View Full Version : Safer-networking.org blocked, occasionally redirects clicked links & popups
blackjaw
2010-11-08, 21:53
Blocks safer-networking.org and other malware sites
Opens pop ups adds occasionally when links are clicked.
Redirects to adds when links are clicked.
This effects all browsers IE, Firefox, Opera.
System reg backed up.
At loss, any help appreciated. :confused:
DDS (Ver_10-11-08.01) - NTFSx86 NETWORK
Run by Owner at 14:12:08.18 on Mon 11/08/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.718 [GMT -5:00]
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
uPolicies-explorer: DisallowRun = 0 (0x0)
mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-explorer: MaxRecentDocs = 18 (0x12)
mPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
mPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
mPolicies-explorer: MemCheckBoxInRunDlg = 1 (0x1)
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
TCP: NameServer = 93.188.164.123,93.188.160.203
TCP: {E4505B3D-EBBA-48A4-92E8-3FCA78BFCAC7} = 93.188.164.123,93.188.160.203
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\8wnlslie.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\owner\local settings\application data\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
FF - plugin: c:\program files\opera\program\plugins\np_gp.dll
FF - plugin: c:\program files\opera\program\plugins\nppl3260.dll
FF - plugin: c:\program files\opera\program\plugins\nprpjplug.dll
FF - plugin: c:\program files\tabletplugins\npwacom.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
============= SERVICES / DRIVERS ===============
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2010-3-29 16168]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-11-8 28552]
S1 DumpDrv;Crash Dump Driver;c:\windows\system32\drivers\dumpdrv.sys [2009-10-19 9472]
S2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2010-7-20 5010288]
S3 cpuz132;cpuz132;\??\c:\docume~1\owner\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\owner\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
=============== Created Last 30 ================
2010-11-08 16:07:32 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-11-08 16:07:15 -------- d-----w- c:\windows\LastGood.Tmp
2010-11-08 16:06:52 -------- d-----w- c:\program files\Panda Security
2010-11-08 16:02:22 -------- d-----w- c:\docume~1\owner\applic~1\QuickScan
2010-11-08 15:32:24 -------- d-----w- C:\spoolerlogs
2010-10-26 03:48:03 94208 ----a-w- c:\program files\mozilla firefox\plugins\nprpjplug.dll
2010-10-26 03:48:03 140864 ----a-w- c:\program files\mozilla firefox\plugins\nppl3260.dll
2010-10-26 03:47:59 -------- d-----w- c:\program files\Real Alternative
2010-10-26 03:43:41 -------- d-----w- c:\program files\o8o9.com
2010-10-21 00:51:20 -------- d-----w- c:\docume~1\owner\locals~1\applic~1\Apple
2010-10-14 14:46:17 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2010-10-14 05:45:20 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-10-14 00:34:02 99840 ------w- c:\windows\system32\dllcache\srvsvc.dll
2010-10-14 00:34:00 43520 ------w- c:\windows\system32\dllcache\licmgr10.dll
2010-10-14 00:33:58 66560 ------w- c:\windows\system32\dllcache\mshtmled.dll
2010-10-14 00:28:04 -------- d-----w- c:\program files\Canon
2010-10-13 21:23:38 218112 ------w- c:\windows\system32\dllcache\wordpad.exe
2010-10-13 21:23:37 1289216 ------w- c:\windows\system32\dllcache\ole32.dll
2010-10-13 21:22:13 954368 ------w- c:\windows\system32\dllcache\mfc40.dll
2010-10-13 21:22:12 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2010-10-13 21:22:12 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-13 21:13:11 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
==================== Find3M ====================
2010-11-07 02:50:12 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll
2010-11-07 02:50:12 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe
2010-11-07 02:50:08 323584 ----a-w- c:\windows\system32\AUDIOGENIE2.DLL.vir
2010-09-18 16:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:57:25 919552 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:57:23 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:57:23 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-08 15:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 15:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-01 11:48:34 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:38:48 1861888 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:01:06 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 06:05:07 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:43:28 590848 ----a-w- c:\windows\system32\rpcrt4.dll
=================== ROOTKIT ====================
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3160021A rev.3.08 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-4
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-4 -> \??\IDE#DiskST3160021A______________________________3.08____#4c33314a44334545202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8671EAEA
user & kernel MBR OK
sectors 312581806 (+217): user != kernel
Registry trace:
called modules: ntoskrnl.exe hal.dll
============= FINISH: 14:14:23.87 ===============
Jack&Jill
2010-11-16, 11:15
Hello blackjaw :),
Sorry for the delay.
If you still need help, please delete the DDS file that you have and download a fresh copy from one of the links below. Please post new DDS logs.
Link 1 (http://download.bleepingcomputer.com/sUBs/dds.scr)
Link 2 (http://download.bleepingcomputer.com/sUBs/dds.com)
Link 3 (http://www.infospyware.net/sUBs/dds)
Otherwise, this topic will be closed after 3 days.
blackjaw
2010-11-19, 01:45
DDS (Ver_10-11-10.01) - NTFSx86
Run by Owner at 18:39:15.98 on Thu 11/18/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.618 [GMT -5:00]
============== Running Processes ===============
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
svchost.exe
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
"C:\Documents and Settings\Owner\Application Data\Microsoft\svchost.exe" i
C:\DOCUME~1\Owner\LOCALS~1\Temp\dwm.exe
C:\Documents and Settings\Owner\Application Data\Microsoft\Windows\shell.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:50370
mWinlogon: SfcDisable=-99 (0xffffff9d)
uWinlogon: Shell=explorer.exe,c:\documents and settings\owner\application data\microsoft\windows\shell.exe
uWindows: Load=c:\docume~1\owner\locals~1\temp\dwm.exe
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [svchost] c:\documents and settings\owner\application data\microsoft\svchost.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
uPolicies-explorer: DisallowRun = 0 (0x0)
mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-explorer: MaxRecentDocs = 18 (0x12)
mPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
mPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
mPolicies-explorer: MemCheckBoxInRunDlg = 1 (0x1)
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
TCP: NameServer = 93.188.164.123,93.188.160.203
TCP: {E4505B3D-EBBA-48A4-92E8-3FCA78BFCAC7} = 93.188.164.123,93.188.160.203
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\8wnlslie.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 50370
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\documents and settings\owner\local settings\application data\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
FF - plugin: c:\program files\opera\program\plugins\np_gp.dll
FF - plugin: c:\program files\opera\program\plugins\nppl3260.dll
FF - plugin: c:\program files\opera\program\plugins\nppl3260.dll
FF - plugin: c:\program files\opera\program\plugins\nprpjplug.dll
FF - plugin: c:\program files\opera\program\plugins\nprpjplug.dll
FF - plugin: c:\program files\tabletplugins\npwacom.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
============= SERVICES / DRIVERS ===============
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-11-8 28552]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2010-7-20 5010288]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2010-3-29 16168]
S1 DumpDrv;Crash Dump Driver;c:\windows\system32\drivers\dumpdrv.sys [2009-10-19 9472]
S3 cpuz132;cpuz132;\??\c:\docume~1\owner\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\owner\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
=============== Created Last 30 ================
2010-11-17 18:58:58 142848 ----a-w- c:\docume~1\owner\applic~1\microsoft\windows\shell.exe
2010-11-17 18:58:47 127488 ----a-w- c:\docume~1\owner\applic~1\microsoft\svchost.exe
2010-11-17 18:58:44 124416 ----a-w- c:\program files\mozilla firefox\mstsc.exe
2010-11-16 18:46:47 -------- d-----w- c:\program files\XviD
2010-11-16 18:46:27 -------- d-----w- c:\program files\AviSynth 2.5
2010-11-16 18:46:00 -------- d-----w- c:\program files\AutoGK
2010-11-08 16:07:32 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-11-08 16:06:52 -------- d-----w- c:\program files\Panda Security
2010-11-08 16:02:22 -------- d-----w- c:\docume~1\owner\applic~1\QuickScan
2010-11-08 15:32:24 -------- d-----w- C:\spoolerlogs
2010-10-26 03:48:03 94208 ----a-w- c:\program files\mozilla firefox\plugins\nprpjplug.dll
2010-10-26 03:48:03 140864 ----a-w- c:\program files\mozilla firefox\plugins\nppl3260.dll
2010-10-26 03:47:59 -------- d-----w- c:\program files\Real Alternative
2010-10-26 03:43:41 -------- d-----w- c:\program files\o8o9.com
2010-10-21 00:51:20 -------- d-----w- c:\docume~1\owner\locals~1\applic~1\Apple
==================== Find3M ====================
2010-11-07 02:50:12 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll
2010-11-07 02:50:12 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe
2010-11-07 02:50:08 323584 ----a-w- c:\windows\system32\AUDIOGENIE2.DLL.vir
2010-09-18 16:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:57:25 919552 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:57:23 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:57:23 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-08 15:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 15:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-01 11:48:34 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:38:48 1861888 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:01:06 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 06:05:07 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
=================== ROOTKIT ====================
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3160021A rev.3.08 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-4
device: opened successfully
user: MBR read successfully
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8671BEC5]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x85898872; SUB DWORD [EBP-0x4], 0x8589812e; PUSH EDI; CALL 0xffffffffffffdf33; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x867CDAB8]
3 CLASSPNP[0xF786EFD7] -> nt!IofCallDriver[0x804E37D5] -> \Device\0000005a[0x86785470]
5 ACPI[0xF77E5620] -> nt!IofCallDriver[0x804E37D5] -> [0x86792D98]
[0x866D27C0] -> IRP_MJ_CREATE -> 0x8671BEC5
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-4 -> \??\IDE#DiskST3160021A______________________________3.08____#4c33314a44334545202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8671BAEA
user & kernel MBR OK
sectors 312581806 (+243): user != kernel
Warning: possible TDL3 rootkit infection !
============= FINISH: 18:41:38.72 ===============
Thank you.
Jack&Jill
2010-11-19, 18:08
Hello blackjaw :),
Welcome to Safer Networking. I am Jack&Jill, and I will be helping you out.
Before we go further, there are a few things that I would like to make clear so that we are share the same understanding.
Please observe and follow these Forum Rules (http://forums.spybot.info/showthread.php?t=288).
