Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93117 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

System using 100% of CPU, only 240 kb file


  • This topic is locked This topic is locked
4 replies to this topic

#1 Ronbones

Ronbones

    New Member

  • Authentic Member
  • Pip
  • 9 posts

Posted 07 February 2011 - 07:16 PM

I had a tread running, but got closed.

Here is my ComboFix log file for your review.



ComboFix 11-02-05.01 - HP_Administrator 02/05/2011 23:26:53.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2343 [GMT -8:00]
Running from: c:\documents and settings\HP_Administrator\My Documents\Downloads\ComboFix.exe
FW: ZoneAlarm Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
PEV Error: AppFile
PEV Error: AppFolder

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\HP_Administrator\g2mdlhlpx.exe
c:\documents and settings\HP_Administrator\My Documents\Deleted and Recova'd\desktop_1.ini
c:\documents and settings\HP_Administrator\My Documents\Deleted and Recova'd\desktop_2.ini

.
((((((((((((((((((((((((( Files Created from 2011-01-06 to 2011-02-06 )))))))))))))))))))))))))))))))
.

2011-02-05 17:14 . 2011-02-05 17:14 -------- d-----w- c:\documents and settings\All Users\Application Data\CA
2011-02-04 09:05 . 2011-01-20 18:39 5890896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{8651752D-A330-49DC-A177-FFFF0EB8A84D}\mpengine.dll
2011-02-04 01:19 . 2011-02-04 01:19 -------- d-----w- c:\program files\ESET
2011-02-03 18:29 . 2011-02-03 18:29 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2011-02-03 18:28 . 2010-12-21 02:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-03 18:28 . 2011-02-03 18:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-02-03 18:27 . 2010-12-21 02:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-03 18:27 . 2011-02-03 18:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-03 01:36 . 2011-02-03 01:36 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Yahoo!
2011-02-01 18:49 . 2011-02-01 18:49 -------- d-----w- c:\program files\Microsoft SQL Server
2011-01-31 23:36 . 2011-01-31 23:36 388096 ----a-r- c:\documents and settings\HP_Administrator\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-01-31 23:36 . 2011-01-31 23:36 -------- d-----w- c:\program files\Trend Micro
2011-01-31 23:30 . 2011-01-31 23:30 -------- d-----w- C:\sec_45
2011-01-31 23:20 . 2011-01-31 23:20 -------- d-----w- c:\program files\Sophos
2011-01-31 22:26 . 2011-01-31 22:26 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2011-01-31 20:35 . 2011-01-31 22:56 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\IObit
2011-01-31 20:35 . 2011-01-31 20:35 -------- d-----w- c:\program files\IObit
2011-01-31 17:25 . 2011-01-31 17:25 -------- d-----w- c:\program files\AnswersThatWork
2011-01-31 14:32 . 2011-01-31 15:41 -------- d-----w- c:\documents and settings\All Users\Application Data\SpeedyPC
2011-01-31 14:32 . 2011-01-31 15:08 -------- d-----w- c:\program files\SpeedyPC
2011-01-30 14:53 . 2011-01-20 18:39 5890896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2011-01-30 14:32 . 2011-01-30 14:32 -------- d-----w- c:\program files\Windows Defender
2011-01-29 00:25 . 2011-01-29 00:25 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\CheckPoint
2011-01-29 00:23 . 2011-02-06 07:37 -------- d-----w- c:\windows\Internet Logs
2011-01-28 23:41 . 2011-01-28 23:41 -------- d-----w- c:\documents and settings\All Users\Application Data\SystemOptimizeExpert
2011-01-28 23:41 . 2011-01-28 23:41 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\SystemOptimizeExpert
2011-01-27 15:29 . 2008-10-15 05:33 95600 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2011-01-23 19:44 . 2011-01-23 19:44 -------- d-----w- c:\documents and settings\All Users\Application Data\rE4nFq0drRE
2011-01-23 18:54 . 2011-01-28 01:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Unique Content Producer
2011-01-22 19:41 . 2011-01-22 19:41 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-01-22 19:25 . 2011-01-22 19:25 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Sunbelt Software
2011-01-22 19:23 . 2011-01-22 19:23 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2011-01-22 19:19 . 2011-01-22 19:21 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Temp
2011-01-22 19:19 . 2011-01-22 19:19 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2011-01-22 19:13 . 2011-01-25 07:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2011-01-22 14:54 . 2011-01-22 14:54 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\ITTerritory
2011-01-22 06:20 . 2011-01-22 06:20 -------- d-----w- c:\program files\Mail.Ru
2011-01-17 16:52 . 2011-01-17 18:12 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\AVG
2011-01-16 10:16 . 2011-01-16 10:16 -------- d-----w- C:\$AVG
2011-01-16 07:44 . 2011-01-18 03:20 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2011-01-16 06:37 . 2011-01-16 07:32 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-01-15 07:24 . 2011-01-28 02:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2011-01-15 07:24 . 2011-01-15 07:24 -------- d-----w- c:\program files\Alwil Software
2011-01-14 22:44 . 2011-01-21 04:17 -------- d-----w- C:\desktop-
2011-01-08 20:52 . 2011-01-08 20:52 -------- d-----w- c:\program files\Twittenator
2011-01-08 20:51 . 2011-01-08 20:51 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Twittenator

