Mfeed.in Redirect Returns



dinosaur58
2010-07-13, 15:35
A while ago I ran Combofix [from the stickies it seems I shouldn't have] when other anti-malware programs [e.g. Spybot, Avira, MBAM] failed to get rid of my problem. The popup/redirects I was getting [stopped by NoScript] showed various websites originating from Mfeed.in. These would appear when using Google links and at other random times. I also blocked Mfeed.in in my Hosts file. The problem seemed to get better, but then I started getting system slowdowns due to SVCHOST using 40-70% of CPU and 200+ MB of memory [I have been stopping the bad process manually in Task Manager with no ill effects]. Also, media software [players and editors] reports 'no audio device' [the system reports all OK under Device Manager, but it is missing in Control Panel audio properties]. This last happens while using media player controls, and is fixed by a reboot. Now the random popups are back, although not the ones at Google. In the 'created last 30' section of the DDS report I note at least one entry that looks very suspicious. ERUNT backup performed.
=============================================
DDS (Ver_10-03-17.01) - FAT32x86
Run by Administrator at 5:12:07.51 on Tue 07/13/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1982.1573 [GMT -6:00]

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
SVCHOST.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\atwtusb.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\TBLMOUSE.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Documents and Settings\Administrator.COMPUTER\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
mRun: [nwiz] nwiz.exe /install
mRun: [atwtusb] atwtusb.exe
mRun: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
uPolicies-explorer: NoLogoff = 01000000
uPolicies-explorer: NoRecentDocsNetHood = 01000000
uPolicies-explorer: NoSMMyDocs = 01000000
uPolicies-explorer: NoSMMyPictures = 01000000
uPolicies-explorer: NoNetworkConnections = 01000000
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - hxxp://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

===================================
Incomplete log: when I tried to include more of it I think I hit the character limit?
I got "Connection Reset". Should I attach it [zipped/not zipped]?
I have not been to any sensitive websites since this problem began, so I hope the bad guys haven't managed to steal anything crucial. I have subscribed to this thread with 'instant email notification'.

ken545
2010-07-18, 05:03


Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

Sorry for the delay but the forums are very busy


Let's do this. Go to C:\combofix.txt and post the log. It's easier for us if you copy and paste it, but until we get you running a bit more normally go ahead and attach it.

If by chance you uninstalled it, then go ahead and rerun DDS and attach the complete log.

dinosaur58
2010-07-18, 09:23
Thanks for your help with this. I've seen from the forum how busy you are lately.
The Combofix log from July 6 got the error "Your file of 108.7 KB bytes exceeds the forum's limit of 48.8 KB for this filetype." I cut out the Knowledge Base, assembly\GAC_*, WMFDist11$, Native images, Microsoft.NET\Framework, + Firefox Policies from Snapshot to make it fit. In each case I left 1 entry with hacks [#####] before + after. At least it's something to start with?
Off to work, back in 8 hrs.
Dinosaur58

ken545
2010-07-18, 14:12
Hi,

Backup Your Registry with ERUNT:
Download erunt.zip to your Desktop from here:
http://aumha.org/downloads/erunt.zip
Right-click erunt.zip, select Extract All... and follow the prompts to extract ERUNT to a new folder on your Desktop
Inside the new folder, double-click ERUNT.exe to start the program
OK all the prompts to back up your registry to the default location. Note: to restore your registry, go to the backup folder and start ERDNT.exe



Drag Combofix to the trash and download a new copy TO YOUR DESKTOP

Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.

Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the code box by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before or above File::

File::
c:\windows\system32\1C6.tmp

Registry::
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MEMSWEEP2]
"ImagePath"=-


Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/CFScriptB-4.gif


This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.



Please try to copy and paste the log into this thread even if you have to cut it in half and make two posts

dinosaur58
2010-07-18, 17:50
CFScript file run as instructed. Didn't know there was an update for Recovery Console. Here is the log file.

ComboFix 10-07-16.02 - Administrator 07/18/2010 8:25.10.2 - FAT32x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1982.1552 [GMT -6:00]
Running from: c:\documents and settings\Administrator.COMPUTER\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator.COMPUTER\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::
"c:\windows\system32\1C6.tmp"
.

((((((((((((((((((((((((( Files Created from 2010-06-18 to 2010-07-18 )))))))))))))))))))))))))))))))
.

2010-07-12 15:51 . 2010-07-12 15:51 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Office Genuine Advantage
2010-07-12 14:56 . 2010-07-12 14:56 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Adobe
2010-07-12 10:35 . 2010-07-12 10:35 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Application Data\Talkback
2010-07-08 14:04 . 2010-07-08 14:04 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-07-07 11:36 . 2010-07-07 11:36 293376 ----a-w- C:\6bg39okp.exe
2010-07-06 15:57 . 2010-07-06 15:57 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Apple Computer
2010-07-05 18:36 . 2010-07-05 18:36 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Adobe
2010-07-05 18:36 . 2010-07-16 21:02 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-04 15:11 . 2010-07-04 15:11 503808 ----a-w- c:\documents and settings\Administrator.COMPUTER\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4658bb77-n\msvcp71.dll
2010-07-04 15:11 . 2010-07-04 15:11 499712 ----a-w- c:\documents and settings\Administrator.COMPUTER\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4658bb77-n\jmc.dll
2010-07-04 15:11 . 2010-07-04 15:11 348160 ----a-w- c:\documents and settings\Administrator.COMPUTER\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4658bb77-n\msvcr71.dll
2010-07-04 15:11 . 2010-07-04 15:11 61440 ----a-w- c:\documents and settings\Administrator.COMPUTER\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-65417641-n\decora-sse.dll
2010-07-04 15:11 . 2010-07-04 15:11 12800 ----a-w- c:\documents and settings\Administrator.COMPUTER\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-65417641-n\decora-d3d.dll
2010-07-04 15:11 . 2010-04-12 23:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-01 12:08 . 2010-07-01 12:08 -------- d-s---w- c:\documents and settings\LocalService.NT AUTHORITY\UserData
2010-07-01 10:02 . 2010-07-01 10:02 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Thunderbird
2010-07-01 10:02 . 2010-07-01 10:02 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Application Data\Thunderbird
2010-06-30 08:30 . 2010-06-30 08:46 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-06-30 08:30 . 2009-03-30 15:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-06-30 08:30 . 2009-02-13 17:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-06-30 08:30 . 2009-02-13 17:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-06-30 08:30 . 2010-06-30 08:30 -------- d-----w- c:\program files\Avira
2010-06-30 08:30 . 2010-06-30 08:30 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Avira
2010-06-30 06:50 . 2010-06-30 06:50 -------- d-----w- c:\windows\system32\wbem\Repository
2010-06-30 06:05 . 2010-06-30 06:05 36864 ---ha-w- C:\SZKGFS.dat
2010-06-30 06:03 . 2010-06-30 06:03 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\SITEguard
2010-06-30 06:03 . 2010-06-30 06:03 -------- d-----w- c:\program files\Common Files\iS3
2010-06-30 06:03 . 2010-06-30 06:03 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\STOPzilla!
2010-06-29 14:02 . 2010-06-29 14:02 -------- d-s---w- c:\documents and settings\NetworkService.NT AUTHORITY\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-09 17:55 . 2010-06-09 17:55 -------- d-----w- c:\documents and settings\Administrator.COMPUTER\Application Data\Topaz Moment
2010-06-09 17:06 . 2010-06-09 17:06 -------- d-----w- c:\program files\Topaz Labs LLC
2010-06-01 15:02 . 2007-10-23 22:52 120280 ----a-w- c:\documents and settings\Administrator.COMPUTER\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-26 16:39 . 2010-07-14 07:04 6144 ------w- c:\windows\system32\4E.tmp
2010-05-26 16:39 . 2010-07-14 07:04 6144 ------w- c:\windows\system32\4D.tmp
2010-05-26 16:39 . 2010-07-14 07:04 6144 ------w- c:\windows\system32\4C.tmp
2010-05-02 05:56 . 2007-12-14 00:01 1850880 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 21:39 . 2008-07-20 15:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 21:39 . 2008-07-20 15:48 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 05:51 . 2007-12-14 00:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2004-04-09 21:13 . 2007-10-23 22:35 114688 ----a-w- c:\program files\NETGEAR DG632 USB Driveruninstalldrv.exe
2007-12-20 05:11 . 2007-12-20 05:11 24 --sh--w- c:\windows\S99E8483F.tmp
.

------- Sigcheck -------

[-] 2009-05-12 . 3C966F647BAB332093CB0F92692B5CB8 . 360320 . . [5.1.2600.3394] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\system32\dllcache\tcpip.sys
[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[-] 2008-05-05 . 8283A4D489B207991EFDC8328733D0BC . 360064 . . [5.1.2600.3244] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
[7] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[-] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB941644$\tcpip.sys
[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB917953$\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot_2010-07-07_01.26.59 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-10-25 04:41 . 2010-03-23 09:37 69120 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\xlicons.exe
+ 2007-10-25 04:41 . 2010-07-08 05:39 69120 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\xlicons.exe
- 2007-10-25 04:41 . 2010-03-23 09:37 35328 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\wordicon.exe
+ 2007-10-25 04:41 . 2010-07-08 05:39 35328 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\wordicon.exe
- 2007-10-25 04:41 . 2010-03-23 09:37 30208 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\pptico.exe
+ 2007-10-25 04:41 . 2010-07-08 05:39 30208 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\pptico.exe
- 2007-10-25 04:41 . 2010-03-23 09:37 11264 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\PEicons.exe
+ 2007-10-25 04:41 . 2010-07-08 05:39 11264 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\PEicons.exe
+ 2007-10-25 04:41 . 2010-07-08 05:39 28160 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\misc.exe
- 2007-10-25 04:41 . 2010-03-23 09:37 28160 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\misc.exe
- 2007-10-25 04:41 . 2010-03-23 09:37 73216 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\fpicon.exe
+ 2007-10-25 04:41 . 2010-07-08 05:39 73216 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\fpicon.exe
+ 2007-10-25 04:41 . 2010-07-08 05:39 22528 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\bindico.exe
- 2007-10-25 04:41 . 2010-03-23 09:37 22528 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\bindico.exe
- 2007-10-25 04:41 . 2010-03-23 09:37 104960 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\outicon.exe
+ 2007-10-25 04:41 . 2010-07-08 05:39 104960 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\outicon.exe
- 2007-10-25 04:41 . 2010-03-23 09:37 155136 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\accicons.exe
+ 2007-10-25 04:41 . 2010-07-08 05:39 155136 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\accicons.exe
+ 2010-07-13 09:42 . 2005-10-20 18:02 163328 c:\windows\ERDNT\7-13-2010\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2007-09-17 1626112]
"atwtusb"="atwtusb.exe" [2007-03-20 315392]
"Tweak UI"="TWEAKUI.CPL" [1997-11-08 87312]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-10 153136]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogoff"= 01000000
"NoRecentDocsNetHood"= 01000000
"NoSMMyDocs"= 01000000
"NoSMMyPictures"= 01000000
"NoNetworkConnections"= 01000000

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk.disabled]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk.disabled
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnk.disabledCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk.disabled]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk.disabled
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.disabledCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^DOCUME~1^ADMINI~1.COM^Start Menu^Programs^Startup^QuickShelf 2000.lnk]
path=c:\docume~1\ADMINI~1.COM\Start Menu\Programs\Startup\QuickShelf 2000.lnk
backup=c:\windows\pss\QuickShelf 2000.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2008-04-10 02:14 136472 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
2008-04-10 02:23 909208 ----a-w- c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxMenuMgr]
2009-01-16 22:31 181544 ----a-w- c:\program files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 22:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 17:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2008-04-10 02:11 2595792 ----a-w- c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NMIndexingService"=3 (0x3)
"NBService"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"VirtualCloneDrive"="c:\program files\VirtualCloneDrive\VCDDaemon.exe" /s
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
"hpqSRMon"=c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe
"SoundMan"=SOUNDMAN.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\System32\\mmc.exe"=
"c:\\Program Files\\Mozilla Firefox\\FIREFOX.EXE"=
"c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=

R1 aiptektp;Pen Pad;c:\windows\system32\drivers\aiptektp.sys [7/1/2008 10:33 PM 22528]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/30/2010 02:30 AM 108289]
S2 BCMNTIO;BCMNTIO;c:\progra~1\CHECKIT\DIAGNO~1\BCMNTIO.sys [12/20/2007 04:11 AM 3744]
S2 MAPMEM;MAPMEM;c:\progra~1\CHECKIT\DIAGNO~1\MAPMEM.sys [12/20/2007 04:11 AM 3904]
S2 portD;CMS PortIO Service;c:\windows\system32\DRIVERS\portd2k.sys --> c:\windows\system32\DRIVERS\portd2k.sys [?]
S3 EuMusDesignVirtualAudioCableWdm;Virtual Audio Cable (WDM);c:\windows\system32\drivers\vrtaucbl.sys [9/22/2009 03:59 AM 50944]
S3 GNUAN;GNUAN;c:\docume~1\ADMINI~1.COM\LOCALS~1\Temp\GNUAN.exe --> c:\docume~1\ADMINI~1.COM\LOCALS~1\Temp\GNUAN.exe [?]
S3 MEMSWEEP2;MEMSWEEP2; [x]
S4 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [1/16/2009 04:31 PM 161064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
FF - ProfilePath - c:\documents and settings\Administrator.COMPUTER\Application Data\Mozilla\Firefox\Profiles\bvvl5608.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\windows\system32\C2MP\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-18 08:29
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1454471165-1979792683-725345543-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{08437B63-CA86-7C11-1E25-5A214BD5C952}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"abnllihdbjplkgkdpkebpdfihejcgiaodb"=hex:61,62,6c,65,69,61,66,69,69,68,6d,65,
63,6d,6c,6e,63,67,63,66,6d,6a,6b,63,64,6d,67,61,68,66,62,70,65,61,00,00
"bbnllihdbjplkgkdpkfbdachibjdfkjonkac"=hex:61,62,67,67,63,64,64,61,65,69,68,62,
66,6d,63,70,63,64,65,68,6d,67,6e,6c,65,67,6a,6e,70,67,6e,6d,6f,63,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(864)
c:\windows\system32\relog_ap.dll
.
Completion time: 2010-07-18 08:30:51
ComboFix-quarantined-files.txt 2010-07-18 14:30
ComboFix2.txt 2010-07-18 05:35
ComboFix3.txt 2010-03-25 02:44
ComboFix4.txt 2009-06-20 03:26
ComboFix5.txt 2010-07-18 13:52

Pre-Run: 88,172,724,224 bytes free
Post-Run: 88,169,021,440 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptOut /safeboot:network
C:\="Previous Operating System on C:"

- - End Of File - - F24BEB4256A8444DC8C6CBF454DD2748

ken545
2010-07-18, 18:39
Thanks for pasting the log in. With it being attached I don't know if I missed these or they just showed up.

Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the code box by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before or above File::

File::
C:\SZKGFS.dat
c:\windows\system32\4E.tmp
c:\windows\system32\4D.tmp
c:\windows\system32\4C.tmp


FCopy::
c:\windows\system32\dllcache\tcpip.sys | c:\windows\system32\drivers\tcpip.sys
c:\windows\system32\dllcache\tcpip.sys | c:\windows\$NtUninstallKB951748$\tcpip.sys
c:\windows\system32\dllcache\tcpip.sys | c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys



Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/CFScriptB-4.gif


This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Please download Malwarebytes from Here (http://www.malwarebytes.org/mbam-download.php) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)


Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
http://i24.photobucket.com/albums/c30/ken545/MBAMCapture.jpg
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected .
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report please

Download TFC (http://oldtimer.geekstogo.com/TFC.exe) to your desktop

Close any open windows.
Double click the TFC icon to run the program
TFC will close all open programs itself in order to run,
Click the Start button to begin the process.
Allow TFC to run uninterrupted.
The program should not take long to finish its job.
Once it's finished it should automatically reboot your machine;
if it doesn't, manually reboot to ensure a complete clean.
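
The FCopy:: lines above follow from the Sigcheck section of the ComboFix log posted earlier in the thread: three copies of tcpip.sys are flagged [-], while the dllcache copy with the same version string and the same byte size is flagged [7] and carries a different MD5. The script below is an added example, not code from the thread or from ComboFix; it parses those Sigcheck lines and derives the same FCopy:: plan. It assumes that [7] marks a copy that passed the Microsoft signature check and [-] one that did not (the thread does not spell the flags out), and it only treats a verified copy with the same version and the same size as a like-for-like original: the log itself shows that the same version string (5.1.2600.3394) exists at two different sizes in the GDR and QFE branches of KB951748, so a same-version copy of a different size is a different build, not a substitute. Anything without an exact match is restored from dllcache, which is what the helper did for all three files.

```python
"""Triage the "Sigcheck" section of a ComboFix log.

Finds the copies of a system file that failed the signature check and picks a
verified copy to restore each one from, emitting CFScript FCopy:: lines.
Added example for this thread; not part of ComboFix or of the forum's tools.

Assumption: "[7]" marks a copy that passed the Microsoft signature check and
"[-]" one that did not. The thread itself does not define the flags.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sigcheck lines quoted verbatim from the ComboFix log posted in this thread.
SIGCHECK_LOG = r"""
[-] 2009-05-12 . 3C966F647BAB332093CB0F92692B5CB8 . 360320 . . [5.1.2600.3394] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\system32\dllcache\tcpip.sys
[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[-] 2008-05-05 . 8283A4D489B207991EFDC8328733D0BC . 360064 . . [5.1.2600.3244] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
[7] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[-] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB941644$\tcpip.sys
[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB917953$\tcpip.sys
"""

# "[flag] date . MD5 . size . . [version] . . path"
LINE_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]+)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$"
)


@dataclass(frozen=True)
class SigEntry:
    flag: str        # "7" or "-" in this log
    date: str
    md5: str
    size: int
    version: str
    path: str

    @property
    def verified(self) -> bool:
        return self.flag == "7"   # see the assumption in the module docstring

    @property
    def in_dllcache(self) -> bool:
        return "\\dllcache\\" in self.path.lower()


def parse_sigcheck(text: str) -> List[SigEntry]:
    """Parse every non-blank Sigcheck line; an unparseable line is an error, not skipped."""
    entries: List[SigEntry] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised Sigcheck line: {line!r}")
        entries.append(SigEntry(m["flag"], m["date"], m["md5"].upper(),
                                int(m["size"]), m["version"], m["path"]))
    return entries


def hash_mismatches(entries: List[SigEntry]) -> List[str]:
    """Unverified copies whose verified twin (same version, same size) has a different MD5.

    A file that matches its signed original in version and size but not in hash
    is the classic sign of a patched driver rather than a stray old build.
    """
    out: List[str] = []
    for bad in entries:
        if bad.verified:
            continue
        twins = [g for g in entries
                 if g.verified and g.version == bad.version and g.size == bad.size]
        if twins and all(g.md5 != bad.md5 for g in twins):
            out.append(bad.path)
    return out


def pick_replacement(bad: SigEntry, entries: List[SigEntry]) -> Optional[SigEntry]:
    """Choose a verified copy to restore `bad` from.

    Only a verified copy with the same version string AND the same byte size is a
    like-for-like original; the same version at a different size is another build
    (GDR vs QFE) and is not used. With no exact match, fall back to the dllcache
    copy, which is what the helper in this thread did for all three files.
    """
    good = [e for e in entries if e.verified]
    exact = [g for g in good if g.version == bad.version and g.size == bad.size]
    if exact:
        exact.sort(key=lambda g: not g.in_dllcache)   # prefer dllcache when there is a choice
        return exact[0]
    cache = [g for g in good if g.in_dllcache]
    return cache[0] if cache else None


def triage(text: str) -> Dict[str, str]:
    """Map each unverified path to the verified path to copy over it."""
    entries = parse_sigcheck(text)
    plan: Dict[str, str] = {}
    for bad in entries:
        if bad.verified:
            continue
        src = pick_replacement(bad, entries)
        if src is not None:
            plan[bad.path] = src.path
    return plan


def cfscript_fcopy(plan: Dict[str, str]) -> str:
    """Render the plan as a CFScript FCopy:: block, one 'source | destination' per line."""
    return "\n".join(["FCopy::"] + [f"{src} | {dst}" for dst, src in plan.items()])


if __name__ == "__main__":
    ents = parse_sigcheck(SIGCHECK_LOG)
    for p in hash_mismatches(ents):
        print(f"hash mismatch against verified original: {p}")
    print(cfscript_fcopy(triage(SIGCHECK_LOG)))
```

Run on the quoted lines it prints the same three FCopy:: lines the helper posted, and it singles out the live drivers\tcpip.sys as the one copy whose hash disagrees with a verified original of identical version and size; the other two [-] copies are hotfix backups with no verified twin to compare against, so they are restored from dllcache on the helper's rule rather than on hash evidence.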

dinosaur58
2010-07-18, 22:10
Here are the Combofix + MBAM logs. I ran TFC. I hope it didn't delete my Firefox sessions or cookies, I haven't recorded all of my site passwords. I manually delete all untrusted cookies once or twice a month depending on amount of surfing.

##Note that I am still running in Safe Mode##
ComboFix 10-07-16.02 - Administrator 07/18/2010 11:42:41.11.2 - FAT32x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1982.1528 [GMT -6:00]
Running from: c:\documents and settings\Administrator.COMPUTER\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator.COMPUTER\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::
"C:\SZKGFS.dat"
"c:\windows\system32\4C.tmp"
"c:\windows\system32\4D.tmp"
"c:\windows\system32\4E.tmp"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\SZKGFS.dat
c:\windows\system32\4C.tmp
c:\windows\system32\4D.tmp
c:\windows\system32\4E.tmp

.
--------------- FCopy ---------------

c:\windows\system32\dllcache\tcpip.sys --> c:\windows\system32\drivers\tcpip.sys
c:\windows\system32\dllcache\tcpip.sys --> c:\windows\$NtUninstallKB951748$\tcpip.sys
c:\windows\system32\dllcache\tcpip.sys --> c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
.
((((((((((((((((((((((((( Files Created from 2010-06-18 to 2010-07-18 )))))))))))))))))))))))))))))))
.

2010-07-12 15:51 . 2010-07-12 15:51 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Office Genuine Advantage
2010-07-12 14:56 . 2010-07-12 14:56 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Adobe
2010-07-12 10:35 . 2010-07-12 10:35 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Application Data\Talkback
2010-07-08 14:04 . 2010-07-08 14:04 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-07-07 11:36 . 2010-07-07 11:36 293376 ----a-w- C:\6bg39okp.exe
2010-07-06 15:57 . 2010-07-06 15:57 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Apple Computer
2010-07-05 18:36 . 2010-07-05 18:36 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Adobe
2010-07-05 18:36 . 2010-07-18 17:33 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-04 15:11 . 2010-07-04 15:11 503808 ----a-w- c:\documents and settings\Administrator.COMPUTER\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4658bb77-n\msvcp71.dll
2010-07-04 15:11 . 2010-07-04 15:11 499712 ----a-w- c:\documents and settings\Administrator.COMPUTER\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4658bb77-n\jmc.dll
2010-07-04 15:11 . 2010-07-04 15:11 348160 ----a-w- c:\documents and settings\Administrator.COMPUTER\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4658bb77-n\msvcr71.dll
2010-07-04 15:11 . 2010-07-04 15:11 61440 ----a-w- c:\documents and settings\Administrator.COMPUTER\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-65417641-n\decora-sse.dll
2010-07-04 15:11 . 2010-07-04 15:11 12800 ----a-w- c:\documents and settings\Administrator.COMPUTER\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-65417641-n\decora-d3d.dll
2010-07-04 15:11 . 2010-04-12 23:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-01 12:08 . 2010-07-01 12:08 -------- d-s---w- c:\documents and settings\LocalService.NT AUTHORITY\UserData
2010-07-01 10:02 . 2010-07-01 10:02 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Thunderbird
2010-07-01 10:02 . 2010-07-01 10:02 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Application Data\Thunderbird
2010-06-30 08:30 . 2010-06-30 08:46 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-06-30 08:30 . 2009-03-30 15:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-06-30 08:30 . 2009-02-13 17:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-06-30 08:30 . 2009-02-13 17:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-06-30 08:30 . 2010-06-30 08:30 -------- d-----w- c:\program files\Avira
2010-06-30 08:30 . 2010-06-30 08:30 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Avira
2010-06-30 06:50 . 2010-06-30 06:50 -------- d-----w- c:\windows\system32\wbem\Repository
2010-06-30 06:03 . 2010-06-30 06:03 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\SITEguard
2010-06-30 06:03 . 2010-06-30 06:03 -------- d-----w- c:\program files\Common Files\iS3
2010-06-30 06:03 . 2010-06-30 06:03 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\STOPzilla!
2010-06-29 14:02 . 2010-06-29 14:02 -------- d-s---w- c:\documents and settings\NetworkService.NT AUTHORITY\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-09 17:55 . 2010-06-09 17:55 -------- d-----w- c:\documents and settings\Administrator.COMPUTER\Application Data\Topaz Moment
2010-06-09 17:06 . 2010-06-09 17:06 -------- d-----w- c:\program files\Topaz Labs LLC
2010-06-01 15:02 . 2007-10-23 22:52 120280 ----a-w- c:\documents and settings\Administrator.COMPUTER\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-02 05:56 . 2007-12-14 00:01 1850880 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 21:39 . 2008-07-20 15:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 21:39 . 2008-07-20 15:48 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 05:51 . 2007-12-14 00:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2004-04-09 21:13 . 2007-10-23 22:35 114688 ----a-w- c:\program files\NETGEAR DG632 USB Driveruninstalldrv.exe
2007-12-20 05:11 . 2007-12-20 05:11 24 --sh--w- c:\windows\S99E8483F.tmp
.

((((((((((((((((((((((((((((( SnapShot_2010-07-07_01.26.59 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-10-25 04:41 . 2010-03-23 09:37 69120 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\xlicons.exe
+ 2007-10-25 04:41 . 2010-07-08 05:39 69120 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\xlicons.exe
+ 2007-10-25 04:41 . 2010-07-08 05:39 35328 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\wordicon.exe
- 2007-10-25 04:41 . 2010-03-23 09:37 35328 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\wordicon.exe
- 2007-10-25 04:41 . 2010-03-23 09:37 30208 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\pptico.exe
+ 2007-10-25 04:41 . 2010-07-08 05:39 30208 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\pptico.exe
- 2007-10-25 04:41 . 2010-03-23 09:37 11264 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\PEicons.exe
+ 2007-10-25 04:41 . 2010-07-08 05:39 11264 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\PEicons.exe
- 2007-10-25 04:41 . 2010-03-23 09:37 28160 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\misc.exe
+ 2007-10-25 04:41 . 2010-07-08 05:39 28160 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\misc.exe
+ 2007-10-25 04:41 . 2010-07-08 05:39 73216 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\fpicon.exe
- 2007-10-25 04:41 . 2010-03-23 09:37 73216 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\fpicon.exe
- 2007-10-25 04:41 . 2010-03-23 09:37 22528 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\bindico.exe
+ 2007-10-25 04:41 . 2010-07-08 05:39 22528 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\bindico.exe
- 2007-10-25 04:41 . 2010-03-23 09:37 104960 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\outicon.exe
+ 2007-10-25 04:41 . 2010-07-08 05:39 104960 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\outicon.exe
- 2007-10-25 04:41 . 2010-03-23 09:37 155136 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\accicons.exe
+ 2007-10-25 04:41 . 2010-07-08 05:39 155136 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\accicons.exe
+ 2010-07-13 09:42 . 2005-10-20 18:02 163328 c:\windows\ERDNT\7-13-2010\ERDNT.EXE
+ 2008-07-09 14:55 . 2008-06-20 10:45 360320 c:\windows\$NtUninstallKB951748$\tcpip.sys
+ 2006-04-20 12:18 . 2008-06-20 10:45 360320 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2007-09-17 1626112]
"atwtusb"="atwtusb.exe" [2007-03-20 315392]
"Tweak UI"="TWEAKUI.CPL" [1997-11-08 87312]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-10 153136]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogoff"= 01000000
"NoRecentDocsNetHood"= 01000000
"NoSMMyDocs"= 01000000
"NoSMMyPictures"= 01000000
"NoNetworkConnections"= 01000000

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk.disabled]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk.disabled
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnk.disabledCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk.disabled]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk.disabled
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.disabledCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^DOCUME~1^ADMINI~1.COM^Start Menu^Programs^Startup^QuickShelf 2000.lnk]
path=c:\docume~1\ADMINI~1.COM\Start Menu\Programs\Startup\QuickShelf 2000.lnk
backup=c:\windows\pss\QuickShelf 2000.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2008-04-10 02:14 136472 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
2008-04-10 02:23 909208 ----a-w- c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxMenuMgr]
2009-01-16 22:31 181544 ----a-w- c:\program files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 22:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 17:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2008-04-10 02:11 2595792 ----a-w- c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NMIndexingService"=3 (0x3)
"NBService"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"VirtualCloneDrive"="c:\program files\VirtualCloneDrive\VCDDaemon.exe" /s
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
"hpqSRMon"=c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe
"SoundMan"=SOUNDMAN.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\System32\\mmc.exe"=
"c:\\Program Files\\Mozilla Firefox\\FIREFOX.EXE"=
"c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=

R1 aiptektp;Pen Pad;c:\windows\system32\drivers\aiptektp.sys [7/1/2008 10:33 PM 22528]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/30/2010 02:30 AM 108289]
S2 BCMNTIO;BCMNTIO;c:\progra~1\CHECKIT\DIAGNO~1\BCMNTIO.sys [12/20/2007 04:11 AM 3744]
S2 MAPMEM;MAPMEM;c:\progra~1\CHECKIT\DIAGNO~1\MAPMEM.sys [12/20/2007 04:11 AM 3904]
S2 portD;CMS PortIO Service;c:\windows\system32\DRIVERS\portd2k.sys --> c:\windows\system32\DRIVERS\portd2k.sys [?]
S3 EuMusDesignVirtualAudioCableWdm;Virtual Audio Cable (WDM);c:\windows\system32\drivers\vrtaucbl.sys [9/22/2009 03:59 AM 50944]
S3 GNUAN;GNUAN;c:\docume~1\ADMINI~1.COM\LOCALS~1\Temp\GNUAN.exe --> c:\docume~1\ADMINI~1.COM\LOCALS~1\Temp\GNUAN.exe [?]
S3 MEMSWEEP2;MEMSWEEP2; [x]
S4 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [1/16/2009 04:31 PM 161064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
FF - ProfilePath - c:\documents and settings\Administrator.COMPUTER\Application Data\Mozilla\Firefox\Profiles\bvvl5608.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\windows\system32\C2MP\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-18 11:46
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1454471165-1979792683-725345543-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{08437B63-CA86-7C11-1E25-5A214BD5C952}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"abnllihdbjplkgkdpkebpdfihejcgiaodb"=hex:61,62,6c,65,69,61,66,69,69,68,6d,65,
63,6d,6c,6e,63,67,63,66,6d,6a,6b,63,64,6d,67,61,68,66,62,70,65,61,00,00
"bbnllihdbjplkgkdpkfbdachibjdfkjonkac"=hex:61,62,67,67,63,64,64,61,65,69,68,62,
66,6d,63,70,63,64,65,68,6d,67,6e,6c,65,67,6a,6e,70,67,6e,6d,6f,63,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(864)
c:\windows\system32\relog_ap.dll
.
Completion time: 2010-07-18 11:48:00
ComboFix-quarantined-files.txt 2010-07-18 17:48
ComboFix2.txt 2010-07-18 05:35
ComboFix3.txt 2010-03-25 02:44
ComboFix4.txt 2009-06-20 03:26
ComboFix5.txt 2010-07-18 13:52

Pre-Run: 88,183,111,680 bytes free
Post-Run: 88,164,270,080 bytes free

- - End Of File - - BDD6C4039A3391E49B4195925DAF45E4

WWWWW

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4324

Windows 5.1.2600 Service Pack 2 (Safe Mode)
Internet Explorer 6.0.2900.2180

7/18/2010 12:11:16 PM
mbam-log-2010-07-18 (12-11-16).txt

Scan type: Quick scan
Objects scanned: 170557
Time elapsed: 3 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

WWWWWW
Thanks again for your help. Let me know when it's safe to try a Standard O.S. Boot. Dinosaur58
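
The FCopy section of the ComboFix log above shows the tool copying tcpip.sys from c:\windows\system32\dllcache over the live driver (and over the hotfix backup copies), without saying why. The check a practitioner would want behind that action is a hash comparison between each driver on disk and the copy Windows keeps in dllcache. The following is an added example, not ComboFix's code or anything posted in the thread; it builds its fixture in a temporary directory (a constructed, same-length "patched" tcpip.sys beside a clean dllcache copy) so it runs offline, and the directory arguments are parameters so the same function can be pointed at a mounted Windows volume.

```python
"""Compare driver binaries on disk with the copies Windows keeps in dllcache.

Added example, not part of the original thread or of ComboFix. The heuristic
reproduces the idea behind ComboFix's FCopy of tcpip.sys: hash each driver and
report those whose dllcache copy differs or is absent.
"""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Stream a file through SHA-256 so large drivers are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_with_dllcache(drivers_dir, dllcache_dir, names):
    """Return {name: status}; status is 'match', 'mismatch', 'no-cache' or 'no-driver'."""
    result = {}
    for name in names:
        drv = os.path.join(drivers_dir, name)
        cache = os.path.join(dllcache_dir, name)
        if not os.path.isfile(drv):
            result[name] = "no-driver"
        elif not os.path.isfile(cache):
            result[name] = "no-cache"          # nothing to compare against
        elif sha256_of(drv) == sha256_of(cache):
            result[name] = "match"
        else:
            result[name] = "mismatch"          # live driver differs from the cached copy
    return result


def demo():
    """Constructed fixture (assumption, not real files): a tcpip.sys patched in place
    on disk, a clean copy in dllcache, one driver that matches and one with no cache copy."""
    with tempfile.TemporaryDirectory() as root:
        drivers = os.path.join(root, "drivers")
        cache = os.path.join(root, "dllcache")
        os.makedirs(drivers)
        os.makedirs(cache)
        clean = b"MZ" + b"\x00" * 510 + b"tcpip original code"
        patched = clean[:-4] + b"hook"   # same length, different bytes: an in-place patch
        with open(os.path.join(drivers, "tcpip.sys"), "wb") as f:
            f.write(patched)
        with open(os.path.join(cache, "tcpip.sys"), "wb") as f:
            f.write(clean)
        for d in (drivers, cache):
            with open(os.path.join(d, "ndis.sys"), "wb") as f:
                f.write(b"MZ ndis")
        with open(os.path.join(drivers, "atapi.sys"), "wb") as f:
            f.write(b"MZ atapi")
        return compare_with_dllcache(
            drivers, cache, ["tcpip.sys", "ndis.sys", "atapi.sys", "http.sys"])


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:12} {status}")
```

Against a real XP volume the call would be `compare_with_dllcache(r"C:\Windows\system32\drivers", r"C:\Windows\system32\dllcache", os.listdir(r"C:\Windows\system32\drivers"))`. A mismatch is a lead, not proof: a hotfix can legitimately update one copy and not the other, and a rootkit that patches both copies is invisible to this check, so confirm against a known-good hash or the file's Authenticode signature before replacing anything.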

ken545
2010-07-18, 22:55
You can boot up normally. There is one issue I can't get any info on.

Download and Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)

Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:


:file
c:\docume~1\ADMINI~1.COM\LOCALS~1\Temp\GNUAN.exe


Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

dinosaur58
2010-07-18, 23:10
Here's the SystemLook log.

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 14:05 on 18/07/2010 by Administrator (Administrator - Elevation successful)

========== file ==========

c:\docume~1\ADMINI~1.COM\LOCALS~1\Temp\GNUAN.exe - Unable to find/read file.

-=End Of File=-

D58

ken545
2010-07-19, 00:05
Try this with SystemLook

:file
c:\documents and settings\administrator\local settings\Temp\GNUAN.exe

dinosaur58
2010-07-19, 00:41
Here's the log; same results. I hope that means it's gone. Have to get up in 5 hrs and go to work, so signing off for now. Will check back before I leave for work. Thanks, D58

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 15:37 on 18/07/2010 by Administrator (Administrator - Elevation successful)

========== file ==========

c:\documents and settings\administrator\local settings\Temp\GNUAN.exe - Unable to find/read file.

-=End Of File=-

ken545
2010-07-19, 01:15
Let's try this



You need to enable windows to show all files and folders, instructions Here (http://www.bleepingcomputer.com/tutorials/tutorial62.html)

Go to VirusTotal (http://www.virustotal.com/) and submit this file for analysis. Just use the browse feature and then Send File; you will get a report back. Post the report into this thread for me to see. If the site says this file has been checked before, have them check it again.


c:\documents and settings\administrator\local settings\Temp\GNUAN.exe

If the site is busy you can try this one

http://virusscan.jotti.org/en

dinosaur58
2010-07-19, 07:00
Made sure Folder settings are set to show ALL files as instructed. Opened every Temp folder in Documents and Settings, just to be sure. Could not find GNUAN.EXE. Off to work. Back in 9.5 hrs [not so bad really, includes drive time + 1 hr lunch]. D58

ken545
2010-07-19, 11:27
I am asking other helpers about this; generally exe files don't run out of a temp folder. Be back in a bit.

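The point made in the post above, that a service or driver binary has no business running out of a Temp folder, is one a practitioner can turn into a triage pass over the Drivers/Services block of a ComboFix log (the R1/S2/S3 lines earlier in this thread). The following is an added example, not ComboFix's code and not anything the helpers posted: it parses those lines and flags entries whose image path sits in a Temp directory or a user profile, whose binary ComboFix could not find (`--> path [?]`), or that have no image path at all (`[x]`). The sample lines are copied from the log above; the heuristics and thresholds are this example's own.

```python
"""Triage the Drivers/Services section of a ComboFix log.

Added example, not part of the original thread or of ComboFix. Flags entries
whose image path lives in a Temp or user-profile directory, whose binary was
not found on disk ([?]), or that have no image path recorded ([x]).
"""
import re
from dataclasses import dataclass, field

# Sample lines copied from the Drivers/Services block of the ComboFix log above.
SAMPLE_LOG = r"""
R1 aiptektp;Pen Pad;c:\windows\system32\drivers\aiptektp.sys [7/1/2008 10:33 PM 22528]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/30/2010 02:30 AM 108289]
S2 portD;CMS PortIO Service;c:\windows\system32\DRIVERS\portd2k.sys --> c:\windows\system32\DRIVERS\portd2k.sys [?]
S3 GNUAN;GNUAN;c:\docume~1\ADMINI~1.COM\LOCALS~1\Temp\GNUAN.exe --> c:\docume~1\ADMINI~1.COM\LOCALS~1\Temp\GNUAN.exe [?]
S3 MEMSWEEP2;MEMSWEEP2; [x]
S4 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [1/16/2009 04:31 PM 161064]
"""

# ComboFix prints: <start> <name>;<display name>;<image path> [<date> <size>]
# or "<path> --> <path> [?]" when the file is missing, or ";<display>; [x]" with no path.
LINE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")
# Locations a legitimate service or driver binary should not be loaded from
# (8.3 short names as ComboFix prints them, and the long forms).
USER_PATH_RE = re.compile(r"(\\docume~1\\|\\documents and settings\\|\\users\\)", re.I)
TEMP_PATH_RE = re.compile(r"(\\temp\\|\\locals~1\\temp|\\tmp\\)", re.I)


@dataclass
class ServiceEntry:
    start: str            # R1/S2/S3/S4 as printed (R = running, S = stopped; digit = start type)
    name: str
    display: str
    image_path: str       # '' when ComboFix printed [x]
    file_missing: bool    # ComboFix printed "--> path [?]"
    reasons: list = field(default_factory=list)


def parse_service_line(line):
    """Turn one ComboFix service line into a ServiceEntry, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    start, name, display, rest = m.groups()
    rest = rest.strip()
    if rest == "[x]":
        return ServiceEntry(start, name, display, "", False)
    missing = rest.endswith("[?]")
    if missing:
        path = rest.split(" --> ")[0]
    else:
        path = rest.rsplit(" [", 1)[0]   # drop the trailing "[date time size]"
    return ServiceEntry(start, name, display, path, missing)


def triage(entries):
    """Attach reasons to suspicious entries and return only those."""
    flagged = []
    for e in entries:
        if not e.image_path:
            e.reasons.append("no image path recorded ([x])")
        else:
            if TEMP_PATH_RE.search(e.image_path):
                e.reasons.append("image path in a Temp directory")
            elif USER_PATH_RE.search(e.image_path):
                e.reasons.append("image path inside a user profile")
            if e.file_missing:
                e.reasons.append("binary not found on disk ([?])")
        if e.reasons:
            flagged.append(e)
    return flagged


def triage_log(text):
    """Parse every service line in a ComboFix log excerpt and triage the result."""
    entries = [e for e in (parse_service_line(l) for l in text.splitlines()) if e]
    return triage(entries)


if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        print(f"{e.start} {e.name}: {'; '.join(e.reasons)}")
```

On the sample the GNUAN entry is the only one that trips both the Temp-path and missing-file checks; portD and MEMSWEEP2 are flagged only because the file or path is absent, which for diagnostic drivers such as these is commonly just an incomplete uninstall. A registry service entry whose binary is gone, as with GNUAN here, is still worth removing, since the service definition would be reused if the file were ever written back.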
ken545
2010-07-19, 14:18
It appears it's related to some sort of online game, like chess for instance. Do you play online chess?

dinosaur58
2010-07-19, 16:47
I don't play chess, and never played online. No idea when or how it appeared. D58

dinosaur58
2010-07-19, 17:23
Am currently running in Standard Boot Mode. No problems with SVCHOST or CSRSS. Unable to reproduce problem with audio, but that may have been caused by stopping SVCHOST process. No Google or other pop-ups/redirects. Am currently running a Kaspersky Online scan. D58

ken545
2010-07-19, 19:14
That's nice to hear. It appears the file we have been looking at is ok; this is what it's related to. How it got on your system I don't know.
http://www.programmersheaven.com/download/996/ZipFileList.aspx
http://www.gnu.org/software/chess/


Run this online scan to sweep for things we may have missed, if this comes back ok you will be good to go

Please run this free online virus scanner from ESET (http://www.eset.com/onlinescan/)

Note: You will need to use Internet explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic

dinosaur58
2010-07-20, 01:13
Did not check 'scan archives'; did check 'remove found threats' + 'scan for potentially unwanted applications'. 'Enable anti-stealth technology' is checked by default. Note: Country0, 2, and 3 are old renamed versions of Combofix, just as well to be rid of them.
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# IEXPLORE.EXE=6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=7b49d530c56b7747b13f9878c59ab660
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-07-19 08:37:34
# local_time=2010-07-19 02:37:34 (-0700, Mountain Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 46965452 46965452 0 0
# compatibility_mode=768 16777215 100 0 0 0 0 0
# compatibility_mode=1026 16777214 0 2 38494668 38494668 0 0
# compatibility_mode=1797 16775141 100 94 0 51276858 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=153712
# found=8
# cleaned=8
# scan_time=6312
C:\Documents and Settings\Administrator.COMPUTER\My Documents\Anti-Smitfraud\Country0.exe probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Administrator.COMPUTER\My Documents\Anti-Smitfraud\Country2.exe probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Administrator.COMPUTER\My Documents\Anti-Smitfraud\Country3.exe probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Unlocker\eBay_shortcuts_1016.exe a variant of Win32/Adware.ADON application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Topaz Labs LLC\Topaz Moment PE\tltmpro35.dll probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{A08155B8-3425-4173-9474-2C7C1FC3A3D2}\RP333\A0023296.exe a variant of Win32/Adware.ADON application (deleted - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{A08155B8-3425-4173-9474-2C7C1FC3A3D2}\RP333\A0023297.dll probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
E:\NeroDemo12550\Toolbar.exe Win32/Toolbar.AskSBar application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

Way past sack time, even for a day off. Back in 8 hrs or so. D58

ken545
2010-07-20, 01:58
Looking good. If you're happy with the way things are running, then let's clean up what we have done.

DDS <---Drag it to the trash

TFC <-- Yours to keep, run it now and then to clean out the clutter.

Malwarebytes <-- Yours to keep also, check for updates and run a scan now and then.

Combofix <---Is not a general cleaning tool; only run it with supervision or you can bork your system


Click START then RUN
Now type Combofix /uninstall in the runbox and click OK. Note the space between the X and the U; it needs to be there.


http://i526.photobucket.com/albums/cc345/MPKwings/CF-Uninstall.png


When shown the disclaimer, Select "2"

The above procedure will:

Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.





Now to remove most of the tools that we have used in fixing your machine:
Make sure you have an Internet Connection.
Download OTC (http://oldtimer.geekstogo.com/OTC.exe) to your desktop and run it
A list of tool components used in the cleanup of malware will be downloaded.
If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
Click Yes to begin the cleanup process and remove these components, including this application.
You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.






How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)





Keep in mind if you install some of these programs: only ONE Anti Virus and only ONE Firewall is recommended; more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster and Spyware Guard, they will conflict with the TeaTimer in Spybot; you can still install Spybot Search and Destroy but do not enable the TeaTimer.


Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community

Spybot Search and Destroy 1.6 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.

Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.

Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.

IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.

Firefox 3 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, you can use them both.



Safe Surfn
Ken

dinosaur58
2010-07-20, 12:04
Ken545 - Thanks for all your help. My system is saved from the dreaded Format and Reinstall [Microsoft Tech support's answer to everything]. I'll be safer from now on.
Dinosaur58

dinosaur58
2010-07-20, 12:41
bump bump

dinosaur58
2010-07-20, 12:44
After reboot from OTC I had my antivirus protection turned off for the Eset removal process. Failed to restart it [duh] and surfed to: http://forums.adobe.com/thread/522601 to find out if I can disable the new startup processes that Adobe installed. After reading in the forum for about 2 minutes a pop-up appeared: allweddingworld
As usual the scripts were blocked by NoScript. This is exactly the behavior from the infection we are working on. Note: a Microsoft Malicious SRT update had downloaded and was waiting to install. I allowed the install and after reboot it said "Malicious software was detected and partially removed." It requested a full scan [in progress now] "can take up to several hours on some computers." Darn! D58

dinosaur58
2010-07-20, 12:48
Tried to edit out the bad link [thought I had a few minutes to edit post] instead it reposted. NOTE TO ALL: DO NOT FOLLOW THE -ALLWEDDINGWORLD- LINK!!!!!
D58 P.S. Admins - please remove 2nd post and disable/remove bad link.

ken545
2010-07-20, 13:55
Something must have been put back. Let's get rid of this program; first see if you can find it in Add/Remove Programs and uninstall it. Either way, run this script

Drag Combofix to the trash and grab a fresh copy

Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop



Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before and above Rootkit::




Driver::
GNUAN

File::
c:\documents and settings\administrator\local settings\Temp\GNUAN.exe


Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/CFScriptB-4.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply

dinosaur58
2010-07-20, 15:32
No Combofix in Add/Remove. Installed new copy to desktop and tried to run script. At around stage 3 there was a Windows error message [looked like a DEP message] saying 'PEV.cfxxe has encountered an error and needs to close..' I closed the message box and Combofix seemed to resume normally. Here is the log.
WWWWWWWWWWW
ComboFix 10-07-19.02 - Administrator 07/20/2010 5:57.12.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1982.1456 [GMT -6:00]
Running from: c:\documents and settings\Administrator.COMPUTER\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator.COMPUTER\Desktop\cfscript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::
"c:\documents and settings\administrator\local settings\Temp\GNUAN.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_GNUAN
-------\Service_GNUAN


((((((((((((((((((((((((( Files Created from 2010-06-20 to 2010-07-20 )))))))))))))))))))))))))))))))
.

2010-07-20 11:42 . 2010-07-20 11:42 1014 ----a-w- c:\windows\system32\drivers\mgtryuwv.dat
2010-07-20 11:41 . 2010-07-20 11:41 8832 ----a-w- c:\windows\system32\drivers\RASACD.SYS
2010-07-20 09:26 . 2010-07-20 09:26 -------- d-----w- c:\windows\system32\MpEngineStore
2010-07-19 18:42 . 2010-07-19 18:42 -------- d-----w- c:\program files\ESET
2010-07-18 20:21 . 2010-07-18 20:21 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Office Genuine Advantage
2010-07-12 14:56 . 2010-07-12 14:56 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Adobe
2010-07-12 10:35 . 2010-07-12 10:35 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Application Data\Talkback
2010-07-08 14:04 . 2010-07-08 14:04 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-07-07 11:36 . 2010-07-07 11:36 293376 ----a-w- C:\6bg39okp.exe
2010-07-06 15:57 . 2010-07-06 15:57 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Apple Computer
2010-07-05 18:36 . 2010-07-05 18:36 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Adobe
2010-07-05 18:36 . 2010-07-18 17:33 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-04 15:11 . 2010-07-04 15:11 503808 ----a-w- c:\documents and settings\Administrator.COMPUTER\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4658bb77-n\msvcp71.dll
2010-07-04 15:11 . 2010-07-04 15:11 499712 ----a-w- c:\documents and settings\Administrator.COMPUTER\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4658bb77-n\jmc.dll
2010-07-04 15:11 . 2010-07-04 15:11 348160 ----a-w- c:\documents and settings\Administrator.COMPUTER\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4658bb77-n\msvcr71.dll
2010-07-04 15:11 . 2010-07-04 15:11 61440 ----a-w- c:\documents and settings\Administrator.COMPUTER\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-65417641-n\decora-sse.dll
2010-07-04 15:11 . 2010-07-04 15:11 12800 ----a-w- c:\documents and settings\Administrator.COMPUTER\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-65417641-n\decora-d3d.dll
2010-07-04 15:11 . 2010-04-12 23:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-01 12:08 . 2010-07-01 12:08 -------- d-s---w- c:\documents and settings\LocalService.NT AUTHORITY\UserData
2010-07-01 10:02 . 2010-07-01 10:02 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Thunderbird
2010-07-01 10:02 . 2010-07-01 10:02 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Application Data\Thunderbird
2010-06-30 08:30 . 2010-06-30 08:46 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-06-30 08:30 . 2009-03-30 15:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-06-30 08:30 . 2009-02-13 17:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-06-30 08:30 . 2009-02-13 17:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-06-30 08:30 . 2010-06-30 08:30 -------- d-----w- c:\program files\Avira
2010-06-30 08:30 . 2010-06-30 08:30 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Avira
2010-06-30 06:50 . 2010-06-30 06:50 -------- d-----w- c:\windows\system32\wbem\Repository
2010-06-30 06:03 . 2010-06-30 06:03 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\SITEguard
2010-06-30 06:03 . 2010-06-30 06:03 -------- d-----w- c:\program files\Common Files\iS3
2010-06-30 06:03 . 2010-06-30 06:03 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\STOPzilla!
2010-06-29 14:02 . 2010-06-29 14:02 -------- d-s---w- c:\documents and settings\NetworkService.NT AUTHORITY\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-14 14:30 . 2007-10-23 22:00 743936 ----a-w- c:\windows\pchealth\helpctr\binaries\HelpSvc.exe
2010-06-09 17:55 . 2010-06-09 17:55 -------- d-----w- c:\documents and settings\Administrator.COMPUTER\Application Data\Topaz Moment
2010-06-09 17:06 . 2010-06-09 17:06 -------- d-----w- c:\program files\Topaz Labs LLC
2010-06-01 15:02 . 2007-10-23 22:52 120280 ----a-w- c:\documents and settings\Administrator.COMPUTER\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-02 05:56 . 2007-12-14 00:01 1850880 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 21:39 . 2008-07-20 15:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 21:39 . 2008-07-20 15:48 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2004-04-09 21:13 . 2007-10-23 22:35 114688 ----a-w- c:\program files\NETGEAR DG632 USB Driveruninstalldrv.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2007-09-17 1626112]
"atwtusb"="atwtusb.exe" [2007-03-20 315392]
"Tweak UI"="TWEAKUI.CPL" [1997-11-08 87312]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-10 153136]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogoff"= 01000000
"NoRecentDocsNetHood"= 01000000
"NoSMMyDocs"= 01000000
"NoSMMyPictures"= 01000000
"NoNetworkConnections"= 01000000

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk.disabled]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk.disabled
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnk.disabledCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk.disabled]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk.disabled
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.disabledCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^DOCUME~1^ADMINI~1.COM^Start Menu^Programs^Startup^QuickShelf 2000.lnk]
path=c:\docume~1\ADMINI~1.COM\Start Menu\Programs\Startup\QuickShelf 2000.lnk
backup=c:\windows\pss\QuickShelf 2000.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2008-04-10 02:14 136472 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
2008-04-10 02:23 909208 ----a-w- c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxMenuMgr]
2009-01-16 22:31 181544 ----a-w- c:\program files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 22:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 17:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2008-04-10 02:11 2595792 ----a-w- c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NMIndexingService"=3 (0x3)
"NBService"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"VirtualCloneDrive"="c:\program files\VirtualCloneDrive\VCDDaemon.exe" /s
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
"hpqSRMon"=c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe
"SoundMan"=SOUNDMAN.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\System32\\mmc.exe"=
"c:\\Program Files\\Mozilla Firefox\\FIREFOX.EXE"=
"c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=

R1 aiptektp;Pen Pad;c:\windows\system32\drivers\aiptektp.sys [7/1/2008 10:33 PM 22528]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/30/2010 02:30 AM 108289]
R2 BCMNTIO;BCMNTIO;c:\progra~1\CHECKIT\DIAGNO~1\BCMNTIO.sys [12/20/2007 04:11 AM 3744]
R2 MAPMEM;MAPMEM;c:\progra~1\CHECKIT\DIAGNO~1\MAPMEM.sys [12/20/2007 04:11 AM 3904]
R3 EuMusDesignVirtualAudioCableWdm;Virtual Audio Cable (WDM);c:\windows\system32\drivers\vrtaucbl.sys [9/22/2009 03:59 AM 50944]
S1 stkowqfi;stkowqfi;\??\c:\windows\system32\drivers\stkowqfi.sys --> c:\windows\system32\drivers\stkowqfi.sys [?]
S2 portD;CMS PortIO Service;c:\windows\system32\DRIVERS\portd2k.sys --> c:\windows\system32\DRIVERS\portd2k.sys [?]
S3 MEMSWEEP2;MEMSWEEP2; [x]
S4 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [1/16/2009 04:31 PM 161064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
FF - ProfilePath - c:\documents and settings\Administrator.COMPUTER\Application Data\Mozilla\Firefox\Profiles\bvvl5608.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\windows\system32\C2MP\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-HijackThis - c:\documents and settings\Administrator.COMPUTER\My Documents\Anti-Smitfraud\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-20 06:10
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1454471165-1979792683-725345543-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{08437B63-CA86-7C11-1E25-5A214BD5C952}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"abnllihdbjplkgkdpkebpdfihejcgiaodb"=hex:61,62,6c,65,69,61,66,69,69,68,6d,65,
63,6d,6c,6e,63,67,63,66,6d,6a,6b,63,64,6d,67,61,68,66,62,70,65,61,00,00
"bbnllihdbjplkgkdpkfbdachibjdfkjonkac"=hex:61,62,67,67,63,64,64,61,65,69,68,62,
66,6d,63,70,63,64,65,68,6d,67,6e,6c,65,67,6a,6e,70,67,6e,6d,6f,63,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(908)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(3624)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Java\jre6\bin\jqs.exe
.
**************************************************************************
.
Completion time: 2010-07-20 06:13:05 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-20 12:13

Pre-Run: 86,872,752,128 bytes free
Post-Run: 86,978,068,480 bytes free

- - End Of File - - 14B6EDBBB57A16A624A4D9129486DED3
WWWWWWWWWWWWWWWW
I found 'ComboFix-quarantined-files.txt' in Qoobox. It mentions GNUAN.
WWWWWWWWWWWWWWWW
2010-07-20 12:12:29 . 2010-07-20 12:12:30 922 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-HijackThis.reg.dat
2010-07-20 12:06:12 . 2010-07-20 12:06:14 2,686 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_GNUAN.reg.dat
2010-07-20 12:06:12 . 2010-07-20 12:06:14 782 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_GNUAN.reg.dat
2010-07-20 12:06:05 . 2010-07-20 12:06:06 4,931 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2010-07-20 11:57:28 . 2010-07-20 11:57:30 0 ----a-w- C:\Qoobox\Quarantine\catchme.txt
2010-07-20 11:55:53 . 2010-07-20 11:55:54 51 ----a-w- C:\Qoobox\Quarantine\catchme.log
WWWWWWWWWWWWW
Probably just saying what it looked for?
D58

ken545
2010-07-20, 15:59
Open Notepad. Go to Start> All Programs> Accessories> Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above Driver::




Driver::
stkowqfi

File::
c:\windows\system32\drivers\mgtryuwv.dat
c:\windows\system32\drivers\RASACD.SYS
c:\windows\system32\drivers\stkowqfi.sys


Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/CFScriptB-4.gif


This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.






You need to enable windows to show all files and folders, instructions Here (http://www.bleepingcomputer.com/tutorials/tutorial62.html)

Go to VirusTotal (http://www.virustotal.com/) and submit this file for analysis: just use the browse feature and then Send File. You will get a report back; post the report into this thread for me to see. If the site says this file has been checked before, have them check it again.


C:\6bg39okp.exe

If the site is busy you can try this one

http://virusscan.jotti.org/en
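
The CFScript above singles out stkowqfi because of how its line reads in the ComboFix log posted earlier: a stopped (S) system-start (1) kernel driver with a random-looking name, a display name identical to the service name, and an image path ComboFix could not find ([?]). As an added example that is not part of this thread and not ComboFix's own code, the following Python parses the R/S service lines exactly as they appear in that log and applies those three checks. The log lines are copied from the thread; the vowel-ratio rule for "random-looking" is my own heuristic, and every flag is a lead to investigate rather than a verdict.

```python
import re
from typing import Dict, List

# Service/driver lines copied from the ComboFix log posted earlier in this thread.
# ComboFix format: <R|S><start type> <name>;<display name>;<image path> [<date size> | ? | x]
# R = running, S = stopped; start type 0 boot, 1 system, 2 auto, 3 manual, 4 disabled.
COMBOFIX_SERVICE_LINES = r"""
R1 aiptektp;Pen Pad;c:\windows\system32\drivers\aiptektp.sys [7/1/2008 10:33 PM 22528]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/30/2010 02:30 AM 108289]
R3 EuMusDesignVirtualAudioCableWdm;Virtual Audio Cable (WDM);c:\windows\system32\drivers\vrtaucbl.sys [9/22/2009 03:59 AM 50944]
S1 stkowqfi;stkowqfi;\??\c:\windows\system32\drivers\stkowqfi.sys --> c:\windows\system32\drivers\stkowqfi.sys [?]
S2 portD;CMS PortIO Service;c:\windows\system32\DRIVERS\portd2k.sys --> c:\windows\system32\DRIVERS\portd2k.sys [?]
S3 MEMSWEEP2;MEMSWEEP2; [x]
S4 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [1/16/2009 04:31 PM 161064]
"""

LINE_RE = re.compile(r"^([RS])([0-4]) ([^;]+);([^;]*);(.*?)\s*\[([^\]]*)\]$")
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}

NOT_FOUND = "image file not found"
RANDOM_NAME = "random-looking name"
NO_DISPLAY = "display name is just the service name"


def looks_random(name: str) -> bool:
    """My own heuristic: 8+ lowercase letters with 30% vowels or fewer reads like a
    generated name (stkowqfi, mgtryuwv); real drivers have more vowels or mixed case."""
    if len(name) < 8 or not name.isalpha() or not name.islower():
        return False
    vowels = sum(ch in "aeiou" for ch in name)
    return vowels / len(name) <= 0.3


def parse_line(line: str) -> Dict[str, str]:
    """Split one ComboFix R/S line into its fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a ComboFix service line: {line!r}")
    state, start, name, display, path, info = m.groups()
    return {
        "state": "running" if state == "R" else "stopped",
        "start": START_TYPES[start],
        "name": name,
        "display": display,
        "path": path,
        "info": info,  # "date size" when ComboFix found the file, "?" or "x" when it did not
    }


def triage(log_text: str) -> Dict[str, List[str]]:
    """Return {service name: [reasons]} for every line that trips at least one check."""
    findings: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        svc = parse_line(line)
        reasons = []
        if svc["info"] in ("?", "x"):
            reasons.append(NOT_FOUND)
        if looks_random(svc["name"]):
            reasons.append(RANDOM_NAME)
        if svc["display"] == svc["name"]:
            reasons.append(NO_DISPLAY)
        if reasons:
            findings[svc["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage(COMBOFIX_SERVICE_LINES).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Run as-is it reports stkowqfi on all three checks, and portD and MEMSWEEP2 for the missing image file only. That is why the output is a review list and not a delete list: the CFScript in the post above removes only stkowqfi, and a missing file by itself (a diagnostic tool's leftover driver entry, say) is a cleanup item, not an infection.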

dinosaur58
2010-07-20, 17:01
Combofix runs same as last time, but near end of run desktop blanks out leaving only combofix window. After reboot system runs disk check [no errors found], then starts normally, but no combofix window and no combofix log. Also new folder appears on C: drive named combofix seeming to contain complete system mirror [including a mirror copy of new combofix folder= recursion]. Did not try to delete the new mirror folder. What now? D58

dinosaur58
2010-07-20, 17:07
Had Virustotal ReScan file:
WWWWWWWWWWWWWWWWWW
Antivirus Version Last Update Result
AhnLab-V3 2010.07.20.02 2010.07.20 -
AntiVir 8.2.4.12 2010.07.20 -
Antiy-AVL 2.0.3.7 2010.07.15 -
Authentium 5.2.0.5 2010.07.20 -
Avast 4.8.1351.0 2010.07.20 -
Avast5 5.0.332.0 2010.07.20 -
AVG 9.0.0.836 2010.07.20 -
BitDefender 7.2 2010.07.20 -
CAT-QuickHeal 11.00 2010.07.20 -
ClamAV 0.96.0.3-git 2010.07.20 -
Comodo 5486 2010.07.20 -
DrWeb 5.0.2.03300 2010.07.20 -
Emsisoft 5.0.0.34 2010.07.20 -
eSafe 7.0.17.0 2010.07.19 Win32.TrojanHorse
eTrust-Vet 36.1.7723 2010.07.20 -
F-Prot 4.6.1.107 2010.07.19 -
F-Secure 9.0.15370.0 2010.07.20 -
Fortinet 4.1.143.0 2010.07.20 -
GData 21 2010.07.20 -
Ikarus T3.1.1.84.0 2010.07.20 -
Jiangmin 13.0.900 2010.07.20 -
Kaspersky 7.0.0.125 2010.07.20 -
McAfee 5.400.0.1158 2010.07.20 -
McAfee-GW-Edition 2010.1 2010.07.20 -
Microsoft 1.6004 2010.07.20 -
NOD32 5295 2010.07.20 -
Norman 6.05.11 2010.07.20 -
nProtect 2010-07-20.02 2010.07.20 -
Panda 10.0.2.7 2010.07.19 -
PCTools 7.0.3.5 2010.07.20 -
Prevx 3.0 2010.07.20 -
Rising 22.57.01.04 2010.07.20 -
Sophos 4.55.0 2010.07.20 -
Sunbelt 6606 2010.07.20 -
SUPERAntiSpyware 4.40.0.1006 2010.07.20 -
Symantec 20101.1.1.7 2010.07.20 -
TheHacker 6.5.2.1.320 2010.07.19 -
TrendMicro 9.120.0.1004 2010.07.20 -
TrendMicro-HouseCall 9.120.0.1004 2010.07.20 -
VBA32 3.12.12.6 2010.07.20 -
ViRobot 2010.6.21.3896 2010.07.20 -
VirusBuster 5.0.27.0 2010.07.20 -
Additional information
File size: 293376 bytes
MD5...: f80f6e09e7f4bafe478ca0da6137e1e2
SHA1..: 719082766cf4f60c8bdaa2b2c9f6967ecbcf8722
SHA256: 682fd0d13d7caf4b17a1eb9bafa0a3c3598139bb3623d3f5fba3bfbd0a6d424a
ssdeep: 6144:Uwbg2xeuJgWM/S1tm/xCIoQPJVZCzw5bEPb3cV9iYpTkyTFHS2:Uw82IZWM
61tUXRd9IPb3cVZkyp/
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0xb3f40
timedatestamp.....: 0x4b2763f0 (Tue Dec 15 10:24:48 2009)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x6d000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0x6e000 0x47000 0x46200 7.93 7b777c30b7f75e5eb654691bb1616dcb
.rsrc 0xb5000 0x2000 0x1400 3.38 710fb4291f153e98a3a03f3473b8bfd6

( 1 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, ExitProcess

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: UPX compressed Win32 Executable (39.5%)
Win32 EXE Yoda's Crypter (34.3%)
Win32 Executable Generic (11.0%)
Win32 Dynamic Link Library (generic) (9.8%)
Generic Win/DOS Executable (2.5%)
packers (F-Prot): UPX
packers (Kaspersky): PE_Patch.UPX, UPX, PE_Patch
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: 1, 0, 15, 15281
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
WWWWWWWWWWWWWWWWWW
Only one hit. D58
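
The PEInfo block in the VirusTotal report above says more than the 1/43 detection count: a UPX0 section with zero raw size but 0x6d000 bytes of virtual size, a UPX1 section at 7.93 bits per byte of entropy, no signature, and an import table of only LoadLibraryA, GetProcAddress, VirtualProtect and ExitProcess, which is the minimum a UPX loader stub needs. As an added example that is not from this thread or any tool mentioned in it, the following Python reads a PE section table and flags those packing tells. It builds its own minimal, non-runnable PE with the section layout from the report (a constructed sample; the timestamp is copied from the report, the payload bytes are random), so it runs offline; the packer section-name list is a small hand-picked set of my own, and the 7.0 bits/byte threshold is an assumption. It does not parse the import table.

```python
import math
import random
import struct
from typing import Dict, List

# Section names left behind by common packers (assumption: a small hand-picked list).
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite",
                        ".MPRESS1", ".MPRESS2", ".nsp0", ".nsp1", ".vmp0", ".vmp1"}

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes
COFF_HDR = struct.Struct("<HHIIIHH")          # IMAGE_FILE_HEADER, 20 bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty data, 8.0 for perfectly uniform data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> List[Dict]:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]          # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, nsec, _, _, _, opt_size, _ = COFF_HDR.unpack_from(pe, pe_off + 4)
    table = pe_off + 4 + COFF_HDR.size + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, *_ = SECTION_HDR.unpack_from(pe, table + i * SECTION_HDR.size)
        data = pe[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "virtual_address": va,
            "raw_size": rawsize, "entropy": round(shannon_entropy(data), 2),
        })
    return sections


def triage(pe: bytes, entropy_threshold: float = 7.0) -> Dict:
    """Flag the section-table tells of a packed binary, as VirusTotal's PEInfo shows them."""
    secs = parse_sections(pe)
    reasons = []
    packer = sorted({s["name"] for s in secs} & PACKER_SECTION_NAMES)
    if packer:
        reasons.append("packer section names: " + ", ".join(packer))
    # A section with no bytes on disk but a large virtual size is the unpacking target.
    hollow = [s["name"] for s in secs if s["raw_size"] == 0 and s["virtual_size"] >= 0x1000]
    if hollow:
        reasons.append("no file data but large virtual size (unpacking target): " + ", ".join(hollow))
    hot = [s["name"] for s in secs if s["entropy"] >= entropy_threshold]
    if hot:
        reasons.append(f"entropy >= {entropy_threshold} bits/byte: " + ", ".join(hot))
    return {"sections": secs, "reasons": reasons,
            "packed": bool(packer) or (bool(hollow) and bool(hot))}


def _align(x: int, a: int) -> int:
    return (x + a - 1) // a * a


def build_pe(sections) -> bytes:
    """Constructed test input: a minimal, non-runnable PE32 with the given
    (name, virtual size, raw bytes) sections. Only the headers this parser reads are real."""
    opt_size, file_align = 224, 0x200
    hdr_size = _align(0x40 + 4 + COFF_HDR.size + opt_size + SECTION_HDR.size * len(sections), file_align)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + COFF_HDR.pack(0x14C, len(sections), 0x4B2763F0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)   # PE32 magic, rest zeroed
    table, body, rawptr, va = b"", b"", hdr_size, 0x1000
    for name, vsize, raw in sections:
        table += SECTION_HDR.pack(name.encode().ljust(8, b"\0"), vsize, va,
                                  len(raw), rawptr if raw else 0, 0, 0, 0, 0, 0x60000020)
        padded = raw + b"\0" * (-len(raw) % file_align)
        body += padded
        rawptr += len(padded)
        va += _align(max(vsize, len(raw), 1), 0x1000)
    return (dos + coff + opt + table).ljust(hdr_size, b"\0") + body


def sample_upx_like_pe() -> bytes:
    """Constructed sample with the layout from the VirusTotal report above:
    UPX0 (no raw data, 0x6d000 virtual), UPX1 (high entropy), .rsrc (low entropy)."""
    rng = random.Random(2010)
    payload = bytes(rng.getrandbits(8) for _ in range(0x2000))  # stands in for compressed code
    rsrc = (b"\0" * 0x300 + b"VS_VERSION_INFO").ljust(0x400, b"\0")
    return build_pe([("UPX0", 0x6D000, b""), ("UPX1", 0x47000, payload), (".rsrc", 0x2000, rsrc)])


if __name__ == "__main__":
    result = triage(sample_upx_like_pe())
    for s in result["sections"]:
        print(f"{s['name']:<8} virt=0x{s['virtual_size']:x} raw=0x{s['raw_size']:x} entropy={s['entropy']}")
    print("packed:", result["packed"], "|", "; ".join(result["reasons"]))
```

Packing on its own is not proof of malice, since legitimate software ships UPX-packed too, so the result is a triage lead: an unsigned, packed, randomly named executable in the root of C:\ with one AV hit is a candidate for unpacking or sandbox analysis, not something a low detection count clears.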

ken545
2010-07-21, 01:31
Hi,

Sorry for the delay but I have been away and off line all day.

C:\ComboFix.txt <-- Have you tried going here and looking for the last log ?


How are things running now ?

dinosaur58
2010-07-21, 07:11
Delay no problem, had to sleep myself. No Combofix.txt on C: . No pop-ups recently, and no rogue services. Strange Combofix mirror folder persists after reboot. Should I try to delete it? D58

ken545
2010-07-21, 11:49
Not sure what's in that folder. Is it possible to copy and paste it for me to see?

dinosaur58
2010-07-21, 12:43
I can't copy and paste folders to the website, and maximum file size for zipped is 976kb. When I check the properties of the folder the system reports that it contains 1 Folder with 264 files in it and a total of 20.4mb. When I open it the system shows a full mirror of the system: C:,D:,E:,and A: drives, Documents Folder, Control Panel, etc. The folder uses the same Icon as My Computer. If I browse to files inside it kicks me back out to the correct folder, so I can't see what's actually in it. D58

ken545
2010-07-21, 13:48
Just leave it be for now, I am going to look into it and be back as soon as I can

dinosaur58
2010-07-21, 14:23
Just for hoots I tried creating a zip archive with the mystery folder as contents, and then opening the resulting file. It looks like the unpacked contents of Combofix.exe, and included Combofix.txt [see below]. Still doesn't explain why the system sees it as a mirror.
WWWWWWWWWWWW
ComboFix 10-07-19.04 - Administrator 07/20/2010 7:32:06.13.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1982.1469 [GMT -6:00]
Running from: C:\Documents and Settings\Administrator.COMPUTER\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator.COMPUTER\Desktop\cfscript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::
"c:\windows\system32\drivers\mgtryuwv.dat"
"c:\windows\system32\drivers\RASACD.SYS"
"c:\windows\system32\drivers\stkowqfi.sys"
.
WWWWWWWWWWWWWWWWWWW
That's all there was in Combofix.txt. Total archive size = 4.5mb. D58

ken545
2010-07-21, 14:28
OK, just leave it be, be back around noon

ken545
2010-07-21, 19:16
It appears you may still have some issues we need to look at. This is what I need you to do: run Combofix, no script, just double click on it to run, and post the log please.


Then I need you to run GMER; if it gives you issues then try it in Safemode.


http://img.photobucket.com/albums/v666/sUBs/gmer_zip.gif
Download GMER Rootkit Scanner from here (http://www.gmer.net/gmer.zip) or here (http://www.majorgeeks.com/download.php?det=5198).

Extract the contents of the zipped file to desktop.
Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

http://i266.photobucket.com/albums/ii277/sUBs_/th_Gmer_initScan.gif (http://i266.photobucket.com/albums/ii277/sUBs_/Gmer_initScan.gif)
Click the image to enlarge it

In the right panel, you will see several boxes that have been checked. Uncheck the following ...
IAT/EAT
Drives/Partition other than Systemdrive (typically C:\)
Show All (don't miss this one)

Then click the Scan button & wait for it to finish.
Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.

Save it where you can easily find it, such as your desktop, and post it in your next reply.


**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries




To Enter Safemode

Go to Start> Shut off your Computer> Restart
As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
this will bring up a menu.
Use the Up and Down Arrow Keys to scroll up to Safemode
Then press the Enter Key on your Keyboard

Tutorial if you need it How to boot into Safemode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)



I need to see the new CF log and the GMER log please

dinosaur58
2010-07-21, 21:42
Here are the logs. The Mystery Folder disappeared when Combofix ran.
WWWWWWWWWWWWWW
ComboFix 10-07-20.03 - Administrator 07/21/2010 11:35:19.14.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1982.1398 [GMT -6:00]
Running from: c:\documents and settings\Administrator.COMPUTER\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\RASACD.SYS
.
---- Previous Run -------
.
c:\windows\system32\drivers\mgtryuwv.dat
c:\windows\system32\drivers\RASACD.SYS

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_stkowqfi


((((((((((((((((((((((((( Files Created from 2010-06-21 to 2010-07-21 )))))))))))))))))))))))))))))))
.

2010-07-21 11:13 . 2010-07-21 11:13 4664667 ----a-w- C:\ComboFix.zip
2010-07-20 11:41 . 2004-08-04 07:00 8832 ----a-w- c:\windows\system32\dllcache\rasacd.sys
2010-07-20 09:26 . 2010-07-20 09:26 -------- d-----w- c:\windows\system32\MpEngineStore
2010-07-19 18:42 . 2010-07-19 18:42 -------- d-----w- c:\program files\ESET
2010-07-12 14:56 . 2010-07-12 14:56 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Adobe
2010-07-12 10:35 . 2010-07-12 10:35 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Application Data\Talkback
2010-07-08 14:04 . 2010-07-08 14:04 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-07-07 11:36 . 2010-07-07 11:36 293376 ----a-w- C:\6bg39okp.exe
2010-07-06 15:57 . 2010-07-06 15:57 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Apple Computer
2010-07-05 18:36 . 2010-07-05 18:36 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Adobe
2010-07-05 18:36 . 2010-07-18 17:33 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-04 15:11 . 2010-07-04 15:11 503808 ----a-w- c:\documents and settings\Administrator.COMPUTER\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4658bb77-n\msvcp71.dll
2010-07-04 15:11 . 2010-07-04 15:11 499712 ----a-w- c:\documents and settings\Administrator.COMPUTER\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4658bb77-n\jmc.dll
2010-07-04 15:11 . 2010-07-04 15:11 348160 ----a-w- c:\documents and settings\Administrator.COMPUTER\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4658bb77-n\msvcr71.dll
2010-07-04 15:11 . 2010-07-04 15:11 61440 ----a-w- c:\documents and settings\Administrator.COMPUTER\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-65417641-n\decora-sse.dll
2010-07-04 15:11 . 2010-07-04 15:11 12800 ----a-w- c:\documents and settings\Administrator.COMPUTER\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-65417641-n\decora-d3d.dll
2010-07-04 15:11 . 2010-04-12 23:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-01 12:08 . 2010-07-01 12:08 -------- d-s---w- c:\documents and settings\LocalService.NT AUTHORITY\UserData
2010-07-01 10:02 . 2010-07-01 10:02 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Thunderbird
2010-07-01 10:02 . 2010-07-01 10:02 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Application Data\Thunderbird
2010-06-30 08:30 . 2010-06-30 08:46 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-06-30 08:30 . 2009-03-30 15:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-06-30 08:30 . 2009-02-13 17:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-06-30 08:30 . 2009-02-13 17:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-06-30 08:30 . 2010-06-30 08:30 -------- d-----w- c:\program files\Avira
2010-06-30 08:30 . 2010-06-30 08:30 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Avira
2010-06-30 06:50 . 2010-06-30 06:50 -------- d-----w- c:\windows\system32\wbem\Repository
2010-06-30 06:03 . 2010-06-30 06:03 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\SITEguard
2010-06-30 06:03 . 2010-06-30 06:03 -------- d-----w- c:\program files\Common Files\iS3
2010-06-30 06:03 . 2010-06-30 06:03 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\STOPzilla!
2010-06-29 14:02 . 2010-06-29 14:02 -------- d-s---w- c:\documents and settings\NetworkService.NT AUTHORITY\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-14 14:30 . 2007-10-23 22:00 743936 ----a-w- c:\windows\pchealth\helpctr\binaries\HelpSvc.exe
2010-06-09 17:55 . 2010-06-09 17:55 -------- d-----w- c:\documents and settings\Administrator.COMPUTER\Application Data\Topaz Moment
2010-06-09 17:06 . 2010-06-09 17:06 -------- d-----w- c:\program files\Topaz Labs LLC
2010-06-01 15:02 . 2007-10-23 22:52 120280 ----a-w- c:\documents and settings\Administrator.COMPUTER\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-02 05:56 . 2007-12-14 00:01 1850880 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 21:39 . 2008-07-20 15:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 21:39 . 2008-07-20 15:48 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2004-04-09 21:13 . 2007-10-23 22:35 114688 ----a-w- c:\program files\NETGEAR DG632 USB Driveruninstalldrv.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-07-20_12.10.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-21 18:02 . 2010-07-21 18:02 16384 c:\windows\temp\Perflib_Perfdata_6b8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2007-09-17 1626112]
"atwtusb"="atwtusb.exe" [2007-03-20 315392]
"Tweak UI"="TWEAKUI.CPL" [1997-11-08 87312]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-10 153136]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogoff"= 01000000
"NoRecentDocsNetHood"= 01000000
"NoSMMyDocs"= 01000000
"NoSMMyPictures"= 01000000
"NoNetworkConnections"= 01000000

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk.disabled]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk.disabled
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnk.disabledCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk.disabled]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk.disabled
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.disabledCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^DOCUME~1^ADMINI~1.COM^Start Menu^Programs^Startup^QuickShelf 2000.lnk]
path=c:\docume~1\ADMINI~1.COM\Start Menu\Programs\Startup\QuickShelf 2000.lnk
backup=c:\windows\pss\QuickShelf 2000.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2008-04-10 02:14 136472 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
2008-04-10 02:23 909208 ----a-w- c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxMenuMgr]
2009-01-16 22:31 181544 ----a-w- c:\program files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 22:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 17:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2008-04-10 02:11 2595792 ----a-w- c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NMIndexingService"=3 (0x3)
"NBService"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"VirtualCloneDrive"="c:\program files\VirtualCloneDrive\VCDDaemon.exe" /s
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
"hpqSRMon"=c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe
"SoundMan"=SOUNDMAN.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\System32\\mmc.exe"=
"c:\\Program Files\\Mozilla Firefox\\FIREFOX.EXE"=
"c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=

R1 aiptektp;Pen Pad;c:\windows\system32\drivers\aiptektp.sys [7/1/2008 10:33 PM 22528]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/30/2010 02:30 AM 108289]
R2 BCMNTIO;BCMNTIO;c:\progra~1\CHECKIT\DIAGNO~1\BCMNTIO.sys [12/20/2007 04:11 AM 3744]
R2 MAPMEM;MAPMEM;c:\progra~1\CHECKIT\DIAGNO~1\MAPMEM.sys [12/20/2007 04:11 AM 3904]
R3 EuMusDesignVirtualAudioCableWdm;Virtual Audio Cable (WDM);c:\windows\system32\drivers\vrtaucbl.sys [9/22/2009 03:59 AM 50944]
S2 portD;CMS PortIO Service;c:\windows\system32\DRIVERS\portd2k.sys --> c:\windows\system32\DRIVERS\portd2k.sys [?]
S3 MEMSWEEP2;MEMSWEEP2; [x]
S4 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [1/16/2009 04:31 PM 161064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
FF - ProfilePath - c:\documents and settings\Administrator.COMPUTER\Application Data\Mozilla\Firefox\Profiles\bvvl5608.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\windows\system32\C2MP\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-21 12:03
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1454471165-1979792683-725345543-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{08437B63-CA86-7C11-1E25-5A214BD5C952}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"abnllihdbjplkgkdpkebpdfihejcgiaodb"=hex:61,62,6c,65,69,61,66,69,69,68,6d,65,
63,6d,6c,6e,63,67,63,66,6d,6a,6b,63,64,6d,67,61,68,66,62,70,65,61,00,00
"bbnllihdbjplkgkdpkfbdachibjdfkjonkac"=hex:61,62,67,67,63,64,64,61,65,69,68,62,
66,6d,63,70,63,64,65,68,6d,67,6e,6c,65,67,6a,6e,70,67,6e,6d,6f,63,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(940)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(3532)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Java\jre6\bin\jqs.exe
.
**************************************************************************
.
Completion time: 2010-07-21 12:06:36 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-21 18:06

Pre-Run: 86,892,380,160 bytes free
Post-Run: 86,853,943,296 bytes free

- - End Of File - - 5482D7EE4CD2230D509817088F089194
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-21 12:38:41
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1.COM\LOCALS~1\Temp\pgldqpow.sys


---- System - GMER 1.0.15 ----

SSDT B8F5F226 ZwCreateKey
SSDT B8F5F21C ZwCreateThread
SSDT B8F5F22B ZwDeleteKey
SSDT B8F5F235 ZwDeleteValueKey
SSDT B8F5F23A ZwLoadKey
SSDT B8F5F208 ZwOpenProcess
SSDT B8F5F20D ZwOpenThread
SSDT B8F5F244 ZwReplaceKey
SSDT B8F5F23F ZwRestoreKey
SSDT B8F5F230 ZwSetValueKey
SSDT B8F5F217 ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB95FF360, 0x307AC7, 0xE8000020]
init C:\WINDOWS\system32\DRIVERS\aiptektp.sys entry point in "init" section [0xBA41C480]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\FIREFOX.EXE[2744] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\FIREFOX.EXE (Firefox/Mozilla Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0x2E 0xE8 0xE1 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x6A 0x9C 0xD6 0x61 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0x25 0xDA 0xEC 0x7E ...
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x3E 0x1E 0x9E 0xE0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xE9 0x02 0x6C 0xFA ...
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0x50 0x93 0xE5 0xAB ...
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0x97 0x20 0x4E 0x9A ...
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x01 0x3A 0x48 0xFC ...
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0x51 0xFA 0x6E 0x91 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0x3D 0xCE 0xEA 0x26 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0x2A 0xB7 0xCC 0xB5 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0x6C 0x43 0x2D 0x1E ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{08437B63-CA86-7C11-1E25-5A214BD5C952}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{08437B63-CA86-7C11-1E25-5A214BD5C952}@abnllihdbjplkgkdpkebpdfihejcgiaodb 0x61 0x62 0x6C 0x65 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{08437B63-CA86-7C11-1E25-5A214BD5C952}@bbnllihdbjplkgkdpkfbdachibjdfkjonkac 0x61 0x62 0x67 0x67 ...

---- EOF - GMER 1.0.15 ----
Thanks for your persistence with this problem. D58

ken545
2010-07-21, 23:58
Not a problem, some systems are easier to clean and some are not.

Thanks for the GMER log, I am looking it over now


C:\Qoobox\ComboFix-quarantined-files.txt <--Open this and post the log please

dinosaur58
2010-07-22, 00:34
Here's the log. Gotta sack out, I'll check back once before work. D58
2010-07-20 13:34:57 . 2010-07-20 13:34:58 664 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_stkowqfi.reg.dat
2010-07-20 12:12:29 . 2010-07-20 12:12:30 922 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-HijackThis.reg.dat
2010-07-20 12:06:12 . 2010-07-20 12:06:14 2,686 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_GNUAN.reg.dat
2010-07-20 12:06:12 . 2010-07-20 12:06:14 782 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_GNUAN.reg.dat
2010-07-20 12:06:05 . 2010-07-21 17:59:16 4,931 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2010-07-20 11:57:28 . 2010-07-20 13:32:02 0 ----a-w- C:\Qoobox\Quarantine\catchme.txt
2010-07-20 11:55:53 . 2010-07-21 17:33:34 255 ----a-w- C:\Qoobox\Quarantine\catchme.log
2010-07-20 11:42:37 . 2010-07-20 11:42:38 1,014 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\mgtryuwv.dat.vir
2010-07-20 11:41:07 . 2010-07-20 11:41:08 8,832 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\RASACD.SYS.vir

ken545
2010-07-22, 00:46
OK, do this: we are going to run a CF Script. CF won't run all the way, but it will produce a log I need to see.

Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before and above Dequarantine::




Dequarantine::
C:\Qoobox\Quarantine\c:\windows\system32\drivers\RASACD.SYS
Quit::


Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/CFScriptB-4.gif


This will start ComboFix again, but it won't run all the way through. Post the log it produces, please.

dinosaur58
2010-07-22, 06:25
Here's the ComboFix DeQuarantine log. Restarting the antivirus after the ComboFix run sometimes causes the system to become unresponsive [except for cursor movement]? Couldn't bring up Task Manager to see what process was causing this. D58
ComboFix 10-07-21.01 - Administrator 07/21/2010 21:04:49.15.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1982.1470 [GMT -6:00]
Running from: c:\documents and settings\Administrator.COMPUTER\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator.COMPUTER\Desktop\cfscript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((( Files Created from 2010-06-22 to 2010-07-22 )))))))))))))))))))))))))))))))
.

2010-07-21 11:13 . 2010-07-21 11:13 4664667 ----a-w- C:\ComboFix.zip
2010-07-20 11:41 . 2004-08-04 07:00 8832 ----a-w- c:\windows\system32\dllcache\rasacd.sys
2010-07-20 09:26 . 2010-07-20 09:26 -------- d-----w- c:\windows\system32\MpEngineStore
2010-07-19 18:42 . 2010-07-19 18:42 -------- d-----w- c:\program files\ESET
2010-07-12 14:56 . 2010-07-12 14:56 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Adobe
2010-07-12 10:35 . 2010-07-12 10:35 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Application Data\Talkback
2010-07-08 14:04 . 2010-07-08 14:04 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-07-07 11:36 . 2010-07-07 11:36 293376 ----a-w- C:\6bg39okp.exe
2010-07-06 15:57 . 2010-07-06 15:57 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Apple Computer
2010-07-05 18:36 . 2010-07-05 18:36 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Adobe
2010-07-05 18:36 . 2010-07-18 17:33 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-04 15:11 . 2010-07-04 15:11 503808 ----a-w- c:\documents and settings\Administrator.COMPUTER\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4658bb77-n\msvcp71.dll
2010-07-04 15:11 . 2010-07-04 15:11 499712 ----a-w- c:\documents and settings\Administrator.COMPUTER\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4658bb77-n\jmc.dll
2010-07-04 15:11 . 2010-07-04 15:11 348160 ----a-w- c:\documents and settings\Administrator.COMPUTER\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4658bb77-n\msvcr71.dll
2010-07-04 15:11 . 2010-07-04 15:11 61440 ----a-w- c:\documents and settings\Administrator.COMPUTER\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-65417641-n\decora-sse.dll
2010-07-04 15:11 . 2010-07-04 15:11 12800 ----a-w- c:\documents and settings\Administrator.COMPUTER\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-65417641-n\decora-d3d.dll
2010-07-04 15:11 . 2010-04-12 23:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-01 12:08 . 2010-07-01 12:08 -------- d-s---w- c:\documents and settings\LocalService.NT AUTHORITY\UserData
2010-07-01 10:02 . 2010-07-01 10:02 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Thunderbird
2010-07-01 10:02 . 2010-07-01 10:02 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Application Data\Thunderbird
2010-06-30 08:30 . 2010-06-30 08:46 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-06-30 08:30 . 2009-03-30 15:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-06-30 08:30 . 2009-02-13 17:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-06-30 08:30 . 2009-02-13 17:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-06-30 08:30 . 2010-06-30 08:30 -------- d-----w- c:\program files\Avira
2010-06-30 08:30 . 2010-06-30 08:30 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Avira
2010-06-30 06:50 . 2010-06-30 06:50 -------- d-----w- c:\windows\system32\wbem\Repository
2010-06-30 06:03 . 2010-06-30 06:03 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\SITEguard
2010-06-30 06:03 . 2010-06-30 06:03 -------- d-----w- c:\program files\Common Files\iS3
2010-06-30 06:03 . 2010-06-30 06:03 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\STOPzilla!
2010-06-29 14:02 . 2010-06-29 14:02 -------- d-s---w- c:\documents and settings\NetworkService.NT AUTHORITY\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-14 14:30 . 2007-10-23 22:00 743936 ----a-w- c:\windows\pchealth\helpctr\binaries\HelpSvc.exe
2010-06-09 17:55 . 2010-06-09 17:55 -------- d-----w- c:\documents and settings\Administrator.COMPUTER\Application Data\Topaz Moment
2010-06-09 17:06 . 2010-06-09 17:06 -------- d-----w- c:\program files\Topaz Labs LLC
2010-06-01 15:02 . 2007-10-23 22:52 120280 ----a-w- c:\documents and settings\Administrator.COMPUTER\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-02 05:56 . 2007-12-14 00:01 1850880 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 21:39 . 2008-07-20 15:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 21:39 . 2008-07-20 15:48 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2004-04-09 21:13 . 2007-10-23 22:35 114688 ----a-w- c:\program files\NETGEAR DG632 USB Driveruninstalldrv.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2007-09-17 1626112]
"atwtusb"="atwtusb.exe" [2007-03-20 315392]
"Tweak UI"="TWEAKUI.CPL" [1997-11-08 87312]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-10 153136]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogoff"= 01000000
"NoRecentDocsNetHood"= 01000000
"NoSMMyDocs"= 01000000
"NoSMMyPictures"= 01000000
"NoNetworkConnections"= 01000000

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk.disabled]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk.disabled
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnk.disabledCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk.disabled]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk.disabled
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.disabledCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^DOCUME~1^ADMINI~1.COM^Start Menu^Programs^Startup^QuickShelf 2000.lnk]
path=c:\docume~1\ADMINI~1.COM\Start Menu\Programs\Startup\QuickShelf 2000.lnk
backup=c:\windows\pss\QuickShelf 2000.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2008-04-10 02:14 136472 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
2008-04-10 02:23 909208 ----a-w- c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxMenuMgr]
2009-01-16 22:31 181544 ----a-w- c:\program files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 22:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 17:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2008-04-10 02:11 2595792 ----a-w- c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NMIndexingService"=3 (0x3)
"NBService"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"VirtualCloneDrive"="c:\program files\VirtualCloneDrive\VCDDaemon.exe" /s
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
"hpqSRMon"=c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe
"SoundMan"=SOUNDMAN.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\System32\\mmc.exe"=
"c:\\Program Files\\Mozilla Firefox\\FIREFOX.EXE"=
"c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=

R1 aiptektp;Pen Pad;c:\windows\system32\drivers\aiptektp.sys [7/1/2008 10:33 PM 22528]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/30/2010 02:30 AM 108289]
R2 BCMNTIO;BCMNTIO;c:\progra~1\CHECKIT\DIAGNO~1\BCMNTIO.sys [12/20/2007 04:11 AM 3744]
R2 MAPMEM;MAPMEM;c:\progra~1\CHECKIT\DIAGNO~1\MAPMEM.sys [12/20/2007 04:11 AM 3904]
R3 EuMusDesignVirtualAudioCableWdm;Virtual Audio Cable (WDM);c:\windows\system32\drivers\vrtaucbl.sys [9/22/2009 03:59 AM 50944]
S2 portD;CMS PortIO Service;c:\windows\system32\DRIVERS\portd2k.sys --> c:\windows\system32\DRIVERS\portd2k.sys [?]
S3 MEMSWEEP2;MEMSWEEP2; [x]
S4 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [1/16/2009 04:31 PM 161064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
FF - ProfilePath - c:\documents and settings\Administrator.COMPUTER\Application Data\Mozilla\Firefox\Profiles\bvvl5608.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\windows\system32\C2MP\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-21 21:09
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1454471165-1979792683-725345543-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{08437B63-CA86-7C11-1E25-5A214BD5C952}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"abnllihdbjplkgkdpkebpdfihejcgiaodb"=hex:61,62,6c,65,69,61,66,69,69,68,6d,65,
63,6d,6c,6e,63,67,63,66,6d,6a,6b,63,64,6d,67,61,68,66,62,70,65,61,00,00
"bbnllihdbjplkgkdpkfbdachibjdfkjonkac"=hex:61,62,67,67,63,64,64,61,65,69,68,62,
66,6d,63,70,63,64,65,68,6d,67,6e,6c,65,67,6a,6e,70,67,6e,6d,6f,63,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(940)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(3496)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-07-21 21:11:03
ComboFix-quarantined-files.txt 2010-07-22 03:11
ComboFix2.txt 2010-07-21 18:16

Pre-Run: 86,844,243,968 bytes free
Post-Run: 86,838,247,424 bytes free

- - End Of File - - DAF62AD5C4C64A0B6DD6C97E6B8FE4EA

ken545
2010-07-22, 11:23
Did you run CF with the new script or did you drag an older one in by mistake?


Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)

Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:


:filefind
RASACD.SYS



Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

dinosaur58
2010-07-22, 16:27
Combofix automatically moves each script to the Qoobox folder after using it, so only new txt file on desktop = no mistake. Here's the Systemlook log. D58
WWWWWWWWWWW
SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 07:23 on 22/07/2010 by Administrator (Administrator - Elevation successful)

========== filefind ==========

Searching for "RASACD.SYS"
C:\WINDOWS\system32\dllcache\rasacd.sys --a--- 8832 bytes [11:41 20/07/2010] [07:00 04/08/2004] FE0D99D6F31E4FAD8159F690D68DED9C

-=End Of File=-

ken545
2010-07-22, 19:11
Yep, but just double checking.

Drag Combofix to the trash and grab a fresh copy

Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop




Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before and above FCopy::




FCopy::
C:\WINDOWS\system32\dllcache\rasacd.sys | c:\windows\system32\drivers\rasacd.sys


Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/CFScriptB-4.gif


This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

dinosaur58
2010-07-22, 21:06
Here's the log.D58
WWWWWWWWWWWWWWWWWWW
ComboFix 10-07-22.01 - Administrator 07/22/2010 11:24:59.16.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1982.1414 [GMT -6:00]
Running from: c:\documents and settings\Administrator.COMPUTER\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator.COMPUTER\Desktop\cfscript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\system32\dllcache\rasacd.sys --> c:\windows\system32\drivers\rasacd.sys
.
((((((((((((((((((((((((( Files Created from 2010-06-22 to 2010-07-22 )))))))))))))))))))))))))))))))
.

2010-07-22 17:24 . 2004-08-04 07:00 8832 ----a-w- c:\windows\system32\drivers\rasacd.sys
2010-07-22 17:24 . 2004-08-04 07:00 8832 ----a-w- c:\windows\system32\dllcache\rasacd.sys
2010-07-21 11:13 . 2010-07-21 11:13 4664667 ----a-w- C:\ComboFix.zip
2010-07-20 09:26 . 2010-07-20 09:26 -------- d-----w- c:\windows\system32\MpEngineStore
2010-07-19 18:42 . 2010-07-19 18:42 -------- d-----w- c:\program files\ESET
2010-07-12 14:56 . 2010-07-12 14:56 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Adobe
2010-07-12 10:35 . 2010-07-12 10:35 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Application Data\Talkback
2010-07-08 14:04 . 2010-07-08 14:04 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-07-07 11:36 . 2010-07-07 11:36 293376 ----a-w- C:\6bg39okp.exe
2010-07-06 15:57 . 2010-07-06 15:57 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Apple Computer
2010-07-05 18:36 . 2010-07-05 18:36 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Adobe
2010-07-05 18:36 . 2010-07-18 17:33 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-04 15:11 . 2010-07-04 15:11 503808 ----a-w- c:\documents and settings\Administrator.COMPUTER\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4658bb77-n\msvcp71.dll
2010-07-04 15:11 . 2010-07-04 15:11 499712 ----a-w- c:\documents and settings\Administrator.COMPUTER\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4658bb77-n\jmc.dll
2010-07-04 15:11 . 2010-07-04 15:11 348160 ----a-w- c:\documents and settings\Administrator.COMPUTER\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4658bb77-n\msvcr71.dll
2010-07-04 15:11 . 2010-07-04 15:11 61440 ----a-w- c:\documents and settings\Administrator.COMPUTER\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-65417641-n\decora-sse.dll
2010-07-04 15:11 . 2010-07-04 15:11 12800 ----a-w- c:\documents and settings\Administrator.COMPUTER\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-65417641-n\decora-d3d.dll
2010-07-04 15:11 . 2010-04-12 23:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-01 12:08 . 2010-07-01 12:08 -------- d-s---w- c:\documents and settings\LocalService.NT AUTHORITY\UserData
2010-07-01 10:02 . 2010-07-01 10:02 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Thunderbird
2010-07-01 10:02 . 2010-07-01 10:02 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Application Data\Thunderbird
2010-06-30 08:30 . 2010-06-30 08:46 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-06-30 08:30 . 2009-03-30 15:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-06-30 08:30 . 2009-02-13 17:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-06-30 08:30 . 2009-02-13 17:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-06-30 08:30 . 2010-06-30 08:30 -------- d-----w- c:\program files\Avira
2010-06-30 08:30 . 2010-06-30 08:30 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Avira
2010-06-30 06:50 . 2010-06-30 06:50 -------- d-----w- c:\windows\system32\wbem\Repository
2010-06-30 06:03 . 2010-06-30 06:03 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\SITEguard
2010-06-30 06:03 . 2010-06-30 06:03 -------- d-----w- c:\program files\Common Files\iS3
2010-06-30 06:03 . 2010-06-30 06:03 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\STOPzilla!
2010-06-29 14:02 . 2010-06-29 14:02 -------- d-s---w- c:\documents and settings\NetworkService.NT AUTHORITY\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-14 14:30 . 2007-10-23 22:00 743936 ----a-w- c:\windows\pchealth\helpctr\binaries\HelpSvc.exe
2010-06-09 17:55 . 2010-06-09 17:55 -------- d-----w- c:\documents and settings\Administrator.COMPUTER\Application Data\Topaz Moment
2010-06-09 17:06 . 2010-06-09 17:06 -------- d-----w- c:\program files\Topaz Labs LLC
2010-06-01 15:02 . 2007-10-23 22:52 120280 ----a-w- c:\documents and settings\Administrator.COMPUTER\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-02 05:56 . 2007-12-14 00:01 1850880 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 21:39 . 2008-07-20 15:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 21:39 . 2008-07-20 15:48 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2004-04-09 21:13 . 2007-10-23 22:35 114688 ----a-w- c:\program files\NETGEAR DG632 USB Driveruninstalldrv.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2007-09-17 1626112]
"atwtusb"="atwtusb.exe" [2007-03-20 315392]
"Tweak UI"="TWEAKUI.CPL" [1997-11-08 87312]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-10 153136]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogoff"= 01000000
"NoRecentDocsNetHood"= 01000000
"NoSMMyDocs"= 01000000
"NoSMMyPictures"= 01000000
"NoNetworkConnections"= 01000000

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk.disabled]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk.disabled
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnk.disabledCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk.disabled]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk.disabled
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.disabledCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^DOCUME~1^ADMINI~1.COM^Start Menu^Programs^Startup^QuickShelf 2000.lnk]
path=c:\docume~1\ADMINI~1.COM\Start Menu\Programs\Startup\QuickShelf 2000.lnk
backup=c:\windows\pss\QuickShelf 2000.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2008-04-10 02:14 136472 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
2008-04-10 02:23 909208 ----a-w- c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxMenuMgr]
2009-01-16 22:31 181544 ----a-w- c:\program files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 22:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 17:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2008-04-10 02:11 2595792 ----a-w- c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NMIndexingService"=3 (0x3)
"NBService"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"VirtualCloneDrive"="c:\program files\VirtualCloneDrive\VCDDaemon.exe" /s
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
"hpqSRMon"=c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe
"SoundMan"=SOUNDMAN.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\System32\\mmc.exe"=
"c:\\Program Files\\Mozilla Firefox\\FIREFOX.EXE"=
"c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=

R1 aiptektp;Pen Pad;c:\windows\system32\drivers\aiptektp.sys [7/1/2008 10:33 PM 22528]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/30/2010 02:30 AM 108289]
R2 BCMNTIO;BCMNTIO;c:\progra~1\CHECKIT\DIAGNO~1\BCMNTIO.sys [12/20/2007 04:11 AM 3744]
R2 MAPMEM;MAPMEM;c:\progra~1\CHECKIT\DIAGNO~1\MAPMEM.sys [12/20/2007 04:11 AM 3904]
R3 EuMusDesignVirtualAudioCableWdm;Virtual Audio Cable (WDM);c:\windows\system32\drivers\vrtaucbl.sys [9/22/2009 03:59 AM 50944]
S2 portD;CMS PortIO Service;c:\windows\system32\DRIVERS\portd2k.sys --> c:\windows\system32\DRIVERS\portd2k.sys [?]
S3 MEMSWEEP2;MEMSWEEP2; [x]
S4 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [1/16/2009 04:31 PM 161064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
FF - ProfilePath - c:\documents and settings\Administrator.COMPUTER\Application Data\Mozilla\Firefox\Profiles\bvvl5608.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\windows\system32\C2MP\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-22 11:29
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1454471165-1979792683-725345543-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{08437B63-CA86-7C11-1E25-5A214BD5C952}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"abnllihdbjplkgkdpkebpdfihejcgiaodb"=hex:61,62,6c,65,69,61,66,69,69,68,6d,65,
63,6d,6c,6e,63,67,63,66,6d,6a,6b,63,64,6d,67,61,68,66,62,70,65,61,00,00
"bbnllihdbjplkgkdpkfbdachibjdfkjonkac"=hex:61,62,67,67,63,64,64,61,65,69,68,62,
66,6d,63,70,63,64,65,68,6d,67,6e,6c,65,67,6a,6e,70,67,6e,6d,6f,63,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(940)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(1256)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-07-22 11:31:25
ComboFix-quarantined-files.txt 2010-07-22 17:31
ComboFix2.txt 2010-07-22 03:18
ComboFix3.txt 2010-07-21 18:16

Pre-Run: 86,833,201,152 bytes free
Post-Run: 86,827,597,824 bytes free

- - End Of File - - 4511D803537CEF0BDAC0C6E7C111DB5A

ken545
2010-07-23, 00:10
Looking so much better, still need to know about this file

You need to enable windows to show all files and folders, instructions Here (http://www.bleepingcomputer.com/tutorials/tutorial62.html)

Go to VirusTotal (http://www.virustotal.com/) and submit this file for analysis: just use the browse feature and then Send File. You will get a report back; post the report into this thread for me to see. If the site says this file has been checked before, have them check it again.


C:\6bg39okp.exe <--This file

If the site is busy you can try this one

http://virusscan.jotti.org/en


How are things running now ?????

dinosaur58
2010-07-23, 05:48
Running pretty good. Up until the Fcopy run I had been getting slow responses on the browser and WinExplorer, but that's all good now. No pop-ups, although I haven't been surfing/googling much. No rogue services/problems with antivirus hanging the system. Note that the '6bg39okp.exe' file shows a Gmer mini icon in WinExplorer. Here's the log. D58
WWWWWWWWWWWWWWWWWW
Antivirus Version Last Update Result
AhnLab-V3 2010.07.23.00 2010.07.23 -
AntiVir 8.2.4.26 2010.07.22 -
Antiy-AVL 2.0.3.7 2010.07.22 -
Authentium 5.2.0.5 2010.07.21 -
Avast 4.8.1351.0 2010.07.22 -
Avast5 5.0.332.0 2010.07.22 -
AVG 9.0.0.851 2010.07.23 -
BitDefender 7.2 2010.07.23 -
CAT-QuickHeal 11.00 2010.07.22 -
ClamAV 0.96.0.3-git 2010.07.23 -
Comodo 5512 2010.07.23 -
DrWeb 5.0.2.03300 2010.07.23 -
Emsisoft 5.0.0.34 2010.07.23 -
eSafe 7.0.17.0 2010.07.22 Win32.TrojanHorse
eTrust-Vet 36.1.7729 2010.07.22 -
F-Prot 4.6.1.107 2010.07.23 -
F-Secure 9.0.15370.0 2010.07.23 -
Fortinet 4.1.143.0 2010.07.22 -
GData 21 2010.07.23 -
Ikarus T3.1.1.84.0 2010.07.23 -
Jiangmin 13.0.900 2010.07.22 -
Kaspersky 7.0.0.125 2010.07.23 -
McAfee 5.400.0.1158 2010.07.23 -
McAfee-GW-Edition 2010.1 2010.07.22 -
Microsoft 1.6004 2010.07.23 -
NOD32 5303 2010.07.22 -
Norman 6.05.11 2010.07.22 -
nProtect 2010-07-23.01 2010.07.23 -
Panda 10.0.2.7 2010.07.23 -
PCTools 7.0.3.5 2010.07.23 -
Prevx 3.0 2010.07.23 -
Rising 22.57.03.04 2010.07.22 -
Sophos 4.55.0 2010.07.22 -
Sunbelt 6624 2010.07.23 -
SUPERAntiSpyware 4.40.0.1006 2010.07.23 -
Symantec 20101.1.1.7 2010.07.23 -
TheHacker 6.5.2.1.322 2010.07.20 -
TrendMicro 9.120.0.1004 2010.07.22 -
TrendMicro-HouseCall 9.120.0.1004 2010.07.23 -
VBA32 3.12.12.6 2010.07.22 -
ViRobot 2010.6.21.3896 2010.07.22 -
VirusBuster 5.0.27.0 2010.07.22 -
Additional information
File size: 293376 bytes
MD5...: f80f6e09e7f4bafe478ca0da6137e1e2
SHA1..: 719082766cf4f60c8bdaa2b2c9f6967ecbcf8722
SHA256: 682fd0d13d7caf4b17a1eb9bafa0a3c3598139bb3623d3f5fba3bfbd0a6d424a
ssdeep: 6144:Uwbg2xeuJgWM/S1tm/xCIoQPJVZCzw5bEPb3cV9iYpTkyTFHS2:Uw82IZWM61tUXRd9IPb3cVZkyp/
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0xb3f40
timedatestamp.....: 0x4b2763f0 (Tue Dec 15 10:24:48 2009)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x6d000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0x6e000 0x47000 0x46200 7.93 7b777c30b7f75e5eb654691bb1616dcb
.rsrc 0xb5000 0x2000 0x1400 3.38 710fb4291f153e98a3a03f3473b8bfd6

( 1 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, ExitProcess

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: UPX compressed Win32 Executable (39.5%)
Win32 EXE Yoda's Crypter (34.3%)
Win32 Executable Generic (11.0%)
Win32 Dynamic Link Library (generic) (9.8%)
Generic Win/DOS Executable (2.5%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: 1, 0, 15, 15281
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
packers (Kaspersky): PE_Patch.UPX, UPX, PE_Patch
packers (F-Prot): UPX
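
The report above carries the classic packer signals a defender looks for before trusting a file: UPX0/UPX1 section names, a section with no raw data (UPX0) beside one at 7.93 bits of entropy (UPX1), and an import table that only needs LoadLibraryA and GetProcAddress to resolve everything else at run time. The following is an added example (not the forum's or any tool's own code) that parses a PE section table with the standard library and reports those indicators; the `build_sample_pe` image is constructed to mirror the report's layout, the import list is the one the report shows, and the 7.0 entropy threshold and function names are my own choices.

```python
"""Packer triage heuristics for a PE file, mirroring the signals in the VirusTotal
report above (UPX0/UPX1 sections, a near-8.0 entropy section, a zero-size raw
section and a four-function import table). Added example, not the forum's or
any tool's own code; the sample PE below is constructed, not the real file."""
import math
import struct


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 for empty data; packed or encrypted data sits near 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table (stdlib only)."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_of_optional          # section table follows the optional header
    sections = []
    for i in range(num_sections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, table + i * 40)
        raw = pe[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virt_size": vsize, "raw_size": rawsize,
            "entropy": round(shannon_entropy(raw), 2),
        })
    return sections


def packer_indicators(sections: list, imports: list) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    names = {s["name"] for s in sections}
    if {"UPX0", "UPX1"} <= names:
        findings.append("UPX section names present")
    for s in sections:
        if s["raw_size"] == 0 and s["virt_size"] > 0:
            findings.append(f"{s['name']}: no raw data, filled at run time")
        if s["entropy"] >= 7.0:                     # assumed threshold for packed/encrypted data
            findings.append(f"{s['name']}: entropy {s['entropy']} (packed or encrypted)")
    # A stub that only needs LoadLibraryA/GetProcAddress resolves every other API itself.
    if len(imports) <= 6 and {"LoadLibraryA", "GetProcAddress"} <= set(imports):
        findings.append("minimal import table: LoadLibraryA/GetProcAddress stub")
    return findings


def build_sample_pe() -> bytes:
    """Constructed minimal image with the report's section layout (no optional header)."""
    upx1 = bytes((i * 97 + 13) % 256 for i in range(4096))   # uniform bytes, entropy 8.0
    rsrc = b"VS_VERSION_INFO\0" * 64                          # low-entropy resource text
    sec_table = 0x40 + 4 + 20                                # DOS hdr, "PE\0\0", COFF hdr
    data_start = sec_table + 3 * 40
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)       # e_lfanew at offset 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0x4B2763F0, 0, 0, 0, 0x0102)

    def hdr(name, vsize, vaddr, rawsize, rawptr):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, 0)

    table = (hdr(b"UPX0", 0x6D000, 0x1000, 0, 0)
             + hdr(b"UPX1", 0x47000, 0x6E000, len(upx1), data_start)
             + hdr(b".rsrc", 0x2000, 0xB5000, len(rsrc), data_start + len(upx1)))
    return dos + b"PE\0\0" + coff + table + upx1 + rsrc


# Import names as listed in the report's "( 1 imports )" block.
SAMPLE_IMPORTS = ["LoadLibraryA", "GetProcAddress", "VirtualProtect", "ExitProcess"]


def triage_sample() -> list:
    return packer_indicators(parse_sections(build_sample_pe()), SAMPLE_IMPORTS)


if __name__ == "__main__":
    for line in triage_sample():
        print(line)
```

Packing alone is not proof of malice (many legitimate installers are UPX-packed), but an unsigned, UPX-packed binary with a random name in the root of C: and no product metadata is exactly the profile worth isolating and scanning, as was done here.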

ken545
2010-07-23, 05:52
Let's just take a closer look at this one.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)

Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:


:file
C:\6bg39okp.exe


Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

dinosaur58
2010-07-23, 06:45
SystemLook ran fast this time. Here's the log. Off to work again, back in ~9 hrs. D58
WWWWWWWWWW
SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 21:42 on 22/07/2010 by Administrator (Administrator - Elevation successful)

========== file ==========

C:\6bg39okp.exe - File found and opened.
MD5: F80F6E09E7F4BAFE478CA0DA6137E1E2
Created at 11:36 on 07/07/2010
Modified at 11:36 on 07/07/2010
Size: 293376 bytes
Attributes: --a---
FileVersion: 1, 0, 15, 15281

-=End Of File=-

ken545
2010-07-23, 15:14
What you can do is just delete the file manually, leave it in your recycle bin for about a week and if no programs scream for it then delete it from the RC.



If everything is ok then I will close this thread.

dinosaur58
2010-07-23, 17:36
File deleted. Have tried to reproduce various problems, but so far so good. Go ahead and close it, and once again - Thanks for all your help. D58

ken545
2010-07-23, 17:48
You're very welcome,

Take care,
Ken

ken545
2010-07-30, 03:08
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.