Badly Infected Computer (unauthorized access on Paypal account! Help!)
My computer seems to be very infected, and I need help badly. It is an old computer (2004) but it has a 100 GB hard drive and 1024 RAM, so while I wouldn't expect it to be very fast, it still should have some life left in it. I shall do my best to describe its symptoms and tell you everything I think you should know.
Lately it has been running very slowly in general, and especially when I am on the internet. Recently, I had an experience where I tried to get on the internet and it would give me some kind of message telling me I can't do that. I cannot remember the exact text. A few minutes later, I got a blue screen.
I turned my computer off and turned it back on and chose "Safe Mode with Networking" so I could still access the internet. That was a little faster.
Later, I got e-mails about Paypal purchases made with my Paypal account that I had never made. I called Paypal and I will not be held liable for those purchases. Still, this is very scary. I want to change passwords to everything, but before I do that I want to make sure that my computer is completely safe so the evildoers won't just get my passwords again.
About two days ago I ran a bunch of anti-spyware/malware/virus programs, and found a ton of infected files. I deleted and/or quarantined all of them, which seemed to help for a while, and I thought maybe I was all clear. But now it's back to being as slow as before, so I must be re-infected. Nevertheless, I may have removed some signs of infection, so I wanted you to be aware.
I am pretty much using my computer exclusively in safe mode (with networking) now.
I would love to be able to keep my peer-to-peer software if possible; please just teach me how to use it safely. But if I must get rid of it, so be it; I will get rid of it. I have BitTorrent. I also have WinRAR, don't know if that matters.
In my downloads folder, there are now a bunch of files that end in "-crack.exe". The names begin with the names of programs/files on my computer, such as "Microsoft Office-crack.exe" and "Tall Emu-crack.exe" and "Jasc Software Inc-crack.exe". I do not know what these mean or if they are dangerous.
I backed up my registry with ERUNT.
Here are my DDS logs. The first one is DDS.txt, the second one is Attach.txt. I am copying and pasting them both per the instructions here (http://forums.spybot.info/showpost.php?p=1150&postcount=2).
DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
Run by Rebel at 1:20:56.73 on Wed 08/04/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1552 [GMT -4:00]
AV: Bitdefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Online Armor Firewall *enabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
FW: Bitdefender Firewall *enabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Rebel\Desktop\dds.scr
============== Pseudo HJT Report ===============
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\desktop\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BidSlayer]
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [Google Update] "c:\documents and settings\rebel\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Windows Java Runtime] "c:\documents and settings\rebel\java.jar"
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\desktop\spybot~1\SDHelper.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1185296588953
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: kvxqmtre - {900BE20B-A3F7-487D-B309-2902E1D0D4E4} - No File
SSODL: evgratsm - {79A0198B-B5BA-4849-9512-ED70AACACD58} - No File
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - No File
LSA: Authentication Packages = msv1_0 c:\windows\system32\nnnNDUKB
mASetup: {D0BEBE8C-F1C4-BF41-7FA8-EECECBFECCF6} - c:\documents and settings\rebel\application data\svchost.exe
uASetup: {D0BEBE8C-F1C4-BF41-7FA8-EECECBFECCF6} - c:\documents and settings\rebel\application data\svchost.exe
Hosts: 127.0.0.1 www.virustotal.com
Hosts: 127.0.0.1 www.bitdefender.com
Hosts: 127.0.0.1 www.virustotal.com
Hosts: 127.0.0.1 www.bitdefender.com
Hosts: 127.0.0.1 www.virustotal.com
Note: multiple HOSTS entries found. Please refer to Attach.txt
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\rebel\applic~1\mozilla\firefox\profiles\3idjaz6o.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - plugin: c:\documents and settings\rebel\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
============= SERVICES / DRIVERS ===============
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2009-3-8 30920]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2009-3-8 28872]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-7-29 165456]
S1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2009-3-8 178376]
S2 a2free;a-squared Free Service;c:\desktop\a-squared free\a2service.exe [2009-3-8 1872320]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-7-29 17744]
S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-29 40384]
S2 OAcat;Online Armor Helper Service;c:\program files\tall emu\online armor\oacat.exe [2009-3-8 1402568]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-29 40384]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-29 40384]
S3 PTUMWBus;PANTECH USB Modem V2 Composite Device Driver;c:\windows\system32\drivers\ptumwbus.sys --> c:\windows\system32\drivers\PTUMWBus.sys [?]
S3 PTUMWCDF;PANTECH USB Modem V2 Installation CD;c:\windows\system32\drivers\ptumwcdf.sys --> c:\windows\system32\drivers\PTUMWCDF.sys [?]
S3 PTUMWFLT;PTUMWNET Filter Driver;c:\windows\system32\drivers\ptumwflt.sys --> c:\windows\system32\drivers\PTUMWFLT.sys [?]
S3 PTUMWMdm;PANTECH USB Modem V2 Modem Driver;c:\windows\system32\drivers\ptumwmdm.sys --> c:\windows\system32\drivers\PTUMWMdm.sys [?]
S3 PTUMWNET;PANTECH USB Modem V2 WWAN Driver;c:\windows\system32\drivers\ptumwnet.sys --> c:\windows\system32\drivers\PTUMWNET.sys [?]
S3 PTUMWVsp;PANTECH USB Modem V2 Diagnostic Port;c:\windows\system32\drivers\ptumwvsp.sys --> c:\windows\system32\drivers\PTUMWVsp.sys [?]
S3 rt2870;Linksys 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2007-7-28 517632]
S3 SvcOnlineArmor;Online Armor;c:\program files\tall emu\online armor\oasrv.exe [2009-3-8 3321032]
=============== Created Last 30 ================
2010-07-30 00:52:30 38848 ----a-w- c:\windows\avastSS.scr
2010-07-30 00:51:50 137 ----a-w- c:\windows\system32\launch.vbs
2010-07-29 22:58:19 60 ---ha-w- C:\autorun.inf
2010-07-29 22:13:25 0 d-----w- c:\program files\Trend Micro
2010-07-29 22:09:51 0 d-----w- c:\windows\pss
2010-07-29 20:04:35 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Alwil Software
2010-07-23 03:34:51 18160 ---ha-w- c:\documents and settings\rebel\java.jar
2010-07-22 21:59:23 180224 ---h--w- C:\ntldr.exe
2010-07-21 19:28:16 123041 ----a-w- C:\RunFirst.exe
2010-07-21 19:28:14 0 ----a-w- c:\windows\system32\s4c.vbs
2010-07-21 19:28:13 480 ----a-w- c:\windows\system32\net.vbs
2010-07-21 19:28:13 1034 ----a-w- c:\windows\system32\net.bat
2010-07-10 01:18:50 32133 ----a-w- c:\docume~1\rebel\applic~1\SQLite3.dll
2010-07-10 01:18:48 0 d-----w- c:\windows\sysid
==================== Find3M ====================
2010-06-28 01:54:03 157142 ----a-w- c:\windows\hphins25.dat
2010-06-26 17:46:46 148736 ----a-w- c:\docume~1\alluse~1.win\applic~1\hpe2E3.dll
2010-06-02 20:31:04 45024 ---ha-w- c:\windows\system32\mlfcache.dat
============= FINISH: 1:22:01.85 ===============
And now for Attach.txt:
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_10-03-17.01)
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 7/23/2007 7:02:13 PM
System Uptime: 8/3/2010 11:13:41 PM (2 hours ago)
Motherboard: Dell Inc. | |
Processor: Intel(R) Pentium(R) 4 CPU 3.20GHz | Microprocessor | 3192/200mhz
Processor: Intel(R) Pentium(R) 4 CPU 3.20GHz | Microprocessor | 3192/200mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 93 GiB total, 70.905 GiB free.
D: is CDROM (CDFS)
==== Disabled Device Manager Items =============
==== System Restore Points ===================
RP714: 4/24/2010 9:17:54 AM - System Checkpoint
RP715: 4/25/2010 9:31:25 AM - System Checkpoint
RP716: 4/26/2010 1:00:15 PM - System Checkpoint
RP717: 4/27/2010 1:34:05 PM - System Checkpoint
RP718: 4/28/2010 2:06:57 PM - System Checkpoint
RP719: 4/29/2010 3:42:21 PM - System Checkpoint
RP720: 4/30/2010 3:51:05 PM - System Checkpoint
RP721: 5/1/2010 3:55:43 PM - System Checkpoint
RP722: 5/2/2010 4:00:18 PM - System Checkpoint
RP723: 5/4/2010 12:46:07 PM - System Checkpoint
RP724: 5/5/2010 1:51:17 PM - System Checkpoint
RP725: 5/6/2010 1:52:44 PM - System Checkpoint
RP726: 5/7/2010 2:10:41 PM - System Checkpoint
RP727: 5/8/2010 3:06:58 PM - System Checkpoint
RP728: 5/10/2010 9:38:51 AM - System Checkpoint
RP729: 5/11/2010 10:12:30 AM - System Checkpoint
RP730: 5/12/2010 12:39:17 PM - System Checkpoint
RP731: 5/13/2010 10:09:18 PM - System Checkpoint
RP732: 5/14/2010 11:19:27 PM - System Checkpoint
RP733: 5/16/2010 11:21:23 AM - System Checkpoint
RP734: 5/17/2010 3:33:07 PM - System Checkpoint
RP735: 5/18/2010 3:58:03 PM - System Checkpoint
RP736: 5/20/2010 2:39:50 PM - System Checkpoint
RP737: 5/21/2010 3:05:36 PM - System Checkpoint
RP738: 5/23/2010 12:13:18 PM - System Checkpoint
RP739: 5/24/2010 4:07:34 PM - System Checkpoint
RP740: 5/26/2010 12:04:30 AM - System Checkpoint
RP741: 5/27/2010 1:58:57 AM - System Checkpoint
RP742: 5/28/2010 8:12:21 AM - System Checkpoint
RP743: 5/29/2010 9:20:01 AM - System Checkpoint
RP744: 5/30/2010 10:25:39 AM - System Checkpoint
RP745: 5/31/2010 11:14:08 AM - System Checkpoint
RP746: 6/1/2010 11:33:40 AM - System Checkpoint
RP747: 6/2/2010 5:38:41 PM - System Checkpoint
RP748: 6/4/2010 10:27:21 AM - System Checkpoint
RP749: 6/5/2010 10:31:05 AM - System Checkpoint
RP750: 6/6/2010 11:09:51 AM - System Checkpoint
RP751: 6/7/2010 12:00:23 PM - System Checkpoint
RP752: 6/8/2010 2:52:40 PM - System Checkpoint
RP753: 6/9/2010 2:56:00 PM - System Checkpoint
RP754: 6/10/2010 3:11:41 PM - System Checkpoint
RP755: 6/11/2010 3:35:52 PM - System Checkpoint
RP756: 6/12/2010 3:51:42 PM - System Checkpoint
RP757: 6/13/2010 6:05:24 PM - System Checkpoint
RP758: 6/14/2010 6:11:00 PM - System Checkpoint
RP759: 6/16/2010 12:58:42 AM - System Checkpoint
RP760: 6/17/2010 11:18:36 AM - System Checkpoint
RP761: 6/18/2010 4:05:17 PM - System Checkpoint
RP762: 6/21/2010 5:35:22 PM - System Checkpoint
RP763: 6/22/2010 9:59:08 PM - System Checkpoint
RP764: 6/24/2010 11:11:40 AM - System Checkpoint
RP765: 6/26/2010 12:13:31 AM - System Checkpoint
RP766: 6/26/2010 1:46:30 PM - Installed Cricket Broadband Connect
RP767: 6/27/2010 10:30:53 PM - System Checkpoint
RP768: 6/29/2010 10:40:24 PM - System Checkpoint
RP769: 7/1/2010 8:35:18 PM - System Checkpoint
RP770: 7/2/2010 8:43:35 PM - System Checkpoint
RP771: 7/4/2010 12:24:34 PM - System Checkpoint
RP772: 7/5/2010 12:27:40 PM - System Checkpoint
RP773: 7/6/2010 2:59:08 PM - System Checkpoint
RP774: 7/7/2010 3:43:35 PM - System Checkpoint
RP775: 7/8/2010 6:22:43 PM - System Checkpoint
RP776: 7/9/2010 10:57:18 PM - System Checkpoint
RP777: 7/11/2010 9:25:51 AM - System Checkpoint
RP778: 7/12/2010 9:41:59 AM - System Checkpoint
RP779: 7/13/2010 9:51:30 AM - System Checkpoint
RP780: 7/14/2010 3:39:42 PM - System Checkpoint
RP781: 7/15/2010 6:36:37 PM - System Checkpoint
RP782: 7/17/2010 10:49:40 AM - System Checkpoint
RP783: 7/18/2010 1:44:40 PM - System Checkpoint
RP784: 7/20/2010 11:56:32 AM - System Checkpoint
RP785: 7/21/2010 4:58:27 PM - System Checkpoint
RP786: 7/22/2010 7:05:58 PM - System Checkpoint
==== Hosts File Hijack ======================
Hosts: 127.0.0.1 www.virustotal.com
Hosts: 127.0.0.1 www.bitdefender.com
Hosts: 127.0.0.1 www.virustotal.com
Hosts: 127.0.0.1 www.bitdefender.com
Hosts: 127.0.0.1 www.virustotal.com
Hosts: 127.0.0.1 www.bitdefender.com
Hosts: 127.0.0.1 www.virustotal.com
Hosts: 127.0.0.1 www.bitdefender.com
Hosts: 127.0.0.1 www.virustotal.com
Hosts: 127.0.0.1 www.bitdefender.com
Hosts: 127.0.0.1 www.virustotal.com
Hosts: 127.0.0.1 www.bitdefender.com
Hosts: 127.0.0.1 www.virustotal.com
Hosts: 127.0.0.1 www.bitdefender.com
Hosts: 127.0.0.1 www.virustotal.com
Hosts: 127.0.0.1 www.bitdefender.com
Hosts: 127.0.0.1 www.virustotal.com
Hosts: 127.0.0.1 www.bitdefender.com
Hosts: 127.0.0.1 www.virustotal.com
Hosts: 127.0.0.1 www.bitdefender.com
Hosts: 127.0.0.1 www.virustotal.com
Hosts: 127.0.0.1 www.bitdefender.com
Hosts: 127.0.0.1 www.virustotal.com
Hosts: 127.0.0.1 www.bitdefender.com
Hosts: 127.0.0.1 www.virustotal.com
Hosts: 127.0.0.1 www.bitdefender.com
Hosts: 127.0.0.1 www.virustotal.com
Hosts: 127.0.0.1 www.bitdefender.com
Hosts: 127.0.0.1 www.virustotal.com
Hosts: 127.0.0.1 www.bitdefender.com
Hosts: 127.0.0.1 www.virustotal.com
Hosts: 127.0.0.1 www.bitdefender.com
Hosts: 127.0.0.1 www.virustotal.com
Hosts: 127.0.0.1 www.bitdefender.com
Hosts: 127.0.0.1 www.virustotal.com
Hosts: 127.0.0.1 www.bitdefender.com
Hosts: 127.0.0.1 www.virustotal.com
Hosts: 127.0.0.1 www.bitdefender.com
Hosts: 127.0.0.1 www.virustotal.com
Hosts: 127.0.0.1 www.bitdefender.com
Hosts: 127.0.0.1 www.virustotal.com
Hosts: 127.0.0.1 www.bitdefender.com
Hosts: 127.0.0.1 www.virustotal.com
Hosts: 127.0.0.1 www.bitdefender.com
Hosts: 127.0.0.1 www.virustotal.com
Hosts: 127.0.0.1 www.bitdefender.com
Hosts: 127.0.0.1 www.virustotal.com
Hosts: 127.0.0.1 www.bitdefender.com
Hosts: 127.0.0.1 www.virustotal.com
Hosts: 127.0.0.1 www.bitdefender.com
Hosts: 127.0.0.1 www.virustotal.com
Hosts: 127.0.0.1 www.bitdefender.com
==== Installed Programs ======================
32 Bit HP CIO Components Installer
a-squared Free 4.0
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.3.2
Adobe Shockwave Player 11.5
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
Audacity 1.2.6
Avanquest update
avast! Free Antivirus
BCM V.92 56K Modem
Before You Know It 3.6
BitTorrent
Broadcom 440x 10/100 Integrated Controller
BufferChm
Compatibility Pack for the 2007 Office system
Cricket Broadband Connect
D2500
D2500_Help
Dell ResourceCD
DeviceDiscovery
DeviceManagementQFolder
DJ_SF_03_D2500_ProductContext
DJ_SF_03_D2500_Software
DJ_SF_03_D2500_Software_Min
DNA
ERUNT 1.1j
eSupportQFolder
Google Chrome
GPBaseService
HijackThis 2.0.2
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB952287)
HP Deskjet D2500 Printer Driver Software 10.0 Rel .3
HP Imaging Device Functions 10.0
HP Smart Web Printing
HP Solution Center 10.0
HP Update
HPProductAssistant
Jasc Animation Shop 3
Jasc Paint Shop Pro 8 Dell Edition
Java(TM) 6 Update 17
Java(TM) 6 Update 2
Java(TM) 6 Update 5
Linksys WUSB100 RangePlus Wireless USB Adapter
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mobile PhoneTools
Mozilla Firefox (3.6.8)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6 Service Pack 2 (KB954459)
Online Armor 3.0
PANTECH USB Modem V2
PowerDVD
Project64 1.6
QuickTime
Roxio DLA
Roxio RecordNow Audio
Roxio RecordNow Copy
Roxio RecordNow Data
Security Update for CAPICOM (KB931906)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB960715)
SmartWebPrintingOC
SolutionCenter
Spelling Dictionaries Support For Adobe Reader 9
Spybot - Search & Destroy
Status
Toolbox
TrayApp
UnloadSupport
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VideoLAN VLC media player 0.8.6f
WebFldrs XP
WebReg
Windows Communication Foundation
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Presentation Foundation
Windows Workflow Foundation
Windows XP Hotfix - KB839210
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885855
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR
XML Paper Specification Shared Components Pack 1.0
Yahoo! Software Update
Yahoo! Toolbar
==== Event Viewer Messages From Past Week ========
8/2/2010 11:19:40 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 AFD aswSP aswTdi Fips intelppm IPSec MRxSmb NetBIOS NetBT OADevice OAmon OAnet OMCI RasAcd Rdbss Tcpip tcpipBM
8/2/2010 11:19:40 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
8/2/2010 11:19:40 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/2/2010 11:19:40 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/2/2010 11:19:40 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
8/2/2010 11:18:37 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
7/29/2010 6:58:13 PM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Alwil Software\Avast5\AvastUI.exe. Reference error message: The operation completed successfully. .
7/29/2010 6:56:38 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
7/29/2010 6:29:12 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
7/29/2010 6:23:55 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 aswSP aswTdi Fips intelppm OADevice OMCI
7/29/2010 6:07:05 PM, error: System Error [1003] - Error code 000000f4, parameter1 00000003, parameter2 892963b0, parameter3 89296524, parameter4 80605688.
7/29/2010 6:06:59 PM, error: System Error [1003] - Error code 1000007e, parameter1 c0000005, parameter2 b1377646, parameter3 f78bebd8, parameter4 f78be8d4.
7/29/2010 6:06:20 PM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC90.MFC. Reference error message: The referenced assembly is not installed on your system. .
7/29/2010 6:06:20 PM, error: SideBySide [59] - Generate Activation Context failed for C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe. Reference error message: The operation completed successfully. .
7/29/2010 6:06:20 PM, error: SideBySide [32] - Dependent Assembly Microsoft.VC90.MFC could not be found and Last Error was The referenced assembly is not installed on your system.
7/29/2010 6:06:09 PM, error: Service Control Manager [7022] - The HP CUE DeviceDiscovery Service service hung on starting.
7/29/2010 6:04:46 PM, error: Service Control Manager [7022] - The Online Armor service hung on starting.
7/29/2010 5:35:58 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
7/29/2010 5:33:06 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
7/29/2010 5:28:52 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 aswSP aswTdi Fips IntelIde intelppm OADevice ohci1394 OMCI
7/29/2010 5:27:24 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
7/29/2010 3:12:32 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm OADevice OMCI
==== End Of File ===========================
Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.
In my downloads folder, there are now a bunch of files that end in "-crack.exe". The names begin with the names of programs/files on my computer, such as "Microsoft Office-crack.exe" and "Tall Emu-crack.exe" and "Jasc Software Inc-crack.exe". I do not know what these mean or if they are dangerous.
These are illegal cracked copies of these programs; they were downloaded and installed by either you or someone you authorized to use your computer. Please read BEFORE YOU POST and you will see we can't help you unless these programs are uninstalled.
You need to remove your Peer to Peer also; between downloading illegal software and using P2P it's a wonder you're infected.
If you don't agree to remove them all then this thread will be closed; if you do agree then remove them and run this scan:
Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.
Double click on the icon to run it. Make sure all other windows are closed to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Under the Standard Registry box change it to All.
Check the boxes beside LOP Check and Purity Check.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
Ken, thank you for replying.
I'm willing to remove my peer-to-peer software and anything I've downloaded illegally (mostly movies). But the problem is, most of the stuff in that folder that ends in "-crack.exe" is stuff that I purchased legally and have every right to use. For example, Microsoft Office and Jasc Software Inc., I bought those fair and square; I had them bundled with my computer when I first bought it. Am I going to have to remove those even though I have a right to use them?
Will wait for your reply before I run OTL.
Sorry, meant to put this as well but I can't seem to figure out how to edit my post.
I wanted to add that it's either stuff I purchased legally or stuff that I downloaded as freeware.
Hi,
Run this scan please
Download CKScanner from here: http://downloads.malwareremoval.com/CKScanner.exe
Important - Save it to your desktop.
Double-click CKScanner.exe and click Search For Files.
After a very short time, when the cursor hourglass disappears, click Save List To File.
A message box will verify the file saved.
Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.
Thanks Ken. Here are the results from that scan:
CKScanner - Additional Security Risks - These are not necessarily bad
c:\documents and settings\rebel\my documents\downloads\adobe-crack.exe
c:\documents and settings\rebel\my documents\downloads\alwil software-crack.exe
c:\documents and settings\rebel\my documents\downloads\ati technologies-crack.exe
c:\documents and settings\rebel\my documents\downloads\audacity-crack.exe
c:\documents and settings\rebel\my documents\downloads\audible-crack.exe
c:\documents and settings\rebel\my documents\downloads\avanquest update-crack.exe
c:\documents and settings\rebel\my documents\downloads\bittorrent-crack.exe
c:\documents and settings\rebel\my documents\downloads\broadcom-crack.exe
c:\documents and settings\rebel\my documents\downloads\common files-crack.exe
c:\documents and settings\rebel\my documents\downloads\complus applications-crack.exe
c:\documents and settings\rebel\my documents\downloads\cricket broadband connect-crack.exe
c:\documents and settings\rebel\my documents\downloads\cyberlink-crack.exe
c:\documents and settings\rebel\my documents\downloads\dell computer-crack.exe
c:\documents and settings\rebel\my documents\downloads\dell-crack.exe
c:\documents and settings\rebel\my documents\downloads\divx-crack.exe
c:\documents and settings\rebel\my documents\downloads\dna-crack.exe
c:\documents and settings\rebel\my documents\downloads\hp-crack.exe
c:\documents and settings\rebel\my documents\downloads\installshield installation information-crack.exe
c:\documents and settings\rebel\my documents\downloads\intel-crack.exe
c:\documents and settings\rebel\my documents\downloads\internet explorer-crack.exe
c:\documents and settings\rebel\my documents\downloads\jasc software inc-crack.exe
c:\documents and settings\rebel\my documents\downloads\java-crack.exe
c:\documents and settings\rebel\my documents\downloads\microsoft activesync-crack.exe
c:\documents and settings\rebel\my documents\downloads\microsoft capicom 2.1.0.2-crack.exe
c:\documents and settings\rebel\my documents\downloads\microsoft frontpage-crack.exe
c:\documents and settings\rebel\my documents\downloads\microsoft office-crack.exe
c:\documents and settings\rebel\my documents\downloads\microsoft silverlight-crack.exe
c:\documents and settings\rebel\my documents\downloads\minefield-crack.exe
c:\documents and settings\rebel\my documents\downloads\movie maker-crack.exe
c:\documents and settings\rebel\my documents\downloads\mozilla firefox-crack.exe
c:\documents and settings\rebel\my documents\downloads\msbuild-crack.exe
c:\documents and settings\rebel\my documents\downloads\msecache-crack.exe
c:\documents and settings\rebel\my documents\downloads\msn gaming zone-crack.exe
c:\documents and settings\rebel\my documents\downloads\msxml 6.0-crack.exe
c:\documents and settings\rebel\my documents\downloads\netmeeting-crack.exe
c:\documents and settings\rebel\my documents\downloads\online services-crack.exe
c:\documents and settings\rebel\my documents\downloads\outlook express-crack.exe
c:\documents and settings\rebel\my documents\downloads\pantech-crack.exe
c:\documents and settings\rebel\my documents\downloads\quicktime-crack.exe
c:\documents and settings\rebel\my documents\downloads\reference assemblies-crack.exe
c:\documents and settings\rebel\my documents\downloads\roxio-crack.exe
c:\documents and settings\rebel\my documents\downloads\tall emu-crack.exe
c:\documents and settings\rebel\my documents\downloads\uninstall information-crack.exe
c:\documents and settings\rebel\my documents\downloads\videolan-crack.exe
c:\documents and settings\rebel\my documents\downloads\windows media player-crack.exe
c:\documents and settings\rebel\my documents\downloads\windows nt-crack.exe
c:\documents and settings\rebel\my documents\downloads\windowsupdate-crack.exe
c:\documents and settings\rebel\my documents\downloads\winrar-crack.exe
c:\documents and settings\rebel\my documents\downloads\xerox-crack.exe
c:\documents and settings\rebel\my documents\downloads\yahoo!-crack.exe
c:\program files\jasc software inc\paint shop pro 8\bump maps\cracked desert.pspimage
c:\program files\jasc software inc\paint shop pro 8\patterns\cracked paint.pspimage
c:\program files\jasc software inc\paint shop pro 8\picture frames\black crackle.pspframe
scanner sequence 3.ZZ.11
----- EOF -----
As far as I know, none of these were illegal downloads on my part. Everything was either purchased or downloaded for free.
Where did you purchase this computer?
Wondering if malware renamed those files.
Please download Malwarebytes from Here (http://www.malwarebytes.org/mbam-download.php) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)
Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
http://i24.photobucket.com/albums/c30/ken545/MBAMCapture.jpg
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report please
I already had Malwarebytes on my computer, but I updated it before doing this latest scan.
Here are the results:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4413
Windows 5.1.2600 Service Pack 2 (Safe Mode)
Internet Explorer 6.0.2900.2180
8/10/2010 12:27:41 PM
mbam-log-2010-08-10 (12-27-41).txt
Scan type: Quick scan
Objects scanned: 141173
Time elapsed: 9 minute(s), 33 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\evgratsm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\kvxqmtre (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\launch.vbs (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\logg.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rebel\Local Settings\Temp\erase_me457652.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rebel\Local Settings\Temp\erase_me493391.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rebel\Local Settings\Temp\erase_me539874.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rebel\Local Settings\Temp\erase_me619684.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rebel\Local Settings\Temp\erase_me794827.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rebel\Local Settings\Temp\erase_me905652.exe (Trojan.Agent) -> Quarantined and deleted successfully.
Hi,
Let's do this.
Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
Your system may start up slower after running ATF Cleaner; this is expected but will be back to normal after the first or second boot up.
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized password and other personal information as removing cookies will temporarily disable the auto-login facility.
Download ComboFix from one of these locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.
Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
http://img.photobucket.com/albums/v706/ried7/RC1.png
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v706/ried7/RC2-1.png
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.
*If there is no internet connection when ComboFix has completely finished, then restart your computer to restore the connections.
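ComboFix's report includes a "Reg Loading Points" section listing Run keys, Active Setup components, services and the firewall policy, which is where an analyst looks first for persistence. As an added example, not part of this thread and not ComboFix's own code, here is a Python triage pass over a hand-constructed sample in that layout; the heuristics it applies (autostart target inside a user profile, a non-.exe target, a Windows system binary name outside the Windows directory, firewall disabled) are the example's own assumptions, not rules stated on the page.

```python
import re

# Constructed sample in the layout of ComboFix's "Reg Loading Points" section.
# The entries are typed by hand for this example and mirror the kinds of lines
# (Run keys, an Active Setup component, the firewall policy) found in such a log.
SAMPLE_REG_LOADING_POINTS = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Rebel\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-31 136176]
"Windows Java Runtime"="c:\documents and settings\Rebel\java.jar" [2010-07-23 18160]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]
[HKEY_CURRENT_USER\software\microsoft\active setup\installed components\{D0BEBE8C-F1C4-BF41-7FA8-EECECBFECCF6}]
c:\documents and settings\Rebel\Application Data\svchost.exe [BU]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*"?(?P<data>.*?)"?\s*$')
ANNOTATION_RE = re.compile(r"\s*\[[^\]]*\]\s*$")      # trailing "[date size]" or "[BU]"
USER_PROFILE_RE = re.compile(r"^c:\\documents and settings\\[^\\]+\\")
WINDOWS_DIR = "c:\\windows\\"
# Names of core Windows binaries; a file with one of these names living outside
# the Windows directory is a classic masquerade (assumed list for the example).
MASQUERADE_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                    "services.exe", "smss.exe", "explorer.exe"}


def parse_loading_points(text):
    """Yield (key, value_name, target); value_name is None for bare path lines."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:                       # "[HKEY_...]" header: remember it for the values below
            key = m.group("key")
            continue
        line = ANNOTATION_RE.sub("", line)
        m = VALUE_RE.match(line)
        if m:
            yield key, m.group("name"), m.group("data").strip()
        else:                       # Active Setup entries are printed as a bare path
            yield key, None, line


def assess(name, target):
    """Return the reasons an entry deserves analyst attention; [] means nothing notable."""
    reasons = []
    low = target.lower()
    if name == "EnableFirewall" and low.startswith("0"):
        return ["Windows Firewall is disabled for this profile"]
    if not low.startswith("c:\\"):
        return reasons              # not a file path, nothing to check
    filename = low.rsplit("\\", 1)[-1]
    if filename in MASQUERADE_NAMES and not low.startswith(WINDOWS_DIR):
        reasons.append(f"{filename} is a Windows system binary name, but this copy "
                       "lives outside the Windows directory")
    if USER_PROFILE_RE.match(low):
        reasons.append("autostart target is inside a user profile, a location "
                       "writable without administrator rights")
        if not filename.endswith(".exe"):
            ext = filename.rsplit(".", 1)[-1]
            reasons.append(f"target is a .{ext} file rather than a native executable")
    return reasons


def triage(text):
    """Map each flagged entry (by value name, or by path for bare lines) to its reasons."""
    findings = {}
    for _key, name, target in parse_loading_points(text):
        reasons = assess(name, target)
        if reasons:
            findings[name or target] = reasons
    return findings


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_REG_LOADING_POINTS).items():
        print(entry)
        for reason in reasons:
            print("   -", reason)
```

A user-profile hit on its own (the Google updater here) only means "look at it"; the entries worth real attention are the ones that stack several reasons or trip the masquerade check.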
Okay, Combofix log first, then HJT.
ComboFix 10-08-09.03 - Rebel 08/10/2010 14:46:09.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1625 [GMT -4:00]
Running from: c:\documents and settings\Rebel\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Bitdefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: Bitdefender Firewall *enabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
FW: Online Armor Firewall *enabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Autorun.inf
c:\documents and settings\All Users.WINDOWS\Application Data\hpe2E3.dll
c:\documents and settings\Rebel\Application Data\Microsoft\download.exe
c:\documents and settings\Rebel\Application Data\SQLite3.dll
C:\ntldr.exe
c:\program files\Internet Explorer\SET1F04.tmp
c:\program files\Internet Explorer\SET1F09.tmp
c:\windows\system\wizmo .exe
c:\windows\system32\404Fix.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\lluuiaii.ini
c:\windows\system32\net.bat
c:\windows\system32\net.vbs
c:\windows\system32\Process.exe
c:\windows\system32\s4c.vbs
c:\windows\system32\simuwjmx.ini
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\wdbxuuef.ini
c:\windows\system32\WS2Fix.exe
.
((((((((((((((((((((((((( Files Created from 2010-07-10 to 2010-08-10 )))))))))))))))))))))))))))))))
.
2010-08-04 05:19 . 2010-08-04 05:19 -------- d-----w- c:\program files\ERUNT
2010-07-30 00:53 . 2010-06-28 20:37 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-07-30 00:53 . 2010-06-28 20:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-07-30 00:52 . 2010-06-28 20:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-07-30 00:52 . 2010-06-28 20:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-07-30 00:52 . 2010-06-28 20:32 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-07-30 00:52 . 2010-06-28 20:32 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-07-30 00:52 . 2010-06-28 20:32 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-07-30 00:52 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
2010-07-30 00:52 . 2010-06-28 20:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-07-29 22:13 . 2010-07-29 22:13 -------- d-----w- c:\program files\Trend Micro
2010-07-29 20:04 . 2010-07-29 20:04 -------- d-----w- c:\program files\Alwil Software
2010-07-29 20:04 . 2010-07-29 20:04 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Alwil Software
2010-07-21 19:28 . 2010-07-21 19:28 123041 ----a-w- C:\RunFirst.exe
2010-07-21 19:23 . 2010-07-22 22:03 456 ----a-w- c:\documents and settings\Rebel\Application Data\Microsoft\Run.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-10 18:51 . 2008-10-07 20:33 -------- d-----w- c:\program files\DNA
2010-08-10 18:51 . 2008-10-07 20:33 -------- d-----w- c:\documents and settings\Rebel\Application Data\DNA
2010-08-10 16:13 . 2007-07-23 23:46 -------- d-----w- c:\documents and settings\Rebel\Application Data\BitTorrent
2010-08-04 17:25 . 2007-07-24 17:48 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-30 00:49 . 2009-03-09 02:14 -------- d-----w- c:\documents and settings\Rebel\Application Data\OnlineArmor
2010-07-29 22:07 . 2007-07-23 23:05 53104 ----a-w- c:\documents and settings\Rebel\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-29 21:34 . 2009-09-07 23:55 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Yahoo!
2010-07-29 21:33 . 2007-07-23 23:11 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-29 21:26 . 2005-08-24 11:14 -------- d-sh--r- c:\documents and settings\Rebel\Application Data\Winlog
2010-07-23 01:14 . 2009-09-12 02:10 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Yahoo! Companion
2010-06-28 02:54 . 2010-06-26 17:46 -------- d-----w- c:\program files\Cricket Broadband Connect
2010-06-28 02:54 . 2010-06-28 02:54 -------- d-----w- c:\program files\Avanquest update
2010-06-28 02:42 . 2010-06-26 17:46 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\BVRP Software
2010-06-28 02:08 . 2010-06-28 02:08 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\WEBREG
2010-06-28 01:54 . 2010-06-28 01:48 157142 ----a-w- c:\windows\hphins25.dat
2010-06-28 01:53 . 2010-06-28 01:52 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\HP
2010-06-28 01:52 . 2010-06-28 01:52 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\HP Product Assistant
2010-06-28 01:52 . 2007-09-13 16:14 -------- d-----w- c:\program files\HP
2010-06-28 01:51 . 2010-06-28 01:51 -------- d-----w- c:\program files\Common Files\HP
2010-06-28 01:51 . 2010-06-28 01:51 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Hewlett-Packard
2010-06-26 17:46 . 2010-06-26 17:46 -------- d-----w- c:\program files\Common Files\Avanquest software Shared
2010-06-26 13:05 . 2009-12-15 16:29 -------- d-----w- c:\program files\Minefield
2010-06-26 03:57 . 2009-03-09 02:14 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\OnlineArmor
2010-06-26 03:55 . 2009-03-14 14:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-14 01:51 . 2009-12-22 04:11 -------- d-----w- c:\documents and settings\Rebel\Application Data\mIRC
2010-06-02 20:31 . 2010-06-02 20:31 45024 ---ha-w- c:\windows\system32\mlfcache.dat
2010-05-28 11:34 . 2010-05-28 11:34 503808 ----a-w- c:\documents and settings\Rebel\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-392c5e37-n\msvcp71.dll
2010-05-28 11:34 . 2010-05-28 11:34 499712 ----a-w- c:\documents and settings\Rebel\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-392c5e37-n\jmc.dll
2010-05-28 11:34 . 2010-05-28 11:34 348160 ----a-w- c:\documents and settings\Rebel\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-392c5e37-n\msvcr71.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-12-15 323392]
"Google Update"="c:\documents and settings\Rebel\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-31 136176]
"Windows Java Runtime"="c:\documents and settings\Rebel\java.jar" [2010-07-23 18160]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-03 45056]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-10-15 01:17 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 21:07 2260480 --sha-r- c:\desktop\Spybot - Search & Destroy\TeaTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-01 13:37 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\POWERPNT.EXE"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Desktop\\a-squared Free\\a2service.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"20648:TCP"= 20648:TCP:*:Disabled:BitComet 20648 TCP
"20648:UDP"= 20648:UDP:*:Disabled:BitComet 20648 UDP
"58216:TCP"= 58216:TCP:Utorrent port
"32924:UDP"= 32924:UDP:utorrentport 2
"32924:TCP"= 32924:TCP:utorrentport3
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [7/29/2010 8:53 PM 165456]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [3/8/2009 10:14 PM 178376]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [3/8/2009 10:14 PM 30920]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [3/8/2009 10:14 PM 28872]
R2 a2free;a-squared Free Service;c:\desktop\a-squared Free\a2service.exe [3/8/2009 10:13 PM 1872320]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/29/2010 8:53 PM 17744]
R2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [3/8/2009 10:14 PM 1402568]
S3 PTUMWBus;PANTECH USB Modem V2 Composite Device Driver;c:\windows\system32\DRIVERS\PTUMWBus.sys --> c:\windows\system32\DRIVERS\PTUMWBus.sys [?]
S3 PTUMWCDF;PANTECH USB Modem V2 Installation CD;c:\windows\system32\DRIVERS\PTUMWCDF.sys --> c:\windows\system32\DRIVERS\PTUMWCDF.sys [?]
S3 PTUMWFLT;PTUMWNET Filter Driver;c:\windows\system32\DRIVERS\PTUMWFLT.sys --> c:\windows\system32\DRIVERS\PTUMWFLT.sys [?]
S3 PTUMWMdm;PANTECH USB Modem V2 Modem Driver;c:\windows\system32\DRIVERS\PTUMWMdm.sys --> c:\windows\system32\DRIVERS\PTUMWMdm.sys [?]
S3 PTUMWNET;PANTECH USB Modem V2 WWAN Driver;c:\windows\system32\DRIVERS\PTUMWNET.sys --> c:\windows\system32\DRIVERS\PTUMWNET.sys [?]
S3 PTUMWVsp;PANTECH USB Modem V2 Diagnostic Port;c:\windows\system32\DRIVERS\PTUMWVsp.sys --> c:\windows\system32\DRIVERS\PTUMWVsp.sys [?]
S3 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [3/8/2009 10:14 PM 3321032]
--- Other Services/Drivers In Memory ---
*Deregistered* - BMLoad
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
[HKEY_CURRENT_USER\software\microsoft\active setup\installed components\{D0BEBE8C-F1C4-BF41-7FA8-EECECBFECCF6}]
c:\documents and settings\Rebel\Application Data\svchost.exe [BU]
.
Contents of the 'Scheduled Tasks' folder
2010-07-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1229272821-1409082233-725345543-1003Core.job
- c:\documents and settings\Rebel\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-31 17:05]
2010-07-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1229272821-1409082233-725345543-1003UA.job
- c:\documents and settings\Rebel\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-31 17:05]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Rebel\Application Data\Mozilla\Firefox\Profiles\3idjaz6o.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - plugin: c:\documents and settings\Rebel\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-BidSlayer - (no file)
MSConfigStartUp-641f3ac0 - c:\windows\system32\wenabebi.dll
MSConfigStartUp-CPM672c095c - c:\windows\system32\fizelugo.dll
MSConfigStartUp-ISUSPM Startup - c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
MSConfigStartUp-ISUSScheduler - c:\program files\Common Files\InstallShield\UpdateService\issch.exe
MSConfigStartUp-MSMSGS - c:\program files\Messenger\msmsgs.exe
MSConfigStartUp-renemejiyi - c:\windows\system32\vitesona.dll
ActiveSetup-{D0BEBE8C-F1C4-BF41-7FA8-EECECBFECCF6} - c:\documents and settings\Rebel\Application Data\svchost.exe
AddRemove-Yahoo! Software Update - c:\progra~1\Yahoo!\SOFTWA~1\UNINST~1.EXE
AddRemove-{1C336D20-A089-4818-9C56-96AD81BF5A11} - c:\program files\PANTECH\PANTECH USB Modem V2\Uninstall.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-10 14:54
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files:
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(688)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\BCMSMMSG.exe
c:\program files\Java\jre6\bin\javaw.exe
c:\program files\Java\jre6\bin\jqs.exe
.
**************************************************************************
.
Completion time: 2010-08-10 14:56:32 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-10 18:56
Pre-Run: 77,047,287,808 bytes free
Post-Run: 77,218,811,904 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - 59506FFE9124AF9EC36B7B78D679C653
HijackThis:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 15:06:11, on 8/10/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Java\jre6\bin\javaw.exe
C:\Desktop\a-squared Free\a2service.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Tall Emu\Online Armor\oacat.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Desktop\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Rebel\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Windows Java Runtime] "C:\Documents and Settings\Rebel\java.jar"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Desktop\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Desktop\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1185296588953
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Desktop\a-squared Free\a2service.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oacat.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Unknown owner - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
--
End of file - 6046 bytes
Hi,
Let's go over a few things.
Utorrent
BitTorrent DNA
You need to uninstall both of these programs from Add/Remove Programs in the Control Panel. When you use P2P programs, you're downloading those files from an unknown source; malware writers are jumping on the bandwagon and using programs like these to infect computers. You would be doing yourself a big favor by staying away from programs like these; they may be all or partially responsible for the lousy shape your computer was in. I know this ComboFix log is confusing to you, but if you look under the open ports section of the log you can see that your firewall is letting things in and out unhindered by anything these programs want to bring in. Why have a firewall? It's doing you no good.
Before we proceed, go and uninstall those programs and then do this. I am sure these files are bad, but I want to double-check before we remove them.
You need to enable windows to show all files and folders, instructions Here (http://www.bleepingcomputer.com/tutorials/tutorial62.html)
Go to VirusTotal (http://www.virustotal.com/) and submit these files for analysis; just use the BROWSE feature and then Send File. You will get a report back; post the report into this thread for me to see. If the site says this file has already been checked, have them check it again.
C:\RunFirst.exe <--This file
c:\documents and settings\Rebel\Application Data\Microsoft\Run.exe <--This file
If the site is busy you can try this one
http://virusscan.jotti.org/en
I'm not sure how to get rid of those programs Ken. Earlier when you asked me to get rid of BitTorrent, I thought I had--I found it under "All Programs" in my Start Menu and clicked "Uninstall". I forgot completely about uTorrent but I figured BitTorrent would be gone.
I did manage to find "DNA" listed under Add/Remove Programs, so I removed that, but I didn't find anything in there about uTorrent. Yet even though I removed "DNA" there is still stuff from BitTorrent in my application data folder, and the same is true of uTorrent, but neither of them seems to have anything left in "Program Files". I deleted everything that I could find associated with them anywhere on my computer, and I also ran a search of my computer looking for them and deleted anything I could find, except those "-crack.exe" things. But how do I know for sure they are completely gone?
Excuse my lack of computer savvy, I just want to make sure I can figure out how to get rid of them completely before I do the next thing.
That's fine; it's important that you upload those files to be checked. We can remove the remnants of the P2P a bit later.
Those cracked programs may just have been renamed by malware; we can look into that later also.
The first one:
File name:
RunFirst.exe
Submission date:
2010-08-10 22:17:43 (UTC)
Current status:
queued (#70) queued (#70) analysing finished
Result:
2/ 41 (4.9%)
VT Community
not reviewed
Safety score: -
Antivirus Version Last Update Result
AhnLab-V3 2010.08.11.00 2010.08.10 -
AntiVir 8.2.4.34 2010.08.10 TR/Dropper.Gen
Antiy-AVL 2.0.3.7 2010.08.10 -
Authentium 5.2.0.5 2010.08.10 -
Avast 4.8.1351.0 2010.08.10 -
Avast5 5.0.332.0 2010.08.10 -
AVG 9.0.0.851 2010.08.10 -
BitDefender 7.2 2010.08.10 -
CAT-QuickHeal 11.00 2010.08.10 -
ClamAV 0.96.0.3-git 2010.08.10 -
Comodo 5708 2010.08.10 -
DrWeb 5.0.2.03300 2010.08.10 -
Emsisoft 5.0.0.37 2010.08.10 -
eSafe 7.0.17.0 2010.08.09 -
eTrust-Vet 36.1.7779 2010.08.10 -
F-Prot 4.6.1.107 2010.08.10 -
Fortinet 4.1.143.0 2010.08.10 -
GData 21 2010.08.10 -
Ikarus T3.1.1.87.0 2010.08.10 -
Jiangmin 13.0.900 2010.08.10 -
Kaspersky 7.0.0.125 2010.08.10 -
McAfee 5.400.0.1158 2010.08.10 -
McAfee-GW-Edition 2010.1 2010.08.10 -
Microsoft 1.6004 2010.08.10 -
NOD32 5356 2010.08.10 -
Norman 6.05.11 2010.08.10 -
nProtect 2010-08-10.01 2010.08.10 -
Panda 10.0.2.7 2010.08.10 -
PCTools 7.0.3.5 2010.08.10 -
Prevx 3.0 2010.08.11 Medium Risk Malware Dropper
Rising 22.60.01.04 2010.08.10 -
Sophos 4.56.0 2010.08.10 -
Sunbelt 6713 2010.08.10 -
SUPERAntiSpyware 4.40.0.1006 2010.08.10 -
Symantec 20101.1.1.7 2010.08.10 -
TheHacker 6.5.2.1.341 2010.08.10 -
TrendMicro 9.120.0.1004 2010.08.10 -
TrendMicro-HouseCall 9.120.0.1004 2010.08.11 -
VBA32 3.12.12.8 2010.08.10 -
ViRobot 2010.8.9.3978 2010.08.10 -
VirusBuster 5.0.27.0 2010.08.10 -
Additional information
MD5 : 6aad4c91fbae9e7b890ca07383ae3e47
SHA1 : 2b667c51627442243e3caf2eb508294e0cabaa1b
SHA256: 397b29bf9b40465b502fec492adc1e490099e5e42721e03d8c4be3b18e519f40
The second one:
File name:
Run.exe
Submission date:
2010-08-10 22:29:49 (UTC)
Current status:
queued (#146) queued (#146) analysing finished
Result:
0/ 41 (0.0%)
VT Community
not reviewed
Safety score: -
Antivirus Version Last Update Result
AhnLab-V3 2010.08.11.00 2010.08.10 -
AntiVir 8.2.4.34 2010.08.10 -
Antiy-AVL 2.0.3.7 2010.08.10 -
Authentium 5.2.0.5 2010.08.10 -
Avast 4.8.1351.0 2010.08.10 -
Avast5 5.0.332.0 2010.08.10 -
AVG 9.0.0.851 2010.08.10 -
BitDefender 7.2 2010.08.10 -
CAT-QuickHeal 11.00 2010.08.10 -
ClamAV 0.96.0.3-git 2010.08.10 -
Comodo 5708 2010.08.10 -
DrWeb 5.0.2.03300 2010.08.10 -
Emsisoft 5.0.0.37 2010.08.10 -
eSafe 7.0.17.0 2010.08.09 -
eTrust-Vet 36.1.7779 2010.08.10 -
F-Prot 4.6.1.107 2010.08.10 -
Fortinet 4.1.143.0 2010.08.10 -
GData 21 2010.08.11 -
Ikarus T3.1.1.87.0 2010.08.10 -
Jiangmin 13.0.900 2010.08.10 -
Kaspersky 7.0.0.125 2010.08.10 -
McAfee 5.400.0.1158 2010.08.10 -
McAfee-GW-Edition 2010.1 2010.08.10 -
Microsoft 1.6004 2010.08.10 -
NOD32 5356 2010.08.10 -
Norman 6.05.11 2010.08.10 -
nProtect 2010-08-10.01 2010.08.10 -
Panda 10.0.2.7 2010.08.10 -
PCTools 7.0.3.5 2010.08.10 -
Prevx 3.0 2010.08.11 -
Rising 22.60.01.04 2010.08.10 -
Sophos 4.56.0 2010.08.10 -
Sunbelt 6713 2010.08.10 -
SUPERAntiSpyware 4.40.0.1006 2010.08.10 -
Symantec 20101.1.1.7 2010.08.10 -
TheHacker 6.5.2.1.341 2010.08.10 -
TrendMicro 9.120.0.1004 2010.08.10 -
TrendMicro-HouseCall 9.120.0.1004 2010.08.11 -
VBA32 3.12.12.8 2010.08.10 -
ViRobot 2010.8.9.3978 2010.08.10 -
VirusBuster 5.0.27.0 2010.08.10 -
So VirusTotal doesn't show anything for the second one. I tried that one with http://virusscan.jotti.org/en and it didn't find anything either.
Let's look a bit deeper; there was one hit on the first one, but I am not a big fan of that site.
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)
Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:
:file
C:\RunFirst.exe
c:\documents and settings\Rebel\Application Data\Microsoft\Run.exe
Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 09:40 on 11/08/2010 by Rebel (Administrator - Elevation successful)
========== file ==========
C:\RunFirst.exe - File found and opened.
MD5: 6AAD4C91FBAE9E7B890CA07383AE3E47
Created at 19:28 on 21/07/2010
Modified at 19:28 on 21/07/2010
Size: 123041 bytes
Attributes: --a---
FileDescription:
FileVersion: 0.0.0.0
ProductVersion: 0.0.0.0
OriginalFilename: Win32.exe
InternalName: Win32.exe
LegalCopyright:
c:\documents and settings\Rebel\Application Data\Microsoft\Run.exe - File found and opened.
MD5: 873FD1C1E069F4E21F0D18FB62FB9C79
Created at 19:23 on 21/07/2010
Modified at 22:03 on 22/07/2010
Size: 456 bytes
Attributes: --a---
No version information available.
-=End Of File=-
Let's get rid of them both, and after running CF again let me know how your system is running.
Open Notepad (go to Start > All Programs > Accessories > Notepad; this will only work with Notepad) and copy all the text inside the codebox by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before and above Collect::
Collect::
C:\RunFirst.exe
c:\documents and settings\Rebel\Application Data\Microsoft\Run.exe
Folder::
c:\program files\DNA
c:\documents and settings\Rebel\Application Data\DNA
c:\documents and settings\Rebel\Application Data\BitTorrent
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\DNA\\btdna.exe"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"20648:TCP"=-
"20648:UDP"=-
"58216:TCP"=-
"32924:UDP"=-
"32924:TCP"=-
Save this as CFScript to your desktop.
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://i24.photobucket.com/albums/c30/ken545/CFScriptB-4.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
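The two things this CFScript is really after are the firewall holes Ken pointed at earlier (EnableFirewall=0, the btdna.exe exception and the globally open ports) and autostart entries that do not belong. As an added example, not code from ComboFix, HijackThis or anyone in this thread, here is a small Python triage script that reads a ComboFix-style "Reg Loading Points" section and pulls those findings out automatically. The SAMPLE_LOG is constructed to mirror the shape of the log in this thread, and the heuristics (firewall disabled, exceptions and open ports listed, autostart targets flagged when they live under a user profile, are not a plain executable such as a .jar, or carry a core system binary's name outside the Windows directory) are mine, not rules any of those tools apply.

```python
import re

# Constructed sample input, modelled on the ComboFix output in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Rebel\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-31 136176]
"Windows Java Runtime"="c:\documents and settings\Rebel\java.jar" [2010-07-23 18160]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"20648:TCP"=
"58216:TCP"=
[HKEY_CURRENT_USER\software\microsoft\active setup\installed components\{D0BEBE8C-F1C4-BF41-7FA8-EECECBFECCF6}]
c:\documents and settings\Rebel\Application Data\svchost.exe [BU]
"""

# Core Windows binaries whose names malware likes to borrow (my own list);
# one of these outside the Windows directory deserves a close look.
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "winlogon.exe",
                       "csrss.exe", "services.exe", "explorer.exe"}
# Autostart targets that are not plain executables (the thread's java.jar).
NON_EXE_TARGETS = (".jar", ".dll", ".vbs", ".js", ".bat", ".scr")

QUOTED_ENTRY = re.compile(r'"(?P<name>[^"]+)"="(?P<path>[^"]*)"')
BARE_PATH = re.compile(r'(?P<path>[a-z]:\\.+?)(?:\s+\[[^\]]*\])?$', re.I)


def classify_autostart(path):
    """Return the reasons (possibly none) an autostart target looks suspicious."""
    p = path.lower()
    base = p.replace("/", "\\").rsplit("\\", 1)[-1]
    reasons = []
    if base in SYSTEM_BINARY_NAMES and "\\windows\\" not in p:
        reasons.append("system binary name outside the Windows directory")
    if base.endswith(NON_EXE_TARGETS):
        reasons.append("target is not a plain executable")
    if "\\documents and settings\\" in p or "\\application data\\" in p:
        reasons.append("lives in a user-writable profile path")
    return reasons


def severity(reasons):
    """A profile path alone is only 'review': updaters live there legitimately."""
    return "high" if any(not r.startswith("lives in") for r in reasons) else "review"


def parse_loading_points(text):
    """Walk the section and collect firewall state, holes and odd autostarts."""
    report = {"firewall_enabled": None, "authorized_apps": [],
              "open_ports": [], "autostarts": []}
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()  # registry key the following lines belong to
            continue
        if key.endswith("firewallpolicy\\standardprofile"):
            m = re.match(r'"enablefirewall"=\s*(\d+)', line, re.I)
            if m:
                report["firewall_enabled"] = m.group(1) != "0"
        elif key.endswith("authorizedapplications\\list"):
            m = re.match(r'"(.+?)"=', line)
            if m:  # the log doubles backslashes in these REG-style values
                report["authorized_apps"].append(m.group(1).replace("\\\\", "\\"))
        elif key.endswith("globallyopenports\\list"):
            m = re.match(r'"(\d+):(tcp|udp)"=', line, re.I)
            if m:
                report["open_ports"].append((int(m.group(1)), m.group(2).upper()))
        elif key.endswith("\\run") or "active setup\\installed components" in key:
            m = QUOTED_ENTRY.match(line) or BARE_PATH.match(line)
            if not m:
                continue
            path = m.group("path")
            # Active Setup entries carry no value name; use the component GUID.
            name = m.groupdict().get("name") or key.rsplit("\\", 1)[-1]
            reasons = classify_autostart(path)
            if reasons:
                report["autostarts"].append({"name": name, "path": path,
                                             "reasons": reasons,
                                             "severity": severity(reasons)})
    return report


def summarize(report):
    """Human-readable findings, firewall state first, then the autostarts."""
    lines = []
    if report["firewall_enabled"] is False:
        lines.append("Windows Firewall is DISABLED in the standard profile")
    lines += [f"globally open port {port}/{proto}" for port, proto in report["open_ports"]]
    lines += [f"firewall exception for {app}" for app in report["authorized_apps"]]
    for a in report["autostarts"]:
        lines.append(f"[{a['severity']}] {a['name']} -> {a['path']}: " + "; ".join(a["reasons"]))
    return lines


if __name__ == "__main__":
    for finding in summarize(parse_loading_points(SAMPLE_LOG)):
        print(finding)
```

Run against the sample it reports the disabled firewall, the two open ports, the two exceptions and three autostarts: Google Update at "review" (profile path only), the java.jar entry and the svchost.exe under Application Data at "high". The avast entry is not reported, which is the point of the heuristics: a legitimate Program Files executable with no odd name should stay quiet.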
ComboFix Log:
ComboFix 10-08-10.06 - Rebel 08/11/2010 10:32:18.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1580 [GMT -4:00]
Running from: c:\documents and settings\Rebel\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Rebel\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Bitdefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: Bitdefender Firewall *enabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
FW: Online Armor Firewall *enabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
file zipped: c:\documents and settings\Rebel\Application Data\Microsoft\Run.exe
file zipped: C:\RunFirst.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\autorun.inf
c:\documents and settings\Rebel\Application Data\Microsoft\Run.exe
C:\RunFirst.exe
.
((((((((((((((((((((((((( Files Created from 2010-07-11 to 2010-08-11 )))))))))))))))))))))))))))))))
.
2010-08-10 21:35 . 2010-08-10 21:35 -------- d-----w- c:\documents and settings\Rebel\Application Data\U3
2010-08-10 19:03 . 2010-08-10 19:03 388096 ----a-r- c:\documents and settings\Rebel\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-08-04 05:19 . 2010-08-04 05:19 -------- d-----w- c:\program files\ERUNT
2010-07-30 00:53 . 2010-06-28 20:37 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-07-30 00:53 . 2010-06-28 20:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-07-30 00:52 . 2010-06-28 20:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-07-30 00:52 . 2010-06-28 20:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-07-30 00:52 . 2010-06-28 20:32 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-07-30 00:52 . 2010-06-28 20:32 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-07-30 00:52 . 2010-06-28 20:32 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-07-30 00:52 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
2010-07-30 00:52 . 2010-06-28 20:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-07-29 22:13 . 2010-07-29 22:13 -------- d-----w- c:\program files\Trend Micro
2010-07-29 20:04 . 2010-07-29 20:04 -------- d-----w- c:\program files\Alwil Software
2010-07-29 20:04 . 2010-07-29 20:04 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Alwil Software
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-10 21:30 . 2007-09-13 16:14 -------- d-----w- c:\program files\HP
2010-08-10 21:12 . 2010-06-28 01:52 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\HP
2010-08-10 21:07 . 2010-06-26 17:46 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\BVRP Software
2010-08-10 21:07 . 2007-07-23 23:11 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-08-04 17:25 . 2007-07-24 17:48 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-30 00:49 . 2009-03-09 02:14 -------- d-----w- c:\documents and settings\Rebel\Application Data\OnlineArmor
2010-07-29 22:07 . 2007-07-23 23:05 53104 ----a-w- c:\documents and settings\Rebel\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-29 21:34 . 2009-09-07 23:55 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Yahoo!
2010-07-29 21:26 . 2005-08-24 11:14 -------- d-sh--r- c:\documents and settings\Rebel\Application Data\Winlog
2010-07-23 01:14 . 2009-09-12 02:10 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Yahoo! Companion
2010-06-28 02:54 . 2010-06-28 02:54 -------- d-----w- c:\program files\Avanquest update
2010-06-28 02:08 . 2010-06-28 02:08 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\WEBREG
2010-06-28 01:51 . 2010-06-28 01:51 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Hewlett-Packard
2010-06-26 13:05 . 2009-12-15 16:29 -------- d-----w- c:\program files\Minefield
2010-06-26 03:57 . 2009-03-09 02:14 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\OnlineArmor
2010-06-26 03:55 . 2009-03-14 14:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-14 01:51 . 2009-12-22 04:11 -------- d-----w- c:\documents and settings\Rebel\Application Data\mIRC
2010-06-02 20:31 . 2010-06-02 20:31 45024 ---ha-w- c:\windows\system32\mlfcache.dat
2010-05-28 11:34 . 2010-05-28 11:34 503808 ----a-w- c:\documents and settings\Rebel\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-392c5e37-n\msvcp71.dll
2010-05-28 11:34 . 2010-05-28 11:34 499712 ----a-w- c:\documents and settings\Rebel\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-392c5e37-n\jmc.dll
2010-05-28 11:34 . 2010-05-28 11:34 348160 ----a-w- c:\documents and settings\Rebel\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-392c5e37-n\msvcr71.dll
.
((((((((((((((((((((((((((((( SnapShot@2010-08-10_18.52.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-08-11 13:24 . 2010-08-11 13:24 16384 c:\windows\Temp\Perflib_Perfdata_b4.dat
+ 2007-04-17 05:45 . 2009-08-06 23:24 44768 c:\windows\system32\wups2.dll
+ 2007-07-23 22:57 . 2009-08-06 23:24 35552 c:\windows\system32\wups.dll
+ 2007-07-23 22:57 . 2009-08-06 23:24 53472 c:\windows\system32\wuauclt.exe
+ 2010-08-10 18:54 . 2009-08-06 23:24 44768 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.4.7600.226\wups2.dll
+ 2010-08-10 18:54 . 2009-08-06 23:24 35552 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.4.7600.226\wups.dll
+ 2004-08-04 10:00 . 2010-08-10 21:31 71448 c:\windows\system32\perfc009.dat
- 2004-08-04 10:00 . 2010-03-22 03:57 71448 c:\windows\system32\perfc009.dat
+ 2007-07-23 22:57 . 2009-08-06 23:24 35552 c:\windows\system32\dllcache\wups.dll
+ 2007-07-23 22:57 . 2009-08-06 23:24 53472 c:\windows\system32\dllcache\wuauclt.exe
+ 2004-08-04 10:00 . 2009-08-06 23:24 96480 c:\windows\system32\dllcache\cdm.dll
+ 2004-08-04 10:00 . 2010-01-13 14:10 85504 c:\windows\system32\dllcache\cabview.dll
+ 2004-08-04 10:00 . 2009-08-06 23:24 96480 c:\windows\system32\cdm.dll
+ 2004-08-04 10:00 . 2010-01-13 14:10 85504 c:\windows\system32\cabview.dll
+ 2007-07-23 22:57 . 2009-08-06 23:24 209632 c:\windows\system32\wuweb.dll
+ 2007-07-23 22:57 . 2009-08-06 23:24 327896 c:\windows\system32\wucltui.dll
+ 2007-07-23 22:57 . 2009-08-06 23:23 575704 c:\windows\system32\wuapi.dll
+ 2004-08-04 10:00 . 2009-12-24 07:05 177664 c:\windows\system32\wintrust.dll
+ 2004-08-04 10:00 . 2010-08-10 21:31 441422 c:\windows\system32\perfh009.dat
- 2004-08-04 10:00 . 2010-03-22 03:57 441422 c:\windows\system32\perfh009.dat
+ 2007-04-17 05:43 . 2009-08-06 23:23 215920 c:\windows\system32\muweb.dll
+ 2007-07-25 13:11 . 2009-08-06 23:23 274288 c:\windows\system32\mucltui.dll
+ 2007-07-23 22:57 . 2009-08-06 23:24 209632 c:\windows\system32\dllcache\wuweb.dll
+ 2007-07-23 22:57 . 2009-08-06 23:24 327896 c:\windows\system32\dllcache\wucltui.dll
+ 2007-07-23 22:57 . 2009-08-06 23:23 575704 c:\windows\system32\dllcache\wuapi.dll
+ 2004-08-04 10:00 . 2009-12-24 07:05 177664 c:\windows\system32\dllcache\wintrust.dll
+ 2007-07-23 22:57 . 2009-08-06 23:23 1929952 c:\windows\system32\wuaueng.dll
+ 2007-07-23 22:57 . 2009-08-06 23:23 1929952 c:\windows\system32\dllcache\wuaueng.dll
+ 2010-08-10 19:03 . 2010-08-10 19:03 1094656 c:\windows\Installer\ace31.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Rebel\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-31 136176]
"Windows Java Runtime"="c:\documents and settings\Rebel\java.jar" [2010-07-23 18160]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-03 45056]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 21:07 2260480 --sha-r- c:\desktop\Spybot - Search & Destroy\TeaTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-01 13:37 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\POWERPNT.EXE"=
"c:\\Desktop\\a-squared Free\\a2service.exe"=
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [7/29/2010 8:53 PM 165456]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [3/8/2009 10:14 PM 178376]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [3/8/2009 10:14 PM 30920]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [3/8/2009 10:14 PM 28872]
R2 a2free;a-squared Free Service;c:\desktop\a-squared Free\a2service.exe [3/8/2009 10:13 PM 1872320]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/29/2010 8:53 PM 17744]
R2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [3/8/2009 10:14 PM 1402568]
S3 PTUMWBus;PANTECH USB Modem V2 Composite Device Driver;c:\windows\system32\DRIVERS\PTUMWBus.sys --> c:\windows\system32\DRIVERS\PTUMWBus.sys [?]
S3 PTUMWCDF;PANTECH USB Modem V2 Installation CD;c:\windows\system32\DRIVERS\PTUMWCDF.sys --> c:\windows\system32\DRIVERS\PTUMWCDF.sys [?]
S3 PTUMWFLT;PTUMWNET Filter Driver;c:\windows\system32\DRIVERS\PTUMWFLT.sys --> c:\windows\system32\DRIVERS\PTUMWFLT.sys [?]
S3 PTUMWMdm;PANTECH USB Modem V2 Modem Driver;c:\windows\system32\DRIVERS\PTUMWMdm.sys --> c:\windows\system32\DRIVERS\PTUMWMdm.sys [?]
S3 PTUMWNET;PANTECH USB Modem V2 WWAN Driver;c:\windows\system32\DRIVERS\PTUMWNET.sys --> c:\windows\system32\DRIVERS\PTUMWNET.sys [?]
S3 PTUMWVsp;PANTECH USB Modem V2 Diagnostic Port;c:\windows\system32\DRIVERS\PTUMWVsp.sys --> c:\windows\system32\DRIVERS\PTUMWVsp.sys [?]
S3 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [3/8/2009 10:14 PM 3321032]
--- Other Services/Drivers In Memory ---
*Deregistered* - BMLoad
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
[HKEY_CURRENT_USER\software\microsoft\active setup\installed components\{D0BEBE8C-F1C4-BF41-7FA8-EECECBFECCF6}]
c:\documents and settings\Rebel\Application Data\svchost.exe [BU]
.
Contents of the 'Scheduled Tasks' folder
2010-08-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1229272821-1409082233-725345543-1003Core.job
- c:\documents and settings\Rebel\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-31 17:05]
2010-08-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1229272821-1409082233-725345543-1003UA.job
- c:\documents and settings\Rebel\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-31 17:05]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Rebel\Application Data\Mozilla\Firefox\Profiles\3idjaz6o.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - plugin: c:\documents and settings\Rebel\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -
MSConfigStartUp-HP Software Update - c:\program files\HP\HP Software Update\HPWuSchd2.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-11 10:36
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files:
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(680)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-08-11 10:38:22
ComboFix-quarantined-files.txt 2010-08-11 14:38
ComboFix2.txt 2010-08-10 18:56
Pre-Run: 77,736,235,008 bytes free
Post-Run: 77,725,990,912 bytes free
- - End Of File - - 4B72D0990FA5E47324CCCF815D64D4C5
HJT Log:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:28:36, on 8/11/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre6\bin\javaw.exe
C:\Desktop\a-squared Free\a2service.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Tall Emu\Online Armor\oacat.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Desktop\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Rebel\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Windows Java Runtime] "C:\Documents and Settings\Rebel\java.jar"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Desktop\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Desktop\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1185296588953
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Desktop\a-squared Free\a2service.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oacat.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Unknown owner - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
--
End of file - 5837 bytes
One thing to note, Ken, after Combofix ran it wanted to do some kind of analysis online, but at the time, my internet connection wasn't working (which I didn't realize until then), so it told me to try again later, and that a file or something had been created somewhere that would allow me to do this analysis later. Is this something I need to do? If so, where would I find this file and what would I do in order to do this analysis?
Not sure, it may have wanted to analyze the files we removed.
Is your internet working now OK?
You posted the original Combofix log; I need to see the one you just ran.
C:\Combofix.txt <-- It should be here, post the one with today's date
Internet's working much better now, yes. But when I first boot my computer up and click Firefox, sometimes it takes forever for the browser window to pop up. And when I first get on the internet, it often takes it a while to "get going" so to speak, but once it gets going it runs fine.
I think that ComboFix log I posted is the right one. It has today's date, it's just not the first date listed.
ComboFix 10-08-10.06 - Rebel 08/11/2010 10:32:18.3.2 - x86
In case I'm wrong, here's the log located at ComboFix.txt. The only problem is I ran ComboFix a couple of times today (I was trying to get it to offer to analyze those files again) so this log isn't going to show those files as deletions.
ComboFix 10-08-10.06 - Rebel 08/11/2010 11:17:13.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1473 [GMT -4:00]
Running from: c:\documents and settings\Rebel\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Rebel\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Bitdefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: Bitdefender Firewall *enabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
FW: Online Armor Firewall *enabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2010-07-11 to 2010-08-11 )))))))))))))))))))))))))))))))
.
2010-08-10 21:35 . 2010-08-10 21:35 -------- d-----w- c:\documents and settings\Rebel\Application Data\U3
2010-08-10 19:03 . 2010-08-10 19:03 388096 ----a-r- c:\documents and settings\Rebel\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-08-04 05:19 . 2010-08-04 05:19 -------- d-----w- c:\program files\ERUNT
2010-07-30 00:53 . 2010-06-28 20:37 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-07-30 00:53 . 2010-06-28 20:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-07-30 00:52 . 2010-06-28 20:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-07-30 00:52 . 2010-06-28 20:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-07-30 00:52 . 2010-06-28 20:32 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-07-30 00:52 . 2010-06-28 20:32 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-07-30 00:52 . 2010-06-28 20:32 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-07-30 00:52 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
2010-07-30 00:52 . 2010-06-28 20:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-07-29 22:13 . 2010-07-29 22:13 -------- d-----w- c:\program files\Trend Micro
2010-07-29 20:04 . 2010-07-29 20:04 -------- d-----w- c:\program files\Alwil Software
2010-07-29 20:04 . 2010-07-29 20:04 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Alwil Software
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-10 21:30 . 2007-09-13 16:14 -------- d-----w- c:\program files\HP
2010-08-10 21:12 . 2010-06-28 01:52 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\HP
2010-08-10 21:07 . 2010-06-26 17:46 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\BVRP Software
2010-08-10 21:07 . 2007-07-23 23:11 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-08-04 17:25 . 2007-07-24 17:48 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-30 00:49 . 2009-03-09 02:14 -------- d-----w- c:\documents and settings\Rebel\Application Data\OnlineArmor
2010-07-29 22:07 . 2007-07-23 23:05 53104 ----a-w- c:\documents and settings\Rebel\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-29 21:34 . 2009-09-07 23:55 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Yahoo!
2010-07-29 21:26 . 2005-08-24 11:14 -------- d-sh--r- c:\documents and settings\Rebel\Application Data\Winlog
2010-07-23 01:14 . 2009-09-12 02:10 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Yahoo! Companion
2010-06-28 02:54 . 2010-06-28 02:54 -------- d-----w- c:\program files\Avanquest update
2010-06-28 02:08 . 2010-06-28 02:08 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\WEBREG
2010-06-28 01:51 . 2010-06-28 01:51 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Hewlett-Packard
2010-06-26 13:05 . 2009-12-15 16:29 -------- d-----w- c:\program files\Minefield
2010-06-26 03:57 . 2009-03-09 02:14 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\OnlineArmor
2010-06-26 03:55 . 2009-03-14 14:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-14 01:51 . 2009-12-22 04:11 -------- d-----w- c:\documents and settings\Rebel\Application Data\mIRC
2010-06-02 20:31 . 2010-06-02 20:31 45024 ---ha-w- c:\windows\system32\mlfcache.dat
2010-05-28 11:34 . 2010-05-28 11:34 503808 ----a-w- c:\documents and settings\Rebel\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-392c5e37-n\msvcp71.dll
2010-05-28 11:34 . 2010-05-28 11:34 499712 ----a-w- c:\documents and settings\Rebel\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-392c5e37-n\jmc.dll
2010-05-28 11:34 . 2010-05-28 11:34 348160 ----a-w- c:\documents and settings\Rebel\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-392c5e37-n\msvcr71.dll
.
((((((((((((((((((((((((((((( SnapShot@2010-08-10_18.52.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-08-11 15:03 . 2010-08-11 15:03 16384 c:\windows\temp\Perflib_Perfdata_4ac.dat
+ 2007-04-17 05:45 . 2009-08-06 23:24 44768 c:\windows\system32\wups2.dll
+ 2007-07-23 22:57 . 2009-08-06 23:24 35552 c:\windows\system32\wups.dll
+ 2007-07-23 22:57 . 2009-08-06 23:24 53472 c:\windows\system32\wuauclt.exe
+ 2010-08-10 18:54 . 2009-08-06 23:24 44768 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.4.7600.226\wups2.dll
+ 2010-08-10 18:54 . 2009-08-06 23:24 35552 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.4.7600.226\wups.dll
+ 2004-08-04 10:00 . 2010-08-10 21:31 71448 c:\windows\system32\perfc009.dat
- 2004-08-04 10:00 . 2010-03-22 03:57 71448 c:\windows\system32\perfc009.dat
+ 2007-07-23 22:57 . 2009-08-06 23:24 35552 c:\windows\system32\dllcache\wups.dll
+ 2007-07-23 22:57 . 2009-08-06 23:24 53472 c:\windows\system32\dllcache\wuauclt.exe
+ 2004-08-04 10:00 . 2009-08-06 23:24 96480 c:\windows\system32\dllcache\cdm.dll
+ 2004-08-04 10:00 . 2010-01-13 14:10 85504 c:\windows\system32\dllcache\cabview.dll
+ 2004-08-04 10:00 . 2009-08-06 23:24 96480 c:\windows\system32\cdm.dll
+ 2004-08-04 10:00 . 2010-01-13 14:10 85504 c:\windows\system32\cabview.dll
+ 2007-07-23 22:57 . 2009-08-06 23:24 209632 c:\windows\system32\wuweb.dll
+ 2007-07-23 22:57 . 2009-08-06 23:24 327896 c:\windows\system32\wucltui.dll
+ 2007-07-23 22:57 . 2009-08-06 23:23 575704 c:\windows\system32\wuapi.dll
+ 2004-08-04 10:00 . 2009-12-24 07:05 177664 c:\windows\system32\wintrust.dll
+ 2004-08-04 10:00 . 2010-08-10 21:31 441422 c:\windows\system32\perfh009.dat
- 2004-08-04 10:00 . 2010-03-22 03:57 441422 c:\windows\system32\perfh009.dat
+ 2007-04-17 05:43 . 2009-08-06 23:23 215920 c:\windows\system32\muweb.dll
+ 2007-07-25 13:11 . 2009-08-06 23:23 274288 c:\windows\system32\mucltui.dll
+ 2007-07-23 22:57 . 2009-08-06 23:24 209632 c:\windows\system32\dllcache\wuweb.dll
+ 2007-07-23 22:57 . 2009-08-06 23:24 327896 c:\windows\system32\dllcache\wucltui.dll
+ 2007-07-23 22:57 . 2009-08-06 23:23 575704 c:\windows\system32\dllcache\wuapi.dll
+ 2004-08-04 10:00 . 2009-12-24 07:05 177664 c:\windows\system32\dllcache\wintrust.dll
+ 2007-07-23 22:57 . 2009-08-06 23:23 1929952 c:\windows\system32\wuaueng.dll
+ 2007-07-23 22:57 . 2009-08-06 23:23 1929952 c:\windows\system32\dllcache\wuaueng.dll
+ 2010-08-10 19:03 . 2010-08-10 19:03 1094656 c:\windows\Installer\ace31.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Rebel\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-31 136176]
"Windows Java Runtime"="c:\documents and settings\Rebel\java.jar" [2010-07-23 18160]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-03 45056]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 21:07 2260480 --sha-r- c:\desktop\Spybot - Search & Destroy\TeaTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-01 13:37 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\POWERPNT.EXE"=
"c:\\Desktop\\a-squared Free\\a2service.exe"=
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [7/29/2010 8:53 PM 165456]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [3/8/2009 10:14 PM 178376]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [3/8/2009 10:14 PM 30920]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [3/8/2009 10:14 PM 28872]
R2 a2free;a-squared Free Service;c:\desktop\a-squared Free\a2service.exe [3/8/2009 10:13 PM 1872320]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/29/2010 8:53 PM 17744]
R2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [3/8/2009 10:14 PM 1402568]
S3 PTUMWBus;PANTECH USB Modem V2 Composite Device Driver;c:\windows\system32\DRIVERS\PTUMWBus.sys --> c:\windows\system32\DRIVERS\PTUMWBus.sys [?]
S3 PTUMWCDF;PANTECH USB Modem V2 Installation CD;c:\windows\system32\DRIVERS\PTUMWCDF.sys --> c:\windows\system32\DRIVERS\PTUMWCDF.sys [?]
S3 PTUMWFLT;PTUMWNET Filter Driver;c:\windows\system32\DRIVERS\PTUMWFLT.sys --> c:\windows\system32\DRIVERS\PTUMWFLT.sys [?]
S3 PTUMWMdm;PANTECH USB Modem V2 Modem Driver;c:\windows\system32\DRIVERS\PTUMWMdm.sys --> c:\windows\system32\DRIVERS\PTUMWMdm.sys [?]
S3 PTUMWNET;PANTECH USB Modem V2 WWAN Driver;c:\windows\system32\DRIVERS\PTUMWNET.sys --> c:\windows\system32\DRIVERS\PTUMWNET.sys [?]
S3 PTUMWVsp;PANTECH USB Modem V2 Diagnostic Port;c:\windows\system32\DRIVERS\PTUMWVsp.sys --> c:\windows\system32\DRIVERS\PTUMWVsp.sys [?]
S3 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [3/8/2009 10:14 PM 3321032]
--- Other Services/Drivers In Memory ---
*Deregistered* - BMLoad
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
[HKEY_CURRENT_USER\software\microsoft\active setup\installed components\{D0BEBE8C-F1C4-BF41-7FA8-EECECBFECCF6}]
c:\documents and settings\Rebel\Application Data\svchost.exe [BU]
.
Contents of the 'Scheduled Tasks' folder
2010-08-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1229272821-1409082233-725345543-1003Core.job
- c:\documents and settings\Rebel\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-31 17:05]
2010-08-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1229272821-1409082233-725345543-1003UA.job
- c:\documents and settings\Rebel\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-31 17:05]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Rebel\Application Data\Mozilla\Firefox\Profiles\3idjaz6o.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - plugin: c:\documents and settings\Rebel\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-11 11:22
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files:
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(680)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-08-11 11:24:35
ComboFix-quarantined-files.txt 2010-08-11 15:24
ComboFix2.txt 2010-08-11 14:59
ComboFix3.txt 2010-08-11 14:38
ComboFix4.txt 2010-08-10 18:56
Pre-Run: 77,776,019,456 bytes free
Post-Run: 77,760,843,776 bytes free
- - End Of File - - 9BAD788FF78A81D0CFC16EFB114F8F56
Please don't run CF on your own anymore; it could damage your system if not run correctly.
Reboot your system and then let me know how things are running in general
It is running better. It takes it a while to get going and it takes a while to load pages, but it's definitely running better than before we started working on it. But it's not as fast as it was, say, 6 months ago.
OK, remember what I said about Combofix: the copy you have will stop working in a few days, and if you redownload and run it on your own, this forum, myself and the author sUbs will not be responsible if you damage your system.
Run a free online virus scanner to make sure we didn't miss anything.
Please run this free online virus scanner from ESET (http://www.eset.com/onlinescan/)
Note: You will need to use Internet explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the ActiveX control to install
Click Start
Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=066484a16ac93e429525b6286fe32c3e
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-08-13 04:36:24
# local_time=2010-08-13 12:36:24 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 1141603 1141603 0 0
# compatibility_mode=768 16777215 100 0 1149333 1149333 0 0
# compatibility_mode=6401 16777214 100 100 0 51598452 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=55218
# found=31
# cleaned=0
# scan_time=4576
C:\Documents and Settings\Rebel\Application Data\Sun\Java\Deployment\cache\6.0\43\556445eb-7b6a17af probably a variant of Win32/Agent.DYXWUMY trojan 00000000000000000000000000000000 I
C:\Documents and Settings\Rebel\Application Data\Sun\Java\Deployment\cache\6.0\43\6d41a16b-114e6675 multiple threats 00000000000000000000000000000000 I
C:\Documents and Settings\Rebel\Application Data\Sun\Java\Deployment\cache\6.0\61\69bc18bd-7d12cf2e multiple threats 00000000000000000000000000000000 I
C:\Documents and Settings\Rebel\Desktop\HHHUUUUUUUURRRRRRRR\RecentThings\WARRIORS\Spywarefighters\SmitfraudFix\Process.exe Win32/PrcView application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\lluuiaii.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\net.bat.vir MSIL/Autorun.N worm 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\net.vbs.vir MSIL/Lolmehot.E worm 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\Process.exe.vir Win32/PrcView application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\simuwjmx.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\wdbxuuef.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{362CA220-4197-4C6B-8803-D7823399063A}\RP765\A0147607.exe Win32/Shutdown.NAA application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{362CA220-4197-4C6B-8803-D7823399063A}\RP784\A0151175.exe a variant of MSIL/Injector.Q trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{362CA220-4197-4C6B-8803-D7823399063A}\RP784\A0151176.exe a variant of MSIL/Injector.Q trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{362CA220-4197-4C6B-8803-D7823399063A}\RP785\A0151187.exe a variant of Win32/Injector.CMC trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{362CA220-4197-4C6B-8803-D7823399063A}\RP786\A0156510.exe a variant of Win32/Injector.BEF trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{362CA220-4197-4C6B-8803-D7823399063A}\RP786\A0156517.exe a variant of Win32/Injector.CMC trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{362CA220-4197-4C6B-8803-D7823399063A}\RP786\A0156518.exe a variant of MSIL/Injector.E trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{362CA220-4197-4C6B-8803-D7823399063A}\RP786\A0156520.exe Win32/AutoRun.Agent.WW worm 00000000000000000000000000000000 I
C:\System Volume Information\_restore{362CA220-4197-4C6B-8803-D7823399063A}\RP786\A0156521.vbs MSIL/Autorun.Agent.A worm 00000000000000000000000000000000 I
C:\System Volume Information\_restore{362CA220-4197-4C6B-8803-D7823399063A}\RP786\A0156522.exe a variant of Win32/Injector.CLX trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{362CA220-4197-4C6B-8803-D7823399063A}\RP786\A0156524.exe a variant of Win32/Injector.CMC trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{362CA220-4197-4C6B-8803-D7823399063A}\RP786\A0156558.vbs MSIL/Autorun.Agent.A worm 00000000000000000000000000000000 I
C:\System Volume Information\_restore{362CA220-4197-4C6B-8803-D7823399063A}\RP786\A0156790.vbs MSIL/Lolmehot.E worm 00000000000000000000000000000000 I
C:\System Volume Information\_restore{362CA220-4197-4C6B-8803-D7823399063A}\RP786\A0156791.bat MSIL/Autorun.N worm 00000000000000000000000000000000 I
C:\System Volume Information\_restore{362CA220-4197-4C6B-8803-D7823399063A}\RP786\A0159128.vbs MSIL/Autorun.Agent.A worm 00000000000000000000000000000000 I
C:\System Volume Information\_restore{362CA220-4197-4C6B-8803-D7823399063A}\RP787\A0159619.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{362CA220-4197-4C6B-8803-D7823399063A}\RP787\A0159620.bat MSIL/Autorun.N worm 00000000000000000000000000000000 I
C:\System Volume Information\_restore{362CA220-4197-4C6B-8803-D7823399063A}\RP787\A0159621.vbs MSIL/Lolmehot.E worm 00000000000000000000000000000000 I
C:\System Volume Information\_restore{362CA220-4197-4C6B-8803-D7823399063A}\RP787\A0159622.exe Win32/PrcView application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{362CA220-4197-4C6B-8803-D7823399063A}\RP787\A0159624.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{362CA220-4197-4C6B-8803-D7823399063A}\RP787\A0159629.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
What ESET found were bad entries in your Windows System Restore program; the files in Qoobox are backups of what Combofix removed, and also some bad files in your Java Cache folder.
When we're done we will remove CF, and Qoobox will be removed along with it.
This will clear your Java Cache
1. Click Start > Settings > Control Panel.
2. Double-click the Java Plug-in icon in the control panel.
3. Click the Cache tab.
4. Click Clear. A confirmation dialog box appears.
5. Click Yes to confirm.
6. Click Apply.
System Restore makes regular backups of all your settings. If you ever had to use this program to restore your system to a previous date, you will be infected all over again, so we need to clean out the previous Restore Points.
Turn off System Restore.
Right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore on all Drives.
Click Apply, and then click OK.
Reboot your computer
Turn ON System Restore.
Right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore on all Drives.
Click Apply, and then click OK.
Create a new Restore Point <-- Very Important
Go to Start > All Programs > Accessories > System Tools > System Restore and create a New Restore Point
System Restore Tutorial (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- If you need it
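The sorting Ken does by eye above (restore-point entries, Qoobox backups, Java cache files) can be done mechanically over the scanner log, which is useful when the log runs to hundreds of lines. The script below is an added example, not code from this thread or from ESET; it assumes the one-finding-per-line layout quoted above (path, detection name, 32-character checksum, flag) and applies the location rules from the reply. The first three sample lines are copied from the quoted log; the last three are constructed here with placeholder paths.

```python
import re
from collections import Counter

# Constructed sample of an ESET Online Scanner log, one finding per line:
# path, detection name, 32-hex checksum, flag. The first three lines are
# copied from the log quoted in this thread; the last three are made up here
# (placeholder paths) to exercise the other locations the reply describes:
# the ComboFix Qoobox backup, the Java cache, and a file that is neither.
SAMPLE_LOG = r"""
C:\System Volume Information\_restore{362CA220-4197-4C6B-8803-D7823399063A}\RP786\A0156521.vbs MSIL/Autorun.Agent.A worm 00000000000000000000000000000000 I
C:\System Volume Information\_restore{362CA220-4197-4C6B-8803-D7823399063A}\RP786\A0156522.exe a variant of Win32/Injector.CLX trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{362CA220-4197-4C6B-8803-D7823399063A}\RP787\A0159619.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\placeholder.dll.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\6.0\12\placeholder-1234abcd.idx MSIL/Autorun.Agent.A worm 00000000000000000000000000000000 I
C:\WINDOWS\system32\placeholder.exe a variant of Win32/Injector.CMC trojan 00000000000000000000000000000000 I
"""

# The path ends at the first ".ext" that is followed by whitespace; the
# detection text runs up to the 32-character checksum and the trailing flag.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?\.[A-Za-z0-9]{1,4})\s+"
    r"(?P<threat>.+?)\s+"
    r"(?P<checksum>[0-9A-Fa-f]{32})\s+"
    r"(?P<flag>\S+)$"
)
RP_RE = re.compile(r"\\(RP\d+)\\")


def parse_line(line):
    """Return the fields of one log line, or None if it is not a finding."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(path):
    """Map a detected file to the location category the cleanup plan uses."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore-point"      # cleared by turning System Restore off and on
    if "\\qoobox\\" in p:
        return "combofix-backup"    # removed together with ComboFix
    if "\\sun\\java\\deployment\\cache\\" in p:
        return "java-cache"         # removed by clearing the Java cache
    return "live"                   # anything else deserves a closer look


def triage(log_text):
    """Parse a whole log and summarise where the findings live."""
    findings = [f for f in map(parse_line, log_text.splitlines()) if f]
    counts = Counter()
    live, restore_points = [], set()
    for f in findings:
        f["location"] = classify(f["path"])
        counts[f["location"]] += 1
        if f["location"] == "live":
            live.append(f["path"])
        elif f["location"] == "restore-point":
            m = RP_RE.search(f["path"])
            if m:
                restore_points.add(m.group(1))
    return {
        "findings": findings,
        "counts": dict(counts),
        "live": live,
        "restore_points": sorted(restore_points),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for kind, n in sorted(report["counts"].items()):
        print(f"{kind:16} {n}")
    print("restore points touched:", ", ".join(report["restore_points"]))
    for path in report["live"]:
        print("needs attention:", path)
```

Everything in the "restore-point", "combofix-backup" and "java-cache" buckets is dealt with by the three housekeeping steps in the reply; only the "live" bucket is worth reading line by line.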
Okay, I've done all that.
Should I run the scanner again (or another scanner) to double-check that all is well?
And also, what to do about those "-crack.exe" files? And when would be a good time for me to get Windows Service Pack 3?
Also, I'm using Avast! as my anti-virus software. I need to start using another one for spyware, malware, and adware, correct? What do you recommend? I used to use Tea Timer but it really got on my nerves, always asking questions (which wouldn't bother me, it's just that I never understood if something was good or bad so I was always afraid to answer). I just need something effective that won't use up my computer's limited resources and will just do the job quietly.
Why don't you do this: these cracked files are just setup files and they're in your download folder, so why don't you just empty out your download folder?
c:\documents and settings\rebel\my documents\downloads <--Just delete everything inside this folder but not the folder itself, leave it all in the Recycle Bin for a day or so. I think they were just put there by malware; whatever you do, don't run the setup with any of them.
c:\documents and settings\rebel\my documents\downloads\adobe-crack.exe
c:\documents and settings\rebel\my documents\downloads\alwil software-crack.exe
c:\documents and settings\rebel\my documents\downloads\ati technologies-crack.exe
c:\documents and settings\rebel\my documents\downloads\audacity-crack.exe
c:\documents and settings\rebel\my documents\downloads\audible-crack.exe
c:\documents and settings\rebel\my documents\downloads\avanquest update-crack.exe
c:\documents and settings\rebel\my documents\downloads\bittorrent-crack.exe
c:\documents and settings\rebel\my documents\downloads\broadcom-crack.exe
c:\documents and settings\rebel\my documents\downloads\common files-crack.exe
c:\documents and settings\rebel\my documents\downloads\complus applications-crack.exe
c:\documents and settings\rebel\my documents\downloads\cricket broadband connect-crack.exe
c:\documents and settings\rebel\my documents\downloads\cyberlink-crack.exe
c:\documents and settings\rebel\my documents\downloads\dell computer-crack.exe
c:\documents and settings\rebel\my documents\downloads\dell-crack.exe
c:\documents and settings\rebel\my documents\downloads\divx-crack.exe
c:\documents and settings\rebel\my documents\downloads\dna-crack.exe
c:\documents and settings\rebel\my documents\downloads\hp-crack.exe
c:\documents and settings\rebel\my documents\downloads\installshield installation information-crack.exe
c:\documents and settings\rebel\my documents\downloads\intel-crack.exe
c:\documents and settings\rebel\my documents\downloads\internet explorer-crack.exe
c:\documents and settings\rebel\my documents\downloads\jasc software inc-crack.exe
c:\documents and settings\rebel\my documents\downloads\java-crack.exe
c:\documents and settings\rebel\my documents\downloads\microsoft activesync-crack.exe
c:\documents and settings\rebel\my documents\downloads\microsoft capicom 2.1.0.2-crack.exe
c:\documents and settings\rebel\my documents\downloads\microsoft frontpage-crack.exe
c:\documents and settings\rebel\my documents\downloads\microsoft office-crack.exe
c:\documents and settings\rebel\my documents\downloads\microsoft silverlight-crack.exe
c:\documents and settings\rebel\my documents\downloads\minefield-crack.exe
c:\documents and settings\rebel\my documents\downloads\movie maker-crack.exe
c:\documents and settings\rebel\my documents\downloads\mozilla firefox-crack.exe
c:\documents and settings\rebel\my documents\downloads\msbuild-crack.exe
c:\documents and settings\rebel\my documents\downloads\msecache-crack.exe
c:\documents and settings\rebel\my documents\downloads\msn gaming zone-crack.exe
c:\documents and settings\rebel\my documents\downloads\msxml 6.0-crack.exe
c:\documents and settings\rebel\my documents\downloads\netmeeting-crack.exe
c:\documents and settings\rebel\my documents\downloads\online services-crack.exe
c:\documents and settings\rebel\my documents\downloads\outlook express-crack.exe
c:\documents and settings\rebel\my documents\downloads\pantech-crack.exe
c:\documents and settings\rebel\my documents\downloads\quicktime-crack.exe
c:\documents and settings\rebel\my documents\downloads\reference assemblies-crack.exe
c:\documents and settings\rebel\my documents\downloads\roxio-crack.exe
c:\documents and settings\rebel\my documents\downloads\tall emu-crack.exe
c:\documents and settings\rebel\my documents\downloads\uninstall information-crack.exe
c:\documents and settings\rebel\my documents\downloads\videolan-crack.exe
c:\documents and settings\rebel\my documents\downloads\windows media player-crack.exe
c:\documents and settings\rebel\my documents\downloads\windows nt-crack.exe
c:\documents and settings\rebel\my documents\downloads\windowsupdate-crack.exe
c:\documents and settings\rebel\my documents\downloads\winrar-crack.exe
c:\documents and settings\rebel\my documents\downloads\xerox-crack.exe
c:\documents and settings\rebel\my documents\downloads\yahoo!-crack.exe
c:\program files\jasc software inc\paint shop pro 8\bump maps\cracked desert.pspimage <--Delete these
c:\program files\jasc software inc\paint shop pro 8\patterns\cracked paint.pspimage
c:\program files\jasc software inc\paint shop pro 8\picture frames\black crackle.pspframe
Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button. Your system may start up slower after running ATF Cleaner; this is expected, but it will be back to normal after the first or second boot-up.
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized your password and other personal information, as removing cookies will temporarily disable the auto-login facility.
Avast is fine, a nice program. I am going to link you to some free tools to install. The TeaTimer in Spybot does get in your face at times; what you can do is keep Spybot but just don't enable the TeaTimer. One of the free programs is SpywareBlaster, which does the same thing as the TeaTimer but not in your face.
I think you're clear to go ahead and install Service Pack 3. You can do that by opening IE and going to Tools > Windows Update, then download and install all critical updates including SP3 and IE 8; do not install any driver files for other programs.
Go to your Control Panel and click on the Java icon (looks like a little coffee cup), click on About, and you should have Version 6 Update 21; if not, proceed with the instructions.
Download the latest version Here (http://java.sun.com/javase/downloads/index.jsp) save it, do not install it yet.
Java SE Runtime Environment (JRE) JRE 6 Update 21 <--The wording is confusing but this is what you need
Go to your Add Remove Programs in the Control Panel and uninstall any previous versions of Java
Reboot your computer
Install the latest version
You can verify the installation Here (http://www.java.com/en/download/help/testvm.xml)
ATF Cleaner <-- Yours to keep, run it now and then to clean out the clutter.
Malwarebytes <-- Yours to keep also, check for updates and run a scan now and then.
Combofix <-- Is not a general cleaning tool, just run it with supervision or you can damage your system
Click START then RUN
Now type Combofix /uninstall in the run box and click OK. Note the space between the X and the U; it needs to be there.
http://i526.photobucket.com/albums/cc345/MPKwings/CF-Uninstall.png
When shown the disclaimer, Select "2"
The above procedure will:
Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.
Now to remove most of the tools that we have used in fixing your machine:
Make sure you have an Internet Connection.
Download OTC (http://oldtimer.geekstogo.com/OTC.exe) to your desktop and run it
A list of tool components used in the cleanup of malware will be downloaded.
If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
Click Yes to begin the cleanup process and remove these components, including this application.
You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.
How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)
Keep in mind if you install some of these programs: only ONE Anti-Virus and only ONE Firewall is recommended; more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster and Spyware Guard, they will conflict with the TeaTimer in Spybot; you can still install Spybot Search and Destroy but do not enable the TeaTimer.
Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community.
Spybot Search and Destroy 1.6 (http://www.safer-networking.org/en/download/)
Check for Updates / Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster (Recommended) then do not enable the TeaTimer in Spybot Search and Destroy.
WinPatrol (www.winpatrol.com/download.html) Keep this fine program activated to block a lot of threats
Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.
Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.
IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.
Firefox 3 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, you can use them both.
Safe Surfn
Ken
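Ken's observation that each "-crack.exe" file is named after a folder on the machine (Adobe, Tall Emu, WinRAR and so on) is itself a usable triage rule for a file listing. The script below is an added example, not the helper's code nor any tool's; it classifies names only and never opens or runs a file. It assumes a list of Program Files folder names, constructed here from names that appear in the quoted listing, and a Downloads listing that mixes a few of the quoted names with two made-up ordinary downloads; one of the Paint Shop Pro files whose name merely contains "crack" is included to show that the rule keys on the exact `<folder>-crack.exe` shape rather than on the word.

```python
import ntpath

# Constructed inputs. PROGRAM_DIRS imitates folder names under
# C:\Program Files on the machine in this thread (taken from names in the
# quoted listing); DOWNLOADS mixes quoted "-crack.exe" names with two
# made-up ordinary downloads; OTHER is a data file whose name contains
# "crack" but does not follow the pattern.
PROGRAM_DIRS = [
    "Adobe", "Alwil Software", "ATI Technologies", "Jasc Software Inc",
    "Microsoft Office", "Tall Emu", "WinRAR", "Common Files",
    "Uninstall Information", "Internet Explorer",
]
DOWNLOADS = [
    r"c:\documents and settings\rebel\my documents\downloads\adobe-crack.exe",
    r"c:\documents and settings\rebel\my documents\downloads\tall emu-crack.exe",
    r"c:\documents and settings\rebel\my documents\downloads\winrar-crack.exe",
    r"c:\documents and settings\rebel\my documents\downloads\cricket broadband connect-crack.exe",
    r"c:\documents and settings\rebel\my documents\downloads\placeholder-setup.exe",
    r"c:\documents and settings\rebel\my documents\downloads\holiday photos.zip",
]
OTHER = [
    r"c:\program files\jasc software inc\paint shop pro 8\bump maps\cracked desert.pspimage",
]

SUFFIX = "-crack.exe"


def crack_stem(path):
    """Return the lowercased part before '-crack.exe', or None when the
    file name does not end that way (ntpath handles backslash paths on
    any OS)."""
    name = ntpath.basename(path).lower()
    if name.endswith(SUFFIX) and len(name) > len(SUFFIX):
        return name[: -len(SUFFIX)]
    return None


def triage_downloads(paths, program_dirs):
    """Group files by how closely they fit the one-per-program-folder
    pattern: exact folder match, the ending alone, or neither."""
    known = {d.lower() for d in program_dirs}
    result = {"folder_match": [], "pattern_only": [], "ignored": []}
    for p in paths:
        stem = crack_stem(p)
        if stem is None:
            result["ignored"].append(p)          # no -crack.exe ending
        elif stem in known:
            result["folder_match"].append(p)     # named after a program folder
        else:
            result["pattern_only"].append(p)     # the ending, but no such folder
    return result


if __name__ == "__main__":
    report = triage_downloads(DOWNLOADS + OTHER, PROGRAM_DIRS)
    for bucket, files in report.items():
        print(f"{bucket}: {len(files)}")
        for f in files:
            print("   ", ntpath.basename(f))
```

On a real machine the folder list would come from listing C:\Program Files; the more names in the "folder_match" bucket, the more likely the batch was generated from that listing rather than downloaded one by one.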
Alright Ken, I downloaded all that stuff and I feel much better about my computer now. It's still a bit slow on startup but I suspect that's due to its age, hard drive size, and amount of memory. I'll read the guides you posted. Is there anything else I need to do?
Looks like you're free to go.
You may want to post on our sister site in the Windows forum; we all work together, and you can link them to this thread if you wish. Just tell them you had some bad infections that we cleaned but your system is a bit slow; they can go through the startup list and maybe sort out a few things that are slowing it down.
http://forums.whatthetech.com/index.php?showforum=119
You have 2GBs of memory, which is more than adequate for this system. It looks like you have half your hard drive full, which is OK, but you may have a lot of stuff that you can give the boot to, like old programs you don't use anymore. Rule of thumb with software you installed: if you haven't used it in 6 months, then get rid of it.
Ken :)