Any advice is for your computer only and is taken at your own risk. Fixes sometimes will cause unexpected results, but I will do my best to assist you.
Please read the instructions carefully and follow them closely, in the order they are presented to you.
If you have any doubts or problems during the fix, please stop and ask.
All the tools that I will ask you to download and use are safe. Please allow if prompted by any of your security softwares.
Do not use or run any malware cleaning tools without supervision as they may cause more harm if improperly used.
Refrain from installing any new programs except those that I request during the fix to prevent interference to my diagnosis of the problem.
Lack of malware symptoms does not mean your computer is clean. Stick to this topic until I give the All Clear.
If you do not reply within 3 days, this topic will be closed.
If you are agreeable to the above, then everything should go smoothly :) . We may begin.
--------------------
Is this a business or corporate machine? I see quite a few programs mostly seen on such computers.
--------------------
Check for additional security risks
Please download CKScanner© by askey127 and save to your desktop. Click here. (http://downloads.malwareremoval.com/CKScanner.exe)
Double click on CKScanner.exe and click Search For Files.
After a very short time, when the cursor hourglass disappears, click Save List To File. You will be prompted, click OK.
Post the contents of ckfiles.txt in your reply, it is located on your desktop.
--------------------
Please close all programs and do not run any others before and during the GMER scan. Do not use the computer for anything else until after the scan is completed.
Please download GMER and save it to your desktop. Click here. (http://www.gmer.net/download.php)
Please disable your real time protection of any Antivirus, Antispyware or Antimalware programs temporarily when running GMER. They may cause the computer to freeze.
If you need help to disable your protection programs see here (http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/490111-how-disable-your-security-applications.html) and here (http://www.bleepingcomputer.com/forums/topic114351.html).
Double click the .exe file. If asked to allow the gmer driver file with a sys extension to load, please consent.
If it gives you a warning about rootkit activity and asks if you want to run scan, click on No.
In the right panel, you will see several boxes that have been checked (ticked).
Uncheck IAT/EAT
Uncheck All other Drives/Partitions except C:\ (leave C:\ checked)
Uncheck Show All (don't miss this one)
Then click the Scan button and wait for it to finish.
Once done, click on the Save... button and save it as "Gmer.txt" at a convenient location. Post the contents of that report.
Enable back your security softwares as soon as you completed the GMER steps.
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries.
If you are having problems running this version of GMER, please try running GMER in Safe Mode. You can get into Safe Mode using the F8 key during the startup of your computer after a reboot.
--------------------
Please post back:
1. the answer to my question about the computer
2. CKScanner log
3. GMER log
blackjaw
2010-11-19, 20:09
This would be a personal computer, I do however use it for some work I do from home.
CKScanner:
CKScanner - Additional Security Risks - These are not necessarily bad
c:\documents and settings\owner\favorites\5 real life soldiers who make rambo look like a pussy cracked.com.url
c:\documents and settings\owner\favorites\various\epcgaming - cracked servers database.url
c:\documents and settings\owner\favorites\warze\astalavista - underground crack and serial search.url
c:\documents and settings\owner\favorites\warze\gamecopyworld - game cracks.url
c:\documents and settings\owner\my documents\downloads\admuncher v 4.72.0.30400 inc crack rezman1984.7z
c:\documents and settings\owner\my documents\downloads\corel painter 11 sp1\keygen.exe
c:\documents and settings\owner\my documents\downloads\replay media catcher 3 + crack [h33t] [gladrag_manhunt]\a gladrag_manhunt presentation.txt
c:\documents and settings\owner\my documents\downloads\replay media catcher 3 + crack [h33t] [gladrag_manhunt]\replay media catcher 3.rar
c:\documents and settings\owner\my documents\downloads\replay media catcher 3 + crack [h33t] [gladrag_manhunt]\tracked_by_h33t_com.txt
c:\documents and settings\owner\my documents\downloads\replay media catcher v3.02 + crack [h33] [islandgirl]\rcatsetup.exe
c:\documents and settings\owner\my documents\downloads\replay media catcher v3.02 + crack [h33] [islandgirl]\replay media catcher.txt
c:\documents and settings\owner\my documents\downloads\replay media catcher v3.02 + crack [h33] [islandgirl]\tracked_by_h33t_com.txt
c:\downloads\eskimotube.com - streaming videos of felony vs mark ashley - crack addict #6 - pornstars and centerfolds..flv
c:\downloads\eskimotube.com - streaming videos of gwen summers and nicole sheridan - fast times at deep crack high #2 - pornstars and centerfolds..flv
scanner sequence 3.JD.11
----- EOF -----
Gmer:
GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-11-19 13:02:31
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 ST3160021A rev.3.08
Running: 3uo68yx5.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\fgrcypog.sys
---- System - GMER 1.0.15 ----
SSDT \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys ZwUnloadKey [0xB00256D0]
---- Kernel code sections - GMER 1.0.15 ----
.rsrc C:\WINDOWS\system32\drivers\ftdisk.sys entry point in ".rsrc" section [0xF77CB314]
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xF6A09000, 0x1B85E6, 0xE8000020]
? C:\WINDOWS\system32\Drivers\uphcleanhlp.sys The system cannot find the file specified. !
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2092] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 104505FE C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
? C:\Documents and Settings\Owner\Application Data\Microsoft\svchost.exe[2248] number of sections mismatch; time/date stamp mismatch; unknown module: OLEAUT32.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[3752] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
---- Devices - GMER 1.0.15 ----
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8671BAEA
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8671BAEA
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T1L0-c 8671BAEA
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-18 8671BAEA
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T1L0-20 8671BAEA
Device \FileSystem\Cdfs \Cdfs EF4DC400
Device \Device\Ide\IdeDeviceP0T0L0-4 -> \??\IDE#DiskST3160021A______________________________3.08____#4c33314a44334545202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 sectors 312581559 (+247): rootkit-like behavior;
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\system32\drivers\ftdisk.sys suspicious modification; TDL3 <-- ROOTKIT !!!
---- EOF - GMER 1.0.15 ----
Thanks
Jack&Jill
2010-11-21, 06:58
Hello blackjaw :),
This would be a personal computer, I do however use it for some work I do from home. Can you elaborate a bit on this?
--------------------
Cracks / Keygens / Warez / Illegal softwares detected!!!
Your log indicates the presence and usage of one or more of the above. Very likely your computer got infected due to the illegal softwares or the illegitimate websites you visited to get them.
Please read the fourth post of the Forum Rules (http://forums.spybot.info/showthread.php?t=288) .
Note:
We do not support the use of illegal Pirated/Warez/Cracked software.
If seeking help in our Malware removal forum please know that users who have programs obtained by such methods will be asked to remove them, since our help could otherwise be seen as aiding copyright violations. Aside from the legalities be aware malware authors prey on users looking to circumvent a software's protection mechanisms. There is a high risk of infection involved in downloading and running crack codes.
If you still want help, please remove the illegal items from your computer, and if you still need the softwares, get legal ones from legitimate sources.
If you advised that the illegal softwares have been removed and I find it otherwise (the tools we use can and will detect them), then I will have no choice but to have this topic closed.
If there are more such new findings after this, the topic will also be closed.
Please remove/uninstall the following before we continue:
Corel Painter 11
Corel Painter 11 - ICA
Corel Painter 11 - IPM
Replay Media Catcher 3.02
c:\documents and settings\owner\favorites\various\epcgaming - cracked servers database.url
c:\documents and settings\owner\favorites\warze\astalavista - underground crack and serial search.url
c:\documents and settings\owner\favorites\warze\gamecopyworld - game cracks.url
c:\documents and settings\owner\my documents\downloads\admuncher v 4.72.0.30400 inc crack rezman1984.7z
c:\documents and settings\owner\my documents\downloads\corel painter 11 sp1\keygen.exe
c:\documents and settings\owner\my documents\downloads\replay media catcher 3 + crack [h33t] [gladrag_manhunt]\a gladrag_manhunt presentation.txt
c:\documents and settings\owner\my documents\downloads\replay media catcher 3 + crack [h33t] [gladrag_manhunt]\replay media catcher 3.rar
c:\documents and settings\owner\my documents\downloads\replay media catcher 3 + crack [h33t] [gladrag_manhunt]\tracked_by_h33t_com.txt
c:\documents and settings\owner\my documents\downloads\replay media catcher v3.02 + crack [h33] [islandgirl]\rcatsetup.exe
c:\documents and settings\owner\my documents\downloads\replay media catcher v3.02 + crack [h33] [islandgirl]\replay media catcher.txt
c:\documents and settings\owner\my documents\downloads\replay media catcher v3.02 + crack [h33] [islandgirl]\tracked_by_h33t_com.txt
You should also delete these and stay away from such sites because they are usually used by malware authors to spread their wares:
c:\downloads\eskimotube.com - streaming videos of felony vs mark ashley - crack addict #6 - pornstars and centerfolds..flv
c:\downloads\eskimotube.com - streaming videos of gwen summers and nicole sheridan - fast times at deep crack high #2 - pornstars and centerfolds..flv
Please post new CKScanner log and DDS log (Attach.txt only).
--------------------
Please post back:
1. elaboration on your computer usage
2. new CKScanner log
3. new DDS log (Attach.txt only)
blackjaw
2010-11-21, 08:07
So to elaborate a bit I use the computer for writing, personally I have 2 books in the works and I take a lot of work home with me, e-mail and watching the markets. My son however must be using it for something else entirely. It seems this problem was a good thing in a way.
Is there anything else on the computer that's illegal? I don't really know what I'm looking for but this has got to stop.
I'm going to be out of town starting tomorrow night for a week for thanksgiving. I'll still have web access but not to this computer. Will that be a problem to hold off until I'm back in town?
I really appreciate all the help... But my son's not going to.