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-03 19:46 . 2010-10-29 21:59 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-03 19:46 . 2010-10-29 21:59 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-18 18:12 . 2004-08-10 12:00 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-14 18:59 . 2010-11-14 18:58 286720 ------w- c:\windows\Setup1.exe
2010-11-14 18:59 . 2010-11-14 18:58 73216 ----a-w- c:\windows\ST6UNST.EXE
2010-11-09 14:52 . 2004-08-10 12:00 249856 ----a-w- c:\windows\system32\odbc32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\tbZone.dll" [2010-12-01 2735200]

[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
2010-12-01 19:27 2735200 ----a-w- c:\program files\ZoneAlarm_Security\tbZone.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\tbZone.dll" [2010-12-01 2735200]

[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{91DA5E8A-3318-4F8C-B67E-5964DE3AB546}"= "c:\program files\ZoneAlarm_Security\tbZone.dll" [2010-12-01 2735200]

[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2010-06-01 5252408]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2010-12-17 2402512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-05-27 98304]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-11-17 1043968]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2010-11-05 738808]
"MplSetUp"="c:\program files\RDS\RMClient\MplSetUp.exe" [2007-08-30 49254]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-05-26 98304]
"JobHisInit"="c:\program files\RDS\RMClient\JobHisInit.exe" [2007-08-30 229481]

c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-5 258048]
Updates from HP.lnk - c:\program files\Updates from HP\309731\Program\Updates from HP.exe [2005-5-26 45056]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AutorunsDisabled]
2010-05-27 16:45 159744 ----a-w- c:\windows\system32\ati2evxx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Logitech\\Vid HD\\Vid.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [11/5/2010 3:41 AM 26872]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\162.tmp --> c:\windows\system32\162.tmp [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder

2011-02-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-22 19:18]

2011-02-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-22 19:18]

2011-02-06 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 03:20]

2011-02-05 c:\windows\Tasks\SpeedyPC Program Check.job
- c:\program files\SpeedyPC\SpeedyPC.exe [2010-05-19 23:10]

