Win32.Agent.ieu



Donny
2010-09-09, 23:33
Dear Analysts,

Spybot S&D 1.6.2 has found Win32.Agent.Ieu in this file:
c:\windows\services.exe

Spybot can't clean it. After reboot, when logging in to my user, I see two black command-prompt-like windows with command.com in their title bar. I guess this is what happens when services.exe is restored.

Please help me get rid of this stuff.

My DDS log is below. I attach my attach.log zipped as requested.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 23:18:38,56 on 2010.09.09.
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.2.1250.36.1038.18.3063.2450 [GMT 2:00]

AV: ESET NOD32 Antivirus System 2.70 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: COMODO Firewall Pro *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
E:\Program Files\cFosSpeed\cFosSpeed.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\TBPanel.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Comodo\Firewall\cfp.exe
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\DeviceVM\Browser Configuration Utility\BCU.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\WINDOWS\system32\ASTSRV.EXE
C:\Program Files\DeviceVM\Browser Configuration Utility\BCUService.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
E:\Program Files\cFosSpeed\spd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\ScreenMe\sm_ScreenMe.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
e:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
E:\_EmberDownload\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.hu/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/custom?client=pub-3794288947762788&forid=1&channel=5369970905&ie=UTF-8&oe=UTF-8&safe=active&cof=GALT%3A%23008000%3BGL%3A1%3BDIV%3A%23336699%3BVLC%3A663399%3BAH%3Acenter%3BBGC%3AFFFFFF%3BLBGC%3A336699%3BALC%3A0000FF%3BLC%3A0000FF%3BT%3A000000%3BGFNT%3A0000FF%3BGIMP%3A0000FF%3BFORID%3A1&hl=hu&q={searchTerms}
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: SearchHook Class: {bc86e1ab-eda5-4059-938f-ce307b0c6f0a} - c:\program files\devicevm\browser configuration utility\AddressBarSearch.dll
mWinlogon: SFCDisable=-99 (0xffffff9d)
BHO: Adobe PDF Reader hivatkozássúgó: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: bho2gr Class: {31ff080d-12a3-439a-a2ef-4ba95a3148e8} - e:\program files\getright\xx2gr.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live bejelentkezési segítség: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Google Update] "c:\documents and settings\Owner\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [cFosSpeed] e:\program files\cfosspeed\cFosSpeed.exe
mRun: [Sunkist2k] c:\program files\multimedia card reader\shwicon2k.exe
mRun: [Gainward] c:\windows\TBPanel.exe /A
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [nod32kui] "c:\program files\eset\nod32kui.exe" /WAITSERVICE
mRun: [COMODO Firewall Pro] "c:\program files\comodo\firewall\cfp.exe" -h
mRun: [EEventManager] c:\program files\epson\creativity suite\event manager\EEventManager.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Siemens SmartSync - ScheduleSync] c:\progra~1\mobile~1\smarts~1\SCHEDU~1.EXE
mRun: [BCU] "c:\program files\devicevm\browser configuration utility\BCU.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\documents and settings\Owner\start menu\programs\indítópult\sm_Autorun.exe
IE: Download with GetRight - e:\program files\getright\GRdownload.htm
IE: E&xportálás Microsoft Excel formátumba - e:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Open with GetRight Browser - e:\program files\getright\GRbrowse.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - e:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
LSP: c:\windows\system32\imon.dll
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - hxxp://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - hxxp://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
AppInit_DLLs: c:\windows\system32\guard32.dll
SEH: {EE5A1465-1E73-4784-8F63-45983FDF0DB8} - No File
LSA: Authentication Packages = msv1_0 c:\windows\system32\yayyYRIA

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\Owner\applic~1\mozilla\firefox\profiles\fspkjsr9.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\documents and settings\Owner\application data\mozilla\firefox\profiles\fspkjsr9.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\Owner\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\photodex presenter\npPxPlay.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("editor.use_css", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2008-4-27 87056]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2008-4-27 24208]
R1 magicpvt;magicpvt;c:\windows\system32\drivers\magicpvt.sys [2008-8-4 9728]
R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2008-4-20 15424]
R1 tvtool;tvtool;c:\program files\tvtool\TVTOOL.SYS [1996-4-3 5248]
R2 aawservice;Ad-Aware 2007 Service;e:\program files\lavasoft\ad-aware 2007\aawservice.exe [2010-2-10 607576]
R2 ASTSRV;Nalpeiron Licensing Service;c:\windows\system32\ASTSRV.EXE [2009-7-19 57344]
R2 BCUService;Browser Configuration Utility Service;c:\program files\devicevm\browser configuration utility\BCUService.exe [2010-2-9 219360]
R2 cmdAgent;COMODO Firewall Pro Helper Service;c:\program files\comodo\firewall\cmdagent.exe [2008-4-27 519936]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-9-16 54752]
R2 NOD32krn;NOD32 Kernel Service;c:\program files\eset\nod32krn.exe [2008-4-20 552064]
R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [2007-6-19 14976]
R3 cdiport;cdiport;c:\windows\system32\drivers\cdiport.sys [2008-5-26 72320]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2010-2-9 1390976]
S0 nullcd;nullcd;c:\windows\system32\drivers\nullcd.sys --> c:\windows\system32\drivers\nullcd.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-6 135664]
S2 OkiPar;OkiPar;c:\windows\system32\drivers\OkiPar.Sys [2001-10-2 40192]
S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]
S3 AdWatchDrv;AW Realtime Driver;c:\windows\system32\drivers\AWRTPD.sys [2007-7-11 6272]
S3 CH341SER;CH341SER;c:\windows\system32\drivers\CH341SER.SYS [2010-3-6 39632]
S3 fsssvc;Windows Live Családbiztonság szolgáltatás;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2010-2-24 137344]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2010-2-24 8320]
S3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2009-12-10 14424]
S3 pccsmcfd;PCCS Mode Change Filter Driver;c:\windows\system32\drivers\pccsmcfd.sys [2010-1-9 18816]
S3 SwitchBoard;SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]

=============== Created Last 30 ================

2010-09-08 20:29:12 0 d-----w- c:\windows\system32\hu-hu
2010-09-08 20:25:06 0 d--h--w- c:\windows\$hf_mig$
2010-09-08 20:24:59 294912 -c----w- c:\windows\system32\dllcache\msctf.dll
2010-09-08 20:21:06 0 d-----w- c:\program files\MSECache
2010-09-08 12:15:55 54156 ---ha-w- c:\windows\QTFont.qfn
2010-09-08 12:15:55 1409 ----a-w- c:\windows\QTFont.for
2010-09-08 10:43:42 71286 ----a-w- C:\Quantis_utalas.pdf
2010-09-06 13:36:02 0 d-----w- c:\program files\DigiLabor 3
2010-09-05 20:32:27 0 d-----w- c:\docume~1\alluse~1.win\applic~1\ACD Systems
2010-09-05 20:32:24 0 d-----w- c:\program files\ACD Systems
2010-09-02 19:24:32 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Symantec
2010-09-02 19:24:32 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Norton
2010-09-02 19:24:30 0 d-----w- c:\docume~1\alluse~1.win\applic~1\NortonInstaller
2010-09-02 16:42:07 0 d-----w- C:\divx
2010-09-02 16:27:56 0 d-----w- c:\program files\common files\DivX Shared
2010-09-02 16:27:24 0 d-----w- c:\program files\DivX
2010-09-02 16:26:50 0 d-----w- c:\docume~1\alluse~1.win\applic~1\DivX
2010-09-02 14:45:21 0 d-----w- C:\output media
2010-09-02 14:42:35 164352 ----a-w- c:\windows\system32\unrar.dll
2010-09-02 14:42:29 860160 ----a-w- c:\windows\system32\lameACM.acm
2010-09-02 14:42:29 414 ----a-w- c:\windows\system32\lame_acm.xml
2010-09-02 14:42:29 217088 ----a-w- c:\windows\system32\yv12vfw.dll
2010-09-02 14:42:29 118784 ----a-w- c:\windows\system32\ac3acm.acm
2010-09-02 14:42:28 755027 ----a-w- c:\windows\system32\xvidcore.dll
2010-09-02 14:42:28 3596288 ----a-w- c:\windows\system32\qt-dx331.dll
2010-09-02 14:42:28 159839 ----a-w- c:\windows\system32\xvidvfw.dll
2010-09-02 14:42:24 683520 ----a-w- c:\windows\system32\divx.dll
2010-09-02 14:42:23 7680 ----a-w- c:\windows\system32\ff_vfw.dll
2010-09-02 14:42:23 547 ----a-w- c:\windows\system32\ff_vfw.dll.manifest
2010-09-02 14:42:21 0 d-----w- c:\program files\K-Lite Codec Pack
2010-09-02 14:38:04 34 ---ha-w- c:\windows\system32\Converter_sysquict.dat
2010-09-02 14:28:59 0 d-----w- c:\docume~1\Owner\applic~1\AnvSoft
2010-08-31 16:46:07 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2010-08-31 16:46:07 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2010-08-29 20:19:30 0 d-----w- c:\program files\Photodex Presenter
2010-08-29 20:18:22 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Photodex
2010-08-24 23:06:18 0 d-----w- c:\docume~1\alluse~1.win\applic~1\regid.1986-12.com.adobe

==================== Find3M ====================

2010-07-12 17:56:31 36064 ----a-w- c:\docume~1\Owner\applic~1\GDIPFONTCACHEV1.DAT
2007-06-22 20:00:26 892427335 ----a-w- c:\program files\The Bat!.rar
2006-06-25 06:48:54 32768 ----a-r- c:\windows\inf\UpdateUSB.exe
2007-12-27 21:01:00 80 --sh--r- c:\windows\system32\5CF081D9D2.dll

============= FINISH: 23:19:06,98 ===============

Blottedisk
2010-09-12, 04:43
Hi Donny,

My name is Blottedisk and I will be helping you with your log. We apologize for the delay in responding to your request for help. Here at Safer-Networking we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.



Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Thread Tools menu to the right of your topic title and selecting "Subscribe to this Thread".
Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
Please be aware that I am still in training, and all of my replies to you will be checked for accuracy by one of our experts to ensure that I am giving you the best possible advice. This may cause a delay in response time, but I will do my best to keep it as short as possible.


The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 5 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Please bear with me, I will post back to you shortly with instructions.


Blottedisk
2010-09-12, 18:39
Hi again Donny,


The log is showing an unknown .rar file in your program files folder:

c:\program files\The Bat!.rar

Do you recognize it?


Please do the following:


Step 1 | Follow the instructions given in the following topic in order to temporarily disable Spybot's TeaTimer

http://forums.whatthetech.com/index.php?s=&showtopic=96260&view=findpost&p=494214


Step 2 | Please download RootRepeal from one of the following mirrors:

Link 1 (http://ad13.geekstogo.com/RootRepeal.exe)
Link 2 (http://download.bleepingcomputer.com/rootrepeal/RootRepeal.exe)
Link 3 (http://rootrepeal.psikotick.com/RootRepeal.exe)

--------------------------------------------------------------------

Save it to your desktop
Double click RootRepeal.exe to start the program
Click on the Report tab at the bottom of the program window
Click the Scan button
In the Select Scan dialog, check:

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services


Click the OK button
In the next dialog, select all drives showing
Click OK to start the scan

The scan can take some time. DO NOT run any other programs while the scan is running


When the scan is complete, the Save Report button will become available
Click this and save the report to your Desktop as RootRepeal.txt
Go to File, then Exit to close the program


If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.


Step 3 | Let's have a look at Spybot's logfiles. Please navigate to the following location:

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs

Copy the contents of your last fixes, checks and resident logfiles and paste them in your next reply. You will recognize the last ones because they are dated, in this format:

Checks.yymmdd-hhmm and Fixes.yymmdd-hhmm and Resident.yymmdd-hhmm


Step 4 | Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)

--------------------------------------------------------------------


Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:


:dir
%programfiles%
Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt


Step 5 | Please go here: http://virusscan.jotti.org/


When the jotti page has finished loading, click the "Browse" button and navigate to the following files and click Submit:

c:\windows\services.exe
c:\windows\system32\5CF081D9D2.dll
c:\program files\The Bat!.rar
c:\documents and settings\dani\start menu\programs\indítópult\sm_Autorun.exe


Copy the results and paste them here
Note: You will not be able to upload and scan all files at once. You will have to submit and scan each file separately.



Please post back with:

Spybot S&D logs
RootRepeal log
Systemlook Log
jotti's results for each file

Donny
2010-09-13, 00:14
Dear Blottedisk,

No apologies needed, you guys are the help of last resort for me and a lot of people, and the service is free, so thanks in advance.

As for my little problem.

To your questions.
1, The Bat!.rar is an 871 megabyte compressed backup file. The Bat! is my preferred e-mail client and this file contains several thousand e-mails saved over a few years (file date is 2007). It also contains e-mail attachments, which can be messy sometimes, but I guess this file will not harm me directly, and any possible malware or viruses in it are so old that any decent resident scanner should find them immediately (like Nod32, which I'm running). I'm telling you this because I can't upload this to Jotti's scanner; it's over the 20 megabyte limit.

2, sm_autorun.exe is a screensaver program called Screen Meditation and should be OK, but I ran it through Jotti's scanner as you requested to make sure.

Now for the logs. I post here what I can and I attach my Spybot logs to this post. I included not only the last logs but a few days back. I updated Spybot on 9th September after a long time of not using it, so what it found before getting stuck on this services.exe file might be interesting to you.

As for the SystemLook log, I post two logs here, as I have a "Program Files" directory on two drives. "C" is the default, which is the first SystemLook log, as you can see.

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/09/12 23:11
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB61DE000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBAE44000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB588E000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\services.exe
Status: Locked to the Windows API!

SSDT
-------------------
#: 011 Function Name: NtAdjustPrivilegesToken
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb63f1c8c

#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb63f13c4

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb63f18a0

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb63f243c

#: 046 Function Name: NtCreatePort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb63f1080

#: 050 Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb63f3084

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb63f1e72

#: 053 Function Name: NtCreateThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb63f0c50

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb63f20b8

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb63f2268

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb63f0b02

#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb63f2d24

#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb63f1ab0

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb63f0822

#: 125 Function Name: NtOpenSection
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb63f1744

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb63f09aa

#: 192 Function Name: NtRenameKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb63f27f2

#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb63f1196

#: 210 Function Name: NtSecureConnectPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb63f2ae6

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb63f2ec4

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb63f2602

#: 249 Function Name: NtShutdownSystem
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb63f15d2

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb63f1638

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb63f0f4a

#: 258 Function Name: NtTerminateThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb63f0e18

==EOF==

SystemLook 04.09.10 by jpshortstuff
Log created at 23:48 on 12/09/2010 by Owner
Administrator - Elevation successful

========== dir ==========

C:\Program Files - Parameters: "(none)"

---Files---
The Bat!.rar --a---- 892427335 bytes [19:46 22/06/2007] [20:00 22/06/2007]

---Folders---
Abev 2006 d------ [21:15 29/03/2007]
abevjava d------ [06:15 20/05/2009]
Absolutist.com d------ [19:46 01/06/2007]
ACD Systems d------ [20:32 05/09/2010]
Active File Compare d------ [07:03 18/04/2009]
activePDF d------ [12:59 01/12/2007]
Adobe d------ [20:52 15/05/2007]
Adobe Media Player d------ [22:58 24/08/2010]
AGEIA Technologies d------ [09:56 13/04/2008]
Ahead d------ [16:10 20/04/2010]
Alien Skin d------ [07:27 19/07/2009]
AMP WinOFF d------ [21:29 17/06/2007]
Apple Software Update d------ [19:27 23/07/2007]
ArcSoft d------ [20:09 09/03/2009]
Astrologos_4_free d------ [19:46 21/02/2009]
ASUS d------ [10:05 09/02/2010]
ATI Catalyst Control Center d------ [20:08 04/05/2007]
BFG d------ [10:12 30/12/2007]
BSplayer d------ [20:43 19/05/2007]
ca d------ [20:39 19/05/2007]
Canon d------ [09:12 18/05/2007]
CaptureText.com d------ [16:04 20/12/2009]
Catalyst d------ [19:19 15/05/2007]
Catan d------ [10:12 30/12/2007]
CDBurnerXP d------ [12:59 28/05/2010]
CeWe Color d------ [11:15 22/06/2007]
Common Files d------ [23:27 28/12/2006]
Comodo d------ [12:04 02/09/2007]
ComPlus Applications d------ [01:11 29/12/2006]
DC++ d------ [22:34 18/05/2007]
DeviceVM d--h--- [10:02 09/02/2010]
DIFX d------ [11:38 09/01/2010]
DigiLabor 3 d------ [13:36 06/09/2010]
DivX d------ [16:27 02/09/2010]
Dragon Jumper d------ [19:40 01/06/2007]
DVD Identifier d------ [18:19 14/09/2009]
DVDInfoPro d------ [16:53 02/02/2008]
EL-WIN-USB d------ [14:49 08/01/2008]
epson d------ [20:11 17/09/2008]
ERUNT d------ [21:15 09/09/2010]
ESET d------ [19:14 20/04/2008]
FlashGet d------ [07:32 14/03/2008]
Foxit Software d------ [04:20 11/09/2010]
FrameMaster2 d------ [04:45 22/06/2007]
GameFace Messenger d------ [20:14 07/02/2008]
Google d------ [20:14 18/05/2007]
GSpot d------ [09:58 27/05/2007]
Hewlett-Packard d------ [17:32 21/05/2007]
IKEA HomePlanner d------ [19:37 01/01/2009]
Imagenomic d------ [06:52 15/08/2009]
InstallShield Installation Information d--h--- [19:20 15/05/2007]
Intel d------ [09:58 09/02/2010]
Internet Explorer d------ [01:12 29/12/2006]
Java d------ [16:42 21/06/2007]
K-Lite Codec Pack d------ [14:42 02/09/2010]
Kodak d------ [18:51 28/11/2007]
MagicRotation d------ [07:33 04/08/2008]
Mental Games d------ [23:43 19/02/2008]
Messenger d------ [01:11 29/12/2006]
Microsec d------ [09:00 10/08/2009]
Microsoft d------ [13:23 16/09/2009]
microsoft frontpage d------ [01:14 29/12/2006]
Microsoft Office d------ [07:06 21/05/2007]
Microsoft Silverlight d------ [13:26 16/09/2009]
Microsoft SQL Server Compact Edition d------ [13:25 16/09/2009]
Microsoft Sync Framework d------ [13:26 16/09/2009]
Microsoft.NET d------ [07:19 08/06/2007]
Mobile Phone Manager d------ [13:20 31/01/2008]
MosaicCreator d------ [07:24 29/09/2007]
Movie Maker d------ [01:13 29/12/2006]
Mozilla Firefox d------ [19:55 15/05/2007]
MSBuild d------ [18:27 24/10/2007]
MSECache d------ [20:21 08/09/2010]
MSI d------ [21:25 15/05/2007]
MSN d------ [01:11 29/12/2006]
MSN Gaming Zone d------ [01:11 29/12/2006]
MSXML 6.0 d------ [11:34 09/01/2010]
Multimedia Card Reader d------ [10:14 09/06/2007]
Neat Image d------ [04:52 22/06/2007]
NetMeeting d------ [01:12 29/12/2006]
Nokia d------ [11:34 09/01/2010]
Oberon d------ [22:11 28/12/2007]
OfficeRecovery d------ [19:28 11/11/2009]
Online Services d------ [01:11 29/12/2006]
Outlook Express d------ [01:12 29/12/2006]
PacShooter d------ [18:26 01/06/2007]
Panasonic d------ [20:02 09/03/2009]
Paragon Software d------ [20:27 26/05/2008]
PC Connectivity Solution d------ [17:21 24/02/2010]
PeerBlock d------ [18:13 10/12/2009]
PeerGuardian2 d------ [11:45 02/09/2007]
Photodex Presenter d------ [20:19 29/08/2010]
PhotoMix Collage d------ [05:12 21/06/2007]
PhotoPrint d------ [16:52 06/02/2010]
QuickTime d------ [19:27 23/07/2007]
Real d------ [20:59 25/12/2007]
Realtek d------ [10:03 09/02/2010]
Realtek AC97 d------ [21:02 15/05/2007]
redlightcenter d------ [04:45 25/07/2007]
Reference Assemblies d------ [18:23 24/10/2007]
RS Green Computing Shutdown Scheduler Demo d------ [22:32 15/06/2007]
Samsung d------ [14:18 02/09/2008]
ScreenMe d------ [21:57 11/08/2008]
SilverFast Application d------ [20:29 17/09/2008]
Skype d------ [08:57 24/10/2008]
Sophos d------ [19:57 24/04/2008]
Spybot - Search & Destroy d------ [18:34 10/06/2007]
SpywareBlaster d------ [21:30 18/06/2007]
Stardock d------ [20:42 05/12/2009]
TBFDropZone d------ [18:02 24/10/2007]
The Bat! d------ [19:40 15/05/2007]
TomaWeb d------ [21:26 30/08/2007]
totalcmd d------ [21:33 28/12/2006]
TVTool d------ [19:20 11/06/2008]
UnH Solutions d------ [18:56 10/08/2007]
Uninstall Information d--h--- [01:18 29/12/2006]
Unlocker d------ [17:47 07/06/2007]
URUSoft d------ [07:08 11/08/2007]
VeryPDF PDF2Word v3.0 d------ [17:06 03/05/2008]
VIA d------ [10:01 09/02/2010]
VirusTotalUploader d------ [21:51 20/04/2008]
Winamp d------ [12:21 13/10/2007]
Windows Live d------ [13:22 16/09/2009]
Windows Live SkyDrive d------ [13:22 16/09/2009]
Windows Media Player d------ [01:12 29/12/2006]
Windows NT d------ [01:11 29/12/2006]
WindowsUpdate d--h--- [01:11 29/12/2006]
WinRAR d------ [15:59 15/05/2007]
WinZip d------ [15:59 15/05/2007]
xerox d------ [01:14 29/12/2006]

-= EOF =-

SystemLook 04.09.10 by jpshortstuff
Log created at 00:08 on 13/09/2010 by Owner
Administrator - Elevation successful

========== dir ==========

e:\program files - Parameters: "(none)"

---Files---
None found.

---Folders---
7tools d------ [11:56 10/02/2010]
ABBYY FineReader 8.0 Professional Edition d------ [11:56 10/02/2010]
Adobe d------ [11:57 10/02/2010]
Agnitum d------ [11:58 10/02/2010]
Ahead d------ [11:58 10/02/2010]
ATI Technologies d------ [11:58 10/02/2010]
AVIJOINER d------ [11:58 10/02/2010]
AvRack d------ [11:58 10/02/2010]
Azureus d------ [11:58 10/02/2010]
C-Media d------ [11:58 10/02/2010]
Canon d------ [11:58 10/02/2010]
cFosSpeed d------ [11:58 10/02/2010]
Common Files d------ [17:59 31/01/2010]
Complex d------ [11:59 10/02/2010]
ComPlus Applications d------ [17:13 31/01/2010]
DC++ d------ [12:00 10/02/2010]
DigiLabor 3 d------ [12:00 10/02/2010]
DOSBox-0.65 d------ [12:00 10/02/2010]
E.M. HD Video Converter d------ [15:13 02/09/2010]
eMule d------ [12:00 10/02/2010]
ESET d------ [12:01 10/02/2010]
Firefox d------ [12:01 10/02/2010]
Free Convert to DIVX AVI WMV MP4 MPEG Converter d------ [14:37 02/09/2010]
GetRight d------ [12:01 10/02/2010]
GlobalSCAPE d------ [12:01 10/02/2010]
Google d------ [12:01 10/02/2010]
GrimFandango d------ [12:01 10/02/2010]
GSpot d------ [12:01 10/02/2010]
IbanQ d------ [12:01 10/02/2010]
InstallShield Installation Information d--h--- [12:01 10/02/2010]
Intel d------ [12:01 10/02/2010]
Internet Explorer d------ [17:13 31/01/2010]
IrfanView d------ [12:01 10/02/2010]
Java d------ [12:01 10/02/2010]
K-Lite Codec Pack d------ [12:01 10/02/2010]
Kala d------ [12:01 10/02/2010]
KasperskyAV7 d------ [12:01 10/02/2010]
KJK-Kerszov d------ [12:01 10/02/2010]
Lame MP3 Codec d------ [12:02 10/02/2010]
Lavasoft d------ [12:02 10/02/2010]
MediaJoin d------ [12:02 10/02/2010]
Messenger d------ [17:12 31/01/2010]
Microsoft ActiveSync d------ [12:02 10/02/2010]
microsoft frontpage d------ [17:16 31/01/2010]
Microsoft Office2003 d------ [12:02 10/02/2010]
Movie Maker d------ [17:13 31/01/2010]
Mozilla Firefox d------ [12:02 10/02/2010]
MP3 Player Utilities 4.07 d------ [12:02 10/02/2010]
MP3 Stream Editor d------ [12:02 10/02/2010]
mp3Trim d------ [12:02 10/02/2010]
MSI d------ [12:02 10/02/2010]
MSN Gaming Zone d------ [17:12 31/01/2010]
MSN Messenger d------ [12:02 10/02/2010]
MSXML 4.0 d------ [12:02 10/02/2010]
muvee Technologies d------ [12:02 10/02/2010]
My Company Name d------ [12:02 10/02/2010]
Nero d------ [12:02 10/02/2010]
NetMeeting d------ [17:13 31/01/2010]
office Convert Pdf to Excel for xls d------ [07:46 16/02/2010]
OfficeXP d------ [12:02 10/02/2010]
Okidata d------ [12:02 10/02/2010]
OLYMPUS d------ [12:02 10/02/2010]
Online Services d------ [17:14 31/01/2010]
OO Software d------ [12:03 10/02/2010]
Outlook Express d------ [17:13 31/01/2010]
PeerGuardian2 d------ [12:03 10/02/2010]
PerformanceTest d------ [22:16 09/02/2010]
Photo Mark_backup d------ [12:03 10/02/2010]
Photodex d------ [20:19 29/08/2010]
PhotoPrint d------ [12:03 10/02/2010]
Pixmantec d------ [12:03 10/02/2010]
PowerQuest d------ [12:03 10/02/2010]
Quark d------ [12:03 10/02/2010]
QuickTime d------ [12:03 10/02/2010]
Realtek AC97 d------ [12:03 10/02/2010]
Realtek Sound Manager d------ [12:03 10/02/2010]
Red Chair Software d------ [12:03 10/02/2010]
RivaTuner v2.09 d------ [12:03 10/02/2010]
Samsung d------ [12:03 10/02/2010]
Setup Files d------ [12:03 10/02/2010]
SilverFast Application d------ [12:03 10/02/2010]
Skype d------ [12:03 10/02/2010]
SONY d------ [12:03 10/02/2010]
The Bat! d------ [12:04 10/02/2010]
Uninstall Information d--h--- [17:19 31/01/2010]
Unlocker d------ [12:05 10/02/2010]
URUSoft d------ [12:05 10/02/2010]
Webteh d------ [12:05 10/02/2010]
Whisper Technology d------ [12:05 10/02/2010]
WinAVIVideoConverter d------ [12:05 10/02/2010]
Windows Media Player d------ [17:12 31/01/2010]
Windows NT d------ [17:12 31/01/2010]
WindowsUpdate d--h--- [17:14 31/01/2010]
WinRAR d------ [12:05 10/02/2010]
WinZip d------ [12:05 10/02/2010]
xerox d------ [17:16 31/01/2010]
XviD d------ [12:05 10/02/2010]
Yahoo! Games d------ [12:05 10/02/2010]

-= EOF =-

Jotti's online scanner:

services.exe
I could not upload the file, it is locked by the system.
Jotti said: "File is empty (0 bytes)! "
The same happened when trying to upload it to VirusTotal, which I use sometimes; I couldn't.

Filename: 5CF081D9D2.dll
Status:
Scan finished. 0 out of 19 scanners reported malware.
Scan taken on: Sun 12 Sep 2010 23:50:45 (CET) Permalink

Filename: sm_Autorun.exe
Status:
Scan finished. 0 out of 19 scanners reported malware.
Scan taken on: Sun 12 Sep 2010 23:54:22 (CET) Permalink

The Bat!.rar
I could not upload the file; it's way over Jotti's limit
(20 MB limit, 871 MB file).

Best regards,

Donny

Donny
2010-09-13, 00:15
Hmm. Almost forgot my spybot logs. See attached.

Daniel

Blottedisk
2010-09-14, 03:50
Hi Donny,


Thanks for providing both the set of logs and the information requested (which is very clear, by the way).
We're dealing with a tough infection this time. Please follow the steps below in order:


Step 1 | Temporarily disable ESET Nod32


Double click on the system tray icon: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/ESETti.jpg on the bottom right hand corner.
Select Disable real-time file system protection.
A popup will ask "Are you sure you want to disable...protection?"
Click "Yes" to disable the Antivirus guard.



Step 2 | Temporarily disable Comodo Firewall PRO


Right-click the system tray icon.
Select Exit.
On the Pop up window, Click the Yes button.
You successfully disabled Comodo Firewall.



Step 3 | After disabling your security programs, download Combofix from any of the links below and save it to your desktop.

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)

--------------------------------------------------------------------


Double click on Combofix.exe & follow the prompts.
When finished, it will produce a report for you.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


http://img.photobucket.com/albums/v706/ried7/whatnext.png


Click on Yes, to continue scanning for malware.
When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper.

If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Donny
2010-09-14, 23:19
Dear Blottedisk,

I have done what you asked. Combofix did some work, I post its log here.
The automatic recovery console installation didn't work, failed to download for some reason.
Please note that Nod32 was disabled as you requested, but it came back on after Combofix rebooted my PC. I tried to disable it again during Combofix log creation (couldn't), so some of Nod32's activity may appear in the Combofix log for this reason.

ComboFix 10-09-14.01 - Owner 010.09.14. 22:10:12.1.4 - x86
Microsoft Windows XP Professional 5.1.2600.2.1250.36.1038.18.3063.2414 [GMT 2:00]
Running from: c:\documents and settings\Owner\Asztal\ComboFix.exe
AV: ESET NOD32 Antivirus System 2.70 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: COMODO Firewall Pro *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\_ULAJD~1.TMP
c:\documents and settings\Owner\admin.exe
c:\documents and settings\Owner\Application Data\avdrn.dat
c:\windows\services.exe
c:\windows\system32\Memman.vxd
c:\windows\system32\Microsoft\backup.ftp
c:\windows\system32\Microsoft\backup.tftp
c:\windows\system32\skinboxer43.dll
c:\windows\system32\zip32.dll
c:\windows\Sysvxd.exe

c:\windows\system32\tftp.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-08-14 to 2010-09-14 )))))))))))))))))))))))))))))))
.

2010-09-14 09:42 . 2010-09-14 09:42 -------- dc-h--w- c:\documents and settings\All Users.WINDOWS\Application Data\{27B0A538-DF16-44D6-820D-D0B042C42C20}
2010-09-14 09:42 . 2009-09-17 15:50 2760720 -c--a-w- c:\documents and settings\All Users.WINDOWS\Application Data\{27B0A538-DF16-44D6-820D-D0B042C42C20}\upc optimizer.exe
2010-09-14 09:42 . 2010-09-14 09:42 -------- d-----w- c:\program files\UPC Fiber Power Optimizer
2010-09-14 09:41 . 2010-09-14 09:41 -------- d-----w- c:\documents and settings\Maci\Local Settings\Application Data\PackageAware
2010-09-11 04:20 . 2010-09-11 04:20 -------- d-----w- c:\program files\Foxit Software
2010-09-09 21:15 . 2010-09-09 21:15 -------- d-----w- c:\program files\ERUNT
2010-09-08 20:59 . 2010-08-13 07:13 35136 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\fspkjsr9.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2010-09-08 20:59 . 2010-08-13 07:13 32032 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\fspkjsr9.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2010-09-08 20:29 . 2010-09-08 20:29 -------- d-----w- c:\windows\system32\hu-hu
2010-09-08 20:25 . 2010-09-08 20:26 -------- d--h--w- c:\windows\$hf_mig$
2010-09-08 20:24 . 2008-02-26 12:01 294912 -c----w- c:\windows\system32\dllcache\msctf.dll
2010-09-08 20:21 . 2010-09-08 20:21 -------- d-----w- c:\program files\MSECache
2010-09-06 13:36 . 2010-09-07 22:19 -------- d-----w- c:\program files\DigiLabor 3
2010-09-05 20:32 . 2010-09-05 20:32 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\ACD Systems
2010-09-05 20:32 . 2010-09-05 20:32 -------- d-----w- c:\program files\ACD Systems
2010-09-04 16:23 . 2010-09-04 16:23 452104 ----a-w- c:\documents and settings\Maci\Application Data\Real\Update\setup3.12\setup.exe
2010-09-02 19:24 . 2010-09-02 19:25 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Norton
2010-09-02 19:24 . 2010-09-02 19:24 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Symantec
2010-09-02 19:24 . 2010-09-02 19:24 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\NortonInstaller
2010-09-02 16:42 . 2010-09-14 15:21 -------- d-----w- C:\divx
2010-09-02 16:26 . 2010-09-02 16:26 144696 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.exe
2010-09-02 16:26 . 2010-09-02 16:28 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\DivX
2010-09-02 14:45 . 2010-09-02 14:51 -------- d-----w- C:\output media
2010-09-02 14:42 . 2007-09-04 16:56 164352 ----a-w- c:\windows\system32\unrar.dll
2010-09-02 14:42 . 2004-01-25 16:18 217088 ----a-w- c:\windows\system32\yv12vfw.dll
2010-09-02 14:42 . 2008-05-22 22:22 3596288 ----a-w- c:\windows\system32\qt-dx331.dll
2010-09-02 14:42 . 2008-01-10 12:16 159839 ----a-w- c:\windows\system32\xvidvfw.dll
2010-09-02 14:42 . 2008-01-10 12:15 755027 ----a-w- c:\windows\system32\xvidcore.dll
2010-09-02 14:42 . 2008-05-30 23:22 683520 ----a-w- c:\windows\system32\divx.dll
2010-09-02 14:42 . 2008-06-12 18:36 7680 ----a-w- c:\windows\system32\ff_vfw.dll
2010-09-02 14:42 . 2010-09-02 14:42 -------- d-----w- c:\program files\K-Lite Codec Pack
2010-09-02 14:38 . 2010-09-02 14:38 34 ---ha-w- c:\windows\system32\Converter_sysquict.dat
2010-09-02 14:28 . 2010-09-02 14:28 -------- d-----w- c:\documents and settings\Owner\Application Data\AnvSoft
2010-08-31 16:46 . 2001-10-26 17:01 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2010-08-31 16:46 . 2001-10-26 17:01 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2010-08-29 20:19 . 2010-08-29 20:19 -------- d-----w- c:\program files\Photodex Presenter
2010-08-29 20:19 . 2010-08-29 20:19 -------- d-----w- c:\documents and settings\Maci\Application Data\Netscape
2010-08-29 20:18 . 2010-08-29 20:18 -------- d-----w- c:\documents and settings\Maci\Application Data\Photodex
2010-08-29 20:18 . 2010-08-29 20:19 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Photodex
2010-08-25 06:32 . 2010-08-25 06:32 13502 ----a-r- c:\documents and settings\Maci\Application Data\Microsoft\Installer\{AD871377-A1A3-4D7B-AA5E-EB163E1202C6}\ARPPRODUCTICON.exe
2010-08-24 23:06 . 2010-08-24 23:06 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\regid.1986-12.com.adobe
2010-08-24 22:58 . 2010-08-24 22:58 -------- d-----w- c:\program files\Adobe Media Player
2010-08-24 22:56 . 2010-08-24 22:55 38784 ----a-w- c:\documents and settings\Default User.WINDOWS\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-08-24 22:55 . 2010-08-24 22:55 -------- d-----w- c:\program files\Common Files\Adobe AIR

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-14 15:29 . 2007-05-23 18:15 -------- d-----w- c:\documents and settings\Maci\Application Data\Azureus
2010-09-11 04:40 . 2007-06-21 17:09 -------- d-----w- c:\documents and settings\Owner\Application Data\Azureus
2010-09-11 04:28 . 2007-05-30 22:49 40344 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-09-08 22:24 . 2007-05-15 20:50 40344 ----a-w- c:\documents and settings\Maci\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-09-08 20:24 . 2007-06-10 18:34 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-09-08 05:43 . 2007-06-10 18:34 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2010-09-07 20:16 . 2007-05-18 22:34 -------- d-----w- c:\program files\DC++
2010-09-06 09:29 . 2007-05-15 19:59 -------- d-----w- c:\program files\Common Files\ACD Systems
2010-08-25 06:32 . 2007-11-28 18:51 -------- d-----w- c:\program files\Kodak
2010-08-25 06:27 . 2009-08-15 06:52 -------- d-----w- c:\program files\Imagenomic
2010-08-24 22:59 . 2007-05-15 20:53 -------- d-----w- c:\program files\Common Files\Adobe
2010-08-21 21:33 . 2008-04-14 18:32 8 ----a-w- c:\windows\system32\nvModes.dat
2010-07-27 17:10 . 2010-06-27 09:46 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-23 17:05 . 2009-08-15 13:06 -------- d-----w- c:\documents and settings\Maci\Application Data\Imagenomic
2010-07-20 21:54 . 2007-06-17 21:29 -------- d-----w- c:\program files\AMP WinOFF
2010-07-20 18:24 . 2008-08-11 21:57 -------- d-----w- c:\program files\ScreenMe
2007-06-22 20:00 . 2007-06-22 19:46 892427335 ----a-w- c:\program files\The Bat!.rar
2007-12-27 21:01 . 2007-12-27 20:01 80 --sh--r- c:\windows\system32\5CF081D9D2.dll
.

------- Sigcheck -------

[7] 2004-08-03 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2004-08-03 . 6A603809F598332DBEDD535BDBCE313E . 359040 . . [5.1.2600.2180] . . c:\windows\system32\drivers\tcpip.sys
[-] 2001-10-26 . E7774698BB0D14B0710A9A31E209F9B6 . 327168 . . [5.1.2600.0] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-18 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-10-24 90112]
"cFosSpeed"="e:\program files\cFosSpeed\cFosSpeed.exe" [2006-08-07 815104]
"Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [2005-08-25 139264]
"Gainward"="c:\windows\TBPanel.exe" [2007-06-26 2173480]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-07-23 8466432]
"nwiz"="nwiz.exe" [2007-07-23 1626112]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2008-04-20 949376]
"COMODO Firewall Pro"="c:\program files\Comodo\Firewall\cfp.exe" [2008-06-08 1655552]
"EEventManager"="c:\program files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2006-10-12 102400]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-13 148888]
"BCU"="c:\program files\DeviceVM\Browser Configuration Utility\BCU.exe" [2009-08-04 346320]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-07-23 81920]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-17 110592]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-08-20 1164584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-17 15360]

c:\documents and settings\Maci\Start Menu\Programs\Indítópult\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\Owner\Start Menu\Programs\Indítópult\
sm_Autorun.exe [2010-7-20 6656]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2008.04.27. 22:23 87056]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2008.04.27. 22:23 24208]
R1 magicpvt;magicpvt;c:\windows\system32\drivers\magicpvt.sys [2008.08.04. 9:33 9728]
R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2008.04.20. 21:16 15424]
R1 tvtool;tvtool;c:\program files\TVTool\TVTOOL.SYS [1996.04.03. 20:33 5248]
R2 ASTSRV;Nalpeiron Licensing Service;c:\windows\system32\ASTSRV.EXE [2009.07.19. 9:27 57344]
R2 BCUService;Browser Configuration Utility Service;c:\program files\DeviceVM\Browser Configuration Utility\BCUService.exe [2010.02.09. 12:02 219360]
R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [2007.06.19. 0:48 14976]
R3 cdiport;cdiport;c:\windows\system32\drivers\cdiport.sys [2008.05.26. 22:27 72320]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2010.02.09. 12:02 1390976]
S0 nullcd;nullcd;c:\windows\system32\Drivers\nullcd.sys --> c:\windows\system32\Drivers\nullcd.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009.12.06. 1:58 135664]
S2 OkiPar;OkiPar;c:\windows\system32\drivers\OkiPar.Sys [2001.10.02. 10:54 40192]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
S3 AdWatchDrv;AW Realtime Driver;c:\windows\system32\drivers\AWRTPD.sys [2007.07.11. 14:37 6272]
S3 CH341SER;CH341SER;c:\windows\system32\drivers\CH341SER.SYS [2010.03.06. 15:55 39632]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2010.02.24. 19:20 137344]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2010.02.24. 19:20 8320]
S3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [2009.12.10. 20:13 14424]
S3 pccsmcfd;PCCS Mode Change Filter Driver;c:\windows\system32\drivers\pccsmcfd.sys [2010.01.09. 13:38 18816]
S3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010.02.19. 13:37 517096]
.
Contents of the 'Scheduled Tasks' folder

2010-08-30 c:\windows\Tasks\AdobeAAMUpdater-1.0-OwnerGEP-Maci.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2010-08-24 01:44]

2010-09-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-05 23:58]

2010-09-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-05 23:58]

2010-09-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2000478354-920026266-839522115-1004Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-05-04 09:12]

2010-09-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2000478354-920026266-839522115-1004UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-05-04 09:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.hu/
uSearchMigratedDefaultURL = hxxp://www.google.com/custom?client=pub-3794288947762788&forid=1&channel=5369970905&ie=UTF-8&oe=UTF-8&safe=active&cof=GALT%3A%23008000%3BGL%3A1%3BDIV%3A%23336699%3BVLC%3A663399%3BAH%3Acenter%3BBGC%3AFFFFFF%3BLBGC%3A336699%3BALC%3A0000FF%3BLC%3A0000FF%3BT%3A000000%3BGFNT%3A0000FF%3BGIMP%3A0000FF%3BFORID%3A1&hl=hu&q={searchTerms}
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Download with GetRight - e:\program files\GetRight\GRdownload.htm
IE: E&xportálás Microsoft Excel formátumba - e:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Open with GetRight Browser - e:\program files\GetRight\GRbrowse.htm
LSP: c:\windows\System32\imon.dll
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\fspkjsr9.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\fspkjsr9.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Photodex Presenter\npPxPlay.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

Notify-AtiExtEvent - (no file)
AddRemove-Skip web road - c:\docume~1\Owner\APPLIC~1\AXISSA~1\bolt mail.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-14 22:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2000478354-920026266-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{52E4AEB1-EC51-F77A-E214-DD63992D20EF}*]
"dbabnklpojabhbjgflbogglmcfaogdiihglkimbl"=hex:69,61,70,65,6a,6f,6b,63,6f,6f,
6f,66,6b,68,6f,62,65,68,00,00
"cbknomjfmjpbofemkpmeigjhcinciboambpgfi"=hex:6a,61,68,65,68,61,61,6a,6e,62,6a,
67,62,68,6a,6d,6f,6a,6f,6c,00,e1

[HKEY_USERS\S-1-5-21-2000478354-920026266-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F256C93D-B758-ACD7-E815-0762A21AD202}*]
"cbbpeajpchafoiekmnaconiebjfmgadggflbbi"=hex:69,61,6b,64,6c,6e,66,66,66,62,6f,
6d,6a,66,68,65,65,65,00,00
"iadmgfjhjglhldgpno"=hex:61,61,00,00
"habpeajpchafoiek"=hex:61,61,00,00
"iapmgpeibiklmpepcf"=hex:61,61,00,00
"dbdmgfjhjglhldgpnodljjkbamagdeohnomlameb"=hex:69,61,6e,64,6f,6e,61,66,65,61,
68,6f,62,67,64,6b,6e,62,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(764)
c:\windows\System32\imon.dll
c:\program files\Eset\pr_imon.dll

- - - - - - - > 'explorer.exe'(156)
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
e:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
e:\program files\cFosSpeed\spd.exe
c:\program files\Comodo\Firewall\cmdagent.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\program files\Eset\nod32krn.exe
c:\windows\SOUNDMAN.EXE
c:\windows\system32\nvsvc32.exe
e:\program files\Photodex\ProShowProducer\ScsiAccess.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
c:\windows\System32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Completion time: 2010-09-14 22:29:36 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-14 20:29

Pre-Run: 23*266*836*480 bytes free
Post-Run: 31*929*888*768 bytes free

- - End Of File - - DCF1DE07E9D681050292F677E19351AD
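
The Sigcheck block in the log above is the part worth reading twice: two copies of tcpip.sys carry the same version string (5.1.2600.2180) and size but different MD5s, and ComboFix marks only the ServicePackFiles copy as the verified reference ([7]) while the copy actually loaded from system32\drivers is flagged [-]. A differing hash says the installed file is not the one the service pack shipped; it does not say who changed it. The script below is an added example (not ComboFix's code and not from anyone in this thread) that parses such Sigcheck lines and reports every [-] file whose hash differs from the [7] reference of the same name and version, and separately any file for which no reference of that version exists (the 5.1.2600.0 copy in $NtServicePackUninstall$ is one). The line layout is inferred from the three lines in the log, and the sample input is constructed from those lines so it runs offline.

```python
"""Added example: flag files in a ComboFix "Sigcheck" section whose MD5
differs from the verified reference copy of the same name and version.
Not ComboFix's own code; the line format is inferred from the log above."""
import ntpath
import re

# Constructed sample input: the three tcpip.sys lines from the log above
# (same flags, hashes, sizes, versions and paths) plus the surrounding
# separator lines, so the parser can be exercised without a real log.
SAMPLE_LOG = r"""
------- Sigcheck -------

[7] 2004-08-03 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2004-08-03 . 6A603809F598332DBEDD535BDBCE313E . 359040 . . [5.1.2600.2180] . . c:\windows\system32\drivers\tcpip.sys
[-] 2001-10-26 . E7774698BB0D14B0710A9A31E209F9B6 . 327168 . . [5.1.2600.0] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
.
((((((((( Reg Loading Points )))))))))
"""

# One Sigcheck line, as seen in the log:  [flag] date . md5 . size . . [version] . . path
SIGCHECK_LINE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+(?P<date>\S+)\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})"
    r"\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+"
    r"(?P<path>\S.*?)\s*$"
)


def parse_sigcheck(log_text):
    """Return the entries of the Sigcheck section as a list of dicts
    (flag, date, md5, size, version, path). Parsing stops at the first
    non-entry text after the entries, i.e. the next section header."""
    entries, in_section = [], False
    for line in log_text.splitlines():
        if not in_section:
            in_section = "Sigcheck" in line
            continue
        m = SIGCHECK_LINE.match(line)
        if m:
            entries.append(m.groupdict())
        elif entries and line.strip() not in ("", "."):
            break
    return entries


def find_mismatches(entries):
    """Compare every non-reference entry ([-]) with the reference copy ([7])
    that has the same file name and version. Each finding carries a status:
    'hash-mismatch', 'matches-reference', or 'no-reference' when no verified
    copy of that version exists to compare against."""
    refs = {}
    for e in entries:
        if e["flag"] == "7":
            refs[(ntpath.basename(e["path"]).lower(), e["version"])] = e
    findings = []
    for e in entries:
        if e["flag"] == "7":
            continue
        ref = refs.get((ntpath.basename(e["path"]).lower(), e["version"]))
        finding = {"path": e["path"], "md5": e["md5"].upper(),
                   "version": e["version"], "reference": None,
                   "reference_md5": None}
        if ref is None:
            finding["status"] = "no-reference"
        else:
            finding["reference"] = ref["path"]
            finding["reference_md5"] = ref["md5"].upper()
            finding["status"] = ("hash-mismatch"
                                 if finding["reference_md5"] != finding["md5"]
                                 else "matches-reference")
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in find_mismatches(parse_sigcheck(SAMPLE_LOG)):
        print(f["status"], f["path"], f["md5"], "reference:", f["reference_md5"])
```

Run against the full ComboFix.txt rather than the sample and the output is the list of system files a helper would replace from known-good media; a file reported as no-reference cannot be judged from the log alone and needs its hash checked against the original installation source.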

Blottedisk
2010-09-16, 02:21
Combofix has done a good job. Please do the following:


ComboFix - CFScript

WARNING !
This script is for THIS user and computer ONLY!
Using this tool incorrectly could damage your Operating System... preventing it from starting again!

You will not have Internet access when you execute ComboFix. All open windows will need to be closed!

Please open Notepad and copy/paste all the text below... into the window:


KILLALL::

SRPEEK::
C:\Windows\System32\tftp.exe

Save it to your desktop as CFScript.txt
Please disable any Antivirus or Firewall you have active, as described in my previous post. Please also close all open application windows.
Drag the CFScript.txt (icon) into the ComboFix.exe icon... as seen in the image below:

http://i526.photobucket.com/albums/cc345/MPKwings/ComboFixScriptDrag.gif

This will cause ComboFix to run again.
Do Not use your keyboard or mouse click anywhere in the ComboFix window, as this may cause the program to stall or crash.
Do Not touch your computer when ComboFix is running!
When finished... Notepad will open ... ComboFix will produce a log file called "log.txt".
Please copy/paste the contents of log.txt... in your next reply.

** Enable your Antivirus and Firewall, before connecting to the Internet again! **

Donny
2010-09-17, 03:14
Dear Blottedisk,

I did what you requested. Combofix rebooted my machine again, which again caused my virus scanner and firewall to become active again while Combofix was making the log.
An unknown program, "PEV.cfxxe", tried to connect to the internet. I blocked the request, but found out from the firewall log later that this attempt was from the temporary "c:\combofix" directory. I hope it's not a necessary feature for combofix to connect to the net via this unknown file.

My Combofix log is attached as it is too long. What do you think of it?

Regards,

Donny.

Blottedisk
2010-09-18, 04:03
Hi there,


Don't worry about that file, thanks for letting me know. The log seems clean except for an infected system file that needs to be replaced with a good copy from the Windows CD. Please follow these steps:


Step 1 | Please insert your Windows XP CD into your F: CD-Rom drive. Then:

Go to Start --> Run and type "cmd" (don't include the quotes) and press enter.
A command prompt window will open. Please type the following and then press enter:
expand F:\i386\TFTP.EX_ C:\Windows\System32\tftp.exe
Reboot your computer.

Step 2 | Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)

--------------------------------------------------------------------
Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:


:file
C:\Windows\System32\tftp.exe

Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Donny
2010-09-21, 11:55
Dear Blottedisk,

I replaced the tftp.exe file. My systemlook log:

SystemLook 04.09.10 by jpshortstuff
Log created at 11:53 on 21/09/2010 by Dani
Administrator - Elevation successful

========== file ==========

C:\Windows\System32\tftp.exe - File found and opened.
MD5: 415DFF0341F9F0851B2679B5D7B1711F
Created at 12:00 on 26/10/2001
Modified at 09:40 on 21/09/2010
Size: 16896 bytes
Attributes: --a----
FileDescription: TFTP - triviális fájlátviteli protokoll alkalmazása
FileVersion: 5.1.2600.0 (xpclient.010817-1148)
ProductVersion: 5.1.2600.0
OriginalFilename: tftp.exe
InternalName: tftp.exe
ProductName: Microsoft® Windows® operációs rendszer
CompanyName: Microsoft Corporation
LegalCopyright: © Microsoft Corporation. Minden jog fenntartva.

-= EOF =-

Blottedisk
2010-09-21, 17:15
Hi,


Good job :)


Please follow these steps:


Step 1 | Please disable Spybot's TeaTimer. If TeaTimer is already disabled, just skip this step.

Launch Spybot S&D, go to the Mode menu and make sure "Advanced Mode" is selected.
On the left hand side, click on Tools, then click on the Resident Icon in the list.
Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
Click on the "System Startup" icon in the List
Uncheck the "TeaTimer" box and "OK" any prompts.
If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
Exit Spybot S&D when done and reboot your computer.
(When we are done, you can re-enable TeaTimer using the same steps but this time place a check next to "Resident TeaTimer" and check the "TeaTimer" box in System Startup.)

Step 2 | Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older version Java components and update.

Click on the following link to visit java website: Java Runtime Environment (JRE) 6 (http://www.oracle.com/technetwork/java/javase/downloads/index.html)

Scroll down to where it says "JDK 6 Update 21 (JDK or JRE)".
Click the "Download" button to the right column (JRE).
Select the Windows platform from the dropdown menu.
Read the License Agreement and then check the box that says: " I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue. The page will refresh.
Click on the link to download Windows Offline Installation and save the file to your desktop.
Close any programs you may have running - especially your web browser.
Now go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on the recently downloaded java installer icon to install the newest version.
After the install is complete, go into the Control Panel
(using Classic View) and double-click the Java Icon. (looks like a
coffee cup)
On the General tab, under Temporary Internet Files, click the Settings button.
Next, click on the Delete Files button
There are two options in the window to clear the cache - Leave BOTH Checked
Applications and Applets
Trace and Log Files
Click OK on Delete Temporary Files Window
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
Click OK to leave the Temporary Files Window
Click OK to leave the Java Control Panel.

Step 3 | Please download TFC by OldTimer (http://oldtimer.geekstogo.com/TFC.exe) to your desktop.

Save any unsaved work. TFC will close all open application windows.
Double-click TFC.exe to run the program.
Click the Start button in the bottom left of TFC
If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It should not take longer than a couple of minutes , and may only take a few seconds. Only if needed will you be prompted to reboot.


Step 4 | Please download Malwarebytes' Anti-Malware (http://forums.whatthetech.com/redirect.php?url=http%3A%2F%2Fwww.besttechie.net%2Ftools%2Fmbam-setup.exe) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.

Step 5 | Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan. Note: Internet Explorer should be used.

Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Mail databases
Click on My Computer under Scan and then put the kettle on!
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place like your Desktop. Change the Files of type to Text file (.txt) before clicking on the Save button.
Copy and paste the report into your next reply.


http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif

Blottedisk
2010-09-26, 18:29
Hi there - Are you still with us?

Donny
2010-09-27, 08:06
Dear Blottedisk,

I was collecting my enthusiasm to run the Kaspersky test, which took 12 hours.

I did what you suggested. Here are my logs.

I will not have much trouble removing the files in the Kaspersky log except for the threats built into my The Bat! email client's message base. It's a huge file containing thousands of emails. To delete one of them I would have to know which specific email I'm looking for.

---------------

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Adatbázis verzió: 4691

Windows 5.1.2600 Szervizcsomag 3
Internet Explorer 7.0.5730.13

2010.09.25. 15:54:05
mbam-log-2010-09-25 (15-54-05).txt

Vizsgálat típusa: Gyorsvizsgálat
Átvizsgált objektumok: 183220
Eltelt idő: 5 perc, 58 másodperc

Fertőzött memóriafolyamatok: 0
Fertőzött memória modulok: 0
Fertőzött Rendszerleíró kulcsok: 3
Fertőzött Rendszerleíró értékek: 2
Fertőzött Rendszerleíró adatelemek: 0
Fertőzött mappák: 0
Fertőzött fájlok: 1

Fertőzött memóriafolyamatok:
(Nem találhatók rosszindulatú elemek)

Fertőzött memória modulok:
(Nem találhatók rosszindulatú elemek)

Fertőzött Rendszerleíró kulcsok:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.

Fertőzött Rendszerleíró értékek:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\host (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\id (Malware.Trace) -> Quarantined and deleted successfully.

Fertőzött Rendszerleíró adatelemek:
(Nem találhatók rosszindulatú elemek)

Fertőzött mappák:
(Nem találhatók rosszindulatú elemek)

Fertőzött fájlok:
C:\WINDOWS\system32\tftp_suspicious.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
-----------------
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Monday, September 27, 2010
Operating system: Microsoft Windows XP Professional Szervizcsomag 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Saturday, September 25, 2010 19:24:31
Records in database: 4241278
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
H:\
J:\
K:\

Scan statistics:
Objects scanned: 554512
Threats found: 31
Infected objects found: 73
Suspicious objects found: 2
Scan duration: 12:53:54


File name / Threat / Threats count
C:\Program Files\Catan\Catan.exe Infected: Trojan-Dropper.Win32.Delf.eum 1
C:\Program Files\ESET\infected\0JDUTJBA.NQF Infected: Trojan-PSW.Win32.Dybalom.d 1
C:\Program Files\ESET\infected\2ZXDAODA.NQF Infected: Trojan-Mailfinder.Win32.Agent.ye 1
C:\Program Files\ESET\infected\3LXL2QDA.NQF Infected: Packed.Win32.Zack.a 1
C:\Program Files\ESET\infected\433ZL0CA.NQF Infected: Trojan-Downloader.Win32.Exchanger.fz 1
C:\Program Files\ESET\infected\ALBIIVAA.NQF Infected: not-a-virus:AdWare.Win32.SaveNow.e 1
C:\Program Files\ESET\infected\ALBIIVAA.NQF Infected: not-a-virus:AdWare.Win32.SaveNow.bl 1
C:\Program Files\ESET\infected\ALBIIVAA.NQF Infected: not-a-virus:AdWare.Win32.SaveNow.m 2
C:\Program Files\ESET\infected\CUHSV4CA.NQF Infected: Backdoor.Win32.Sinowal.eee 1
C:\Program Files\ESET\infected\DS1NY4BA.NQF Infected: Backdoor.Win32.Sinowal.eee 1
C:\Program Files\ESET\infected\HRTDVNCA.NQF Infected: Trojan.Win32.JoleeePack.gen 1
C:\Program Files\ESET\infected\JFNUDZAA.NQF Infected: Trojan-Mailfinder.Win32.Agent.ye 1
C:\Program Files\ESET\infected\LJWAJECA.NQF Infected: Trojan-Downloader.Win32.Mutant.amz 1
C:\Program Files\ESET\infected\S2CVJTDA.NQF Infected: P2P-Worm.Win32.Polip.a 1
C:\Program Files\ESET\infected\VQPWDYBA.NQF Infected: Trojan-Downloader.Win32.Agent.bgyi 1
C:\Program Files\ESET\infected\WZU22FBA.NQF Infected: Trojan-Mailfinder.Win32.Agent.ye 1
C:\Program Files\The Bat!\Mail\Dani\ATTACH\00000443.MSG Infected: Trojan.Win32.Agent.cjlh 1
C:\Program Files\The Bat!\Mail\Locsei2\Inbox\MESSAGES.TBB Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Program Files\The Bat!\Mail\Locsei2\Trash\MESSAGES.TBB Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Program Files\The Bat!\Mail\Principium\Inbox\MESSAGES.TBB Infected: Trojan-Downloader.HTML.Agent.km 1
C:\Program Files\The Bat!\Mail\Principium\Trash\MESSAGES.TBB Infected: Trojan-Downloader.HTML.Agent.km 1
C:\Qoobox\Quarantine\C\Documents and Settings\Dani\admin.exe.vir Infected: Trojan-Downloader.Win32.Agent.bgyi 1
C:\Qoobox\Quarantine\C\WINDOWS\_services_.exe.zip Infected: Trojan.Win32.JoleeePack.gen 1
C:\_Régi gépröl\C\Program Files\KEYKEY\keykey.exe Infected: not-a-virus:Monitor.Win32.KeyKey.121 1
C:\_Régi gépröl\C\Program Files\KEYKEY\kkmon.exe Infected: not-a-virus:Monitor.Win32.KeyKey.121 1
C:\_Régi gépröl\C\Program Files\KEYKEY\slman.exe Infected: not-a-virus:Monitor.Win32.KeyKey.121 1
C:\_Régi gépröl\C\Program Files\KEYKEY\slview.exe Infected: not-a-virus:Monitor.Win32.KeyKey.121 1
E:\Mentés\_EmberDownload\kk2000.zip Infected: not-a-virus:Monitor.Win32.KeyKey.121 12
E:\Mentés\_EmberDownload\WindowsXp_KeyFinder_ kf151.zip Infected: not-a-virus:PSWTool.Win32.RAS.g 1
E:\Mentés\_EmberDownload\WindowsXp_KeyFinder_ kf151.zip Infected: not-a-virus:PSWTool.Win32.RAS.a 1
E:\_Dani_pendrivementés\080528\RR4\VNC\UltraVNC-101-Setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.e 2
E:\_EmberDownload\acdsee_pro8__keygen.ZIP Infected: Trojan-Clicker.Win32.VB.gl 1
E:\_EmberDownload\kk2000.zip Infected: not-a-virus:Monitor.Win32.KeyKey.121 12
E:\_EmberDownload\MosaicCreator.3.1.Build.348.Patch.by.AT4RE.zip Infected: not-a-virus:AdWare.Win32.PurityScan.fk 1
E:\_EmberDownload\MosaicCreator.3.1.Build.348.Patch.by.AT4RE.zip Infected: Trojan.Win32.Genome.hrlo 1
E:\_EmberDownload\MosaicCreator.3.1.Build.348.Patch.by.AT4RE.zip Infected: Trojan-Downloader.Win32.Agent.srb 1
E:\_EmberDownload\MosaicCreator.3.1.Build.348.Patch.by.AT4RE.zip Infected: Trojan.Win32.Agent.brpv 1
E:\_EmberDownload\MosaicCreator.3.1.Build.348.Patch.by.AT4RE.zip Infected: Trojan-Downloader.Win32.PurityScan.fy 1
E:\_EmberDownload\SmileyCentralPFSetup2.2.60.11-2.ZNfox000.exe Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.bc 1
E:\_EmberDownload\UBCD4WinV30.exe Infected: not-a-virus:NetTool.Win32.Portscan.c 1
E:\_EmberDownload\UBCD4WinV30.exe Infected: not-a-virus:PSWTool.Win32.RAS.a 2
E:\_EmberDownload\UBCD4WinV30.exe Infected: not-a-virus:RemoteAdmin.Win32.NetCat.a 1
E:\_EmberDownload\UBCD4WinV30.exe Infected: not-a-virus:PSWTool.Win32.PasswordsPro.dw 1
E:\_EmberDownload\UBCD4WinV30.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 3
E:\_EmberDownload\UBCD4WinV30.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.e 2
E:\_EmberDownload\WindowsXp_KeyFinder_ kf151.zip Infected: not-a-virus:PSWTool.Win32.RAS.g 1
E:\_EmberDownload\WindowsXp_KeyFinder_ kf151.zip Infected: not-a-virus:PSWTool.Win32.RAS.a 1

Selected area has been scanned.
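
As an added example (not part of the thread, and not Kaspersky's own code), a small Python triage of report lines in this format: it parses the `path Infected|Suspicious: threat count` lines, sets aside hits already inside a quarantine store (ESET's infected folder, ComboFix's Qoobox), separates not-a-virus riskware from real malware, and keeps the heuristic mail-database hits for manual review. The sample lines are constructed from the report above; the bucket names and the quarantine-folder list are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the Kaspersky Online Scanner 7 table above
# (a subset of the report's lines, plus the header and trailing status line).
SAMPLE_REPORT = r"""
File name / Threat / Threats count
C:\Program Files\Catan\Catan.exe Infected: Trojan-Dropper.Win32.Delf.eum 1
C:\Program Files\ESET\infected\CUHSV4CA.NQF Infected: Backdoor.Win32.Sinowal.eee 1
C:\Program Files\The Bat!\Mail\Locsei2\Inbox\MESSAGES.TBB Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Qoobox\Quarantine\C\WINDOWS\_services_.exe.zip Infected: Trojan.Win32.JoleeePack.gen 1
E:\_EmberDownload\WindowsXp_KeyFinder_ kf151.zip Infected: not-a-virus:PSWTool.Win32.RAS.g 1
E:\_EmberDownload\UBCD4WinV30.exe Infected: not-a-virus:NetTool.Win32.Portscan.c 1
E:\_EmberDownload\UBCD4WinV30.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.e 2

Selected area has been scanned.
"""

# One finding per line: "<path> Infected|Suspicious: <threat> <count>".
# The path is matched non-greedily because it may itself contain spaces
# (e.g. "WindowsXp_KeyFinder_ kf151.zip").
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<verdict>Infected|Suspicious): (?P<threat>\S+) (?P<count>\d+)$"
)

# Assumed quarantine stores on this machine (ESET's "infected" folder and
# ComboFix's Qoobox): detections there are already isolated, not live.
QUARANTINE_DIRS = (
    "c:\\program files\\eset\\infected\\",
    "c:\\qoobox\\quarantine\\",
)


def parse_report(text):
    """Return one dict per detection line; headers and status lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            findings.append({"path": m["path"], "verdict": m["verdict"],
                             "threat": m["threat"], "count": int(m["count"])})
    return findings


def classify(finding):
    """Bucket a finding by how much action it still needs."""
    if finding["path"].lower().startswith(QUARANTINE_DIRS):
        return "quarantined"   # already isolated; nothing live to remove
    if finding["verdict"] == "Suspicious":
        return "suspicious"    # heuristic hit (here inside a mail database): review first
    if finding["threat"].startswith("not-a-virus:"):
        return "riskware"      # key finders, VNC, keyloggers: legitimate but abusable tools
    return "malware"


def triage(text):
    """Map bucket -> {path: [threat names]} for the whole report."""
    buckets = defaultdict(lambda: defaultdict(list))
    for f in parse_report(text):
        buckets[classify(f)][f["path"]].append(f["threat"])
    return {k: dict(v) for k, v in buckets.items()}


def collect_candidates(text):
    """Sorted paths outside any quarantine store with a definite verdict: a
    starting point for a ComboFix Collect:: list. Mail databases stay out
    because they need per-message cleanup, as the thread discusses."""
    t = triage(text)
    paths = set(t.get("malware", {})) | set(t.get("riskware", {}))
    return sorted(paths)


if __name__ == "__main__":
    for bucket, entries in triage(SAMPLE_REPORT).items():
        print(f"[{bucket}]")
        for path, threats in entries.items():
            print(f"  {path}: {', '.join(threats)}")
    print("Collect::")
    for p in collect_candidates(SAMPLE_REPORT):
        print(p)
```

The candidate list is a review aid, not a deletion list: the helper's actual Collect:: script below also left out tools the user may legitimately own.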

Blottedisk
2010-09-27, 11:59
Good morning,



I was collecting my enthusiasm to run the Kaspersky test, which took 12 hours.

Don't worry, that's ok. Kaspersky scans can take an incredible amount of time. I've seen scans of +30 hours :hair:



I will not have much trouble removing the files in the Kaspersky log except for the threats built into my The Bat! email client's message base. It's a huge file containing thousands of emails. To delete one of them I would have to know which specific email I'm looking for.

Thanks for advising. We will see how to get rid of these in the future. Now:


Please run the MGA Diagnostic Tool and post back the report it creates:
Download MGADiag (http://go.microsoft.com/fwlink/?linkid=56062) to your desktop.
Double-click on MGADiag.exe to launch the program
Click "Continue"
Ensure that the "Windows" tab is selected (it should be by default).
Click the "Copy" button to copy the MGA Diagnostic Report to the Windows clipboard.
Paste the MGA Diagnostic Report back here in your next reply.

tashi
2010-10-02, 17:04
Donny, still with us?

Donny
2010-10-05, 20:48
Hi.

Here is my MGA log:

Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Status: Validation Control not Installed
Validation Code: 0
Cached Validation Code: N/A
Windows Product Key: *****-*****-YX87Q-497WD-D7F3Q
Windows Product Key Hash: FlJKn36hy/j6i6scw0A755WZYHU=
Windows Product ID: 55920-640-4698215-23934
Windows Product ID Type: 1
Windows License Type: Volume
Windows OS version: 5.1.2600.2.00010100.3.0.pro
ID: {3BF41D6E-76AD-41A2-9F3B-1E74F98013C7}(1)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A
Version: N/A

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 114 Blocked VLK 2
Microsoft Office XP Professional és FrontPage - 114 Blocked VLK 2
Microsoft Office Professional Edition 2003 - 108 Invalid VLK
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-230-1_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Win32)
Default Browser: C:\Program Files\Internet Explorer\IEXPLORE.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{3BF41D6E-76AD-41A2-9F3B-1E74F98013C7}</UGUID><Version>1.9.0027.0</Version><OS>5.1.2600.2.00010100.3.0.pro</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-D7F3Q</PKey><PID>55920-640-4698215-23934</PID><PIDType>1</PIDType><SID>S-1-5-21-2000478354-920026266-839522115</SID><SYSTEM><Manufacturer>System manufacturer</Manufacturer><Model>System Product Name</Model></SYSTEM><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Version>0602 </Version><SMBIOSVersion major="2" minor="6"/><Date>20091113000000.000000+000</Date></BIOS><HWID>D6363BF70184A97E</HWID><UserLCID>040E</UserLCID><SystemLCID>040E</SystemLCID><TimeZone>Közép-európai téli idő(GMT+01:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>114</Result><Products><Product GUID="{9028040E-6000-11D3-8CFE-0050048383C9}"><LegitResult>114</LegitResult><Name>Microsoft Office XP Professional és FrontPage</Name><Ver>10</Ver><Val>39476F84C4B4004</Val><Hash>4iCnywwNW1w4s9ukTIwGMGxyGic=</Hash><Pid>54892-640-0000025-17264</Pid><PidType>14</PidType></Product><Product GUID="{9011040E-6000-11D3-8CFE-0150048383C9}"><LegitResult>108</LegitResult><Name>Microsoft Office Professional Edition 2003</Name><Ver>11</Ver><Val>3D4F50B68B99500</Val><Hash>879hO96bcyU//QVPnUnEhR1nCUU=</Hash><Pid>74012-640-9928894-57746</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="10" Result="114"/><App Id="16" Version="10" Result="114"/><App Id="17" Version="10" Result="114"/><App Id="18" Version="10" Result="114"/><App Id="1A" Version="10" Result="114"/><App Id="1B" Version="10" Result="114"/><App Id="15" Version="11" Result="108"/><App Id="16" Version="11" Result="108"/><App Id="18" Version="11" Result="108"/><App Id="19" Version="11" Result="108"/><App Id="1A" Version="11" Result="108"/><App Id="1B" Version="11" Result="108"/><App 
Id="44" Version="11" Result="108"/></Applications></Office></Software></GenuineResults>

Licensing Data-->
N/A

Windows Activation Technologies-->
N/A

HWID Data-->
N/A

OEM Activation 1.0 Data-->
BIOS string matches: yes
Marker string from BIOS: 14330:ASUSTeK Computer Inc|196E1:GENUINE C&C INC
Marker string from OEMBIOS.DAT: N/A, hr = 0x80004005

OEM Activation 2.0 Data-->
N/A

Blottedisk
2010-10-06, 02:21
Hi again Donny,

Is there any reason why you have not Validated Windows yet? Windows really needs to get validated or it will get re-infected quickly.

Go to the Microsoft Diagnostics Site (http://www.microsoft.com/genuine/diag/) Note: Internet Explorer should be used.
Click "Start Diagnostics" button. If it shows some items failed, follow the steps to fix it, and click "Try Again".
Then Please visit This website (http://www.microsoft.com/genuine/validate/ValidateNow.aspx?displaylang=en) using Internet Explorer.
Follow the instructions to Validate Windows, then run MGADiag.exe again and post the new log in your next reply.

Let me know how it goes.

Donny
2010-10-06, 10:06
Dear Blottedisk,

Even though I have a legitimate license for Windows XP, I choose not to validate it or any other Microsoft product. I don't trust Microsoft data protection and privacy policies and avoid sharing any information with them.

I believe that third party virus scanners and anti-malware tools have always provided better protection than similar Microsoft products so please explain the connection between validation and preventing re-infection.

thanks,

Blottedisk
2010-10-08, 18:08
Hi Donny,


The reason why validation is important for your security is that it enables you to update your operating system and keep it updated. Updates are a very important part of the security of a computer connected to the Internet, as they will patch new security flaws. Just as an example, today we're still seeing Conficker infections, when the vulnerability that the worm exploits was patched by Microsoft in 2008.


I would strongly recommend you to validate your operating system and keep it updated. In any case, please do the following now:


Click the Start button, click run
In the run box type notepad
Click ok
In the notepad, Click "Format" and be certain that Word Wrap is not checked.
Copy and paste all of the text in the code box below into the Notepad (including the URL). Do Not copy the word CODE:


http://forums.spybot.info/showpost.php?p=384426&postcount=14

Collect::
C:\_Régi gépröl\C\Program Files\KEYKEY\keykey.exe
C:\_Régi gépröl\C\Program Files\KEYKEY\kkmon.exe
C:\_Régi gépröl\C\Program Files\KEYKEY\slman.exe
C:\_Régi gépröl\C\Program Files\KEYKEY\slview.exe
C:\Program Files\Catan\Catan.exe
E:\Mentés\_EmberDownload\kk2000.zip
E:\Mentés\_EmberDownload\WindowsXp_KeyFinder_ kf151.zip
E:\_EmberDownload\acdsee_pro8__keygen.ZIP
E:\_EmberDownload\kk2000.zip
E:\_EmberDownload\MosaicCreator.3.1.Build.348.Patch.by.AT4RE.zip
E:\_EmberDownload\WindowsXp_KeyFinder_ kf151.zip
E:\_EmberDownload\SmileyCentralPFSetup2.2.60.11-2.ZNfox000.exe

Folder::
C:\_Régi gépröl\C\Program Files\KEYKEY

In the notepad click File, Save as..., and set the Save in to your Desktop
In the filename box, type (including quotation marks) as the filename: "CFScript.txt"
Click save.
Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown below.
This will start ComboFix again. Close all browser/windows first.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif


**Note: When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis. Ensure you are connected to the internet and click OK on the message box.

Blottedisk
2010-10-15, 04:42
Hi,


Are you still there?

tashi
2010-10-15, 16:25
Donny this thread has been archived due to inactivity.

As it has been four days or more since your last post, and the helper assisting you posted a response to which you did not reply, your topic will not be re-opened. If you still require help, please start a new topic and include a DDS log with a link to your previous thread.

Please do not add any logs that might have been requested previously, you would be starting fresh.

Applies only to the original poster, anyone else with similar problems please start your own topic.

Thank you Blottedisk. :)