CKScanner
CKScanner - Additional Security Risks - These are not necessarily bad
c:\documents and settings\owner\favorites\5 real life soldiers who make rambo look like a pussy cracked.com.url
scanner sequence 3.AP.11
----- EOF -----
DDS
DDS (Ver_10-11-10.01) - NTFSx86
Run by Owner at 0:31:00.43 on Sun 11/21/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.570 [GMT -5:00]
============== Running Processes ===============
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Owner\Application Data\Microsoft\Windows\shell.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\taskswitch.exe
"C:\Documents and Settings\Owner\Application Data\Microsoft\svchost.exe"
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\DOCUME~1\Owner\LOCALS~1\Temp\dwm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Owner\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:50370
mWinlogon: SfcDisable=-99 (0xffffff9d)
uWinlogon: Shell=explorer.exe,c:\documents and settings\owner\application data\microsoft\windows\shell.exe
uWindows: Load=c:\docume~1\owner\locals~1\temp\dwm.exe
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [svchost] c:\documents and settings\owner\application data\microsoft\svchost.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
uPolicies-explorer: DisallowRun = 0 (0x0)
mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-explorer: MaxRecentDocs = 18 (0x12)
mPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
mPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
mPolicies-explorer: MemCheckBoxInRunDlg = 1 (0x1)
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
TCP: NameServer = 93.188.164.123,93.188.160.203
TCP: {E4505B3D-EBBA-48A4-92E8-3FCA78BFCAC7} = 93.188.164.123,93.188.160.203
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\8wnlslie.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 50370
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\documents and settings\owner\local settings\application data\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
FF - plugin: c:\program files\opera\program\plugins\np_gp.dll
FF - plugin: c:\program files\opera\program\plugins\nppl3260.dll
FF - plugin: c:\program files\opera\program\plugins\nprpjplug.dll
FF - plugin: c:\program files\tabletplugins\npwacom.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
============= SERVICES / DRIVERS ===============
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-11-8 28552]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2010-7-20 5010288]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2010-3-29 16168]
S1 DumpDrv;Crash Dump Driver;c:\windows\system32\drivers\dumpdrv.sys [2009-10-19 9472]
S3 cpuz132;cpuz132;\??\c:\docume~1\owner\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\owner\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
=============== Created Last 30 ================
2010-11-17 18:58:58 139264 ----a-w- c:\docume~1\owner\applic~1\microsoft\windows\shell.exe
2010-11-17 18:58:47 121344 ----a-w- c:\docume~1\owner\applic~1\microsoft\svchost.exe
2010-11-17 18:58:44 124416 ----a-w- c:\program files\mozilla firefox\mstsc.exe
2010-11-16 18:46:47 -------- d-----w- c:\program files\XviD
2010-11-16 18:46:27 -------- d-----w- c:\program files\AviSynth 2.5
2010-11-16 18:46:00 -------- d-----w- c:\program files\AutoGK
2010-11-08 16:07:32 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-11-08 16:06:52 -------- d-----w- c:\program files\Panda Security
2010-11-08 16:02:22 -------- d-----w- c:\docume~1\owner\applic~1\QuickScan
2010-11-08 15:32:24 -------- d-----w- C:\spoolerlogs
2010-10-26 03:48:03 94208 ----a-w- c:\program files\mozilla firefox\plugins\nprpjplug.dll
2010-10-26 03:48:03 140864 ----a-w- c:\program files\mozilla firefox\plugins\nppl3260.dll
2010-10-26 03:47:59 -------- d-----w- c:\program files\Real Alternative
2010-10-26 03:43:41 -------- d-----w- c:\program files\o8o9.com
==================== Find3M ====================
2010-11-07 02:50:12 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll
2010-11-07 02:50:12 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe
2010-11-07 02:50:08 323584 ----a-w- c:\windows\system32\AUDIOGENIE2.DLL.vir
2010-09-18 16:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:57:25 919552 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:57:23 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:57:23 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-08 15:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 15:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-01 11:48:34 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:38:48 1861888 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:01:06 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 06:05:07 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
=================== ROOTKIT ====================
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3160021A rev.3.08 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-4
device: opened successfully
user: MBR read successfully
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8671BEC5]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x85898872; SUB DWORD [EBP-0x4], 0x8589812e; PUSH EDI; CALL 0xffffffffffffdf33; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x867CDAB8]
3 CLASSPNP[0xF786EFD7] -> nt!IofCallDriver[0x804E37D5] -> \Device\0000005a[0x86785470]
5 ACPI[0xF77E5620] -> nt!IofCallDriver[0x804E37D5] -> [0x86792D98]
[0x867CFF38] -> IRP_MJ_CREATE -> 0x8671BEC5
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-4 -> \??\IDE#DiskST3160021A______________________________3.08____#4c33314a44334545202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8671BAEA
user & kernel MBR OK
sectors 312581806 (+249): user != kernel
Warning: possible TDL3 rootkit infection !
============= FINISH: 0:33:14.67 ===============
Jack&Jill
2010-11-21, 12:03
Hello blackjaw :),
Thank you for the clarification and removal of the illegal stuffs.
I'm going to be out of town starting tomorrow night for a week for thanksgiving. I'll still have web access but not to this computer. Will that be a problem to hold off until I'm back in town? No issue as long as I am informed. Thanks.
--------------------
Please download ComboFix© by sUBs from one of the links below and save it to your desktop.
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.infospyware.net/sUBs/ComboFix.exe)
Do not mouse click on ComboFix while it is running. That may cause it to stall. ComboFix is a powerful tool and must not be used without supervision.
Install Recovery Console and run ComboFix
Please disable your real time protection of any Antivirus, Antispyware or Antimalware programs temporarily when running ComboFix. They will interfere and may cause unexpected results.
If you need help to disable your protection programs see here (http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/490111-how-disable-your-security-applications.html) and here (http://www.bleepingcomputer.com/forums/topic114351.html).
Double click on ComboFix.exe and follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. You will be asked to install it if it is not present in your computer. Click Yes to proceed.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
Note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, click on Yes to continue scanning for malware.
When finished, a log will be produced as C:\ComboFix.txt. Please post this log in your next reply.
If you lose Internet connection after running ComboFix, right click on the network icon at the system tray and select Repair, or you can reboot the computer.
Enable back your security softwares as soon as you completed the ComboFix steps.
A detailed step by step tutorial to run ComboFix can be found here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix) if you need help.
--------------------
Please post back:
1. the ComboFix log
blackjaw
2010-11-22, 03:54
Hi
I'm leaving tonight an will be back on Saturday the 27th. I'll reply the same day I'm back.
I wasn't able to run combofix.exe at first so I renamed the file and it ran fine. So far I can use my browsers normally again. The computers running better/faster as well. But don't get the wrong idea I'll keep checking the topic once I'm back in town.
big thanks an happy thanksgiving Jack&Jill you've done me great service.
ComboFix
ComboFix 10-11-21.01 - Owner 11/21/2010 20:22:04.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.756 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\gmbox.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Owner\Application Data\Microsoft\stor.cfg
c:\documents and settings\Owner\Application Data\Microsoft\svchost.exe
c:\documents and settings\Owner\Application Data\Microsoft\Windows\shell.exe
C:\readme.txt
c:\windows\settings.reg
c:\windows\system32\Data
Infected copy of c:\windows\system32\drivers\ftdisk.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-10-22 to 2010-11-22 )))))))))))))))))))))))))))))))
.
2010-11-17 18:58 . 2010-11-17 18:58 124416 ----a-w- c:\program files\Mozilla Firefox\mstsc.exe
2010-11-16 18:46 . 2010-11-16 18:46 -------- d-----w- c:\program files\XviD
2010-11-16 18:46 . 2010-11-16 18:46 -------- d-----w- c:\program files\AviSynth 2.5
2010-11-16 18:46 . 2010-11-16 18:46 -------- d-----w- c:\program files\Gabest
2010-11-16 18:46 . 2010-11-16 18:46 -------- d-----w- c:\program files\AutoGK
2010-11-08 19:08 . 2010-11-08 19:08 -------- d-----w- c:\program files\ERUNT
2010-11-08 16:07 . 2009-06-30 15:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-11-08 16:06 . 2010-11-08 16:06 -------- d-----w- c:\program files\Panda Security
2010-11-08 16:02 . 2010-11-08 16:02 -------- d-----w- c:\documents and settings\Owner\Application Data\QuickScan
2010-11-08 15:32 . 2010-11-08 15:32 -------- d-----w- C:\spoolerlogs
2010-10-27 12:02 . 2010-10-27 12:02 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2010-10-26 03:48 . 2010-10-26 03:48 -------- d-----w- c:\documents and settings\Owner\Application Data\Media Player Classic
2010-10-26 03:48 . 2010-02-15 18:00 94208 ----a-w- c:\program files\Mozilla Firefox\plugins\nprpjplug.dll
2010-10-26 03:48 . 2010-02-15 18:00 140864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppl3260.dll
2010-10-26 03:47 . 2010-10-26 03:48 -------- d-----w- c:\program files\Real Alternative
2010-10-26 03:43 . 2010-10-26 03:43 -------- d-----w- c:\program files\o8o9.com
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-07 02:50 . 2010-02-22 06:38 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll
2010-11-07 02:50 . 2010-02-22 06:38 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe
2010-11-07 02:50 . 2010-02-19 06:30 323584 ----a-w- c:\windows\system32\AUDIOGENIE2.DLL.vir
2010-09-18 16:23 . 2008-04-14 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2008-04-14 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2008-04-14 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2008-04-14 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:57 . 2009-10-19 08:27 919552 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:57 . 2009-10-19 08:26 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:57 . 2009-10-19 08:25 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-08 15:17 . 2010-09-08 15:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 15:17 . 2010-09-08 15:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-01 11:48 . 2009-10-19 08:25 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:38 . 2009-10-19 08:27 1861888 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:01 . 2009-10-19 08:27 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 06:05 . 2008-04-14 12:00 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:37 . 2009-10-19 08:27 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-10-19 08:32 5120 ----a-w- c:\windows\system32\xpsp4res.dll
.