2011-02-03 c:\windows\Tasks\SpeedyPC.job
- c:\program files\SpeedyPC\SpeedyPC.exe [2010-05-19 23:10]
.
.
------- Supplementary Scan -------
.
uStart Page = ABOUT:BLANK
mStart Page = hxxp://www.yahoo.com
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
DPF: {E6BB2089-163F-466B-812A-748096614DFD} - hxxp://cainternetsecurity.net/scanner/cascanner.cab
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\5u7o4xc8.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2645238&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - ZoneAlarm Security Customized Web Search
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - prefs.js: network.proxy.type - 4
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: AutoPager: autopager@mozilla.org - %profile%\extensions\autopager@mozilla.org
FF - Ext: Ghostery: firefox@ghostery.com - %profile%\extensions\firefox@ghostery.com
FF - Ext: FastestFox: smarterwiki@wikiatic.com - %profile%\extensions\smarterwiki@wikiatic.com
FF - Ext: BlogRovR: stickis@activeweave.com - %profile%\extensions\stickis@activeweave.com
FF - Ext: Status-bar Scientific Calculator: ststusscicalc@sunny - %profile%\extensions\ststusscicalc@sunny
FF - Ext: Tab Sidebar: TabSidebar@blueprintit.co.uk - %profile%\extensions\TabSidebar@blueprintit.co.uk
FF - Ext: Tree Style Tab: treestyletab@piro.sakura.ne.jp - %profile%\extensions\treestyletab@piro.sakura.ne.jp
FF - Ext: Firefox Universal Uploader (fireuploader): {0200c2a9-70da-4f6d-b527-f5f7d7877228} - %profile%\extensions\{0200c2a9-70da-4f6d-b527-f5f7d7877228}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Minimap Addon: {398e77b8-2304-11dc-8314-0800200c9a66} - %profile%\extensions\{398e77b8-2304-11dc-8314-0800200c9a66}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: iMacros for Firefox: {81BF1D23-5F17-408D-AC6B-BD6DF7CAF670} - %profile%\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}
FF - Ext: Adobe DLM (powered by getPlus®): {CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7} - %profile%\extensions\{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}
FF - Ext: BetterPrivacy: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3} - %profile%\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}
FF - Ext: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - %profile%\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
FF - Ext: FoxTab: {ef4e370e-d9f0-4e00-b93e-a4f274cfdd5a} - %profile%\extensions\{ef4e370e-d9f0-4e00-b93e-a4f274cfdd5a}
FF - Ext: ReminderFox: {ada4b710-8346-4b82-8199-5de2b400a6ae} - %profile%\extensions\{ada4b710-8346-4b82-8199-5de2b400a6ae}
FF - Ext: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - %profile%\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}
FF - Ext: The Browser Highlighter: browserhighlighter@ebay.com - %profile%\extensions\browserhighlighter@ebay.com
FF - Ext: Alexa Toolbar: toolbar@alexa.com - %profile%\extensions\toolbar@alexa.com
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Ext: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - %profile%\extensions\{91da5e8a-3318-4f8c-b67e-5964de3ab546}
FF - Ext: ChaCha Guide App Toolbar: chachaguidebar@chacha.com - %profile%\extensions\chachaguidebar@chacha.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: ZoneAlarm Security Engine: {FFB96CC1-7EB3-449D-B827-DB661701C6BB} - c:\program files\CheckPoint\ZAForceField\TrustChecker
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-06 01:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\162.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(824)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

- - - - - - - > 'lsass.exe'(884)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
Completion time: 2011-02-06 01:30:33
ComboFix-quarantined-files.txt 2011-02-06 09:29

Pre-Run: 39,671,742,464 bytes free
Post-Run: 39,639,928,832 bytes free

- - End Of File - - ECF9DACC63B4A85F1ACE138354F82D9C

    Advertisements

Register to Remove


#2 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 08 February 2011 - 06:44 PM

http://forums.whatth...h...=116913&hl=

Did you run the online scan?

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#3 Ronbones

Ronbones

    New Member

  • Authentic Member
  • Pip
  • 9 posts

Posted 09 February 2011 - 11:23 AM

yes, I did and the above is the result.

#4 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 09 February 2011 - 11:31 AM

That's a combofix scan.

Uninstall IObit using add / remove programs.


http://www.eset.eu/online-scanner
Go here to run an online scannner from ESET.
Click the green ESET Online Scanner button.
Read the End User License Agreement and check the box: YES, I accept the Terms of Use.
Click on the Start button next to it.
You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then click Insall ActiveX component.
A new window will appear asking "Do you want to install this software?"".
Answer Yes to download and install the ActiveX controls that allows the scan to run.
Click Start.
Check Remove found threats and Scan potentially unwanted applications.
Click Scan to begin.
If offered the option to get information or buy software. Just close the window.
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#5 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 14 February 2011 - 10:05 AM

Due to inactivity this topic will be closed.
If you need help please start a new thread.

New members follow the instructions here http://forums.whatth...ed_t106388.html and start a new topic

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users