 -------- d-----w- c:\windows\EHome
2009-11-18 02:32 . 2009-11-18 02:32 -------- d-sh--w- c:\documents and settings\*USER*\IECompatCache
2009-11-18 02:31 . 2009-11-18 02:31 -------- d-sh--w- c:\documents and settings\*USER*\PrivacIE
2009-11-18 02:21 . 2009-11-18 02:21 -------- d-sh--w- c:\documents and settings\*USER*\IETldCache
2009-11-18 02:03 . 2009-11-18 02:07 -------- dc-h--w- c:\windows\ie8
2009-11-17 00:49 . 2009-11-17 00:49 -------- d-----w- c:\windows\system32\XPSViewer
2009-11-17 00:49 . 2009-11-17 00:49 -------- d-----w- c:\program files\MSBuild
2009-11-17 00:49 . 2009-11-17 00:49 -------- d-----w- c:\program files\Reference Assemblies
2009-11-17 00:48 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-11-17 00:48 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-11-17 00:48 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-11-17 00:48 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-11-17 00:48 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-11-17 00:48 . 2009-11-17 00:49 -------- d-----w- C:\33d2014b20a88cf8d7256893
2009-11-17 00:48 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-11-17 00:48 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2009-11-17 00:47 . 2009-11-18 00:22 -------- d-----w- c:\windows\SxsCaPendDel
2009-11-17 00:34 . 2009-11-17 00:34 -------- d-----w- c:\program files\MSXML 6.0
2009-11-15 08:31 . 2009-11-15 08:31 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-11-15 08:05 . 2009-11-18 02:49 -------- d-----w- c:\windows\ServicePackFiles
2009-11-15 04:52 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-11-15 04:48 . 2009-06-10 14:19 2066432 ------w- c:\windows\system32\dllcache\mstscax.dll
2009-11-15 04:46 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-11-15 04:46 . 2008-04-21 12:08 215552 ------w- c:\windows\system32\dllcache\wordpad.exe
2009-11-15 00:46 . 2009-08-07 00:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-11-14 04:10 . 2009-11-14 04:10 -------- d-----w- c:\documents and settings\*USER*\Application Data\Malwarebytes
2009-11-14 04:10 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-14 04:10 . 2009-11-14 04:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-14 04:10 . 2009-11-14 04:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-14 04:10 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-14 03:54 . 2009-11-15 17:40 -------- d-----w- c:\documents and settings\*USER*\Application Data\uTorrent
2009-11-14 02:12 . 2009-11-15 17:39 -------- d-----w- c:\documents and settings\*USER*\Application Data\Notepad++
2009-11-14 01:46 . 2009-11-14 03:48 -------- d-----w- c:\documents and settings\*USER*\Application Data\mIRC
2009-11-13 21:26 . 2009-11-13 21:33 -------- d-----w- c:\documents and settings\*USER*\Application Data\Tibia

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-19 20:42 . 2008-03-12 15:45 -------- d-----w- c:\program files\Symantec AntiVirus
2009-11-18 02:57 . 2004-08-07 13:10 82791 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-11-18 01:00 . 2009-02-25 02:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-18 00:54 . 2005-04-30 05:19 -------- d-----w- c:\program files\Microsoft Works
2009-11-14 23:17 . 2006-12-25 16:58 -------- d-----w- c:\program files\Trend Micro
2009-10-15 17:44 . 2006-01-31 02:47 -------- d-----w- c:\documents and settings\*USER*\Application Data\U3
2009-09-11 14:18 . 2004-08-04 08:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-09 02:00 . 2009-09-09 02:00 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2009-09-04 21:03 . 2004-08-04 08:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2009-11-19 20:11 916480 ----a-w- c:\windows\system32\SET2D.tmp
2009-08-29 08:08 . 2009-11-19 20:11 1208832 ----a-w- c:\windows\system32\SET2E.tmp
2009-08-29 08:08 . 2009-11-19 20:11 5940224 ----a-w- c:\windows\system32\SET30.tmp
2009-08-29 08:08 . 2009-11-19 20:11 594432 ----a-w- c:\windows\system32\SET32.tmp
2009-08-29 08:08 . 2009-11-19 20:11 55296 ----a-w- c:\windows\system32\SET31.tmp
2009-08-29 08:08 . 2009-11-19 20:11 1985536 ----a-w- c:\windows\system32\SET35.tmp
2009-08-29 08:08 . 2009-11-19 20:11 11069440 ----a-w- c:\windows\system32\SET37.tmp
2009-08-26 08:00 . 2004-08-04 08:00 247326 ----a-w- c:\windows\system32\strmdll.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Location Finder"="c:\program files\Microsoft Location Finder\LocationFinder.exe" [2005-08-24 101080]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-28 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-01 794624]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 102492]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 692316]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-10-20 286720]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-28 125168]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-09-10 420176]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
HotSync Manager.lnk - c:\program files\Palm\Hotsync.exe [2004-6-9 471040]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-2-27 972064]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"Pml Driver HPZ12"=3 (0x3)
"ose"=3 (0x3)
"LightScribeService"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [11/13/2009 11:10 PM 269648]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [3/2/2009 3:18 PM 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/29/2009 6:15 PM 102448]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [12/15/2004 10:18 AM 200192]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [11/13/2009 11:10 PM 19160]
S1 f9281ce;f9281ce;c:\windows\system32\drivers\f9281ce.sys [6/6/2009 7:20 PM 0]
S3 Bulk503;Chameleon Mega Digital Camera;c:\windows\system32\drivers\bulk503.sys [1/20/2008 12:38 PM 10599]
S3 ISO503;Chameleon Mega Video Camera;c:\windows\system32\drivers\iso503.sys [1/20/2008 12:38 PM 519936]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 7:33 PM 116464]
.
Contents of the 'Scheduled Tasks' folder

2009-11-18 c:\windows\Tasks\HP Usg Daily FY04.job
- c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\pexpress\hphped06.exe [2004-06-07 04:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://optonline.net/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=laptop
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
LSP: %SystemRoot%\system32\PrxerDrv.dll
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-19 15:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
"ImagePath"="\??\c:\windows\system32\drivers\rootrepeal
[1].sys"


[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rootrepeal[1]]
"ImagePath"="\??\c:\windows\system32\drivers\rootrepeal
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-501479380-3497460263-1721026964-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
@SACL=
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(592)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-11-19 15:46
ComboFix-quarantined-files.txt 2009-11-19 20:46

Pre-Run: 14,328,143,872 bytes free
Post-Run: 14,288,171,008 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 39B8C896473BF5AD5EEA480C65CBE6F2

#6 extremeboy (Retired WTT Malware Disintegrator Teacher, Authentic Member, 1,433 posts)

Posted 19 November 2009 - 04:21 PM

Hello again.

Run ComboFix with CFScript

We will run ComboFix again. This time, the instructions are slightly different.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open Notepad (Start > Run > "notepad") and copy/paste the text in the quote box below into it:

    Driver::
    f9281ce
    File::
    c:\windows\system32\drivers\f9281ce.sys
    RegLock::
    [HKEY_USERS\S-1-5-21-501479380-3497460263-1721026964-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]

  • Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
  • [image]
  • Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
--

Peer-to-Peer Programs Warning

Your log shows that you are using so-called peer-to-peer or file-sharing programs (in your case uTorrent). These programs allow users to share files between each other, as the name suggests. In today's world cybercrime has reached an enormous dimension, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further readings on this subject, along with the included links, are as follows: File-Sharing, otherwise known as Peer To Peer and Risks of File-Sharing Technology.

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries around the world, and you are putting yourself at risk of being indicted through organizations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

It is your decision whether or not you wish to keep your program(s), but I suggest you remove them via Add/Remove Programs. However, please refrain from using them until your computer has been declared clean.

Update and Scan with MalwareBytes Anti-Malware

  • Launch Malwarebytes' Anti-Malware
  • Go to the Update tab
  • Select Check for Update and let MBAM download and install any available updates.
  • After the update is complete go to the Scanner tab.
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Thanks.

With Regards,
Extremeboy
If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

The help you receive here is free. If you wish to show your appreciation, you may wish to Posted Image
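The CFScript above removes the f9281ce driver. As an added example that is not part of this thread and is not ComboFix's own code, the Python script below parses the Drivers/Services lines of a ComboFix log (the four sample lines are copied from the log posted in #5) and lists the entries an analyst would look at first, which shows why that driver stood out: a kernel driver with a random hex name, registered to a zero-byte file, set to load at system start before any user-mode scanner. The reading of the prefix (R/S for running/stopped, then the Windows start type digit) is the usual interpretation of ComboFix logs; the flagging heuristics and their wording are my own assumptions, not anything the helper or the tool states.

```python
"""Triage the Drivers/Services section of a ComboFix log (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample input: four Drivers/Services lines copied from the
# ComboFix log posted in #5 (raw string, so the Windows backslashes are literal).
SAMPLE_LOG = r"""
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [11/13/2009 11:10 PM 269648]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [12/15/2004 10:18 AM 200192]
S1 f9281ce;f9281ce;c:\windows\system32\drivers\f9281ce.sys [6/6/2009 7:20 PM 0]
S3 Bulk503;Chameleon Mega Digital Camera;c:\windows\system32\drivers\bulk503.sys [1/20/2008 12:38 PM 10599]
"""

# One ComboFix service line: <R|S><start> <name>;<display>;<path> [<date> <time> <size>]
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+"        # R = running, S = stopped; digit = start type
    r"(?P<name>[^;]+);(?P<display>[^;]*);"     # service name ; display name ;
    r"(?P<path>.+?)\s+"                        # image path (may contain spaces)
    r"\[(?P<stamp>.+?)\s+(?P<size>\d+)\]\s*$"  # [file date and time, file size in bytes]
)

# Windows service start types as they appear in the digit of the prefix.
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}

# Heuristic (assumption): a service name that is nothing but 6-12 hex digits.
HEX_NAME_RE = re.compile(r"[0-9a-f]{6,12}")


@dataclass
class Entry:
    state: str
    start: str
    name: str
    display: str
    path: str
    size: int
    reasons: list = field(default_factory=list)


def parse_line(line):
    """Return an Entry for a Drivers/Services line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(m["state"], m["start"], m["name"], m["display"], m["path"], int(m["size"]))


def assess(entry):
    """Attach plain-language reasons an analyst would look closer at this entry."""
    lowered = entry.name.lower()
    if entry.size == 0:
        entry.reasons.append("zero-byte image file: the on-disk file is empty or hidden from the scanner")
    if HEX_NAME_RE.fullmatch(lowered) and entry.display.lower() == lowered:
        entry.reasons.append("random hex-looking name used as both service and display name")
    # Escalate only entries that are already odd: a boot/system-start driver
    # loads before user-mode anti-virus, which is why such entries matter most.
    if entry.reasons and entry.start in ("0", "1") and entry.path.lower().endswith(".sys"):
        entry.reasons.append("kernel driver with %s start, loaded before user-mode AV" % START_TYPES[entry.start])
    return entry


def triage(log_text):
    """Parse every Drivers/Services line and return the flagged entries, most reasons first."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e is not None]
    flagged = [e for e in (assess(e) for e in entries) if e.reasons]
    flagged.sort(key=lambda e: len(e.reasons), reverse=True)
    return flagged


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.state}{e.start} {e.name} ({e.path}, {e.size} bytes)")
        for r in e.reasons:
            print("   -", r)
```

Run against the sample, only f9281ce is reported, with all three reasons; the Malwarebytes, modem and camera drivers are left alone because they have a vendor-style name and a real file size. The same parser works on the full Drivers/Services block of any ComboFix log, and the RegLock:: line in the CFScript is the matching fix for the locked CLSID key that ComboFix listed under LOCKED REGISTRY KEYS in #5.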

#7 ShadowStorm (Authentic Member, 44 posts)

Posted 19 November 2009 - 05:54 PM

ComboFix 09-11-19.02 - *USER* 11/19/2009 18:06.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.702.250 [GMT -5:00]
Running from: c:\documents and settings\*USER*\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\*USER*\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FILE ::
"c:\windows\system32\drivers\f9281ce.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\f9281ce.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_f9281ce


((((((((((((((((((((((((( Files Created from 2009-10-19 to 2009-11-19 )))))))))))))))))))))))))))))))
.

2009-11-19 21:10 . 2009-11-19 21:10 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-11-19 20:20 . 2009-11-19 20:27 -------- d-----w- c:\windows\ie8updates
2009-11-19 20:11 . 2009-08-29 08:08 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-11-19 20:11 . 2009-08-29 08:08 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-11-18 03:16 . 2009-11-18 03:16 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-11-18 02:53 . 2009-11-18 02:53 -------- d-----w- c:\windows\system32\scripting
2009-11-18 02:53 . 2009-11-18 02:53 -------- d-----w- c:\windows\l2schemas
2009-11-18 02:53 . 2009-11-18 02:53 -------- d-----w- c:\windows\system32\en
2009-11-18 02:53 . 2009-11-18 02:53 -------- d-----w- c:\windows\system32\bits
2009-11-18 02:39 . 2009-11-18 02:39 -------- d-----w- c:\windows\EHome
2009-11-18 02:32 . 2009-11-18 02:32 -------- d-sh--w- c:\documents and settings\*USER*\IECompatCache
2009-11-18 02:31 . 2009-11-18 02:31 -------- d-sh--w- c:\documents and settings\*USER*\PrivacIE
2009-11-18 02:21 . 2009-11-18 02:21 -------- d-sh--w- c:\documents and settings\*USER*\IETldCache
2009-11-18 02:03 . 2009-11-18 02:07 -------- dc-h--w- c:\windows\ie8
2009-11-17 00:49 . 2009-11-17 00:49 -------- d-----w- c:\windows\system32\XPSViewer
2009-11-17 00:49 . 2009-11-17 00:49 -------- d-----w- c:\program files\MSBuild
2009-11-17 00:49 . 2009-11-17 00:49 -------- d-----w- c:\program files\Reference Assemblies
2009-11-17 00:48 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-11-17 00:48 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-11-17 00:48 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-11-17 00:48 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-11-17 00:48 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-11-17 00:48 . 2009-11-17 00:49 -------- d-----w- C:\33d2014b20a88cf8d7256893
2009-11-17 00:48 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-11-17 00:48 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2009-11-17 00:47 . 2009-11-18 00:22 -------- d-----w- c:\windows\SxsCaPendDel
2009-11-17 00:34 . 2009-11-17 00:34 -------- d-----w- c:\program files\MSXML 6.0
2009-11-15 08:31 . 2009-11-15 08:31 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-11-15 08:05 . 2009-11-18 02:49 -------- d-----w- c:\windows\ServicePackFiles
2009-11-15 04:52 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-11-15 04:48 . 2009-06-10 14:19 2066432 ------w- c:\windows\system32\dllcache\mstscax.dll
2009-11-15 04:46 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-11-15 04:46 . 2008-04-21 12:08 215552 ------w- c:\windows\system32\dllcache\wordpad.exe
2009-11-15 00:46 . 2009-08-07 00:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-11-14 04:10 . 2009-11-14 04:10 -------- d-----w- c:\documents and settings\*USER*\Application Data\Malwarebytes
2009-11-14 04:10 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-14 04:10 . 2009-11-14 04:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-14 04:10 . 2009-11-14 04:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-14 04:10 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-14 03:54 . 2009-11-15 17:40 -------- d-----w- c:\documents and settings\*USER*\Application Data\uTorrent
2009-11-14 02:12 . 2009-11-15 17:39 -------- d-----w- c:\documents and settings\*USER*\Application Data\Notepad++
2009-11-14 01:46 . 2009-11-14 03:48 -------- d-----w- c:\documents and settings\*USER*\Application Data\mIRC
2009-11-13 21:26 . 2009-11-13 21:33 -------- d-----w- c:\documents and settings\*USER*\Application Data\Tibia

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-19 23:30 . 2008-03-12 15:45 -------- d-----w- c:\program files\Symantec AntiVirus
2009-11-18 02:57 . 2004-08-07 13:10 82791 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-11-18 01:00 . 2009-02-25 02:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-18 00:54 . 2005-04-30 05:19 -------- d-----w- c:\program files\Microsoft Works
2009-11-14 23:17 . 2006-12-25 16:58 -------- d-----w- c:\program files\Trend Micro
2009-10-15 17:44 . 2006-01-31 02:47 -------- d-----w- c:\documents and settings\*USER*\Application Data\U3
2009-09-11 14:18 . 2004-08-04 08:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-09 02:00 . 2009-09-09 02:00 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2009-09-04 21:03 . 2004-08-04 08:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2004-08-04 08:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2004-08-04 08:00 247326 ----a-w- c:\windows\system32\strmdll.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-11-19_20.38.30 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-08-07 13:10 . 2009-11-19 20:05 72306 c:\windows\system32\perfc009.dat
+ 2004-08-07 13:10 . 2009-11-19 23:30 72306 c:\windows\system32\perfc009.dat
+ 2007-08-13 22:54 . 2009-08-29 08:08 55296 c:\windows\system32\msfeedsbs.dll
- 2007-08-13 22:54 . 2009-03-08 09:31 55296 c:\windows\system32\msfeedsbs.dll
- 2004-08-07 13:10 . 2009-11-19 20:05 444596 c:\windows\system32\perfh009.dat
+ 2004-08-07 13:10 . 2009-11-19 23:30 444596 c:\windows\system32\perfh009.dat
+ 2007-08-13 22:54 . 2009-08-29 08:08 594432 c:\windows\system32\msfeeds.dll
- 2007-08-13 22:54 . 2009-03-08 09:32 594432 c:\windows\system32\msfeeds.dll
+ 2004-08-04 08:00 . 2009-08-29 08:08 1208832 c:\windows\system32\urlmon.dll
+ 2004-08-04 08:00 . 2009-08-29 08:08 5940224 c:\windows\system32\mshtml.dll
+ 2007-08-13 22:34 . 2009-08-29 08:08 1985536 c:\windows\system32\iertutil.dll
+ 2007-08-13 22:54 . 2009-08-29 08:08 11069440 c:\windows\system32\ieframe.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Location Finder"="c:\program files\Microsoft Location Finder\LocationFinder.exe" [2005-08-24 101080]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-28 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-01 794624]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 102492]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 692316]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-10-20 286720]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-28 125168]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-09-10 420176]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
HotSync Manager.lnk - c:\program files\Palm\Hotsync.exe [2004-6-9 471040]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-2-27 972064]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"Pml Driver HPZ12"=3 (0x3)
"ose"=3 (0x3)
"LightScribeService"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [11/13/2009 11:10 PM 269648]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [3/2/2009 3:18 PM 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/29/2009 6:15 PM 102448]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [12/15/2004 10:18 AM 200192]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [11/13/2009 11:10 PM 19160]
S3 Bulk503;Chameleon Mega Digital Camera;c:\windows\system32\drivers\bulk503.sys [1/20/2008 12:38 PM 10599]
S3 ISO503;Chameleon Mega Video Camera;c:\windows\system32\drivers\iso503.sys [1/20/2008 12:38 PM 519936]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 7:33 PM 116464]
.
Contents of the 'Scheduled Tasks' folder

2009-11-18 c:\windows\Tasks\HP Usg Daily FY04.job
- c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\pexpress\hphped06.exe [2004-06-07 04:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://optonline.net/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=laptop
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
LSP: %SystemRoot%\system32\PrxerDrv.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-19 18:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
"ImagePath"="\??\c:\windows\system32\drivers\rootrepeal
[1].sys"


[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rootrepeal[1]]
"ImagePath"="\??\c:\windows\system32\drivers\rootrepeal
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(600)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3568)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\program files\HPQ\SHARED\HPQWMI.exe
.
**************************************************************************
.
Completion time: 2009-11-19 18:41 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-19 23:41
ComboFix2.txt 2009-11-19 20:46

Pre-Run: 14,290,239,488 bytes free
Post-Run: 14,165,942,272 bytes free

- - End Of File - - E385802DD450162CA2686A0149FC59C5


Malwarebytes' Anti-Malware 1.41
Database version: 3198
Windows 5.1.2600 Service Pack 3

11/19/2009 6:52:34 PM
mbam-log-2009-11-19 (18-52-34).txt

Scan type: Quick Scan
Objects scanned: 113076
Time elapsed: 8 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#8 extremeboy (Retired WTT Malware Disintegrator Teacher, Authentic Member, 1,433 posts)

Posted 19 November 2009 - 06:02 PM

Hello.

Update your Java and run an online scan...

Update Java to Version 6 Update 17

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for Java Runtime Environment (JRE) JRE 6 Update 17.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the on-screen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u17-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Run ESET Online Scan

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
You can refer to this animation by neomage if needed.

Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply. Also, let me know how your computer is running and if you have any more problems, issues or symptoms left.

Thanks.

With Regards,
Extremeboy
If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

The help you receive here is free. If you wish to show your appreciation, you may wish to Posted Image
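As an added check, not part of the thread or of extremeboy's instructions: a PowerShell script that reads the same Add/Remove Programs data the Java steps above walk through and flags every Java runtime older than 6 Update 17, so you can confirm before and after the uninstall steps that no old version is left behind. The registry paths and the DisplayName parsing pattern are assumptions (Sun's "Java(TM) 6 Update 17" / "J2SE Runtime Environment 5.0 Update 6" naming).

```powershell
# Added example (not from the thread): list installed Java runtimes from the
# Add/Remove Programs registry data and flag any older than the target build.
# Assumptions: the target is JRE 6 Update 17 (the version the post asks for);
# DisplayName strings follow Sun's "Java(TM) 6 Update 17" / "J2SE Runtime
# Environment 5.0 Update 6" pattern, which is what the regex below expects.

$TargetMajor  = 6
$TargetUpdate = 17

# Add/Remove Programs reads from these keys; the WOW6432Node key only exists
# on 64-bit Windows and is skipped when absent.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-InstalledJava {
    foreach ($key in $UninstallKeys) {
        if (-not (Test-Path $key)) { continue }
        Get-ChildItem $key | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
            # Matches "Java(TM) 6 Update 17", "J2SE Runtime Environment 5.0 Update 6",
            # "Java 8 Update 231"; entries without an "Update N" (e.g. "Java Auto
            # Updater") are not runtimes and are ignored.
            if ($p.DisplayName -match '^(?:Java\(TM\)|J2SE|Java)\s+(?:SE\s+)?(?:Runtime Environment\s+)?(\d+)(?:\.(\d+))?.*?Update\s+(\d+)') {
                $major = [int]$Matches[1]
                # "1.6"-style names carry the real major in the second group
                if ($major -eq 1 -and $Matches[2]) { $major = [int]$Matches[2] }
                [PSCustomObject]@{
                    DisplayName = $p.DisplayName
                    Major       = $major
                    Update      = [int]$Matches[3]
                    Uninstall   = $p.UninstallString
                }
            }
        }
    }
}

function Test-JavaOutdated {
    param([int]$Major, [int]$Update)
    # An older major (e.g. J2SE 5.0) or an older update of the same major is out of date.
    return ($Major -lt $TargetMajor) -or
           ($Major -eq $TargetMajor -and $Update -lt $TargetUpdate)
}

$installed = @(Get-InstalledJava)
if ($installed.Count -eq 0) {
    Write-Output 'No Java runtime found in Add/Remove Programs.'
}
foreach ($j in $installed) {
    $status = if (Test-JavaOutdated -Major $j.Major -Update $j.Update) { 'REMOVE (outdated)' } else { 'OK' }
    Write-Output ('{0,-18} {1}' -f $status, $j.DisplayName)
}
```

Run it from an elevated PowerShell prompt; every line marked REMOVE is an entry the Add/Remove Programs steps above should have taken out.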

#9 ShadowStorm

ShadowStorm

    Authentic Member

  • Authentic Member
  • PipPip
  • 44 posts

Posted 19 November 2009 - 10:14 PM

Eset turned up nothing. DDS (Ver_09-10-26.01) - NTFSx86 Run by *USER* at 22:09:35.82 on Thu 11/19/2009

The computer moves a little sluggishly starting up, and if Symantec didn't get any of this, I want a suggestion on what to use for an antivirus and firewall.


#10 extremeboy

extremeboy

    Retired WTT Malware Disintegrator Teacher

  • Authentic Member
  • PipPipPipPipPip
  • 1,433 posts

Posted 20 November 2009 - 03:13 PM

The logs look clean.

Regarding the sluggishness, it may be because of the amount of memory you have available, which isn't a lot.

For an anti-virus software alternative I recommend one of the free programs below. Make sure you only have ONE anti-virus software installed. Uninstall any others.

Install Antivirus

An anti-virus is essential in keeping your computer safe while surfing the Internet. Please install a (ONE) free anti-virus program from one of the links below:

Update it after the installation is complete please.

#11 ShadowStorm

ShadowStorm

    Authentic Member

  • Authentic Member
  • PipPip
  • 44 posts

Posted 20 November 2009 - 07:16 PM

Any suggestions for a high-end one, one that requires you to pay? It's always something to consider as it is pretty much a business computer.

#12 extremeboy

extremeboy

    Retired WTT Malware Disintegrator Teacher

  • Authentic Member
  • PipPipPipPipPip
  • 1,433 posts

Posted 20 November 2009 - 08:22 PM

Well, if you were to purchase one I would recommend either Kaspersky or Nod/ESET. They are by far the best purchased versions out there.

#13 ShadowStorm

ShadowStorm

    Authentic Member

  • Authentic Member
  • PipPip
  • 44 posts

Posted 21 November 2009 - 10:19 AM

You have been a great help, extremeboy.

#14 extremeboy

extremeboy

    Retired WTT Malware Disintegrator Teacher

  • Authentic Member
  • PipPipPipPipPip
  • 1,433 posts

Posted 21 November 2009 - 12:46 PM

You're welcome. Let's wrap up.

Please follow/read the steps below to remove the tools we used and for some more information. :)


Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix and anything associated with it.

Download and Run OTC

We will now remove the tools we used during this fix using OTC.

  • Download OTC by OldTimer and save it to your desktop.
  • Double click Posted Image icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big Posted Image button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.

System a bit slow? Try StartupLite

You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.

If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware.


Congratulations! You now appear clean! :D
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Preventing Infections in the Future

Please also have a look at the following links, giving some advice and tips to protect yourself against malware and reduce the potential for re-infection:

  • Avoid gaming sites, underground web pages, pirated software sites, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.

Visit the Windows Update Site Regularly

I recommend you regularly visit the Windows Update Site!
  • Lots of hacks/Trojans use the methods (plugged by the updates) that have not been stopped because people are not updating.
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish to turn on automatic updates then you will find here a nice little article about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.

Update Non-Microsoft Programs

It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Update all programs regularly - Make sure you update all the programs you have installed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.


If you have no more questions, comments or problems please tell us, so we can close off the topic.

Thanks :)

With Regards,
Extremeboy


#15 extremeboy

extremeboy

    Retired WTT Malware Disintegrator Teacher

  • Authentic Member
  • PipPipPipPipPip
  • 1,433 posts

Posted 24 November 2009 - 03:26 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.