------- Sigcheck -------
[-] 2008-04-14 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\drivers\atapi.sys
[-] 2008-04-14 . B153AFFAC761E7F5FCFA822B9C4E97BC . 14336 . . [5.1.2600.5512] . . c:\windows\system32\drivers\asyncmac.sys
[-] 2008-04-14 . DA1F27D85E0D1525F6621372E7B685E9 . 4224 . . [5.1.2600.0] . . c:\windows\system32\drivers\beep.sys
[-] 2008-04-14 . 463C1EC80CD17420A542B7F36A36F128 . 24576 . . [5.1.2600.5512] . . c:\windows\system32\drivers\kbdclass.sys
[-] 2009-10-19 . B5B1080D35974C0E718D64280761BCD5 . 182912 . . [5.1.2600.5588] . . c:\windows\system32\drivers\ndis.sys
[-] 2009-03-23 . AE8CAD8F28DB13B515A68510A539B0B8 . 576512 . . [5.1.2600.5782] . . c:\windows\system32\drivers\ntfs.sys
[-] 2008-04-14 . 73C1E1F395918BC2C6DD67AF7591A3AD . 2944 . . [5.1.2600.0] . . c:\windows\system32\drivers\null.sys
[-] 2009-10-19 . BA8C046D98345129723E6BCAA1E8AB99 . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys
[-] 2009-10-19 . 7E39A3EDC13B076E70FDB9A6F6D7A4B4 . 78336 . . [5.1.2600.5574] . . c:\windows\system32\browser.dll
[-] 2008-04-14 . BF2466B3E18E970D8A976FB95FC1CA85 . 13312 . . [5.1.2600.5512] . . c:\windows\system32\lsass.exe
[-] 2008-04-14 . 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE . 198144 . . [5.1.2600.5512] . . c:\windows\system32\netman.dll
[-] 2009-10-19 . F13D1AA04F1F02399EB87F011584B7C0 . 408576 . . [6.7.2600.5796] . . c:\windows\system32\qmgr.dll
[-] 2009-10-19 . F13D1AA04F1F02399EB87F011584B7C0 . 408576 . . [6.7.2600.5796] . . c:\windows\system32\bits\qmgr.dll
[-] 2009-10-19 . 9222562D44021B988B9F9F62207FB6F2 . 401408 . . [5.1.2600.5755] . . c:\windows\system32\rpcss.dll
[-] 2009-10-19 . 020CEAAEDC8EB655B6506B8C70D53BB6 . 110592 . . [5.1.2600.5755] . . c:\windows\system32\services.exe
[-] 2009-10-19 . 53A8857723277B1D6D5EE60A9F85B117 . 509440 . . [5.1.2600.5788] . . c:\windows\system32\winlogon.exe
[-] 2008-04-14 . 3D4E199942E29207970E04315D02AD3B . 62464 . . [5.1.2600.5512] . . c:\windows\system32\cryptsvc.dll
[-] 2009-10-19 08:25 . F17F6226BDC0CD5F0BEF0DAF84D29BEC . 253952 . . [2001.12.4414.706] . . c:\windows\system32\es.dll
[-] 2008-04-14 . 0DA85218E92526972A821587E6A8BF8F . 110080 . . [5.1.2600.5512] . . c:\windows\system32\imm32.dll
[-] 2009-10-19 . DA11D9D6ECBDF0F93436A4B7C13F7BEC . 991744 . . [5.1.2600.5781] . . c:\windows\system32\kernel32.dll
[-] 2008-04-14 . 2DC5A8019E2387987905F77C664E4BE2 . 19968 . . [5.1.2600.5512] . . c:\windows\system32\linkinfo.dll
[-] 2008-04-14 . 012DF358CEBAA23ACB26D82077820817 . 22016 . . [5.1.2600.5512] . . c:\windows\system32\lpk.dll
[-] 2009-10-19 . 4200BE3808F6406DBE45A7B88DAE5035 . 322560 . . [7.0.2600.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.0.0_x-ww_2726e76a\msvcrt.dll
[-] 2009-10-19 . 06B8485FB1DA9A552B10AB978CD1AC85 . 343040 . . [7.0.2600.5701] . . c:\windows\system32\msvcrt.dll
[-] 2009-10-19 . A4C4A54FD7E31179CB5BDF7896DF3DF7 . 343040 . . [7.0.2600.5701] . . c:\windows\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.5701_x-ww_40d12c25\msvcrt.dll
[-] 2009-10-19 . 290C1A30DEFC723BBE10910AC2D6F6D0 . 245248 . . [5.1.2600.5649] . . c:\windows\system32\mswsock.dll
[-] 2009-10-19 . DAB13813B25B3D009B2AC1194CF5D0A2 . 407552 . . [5.1.2600.5755] . . c:\windows\system32\netlogon.dll
[-] 2008-04-14 . 50A166237A0FA771261275A405646CC0 . 17408 . . [6.00.2900.5512] . . c:\windows\system32\powrprof.dll
[-] 2008-04-14 . A86BB5E61BF3E39B62AB4C7E7085A084 . 181248 . . [5.1.2600.5512] . . c:\windows\system32\scecli.dll
[-] 2008-04-14 . 96E1C926F22EE1BFBAE82901A35F6BF3 . 5120 . . [5.1.2600.5512] . . c:\windows\system32\sfc.dll
[-] 2009-10-19 . 67E38B4A549833E02D4D1617B5DBC318 . 14848 . . [5.1.2600.5689] . . c:\windows\system32\svchost.exe
[-] 2009-10-19 . E2B32B10ACC5D97623275AAFB67E5F03 . 249856 . . [5.1.2600.5654] . . c:\windows\system32\tapisrv.dll
[-] 2009-10-19 . 3DE22354C3609B3C3E5DC2C19C5E0693 . 578560 . . [5.1.2600.5577] . . c:\windows\system32\user32.dll
[-] 2008-04-14 . A93AEE1928A9D7CE3E16D24EC7380F89 . 26112 . . [5.1.2600.5512] . . c:\windows\system32\userinit.exe
[-] 2008-04-14 . 2CCC474EB85CEAA3E1FA1726580A3E5A . 82432 . . [5.1.2600.5512] . . c:\windows\system32\ws2_32.dll
[-] 2008-04-14 . 9789E95E1D88EEB4B922BF3EA7779C28 . 19968 . . [5.1.2600.5512] . . c:\windows\system32\ws2help.dll
[-] 2009-10-19 . 2BB75B7F548D82A099125D0C5971DE7D . 1033728 . . [6.00.2900.5634] . . c:\windows\explorer.exe
[-] 2008-04-14 . 3805DF0AC4296A34BA4BF93B346CC378 . 171008 . . [5.1.2600.5512] . . c:\windows\system32\srsvc.dll
[-] 2008-04-14 . 295D21F14C335B53CB8154E5B1F892B9 . 129024 . . [5.1.2600.5512] . . c:\windows\system32\xmlprov.dll
[-] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\system32\eventlog.dll
[-] 2008-04-14 . 9DD07AF82244867CA36681EA2D29CE79 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
[-] 2009-10-19 . 888CD7B39C37E13A2419BECFAAF0A28C . 135168 . . [6.00.2900.5853] . . c:\windows\system32\shsvcs.dll
[-] 2008-04-14 . 5B19B557B0C188210A56A6B699D90B8F . 59904 . . [5.1.2600.5512] . . c:\windows\system32\regsvc.dll
[-] 2008-04-14 . 0A9A7365A1CA4319AA7C1D6CD8E4EAFA . 192512 . . [5.1.2600.5512] . . c:\windows\system32\schedsvc.dll
[-] 2008-04-14 . 0A5679B3714EDAB99E357057EE88FCA6 . 71680 . . [5.1.2600.5512] . . c:\windows\system32\ssdpsrv.dll
[-] 2009-10-19 . 5128852A18AE46C387F87BF27DA4C9DD . 296960 . . [5.1.2600.5815] . . c:\windows\system32\termsrv.dll
[-] 2008-04-14 . D8849F77C0B66226335A59D26CB4EDC6 . 167936 . . [5.1.2600.5512] . . c:\windows\system32\appmgmts.dll
[-] 2008-04-14 . 9859C0F6936E723E4892D7141B1327D5 . 11648 . . [5.1.2600.0] . . c:\windows\system32\drivers\acpiec.sys
[-] 2008-04-13 20:09 . 8BED39E3C35D6A489438B8141717A557 . 142592 . . [5.1.2601.3142] . . c:\windows\system32\drivers\aec.sys
[-] 2008-04-14 . 3BB22519A194418D5FEC05D800A19AD0 . 36608 . . [5.1.2600.5512] . . c:\windows\system32\drivers\ip6fw.sys
[-] 2008-04-14 . 986B1FF5814366D71E0AC5755C88F2D3 . 33792 . . [5.1.2600.5512] . . c:\windows\system32\msgsvc.dll
[-] 2009-10-19 08:26 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\system32\mspmsnsv.dll
[-] 2008-04-14 12:00 . 156F64A3345BD23C600655FB4D10BC08 . 435200 . . [5.1.2400.5512] . . c:\windows\system32\ntmssvc.dll
[-] 2008-04-14 . 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 . 185856 . . [5.1.2600.5512] . . c:\windows\system32\upnphost.dll
[-] 2008-04-14 . 4D83ED8BDDEC431FC8AD907B47CFB6E3 . 367616 . . [5.3.2600.5512] . . c:\windows\system32\dsound.dll
[-] 2009-10-19 . D2CF91B2C710E9F666E60AFBF87643EE . 1689088 . . [5.03.2600.5601] . . c:\windows\system32\d3d9.dll
[-] 2008-04-14 . A340CD71EB535A3DD751B5F28723E50C . 279552 . . [5.03.2600.5512] . . c:\windows\system32\ddraw.dll
[-] 2008-04-14 12:00 . 5652F6CE1D9E9D8068B9D29BC21B5409 . 84992 . . [5.1.2600.5512] . . c:\windows\system32\olepro32.dll
[-] 2008-04-14 . DBE2B62353660ECCA0D75EA307A717E9 . 39936 . . [5.1.2600.5512] . . c:\windows\system32\perfctrs.dll
[-] 2008-04-14 . C7CE131408739B0B3A318BE2D0032719 . 18944 . . [5.1.2600.5512] . . c:\windows\system32\version.dll
c:\windows\System32\wscntfy.exe ... is missing !!
c:\windows\System32\ctfmon.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]
"P17Helper"="P17.dll" [2003-11-17 60416]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-02-11 61440]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2009-10-19 128512]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 18 (0x12)
"NoSMConfigurePrograms"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2003-01-17 19:59 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"JavaQuickStarterService"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [11/8/2010 11:07 AM 28552]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [7/20/2010 11:24 PM 5010288]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [3/29/2010 9:15 PM 16168]
S1 DumpDrv;Crash Dump Driver;c:\windows\system32\drivers\dumpdrv.sys [10/19/2009 3:29 AM 9472]
--- Other Services/Drivers In Memory ---
*Deregistered* - uphcleanhlp
.
Contents of the 'Scheduled Tasks' folder
2010-11-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
2010-11-22 c:\windows\Tasks\User_Feed_Synchronization-{41B44F24-BED9-4AE2-93D3-B731A5389B85}.job
- c:\windows\system32\msfeedssync.exe [2009-10-19 08:30]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:50370
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\8wnlslie.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 50370
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\program files\Opera\program\plugins\nppl3260.dll
FF - plugin: c:\program files\Opera\program\plugins\nppl3260.dll
FF - plugin: c:\program files\Opera\program\plugins\nprpjplug.dll
FF - plugin: c:\program files\Opera\program\plugins\nprpjplug.dll
FF - plugin: c:\program files\TabletPlugins\npwacom.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -
HKU-Default-Run-CTFMON.EXE - c:\windows\system32\CTFMON.EXE
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-21 20:27
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(528)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-11-21 20:30:08
ComboFix-quarantined-files.txt 2010-11-22 01:29
Pre-Run: 5,315,035,136 bytes free
Post-Run: 8,487,870,464 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - 39DA51E8EBAACDA1DB1025858416D59E
Jack&Jill
2010-11-22, 15:32
Hello blackjaw :),
Happy Thanksgiving! Enjoy yourself while I check on the long log :police:.
Jack&Jill
2010-11-28, 15:32
Hello blackjaw :),
Hope you had a great time.
Do an online scan with ESET Online Scanner.
Please be patient as scanning will take quite some time. If you have problem running the scan, you might want to disable any real time protection that you have.
Click here (http://www.eset.com/onlinescan/) to go to ESET Online Scanner page.
Click on ESET Online Scanner. A new window will open.
For FireFox user, you will need to download and install esetsmartinstaller_enu.exe. Click on it and save the file to a convenient location. Double click on it to install and a new window will open.
After reading through the Terms of Use, check YES, I accept the Terms of Use and click Start to begin scan.
You will be prompted to install an ActiveX Control from ESET. Please install.
At the Computer scan settings section, uncheck (untick) Remove found threats and then check Scan archives.
Now, click on Advanced settings and make sure all these are checked:
Scan for potentially unwanted applications
Scan for potentially unsafe applications
Enable Anti-Stealth technology
Click on Scan to proceed.
When done, the scan result will be shown. Look for C:\Program Files\ESET\ESET Online Scanner\log.txt and open the file.
Post the contents in your reply.
If the contents of log.txt do not reflect what is shown in the result window, click on List of found threats, then Export to text file..., save a file and post that instead.
--------------------
Please download VEW© by Vino Rosso and save it to your desktop. Click here. (http://images.malwareremoval.com/vino/VEW.exe)
Double click on VEW.exe to start the program.
In the Select log to query section, check (tick):
Application
System
In the Select type to list section, check:
Critical (not XP)
Error
Information
Warning
In the Number or date of events section, check:
Number of events... then enter 30 in the entry box beside it.
Press the Run button.
A Notepad report will open when done, please post the contents of this report. It is located at %systemdrive%\VEW.txt, usually C:\VEW.txt.
--------------------
Please post back:
1. the ESET online scan result
2. VEW log
blackjaw
2010-11-29, 17:03
Thanks, had a great time. Ate a ton of home cooked food and we're still working on the leftovers. Good thing belts are adjustable. :euro:
ESET
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=de0029f932ebfb4dbd13d95d01e61047
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-11-29 08:19:41
# local_time=2010-11-29 03:19:41 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=crash
# scanned=158910
# found=22
# cleaned=0
# scan_time=4823
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8wnlslie.default\prefs.js.BAK Win32/Agent.RQD.Gen trojan 00000000000000000000000000000000 I
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\12\601d500c-56d784fd multiple threats 00000000000000000000000000000000 I
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\14\4912bf0e-4a724173 Java/TrojanDownloader.Agent.NBE trojan 00000000000000000000000000000000 I
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\26\3a5b5f9a-7b9e21e9 multiple threats 00000000000000000000000000000000 I
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\28\3f98029c-5d7eb572 multiple threats 00000000000000000000000000000000 I
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\28\5b1b8d1c-4620b148 multiple threats 00000000000000000000000000000000 I
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\29\20db519d-7477de76 probably a variant of Win32/Agent.FXHNPDJ trojan 00000000000000000000000000000000 I
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\30\3a25b1e-2f5b7034 probably a variant of Win32/Agent.FXHNPDJ trojan 00000000000000000000000000000000 I
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\38\4e3ff526-42dab121 multiple threats 00000000000000000000000000000000 I
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\4\6fecf784-6cf90f07 multiple threats 00000000000000000000000000000000 I
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\47\4c4f29af-5a5c84ab multiple threats 00000000000000000000000000000000 I
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\49\739d2831-749b2ef1 probably a variant of Win32/Agent.FXHNPDJ trojan 00000000000000000000000000000000 I
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\53\faa5135-5de90216 OSX/Exploit.Smid.B trojan 00000000000000000000000000000000 I
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\8\22fa888-6239b807 a variant of Java/TrojanDownloader.OpenStream.NAU trojan 00000000000000000000000000000000 I
C:\Documents and Settings\Owner\My Documents\Downloads\GNOMON WORKSHOP The Techniques of Dusso vol.1\gnomon.iso Win32/Adware.Gator.Trickler.F application 00000000000000000000000000000000 I
C:\Program Files\Mozilla Firefox\mstsc.exe a variant of Win32/Kryptik.IGI trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Microsoft\svchost.exe.vir a variant of Win32/Kryptik.IIW trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Microsoft\Windows\shell.exe.vir a variant of Win32/Kryptik.IIW trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\ftdisk.sys.vir Win32/Olmarik.ZC trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{6E4B4DA2-68FE-41EC-A5F0-AFFF0463E957}\RP10\A0090449.sys Win32/Olmarik.ZC trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{6E4B4DA2-68FE-41EC-A5F0-AFFF0463E957}\RP10\A0090506.exe a variant of Win32/Kryptik.IIW trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{6E4B4DA2-68FE-41EC-A5F0-AFFF0463E957}\RP10\A0090507.exe a variant of Win32/Kryptik.IIW trojan 00000000000000000000000000000000 I
VEW.exe
Vino's Event Viewer v01c run on Windows XP in English
Report run at 29/11/2010 9:16:43 AM
Note: All dates below are in the format dd/mm/yyyy
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 29/11/2010 1:54:03 AM
Type: error Category: 0
Event: 11 Source: crypt32
Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
Log: 'Application' Date/Time: 29/11/2010 1:54:03 AM
Type: error Category: 0
Event: 11 Source: crypt32
Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
Log: 'Application' Date/Time: 21/11/2010 8:03:09 PM
Type: error Category: 0
Event: 8 Source: crypt32
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.
Log: 'Application' Date/Time: 21/11/2010 8:03:09 PM
Type: error Category: 0
Event: 11 Source: crypt32
Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
Log: 'Application' Date/Time: 21/11/2010 8:03:09 PM
Type: error Category: 0
Event: 8 Source: crypt32
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.
Log: 'Application' Date/Time: 21/11/2010 8:03:09 PM
Type: error Category: 0
Event: 11 Source: crypt32
Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
Log: 'Application' Date/Time: 21/11/2010 8:03:09 PM
Type: error Category: 0
Event: 8 Source: crypt32
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The server returned an invalid or unrecognized response
Log: 'Application' Date/Time: 21/11/2010 8:03:09 PM
Type: error Category: 0
Event: 11 Source: crypt32
Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
Log: 'Application' Date/Time: 21/11/2010 8:03:09 PM
Type: error Category: 0
Event: 11 Source: crypt32
Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
Log: 'Application' Date/Time: 21/11/2010 12:15:57 AM
Type: error Category: 0
Event: 11706 Source: MsiInstaller
Product: Corel Painter 11 - ICA -- Error 1706.No valid source could be found for product Corel Painter 11 - ICA. The Windows Installer cannot continue.
Log: 'Application' Date/Time: 19/11/2010 11:58:31 AM
Type: error Category: 0
Event: 1000 Source: Application Error
Faulting application shell.exe, version 0.0.0.0, faulting module , version 0.0.0.0, fault address 0x00000000.
Log: 'Application' Date/Time: 17/11/2010 8:02:32 AM
Type: error Category: 0
Event: 1000 Source: Application Error
Faulting application softwareupdate.exe, version 2.1.1.116, faulting module msxml3.dll, version 8.100.1052.0, fault address 0x0002a65a.
Log: 'Application' Date/Time: 16/11/2010 12:16:13 PM
Type: error Category: 100
Event: 1000 Source: Application Error
Faulting application spoolsv.exe, version 5.1.2600.6024, faulting module unknown, version 0.0.0.0, fault address 0x001a63cb.
Log: 'Application' Date/Time: 15/11/2010 11:14:35 AM
Type: error Category: 100
Event: 1000 Source: Application Error
Faulting application spoolsv.exe, version 5.1.2600.6024, faulting module unknown, version 0.0.0.0, fault address 0x001a63cb.
Log: 'Application' Date/Time: 15/11/2010 11:00:02 AM
Type: error Category: 100
Event: 1000 Source: Application Error
Faulting application spoolsv.exe, version 5.1.2600.6024, faulting module unknown, version 0.0.0.0, fault address 0x001a63cb.
Log: 'Application' Date/Time: 15/11/2010 10:49:19 AM
Type: error Category: 100
Event: 1000 Source: Application Error
Faulting application spoolsv.exe, version 5.1.2600.6024, faulting module unknown, version 0.0.0.0, fault address 0x001a63cb.
Log: 'Application' Date/Time: 08/11/2010 5:05:58 PM
Type: error Category: 100
Event: 1000 Source: Application Error
Faulting application spoolsv.exe, version 5.1.2600.6024, faulting module unknown, version 0.0.0.0, fault address 0x001a63cb.
Log: 'Application' Date/Time: 08/11/2010 1:00:24 PM
Type: error Category: 0
Event: 8 Source: crypt32
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.
Log: 'Application' Date/Time: 08/11/2010 1:00:24 PM
Type: error Category: 0
Event: 11 Source: crypt32
Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
Log: 'Application' Date/Time: 08/11/2010 1:00:24 PM
Type: error Category: 0
Event: 8 Source: crypt32
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: A connection with the server could not be established
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - information Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 29/11/2010 1:54:03 AM
Type: information Category: 0
Event: 2 Source: crypt32
Successful auto update retrieval of third-party root list cab from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
Log: 'Application' Date/Time: 29/11/2010 1:54:03 AM
Type: information Category: 0
Event: 7 Source: crypt32
Successful auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
Log: 'Application' Date/Time: 28/11/2010 11:11:34 AM
Type: information Category: 0
Event: 1000 Source: LoadPerf
Performance counters for the WmiApRpl (WmiApRpl) service were loaded successfully. The Record Data contains the new index values assigned to this service.
Log: 'Application' Date/Time: 28/11/2010 11:11:34 AM
Type: information Category: 0
Event: 1001 Source: LoadPerf
Performance counters for the WmiApRpl (WmiApRpl) service were removed successfully. The Record Data contains the new values of the system Last Counter and Last Help registry entries.
Log: 'Application' Date/Time: 28/11/2010 11:07:31 AM
Type: information Category: 0
Event: 1001 Source: UPHClean
User profile hive cleanup service version 1.6.30.0 started successfully.
Log: 'Application' Date/Time: 28/11/2010 11:07:30 AM
Type: information Category: 0
Event: 105 Source: ATI Smart
The service was started.
Log: 'Application' Date/Time: 28/11/2010 3:10:58 AM
Type: information Category: 0
Event: 1010 Source: UPHClean
User profile hive cleanup service stopped successfully.
Log: 'Application' Date/Time: 27/11/2010 11:33:30 AM
Type: information Category: 0
Event: 1000 Source: LoadPerf
Performance counters for the WmiApRpl (WmiApRpl) service were loaded successfully. The Record Data contains the new index values assigned to this service.
Log: 'Application' Date/Time: 27/11/2010 11:33:30 AM
Type: information Category: 0
Event: 1001 Source: LoadPerf
Performance counters for the WmiApRpl (WmiApRpl) service were removed successfully. The Record Data contains the new values of the system Last Counter and Last Help registry entries.
Log: 'Application' Date/Time: 27/11/2010 11:29:27 AM
Type: information Category: 0
Event: 1001 Source: UPHClean
User profile hive cleanup service version 1.6.30.0 started successfully.
Log: 'Application' Date/Time: 27/11/2010 11:29:26 AM
Type: information Category: 0
Event: 105 Source: ATI Smart
The service was started.
Log: 'Application' Date/Time: 21/11/2010 10:13:22 PM
Type: information Category: 0
Event: 1010 Source: UPHClean
User profile hive cleanup service stopped successfully.
Log: 'Application' Date/Time: 21/11/2010 8:38:29 PM
Type: information Category: 0
Event: 1000 Source: LoadPerf
Performance counters for the WmiApRpl (WmiApRpl) service were loaded successfully. The Record Data contains the new index values assigned to this service.
Log: 'Application' Date/Time: 21/11/2010 8:38:29 PM
Type: information Category: 0
Event: 1001 Source: LoadPerf
Performance counters for the WmiApRpl (WmiApRpl) service were removed successfully. The Record Data contains the new values of the system Last Counter and Last Help registry entries.
Log: 'Application' Date/Time: 21/11/2010 8:34:25 PM
Type: information Category: 0
Event: 1001 Source: UPHClean
User profile hive cleanup service version 1.6.30.0 started successfully.
Log: 'Application' Date/Time: 21/11/2010 8:34:23 PM
Type: information Category: 0
Event: 105 Source: ATI Smart
The service was started.
Log: 'Application' Date/Time: 21/11/2010 8:33:11 PM
Type: information Category: 0
Event: 1010 Source: UPHClean
User profile hive cleanup service stopped successfully.
Log: 'Application' Date/Time: 21/11/2010 8:31:22 PM
Type: information Category: 0
Event: 1000 Source: LoadPerf
Performance counters for the WmiApRpl (WmiApRpl) service were loaded successfully. The Record Data contains the new index values assigned to this service.
Log: 'Application' Date/Time: 21/11/2010 8:31:22 PM
Type: information Category: 0
Event: 1001 Source: LoadPerf
Performance counters for the WmiApRpl (WmiApRpl) service were removed successfully. The Record Data contains the new values of the system Last Counter and Last Help registry entries.
Log: 'Application' Date/Time: 21/11/2010 8:25:36 PM
Type: information Category: 0
Event: 1000 Source: LoadPerf
Performance counters for the WmiApRpl (WmiApRpl) service were loaded successfully. The Record Data contains the new index values assigned to this service.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 13/11/2010 3:58:56 AM
Type: warning Category: 0
Event: 1517 Source: Userenv
Windows saved user ANONYMOUS\Owner registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use. This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.
Log: 'Application' Date/Time: 10/10/2010 1:34:36 AM
Type: warning Category: 1
Event: 1020 Source: ASP.NET 2.0.50727.0
Updates to the IIS metabase were aborted because IIS is either not installed or is disabled on this machine. To configure ASP.NET to run in IIS, please install or enable IIS and re-register ASP.NET using aspnet_regiis.exe /i.
Log: 'Application' Date/Time: 13/08/2010 12:21:54 PM
Type: warning Category: 1
Event: 1020 Source: ASP.NET 2.0.50727.0
Updates to the IIS metabase were aborted because IIS is either not installed or is disabled on this machine. To configure ASP.NET to run in IIS, please install or enable IIS and re-register ASP.NET using aspnet_regiis.exe /i.
Log: 'Application' Date/Time: 26/06/2010 4:01:10 PM
Type: warning Category: 0
Event: 0 Source: System.ServiceModel.Install 3.0.0.0
Configuration section system.serviceModel.activation already exists in c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Config\machine.config.
Log: 'Application' Date/Time: 26/06/2010 4:01:10 PM
Type: warning Category: 0
Event: 0 Source: System.ServiceModel.Install 3.0.0.0
Configuration section system.runtime.serialization already exists in c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Config\machine.config.
Log: 'Application' Date/Time: 26/06/2010 4:01:10 PM
Type: warning Category: 0
Event: 0 Source: System.ServiceModel.Install 3.0.0.0
Configuration section system.serviceModel already exists in c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Config\machine.config.
Log: 'Application' Date/Time: 26/06/2010 4:01:08 PM
Type: warning Category: 0
Event: 0 Source: System.ServiceModel.Install 3.0.0.0
Could not detect IIS installation or IIS is disabled, skipping the Web Host Script Mappings component since it depends upon IIS to function properly. If you believe this message is an error, check your IIS installation to make sure it is installed properly.
Log: 'Application' Date/Time: 26/06/2010 4:00:29 PM
Type: warning Category: 1
Event: 1020 Source: ASP.NET 2.0.50727.0
Updates to the IIS metabase were aborted because IIS is either not installed or is disabled on this machine. To configure ASP.NET to run in IIS, please install or enable IIS and re-register ASP.NET using aspnet_regiis.exe /i.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 28/11/2010 11:08:57 AM
Type: error Category: 0
Event: 7000 Source: Service Control Manager
The wscsvc service failed to start due to the following error: The executable program that this service is configured to run in does not implement the service.
Log: 'System' Date/Time: 27/11/2010 11:30:51 AM
Type: error Category: 0
Event: 7000 Source: Service Control Manager
The wscsvc service failed to start due to the following error: The executable program that this service is configured to run in does not implement the service.
Log: 'System' Date/Time: 27/11/2010 11:29:33 AM
Type: error Category: 0
Event: 29 Source: W32Time
The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible. No attempt to contact a source will be made for 14 minutes. NtpClient has no source of accurate time.
Log: 'System' Date/Time: 27/11/2010 11:29:33 AM
Type: error Category: 0
Event: 17 Source: W32Time
Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
Log: 'System' Date/Time: 21/11/2010 9:42:59 PM
Type: error Category: 0
Event: 4321 Source: NetBT
The name "WORKGROUP :1d" could not be registered on the Interface with IP address 192.168.1.8. The machine with the IP address 192.168.1.10 did not allow the name to be claimed by this machine.
Log: 'System' Date/Time: 21/11/2010 9:37:49 PM
Type: error Category: 0
Event: 4321 Source: NetBT
The name "WORKGROUP :1d" could not be registered on the Interface with IP address 192.168.1.8. The machine with the IP address 192.168.1.10 did not allow the name to be claimed by this machine.
Log: 'System' Date/Time: 21/11/2010 9:35:56 PM
Type: error Category: 0
Event: 4321 Source: NetBT
The name "WORKGROUP :1d" could not be registered on the Interface with IP address 192.168.1.8. The machine with the IP address 192.168.1.10 did not allow the name to be claimed by this machine.
Log: 'System' Date/Time: 21/11/2010 9:30:46 PM
Type: error Category: 0
Event: 4321 Source: NetBT
The name "WORKGROUP :1d" could not be registered on the Interface with IP address 192.168.1.8. The machine with the IP address 192.168.1.10 did not allow the name to be claimed by this machine.
Log: 'System' Date/Time: 21/11/2010 9:25:36 PM
Type: error Category: 0
Event: 4321 Source: NetBT
The name "WORKGROUP :1d" could not be registered on the Interface with IP address 192.168.1.8. The machine with the IP address 192.168.1.10 did not allow the name to be claimed by this machine.
Log: 'System' Date/Time: 21/11/2010 9:23:43 PM
Type: error Category: 0
Event: 4321 Source: NetBT
The name "WORKGROUP :1d" could not be registered on the Interface with IP address 192.168.1.8. The machine with the IP address 192.168.1.10 did not allow the name to be claimed by this machine.
Log: 'System' Date/Time: 21/11/2010 9:18:33 PM
Type: error Category: 0
Event: 4321 Source: NetBT
The name "WORKGROUP :1d" could not be registered on the Interface with IP address 192.168.1.8. The machine with the IP address 192.168.1.10 did not allow the name to be claimed by this machine.
Log: 'System' Date/Time: 21/11/2010 9:13:23 PM
Type: error Category: 0
Event: 4321 Source: NetBT
The name "WORKGROUP :1d" could not be registered on the Interface with IP address 192.168.1.8. The machine with the IP address 192.168.1.10 did not allow the name to be claimed by this machine.
Log: 'System' Date/Time: 21/11/2010 9:06:21 PM
Type: error Category: 0
Event: 4321 Source: NetBT
The name "WORKGROUP :1d" could not be registered on the Interface with IP address 192.168.1.8. The machine with the IP address 192.168.1.10 did not allow the name to be claimed by this machine.
Log: 'System' Date/Time: 21/11/2010 9:01:11 PM
Type: error Category: 0
Event: 4321 Source: NetBT
The name "WORKGROUP :1d" could not be registered on the Interface with IP address 192.168.1.8. The machine with the IP address 192.168.1.10 did not allow the name to be claimed by this machine.
Log: 'System' Date/Time: 21/11/2010 8:59:17 PM
Type: error Category: 0
Event: 4321 Source: NetBT
The name "WORKGROUP :1d" could not be registered on the Interface with IP address 192.168.1.8. The machine with the IP address 192.168.1.10 did not allow the name to be claimed by this machine.
Log: 'System' Date/Time: 21/11/2010 8:54:07 PM
Type: error Category: 0
Event: 4321 Source: NetBT
The name "WORKGROUP :1d" could not be registered on the Interface with IP address 192.168.1.8. The machine with the IP address 192.168.1.10 did not allow the name to be claimed by this machine.
Log: 'System' Date/Time: 21/11/2010 8:48:57 PM
Type: error Category: 0
Event: 8009 Source: BROWSER
The browser was unable to promote itself to master browser. The computer that currently believes it is the master browser is MC-ACA3341374E7.
Log: 'System' Date/Time: 21/11/2010 8:48:57 PM
Type: error Category: 0
Event: 4321 Source: NetBT
The name "WORKGROUP :1d" could not be registered on the Interface with IP address 192.168.1.8. The machine with the IP address 192.168.1.10 did not allow the name to be claimed by this machine.
Log: 'System' Date/Time: 21/11/2010 8:47:05 PM
Type: error Category: 0
Event: 4321 Source: NetBT
The name "WORKGROUP :1d" could not be registered on the Interface with IP address 192.168.1.8. The machine with the IP address 192.168.1.10 did not allow the name to be claimed by this machine.
Log: 'System' Date/Time: 21/11/2010 8:41:55 PM
Type: error Category: 0
Event: 4321 Source: NetBT
The name "WORKGROUP :1d" could not be registered on the Interface with IP address 192.168.1.8. The machine with the IP address 192.168.1.10 did not allow the name to be claimed by this machine.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - information Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 29/11/2010 8:22:58 AM
Type: information Category: 0
Event: 4201 Source: Tcpip
The system detected that network adapter \DEVICE\TCPIP_{E4505B3D-EBBA-48A4-92E8-3FCA78BFCAC7} was connected to the network, and has initiated normal operation over the network adapter.
Log: 'System' Date/Time: 28/11/2010 11:36:04 AM
Type: information Category: 0
Event: 7036 Source: Service Control Manager
The IMAPI CD-Burning COM Service service entered the stopped state.
Log: 'System' Date/Time: 28/11/2010 11:35:57 AM
Type: information Category: 0
Event: 7036 Source: Service Control Manager
The IMAPI CD-Burning COM Service service entered the running state.
Log: 'System' Date/Time: 28/11/2010 11:35:57 AM
Type: information Category: 0
Event: 7035 Source: Service Control Manager
The IMAPI CD-Burning COM Service service was successfully sent a start control.
Log: 'System' Date/Time: 28/11/2010 11:22:59 AM
Type: information Category: 0
Event: 7036 Source: Service Control Manager
The IMAPI CD-Burning COM Service service entered the stopped state.
Log: 'System' Date/Time: 28/11/2010 11:22:53 AM
Type: information Category: 0
Event: 7036 Source: Service Control Manager
The IMAPI CD-Burning COM Service service entered the running state.
Log: 'System' Date/Time: 28/11/2010 11:22:53 AM
Type: information Category: 0
Event: 7035 Source: Service Control Manager
The IMAPI CD-Burning COM Service service was successfully sent a start control.
Log: 'System' Date/Time: 28/11/2010 11:22:40 AM
Type: information Category: 0
Event: 7036 Source: Service Control Manager
The IMAPI CD-Burning COM Service service entered the stopped state.
Log: 'System' Date/Time: 28/11/2010 11:22:34 AM
Type: information Category: 0
Event: 7036 Source: Service Control Manager
The IMAPI CD-Burning COM Service service entered the running state.
Log: 'System' Date/Time: 28/11/2010 11:22:34 AM
Type: information Category: 0
Event: 7035 Source: Service Control Manager
The IMAPI CD-Burning COM Service service was successfully sent a start control.
Log: 'System' Date/Time: 28/11/2010 11:08:57 AM
Type: information Category: 0
Event: 7036 Source: Service Control Manager
The IMAPI CD-Burning COM Service service entered the stopped state.
Log: 'System' Date/Time: 28/11/2010 11:08:57 AM
Type: information Category: 0
Event: 7036 Source: Service Control Manager
The HTTP SSL service entered the running state.
Log: 'System' Date/Time: 28/11/2010 11:08:57 AM
Type: information Category: 0
Event: 7035 Source: Service Control Manager
The HTTP SSL service was successfully sent a start control.
Log: 'System' Date/Time: 28/11/2010 11:08:57 AM
Type: information Category: 0
Event: 7036 Source: Service Control Manager
The SSDP Discovery Service service entered the running state.
Log: 'System' Date/Time: 28/11/2010 11:08:57 AM
Type: information Category: 0
Event: 7035 Source: Service Control Manager
The SSDP Discovery Service service was successfully sent a start control.
Log: 'System' Date/Time: 28/11/2010 11:08:57 AM
Type: information Category: 0
Event: 7036 Source: Service Control Manager
The Computer Browser service entered the stopped state.
Log: 'System' Date/Time: 28/11/2010 11:08:57 AM
Type: information Category: 0
Event: 7036 Source: Service Control Manager
The Remote Access Connection Manager service entered the running state.
Log: 'System' Date/Time: 28/11/2010 11:08:57 AM
Type: information Category: 0
Event: 7036 Source: Service Control Manager
The Application Layer Gateway Service service entered the running state.
Log: 'System' Date/Time: 28/11/2010 11:08:57 AM
Type: information Category: 0
Event: 7035 Source: Service Control Manager
The Application Layer Gateway Service service was successfully sent a start control.
Log: 'System' Date/Time: 28/11/2010 11:08:57 AM
Type: information Category: 0
Event: 7036 Source: Service Control Manager
The IMAPI CD-Burning COM Service service entered the running state.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 29/11/2010 12:47:10 AM
Type: warning Category: 0
Event: 36 Source: W32Time
The time service has not been able to synchronize the system time for 49152 seconds because none of the time providers has been able to provide a usable time stamp. The system clock is unsynchronized.
Log: 'System' Date/Time: 21/11/2010 12:40:05 AM
Type: warning Category: 0
Event: 36 Source: W32Time
The time service has not been able to synchronize the system time for 49152 seconds because none of the time providers has been able to provide a usable time stamp. The system clock is unsynchronized.
Log: 'System' Date/Time: 17/11/2010 12:02:26 PM
Type: warning Category: 0
Event: 36 Source: W32Time
The time service has not been able to synchronize the system time for 49152 seconds because none of the time providers has been able to provide a usable time stamp. The system clock is unsynchronized.
Log: 'System' Date/Time: 16/11/2010 12:17:11 AM
Type: warning Category: 0
Event: 36 Source: W32Time
The time service has not been able to synchronize the system time for 49152 seconds because none of the time providers has been able to provide a usable time stamp. The system clock is unsynchronized.
Log: 'System' Date/Time: 14/11/2010 1:03:53 AM
Type: warning Category: 0
Event: 36 Source: W32Time
The time service has not been able to synchronize the system time for 49152 seconds because none of the time providers has been able to provide a usable time stamp. The system clock is unsynchronized.
Log: 'System' Date/Time: 11/11/2010 11:24:36 PM
Type: warning Category: 0
Event: 36 Source: W32Time
The time service has not been able to synchronize the system time for 49152 seconds because none of the time providers has been able to provide a usable time stamp. The system clock is unsynchronized.
Log: 'System' Date/Time: 09/11/2010 11:23:45 PM
Type: warning Category: 0
Event: 36 Source: W32Time
The time service has not been able to synchronize the system time for 49152 seconds because none of the time providers has been able to provide a usable time stamp. The system clock is unsynchronized.
Jack&Jill
2010-11-30, 04:19
Hello blackjaw :),
Good thing belts are adjustable. Creativity.
Do you have the Windows CD? We may need to fall back on it, depending on what we find next.
--------------------
Please download SystemLook© by jpshortstuff from one of the links below and save it to your desktop.
Link 1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Link 2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)
Double click on SystemLook.exe to run it.
Copy and paste the following text into the main textfield:
:dir
c:\program files\o8o9.com /s
:file
c:\windows\system32\AUDIOGENIE2.DLL.vir
:reg
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cryptsvc /s
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seclogon /s
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\spooler /s
Click the Look button to start the scan. This might take a while.
When finished, a Notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found at on your desktop as SystemLook.txt.
--------------------
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use. Do not mouse click on ComboFix while it is running. That may cause it to stall.
Run ComboFix script
Please disable your real time protection of any Antivirus, Antispyware or Antimalware programs temporarily when running ComboFix. They will interfere and may cause unexpected results.
If you need help to disable your protection programs see here (http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/490111-how-disable-your-security-applications.html) and here (http://www.bleepingcomputer.com/forums/topic114351.html).
Open Notepad. Copy and paste the following text into it:
File::
C:\Program Files\Mozilla Firefox\mstsc.exe
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8wnlslie.default\prefs.js.BAK
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\12\601d500c-56d784fd
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\14\4912bf0e-4a724173
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\26\3a5b5f9a-7b9e21e9
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\28\3f98029c-5d7eb572
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\28\5b1b8d1c-4620b148
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\29\20db519d-7477de76
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\30\3a25b1e-2f5b7034
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\38\4e3ff526-42dab121
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\4\6fecf784-6cf90f07
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\47\4c4f29af-5a5c84ab
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\49\739d2831-749b2ef1
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\53\faa5135-5de90216
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\8\22fa888-6239b807
C:\Documents and Settings\Owner\My Documents\Downloads\GNOMON WORKSHOP The Techniques of Dusso vol.1\gnomon.iso
Mia::
c:\windows\System32\wscntfy.exe
c:\windows\System32\ctfmon.exe
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001
Firefox::
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 50370
FF - prefs.js: network.proxy.type - 1
DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:50370
Save it as CFScript.txt at the desktop. Make sure the Save as type: is All Files (*.*).
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix may request an update, please allow it.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, a log will be produced as C:\ComboFix.txt. Copy and paste the contents of the log in your next reply.
If you lose Internet connection after running ComboFix, right click on the network icon at the system tray and select Repair, or you can reboot the computer.
Enable back your security softwares as soon as you completed the ComboFix steps.
--------------------
The remainder of the online scan's findings include backups that were created during the course of this fix, and items located in C:\System Volume Information\ where System Restore's cache is stored. Whatever is in there can't harm you unless you choose to perform a manual restore.
Nevertheless, we shall be taking care of both, during the final cleanup.
--------------------
I do not see any Antivirus (AV) installed on your machine. AV is a very critical part of your system to keep the it safe and clean. Without it, a computer can easily get infected. Please download and install an AV from one of the links below:
Avast (http://www.avast.com/eng/download-avast-home.html)
Avira (http://download.cnet.com/Avira-AntiVir-Personal-Free-Antivirus/3000-2239_4-10322935.html?part=dl-10322935&subj=dl&tag=button&cdlPid=11012914)
Microsoft Security Essentials (http://www.microsoft.com/security_essentials/)
Please keep only one AV installed.
--------------------
Please post back:
1. the answer to my question about Windows CD
2. SystemLook log
3. ComboFix log
4. new DDS log
blackjaw
2010-11-30, 08:56
I'm not entirely sure I'll talk to my son about it he set this computer up, and I'm not sure where he put the disks. I'll get back to you on that in the morning. If we cant find it I'm sure I can buy a new one I hear windows 7 is pretty good
I can't seem to run DDS anymore it just pops up a black box the immediately closes, I even tried deleting it and downloading it again. :confused:
SystemLook
SystemLook 04.09.10 by jpshortstuff
Log created at 01:02 on 30/11/2010 by Owner
Administrator - Elevation successful
========== dir ==========
c:\program files\o8o9.com - Parameters: "/s"
---Files---
None found.
c:\program files\o8o9.com\Free DV-AVI 2 TS Converter d------ [03:43 26/10/2010]
avcodec.dll --a---- 7276032 bytes [03:43 26/10/2010] [13:39 13/10/2009]
avdevice.dll --a---- 10752 bytes [03:43 26/10/2010] [13:39 13/10/2009]
avfilter.dll --a---- 14336 bytes [03:43 26/10/2010] [13:39 13/10/2009]
avformat.dll --a---- 666624 bytes [03:43 26/10/2010] [13:39 13/10/2009]
avutil.dll --a---- 57344 bytes [03:43 26/10/2010] [13:39 13/10/2009]
convert.exe --a---- 84219 bytes [03:43 26/10/2010] [13:39 13/10/2009]
FreeDV-AVI2TSConverter.exe --a---- 172032 bytes [03:43 26/10/2010] [09:21 01/01/2010]
GetChar2.dll --a---- 53248 bytes [03:43 26/10/2010] [09:21 01/01/2010]
pthreadGC2.dll --a---- 89273 bytes [03:43 26/10/2010] [13:39 13/10/2009]
SCUtil.dll --a---- 57344 bytes [03:43 26/10/2010] [09:21 01/01/2010]
SDL.dll --a---- 1760356 bytes [03:43 26/10/2010] [13:39 13/10/2009]
swscale.dll --a---- 158208 bytes [03:43 26/10/2010] [13:39 13/10/2009]
unins000.dat --a---- 5725 bytes [03:43 26/10/2010] [03:43 26/10/2010]
unins000.exe --a---- 695642 bytes [03:43 26/10/2010] [03:43 26/10/2010]
xvidcore.dll --a---- 742220 bytes [03:43 26/10/2010] [13:39 13/10/2009]
c:\program files\o8o9.com\Free DV-AVI 2 TS Converter\config d------ [03:43 26/10/2010]
config.ini --a---- 107 bytes [03:43 26/10/2010] [09:21 01/01/2010]
pfile.cf --a---- 3629 bytes [03:43 26/10/2010] [09:21 01/01/2010]
ui.xml --a---- 2415 bytes [03:43 26/10/2010] [17:15 11/11/2009]
c:\program files\o8o9.com\Free DV-AVI 2 TS Converter\en d------ [03:43 26/10/2010]
SCLanguage.dll --a---- 10752 bytes [03:43 26/10/2010] [09:21 01/01/2010]
========== file ==========
c:\windows\system32\AUDIOGENIE2.DLL.vir - File found and opened.
MD5: FF83CB462BA421228DF5E520E511BD7B
Created at 06:30 on 19/02/2010
Modified at 02:50 on 07/11/2010
Size: 323584 bytes
Attributes: --a----
FileDescription: AudioGenie2 DLL Module
FileVersion: 1, 0, 4, 0
ProductVersion: 1, 0, 4, 0
OriginalFilename: AudioGenie2.dll
InternalName: AudioGenie2.dll
ProductName: audiogenie Module
CompanyName: Stefan Toengi
LegalCopyright: Copyright 2007, 2008 by Stefan Toengi
Comments: AudioGenie DLL
- Unable to find/read file.
========== reg ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cryptsvc]
"DependOnService"="RpcSs"
"Description"="Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start."
"DisplayName"="CryptSvc"
"ErrorControl"= 0x0000000001 (1)
"ImagePath"="%SystemRoot%\system32\svchost.exe -k netsvcs"
"ObjectName"="LocalSystem"
"Start"= 0x0000000002 (2)
"Type"= 0x0000000020 (32)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cryptsvc\Parameters]
"ServiceDll"="%SystemRoot%\System32\cryptsvc.dll"
"ServiceMain"="CryptServiceMain"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cryptsvc\Security]
"Security"=00 00 0e 00 01 (REG_BINARY)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cryptsvc\Enum]
"0"="Root\LEGACY_CRYPTSVC\0000"
"Count"= 0x0000000001 (1)
"NextInstance"= 0x0000000001 (1)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seclogon]
"Description"="Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start."
"DisplayName"="Secondary Logon"
"ErrorControl"= 0x0000000000 (0)
"ImagePath"="%SystemRoot%\System32\svchost.exe -k netsvcs"
"Objectname"="LocalSystem"
"Start"= 0x0000000002 (2)
"Type"= 0x0000000120 (288)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seclogon\Parameters]
"ServiceDll"="%SystemRoot%\System32\seclogon.dll"
"ServiceMain"="SvcEntry_Seclogon"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seclogon\Security]
"Security"=01 00 14 80 90 00 00 00 9c 00 00 00 14 00 00 00 30 00 00 00 02 00 1c 00 01 00 00 00 02 80 14 00 ff 01 0f 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 8d 01 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 18 00 9d 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 00 00 18 00 ff 01 0f 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 fd 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 (REG_BINARY)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seclogon\Enum]
"0"="Root\LEGACY_SECLOGON\0000"
"Count"= 0x0000000001 (1)
"NextInstance"= 0x0000000001 (1)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\spooler]
"DependOnService"="RPCSS"
"Description"="Loads files to memory for later printing."
"DisplayName"="Print Spooler"
"ErrorControl"= 0x0000000001 (1)
"Group"="SpoolerGroup"
"ImagePath"="%SystemRoot%\system32\spoolsv.exe"
"ObjectName"="LocalSystem"
"Start"= 0x0000000002 (2)
"Type"= 0x0000000110 (272)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\spooler\Parameters]
(No values found)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\spooler\Performance]
"Close"="PerfClose"
"Collect"="PerfCollect"
"Collect Timeout"= 0x00000007d0 (2000)
"Library"="winspool.drv"
"Object List"="1450"
"Open"="PerfOpen"
"Open Timeout"= 0x0000000fa0 (4000)
"WbemAdapFileSignature"=bd 83 ab a6 1e 8a cc c8 d9 ff b8 69 f2 94 18 ce 00 (REG_BINARY)
"WbemAdapFileTime"=00 29 52 e3 7a 79 c4 01 (REG_BINARY)
"WbemAdapFileSize"= 0x0000023c00 (146432)
"WbemAdapStatus"= 0x0000000000 (0)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\spooler\Security]
"Security"=01 00 14 80 90 00 00 00 9c 00 00 00 14 00 00 00 30 00 00 00 02 00 1c 00 01 00 00 00 02 80 14 00 ff 01 0f 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 8d 01 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 18 00 9d 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 00 00 18 00 ff 01 0f 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 fd 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 (REG_BINARY)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\spooler\Enum]
"0"="Root\LEGACY_SPOOLER\0000"
"Count"= 0x0000000001 (1)
"NextInstance"= 0x0000000001 (1)
-= EOF =-
ComboFix
ComboFix 10-11-29.04 - Owner 11/30/2010 1:09.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.768 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\gmbox.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
FILE ::
"c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\8wnlslie.default\prefs.js.BAK"
"c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\12\601d500c-56d784fd"
"c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\14\4912bf0e-4a724173"
"c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\26\3a5b5f9a-7b9e21e9"
"c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\28\3f98029c-5d7eb572"
"c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\28\5b1b8d1c-4620b148"
"c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\29\20db519d-7477de76"
"c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\30\3a25b1e-2f5b7034"
"c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\38\4e3ff526-42dab121"
"c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\4\6fecf784-6cf90f07"
"c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\47\4c4f29af-5a5c84ab"
"c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\49\739d2831-749b2ef1"
"c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\53\faa5135-5de90216"
"c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\8\22fa888-6239b807"
"c:\documents and settings\Owner\My Documents\Downloads\GNOMON WORKSHOP The Techniques of Dusso vol.1\gnomon.iso"
"c:\program files\Mozilla Firefox\mstsc.exe"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\8wnlslie.default\prefs.js.BAK
c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\12\601d500c-56d784fd
c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\14\4912bf0e-4a724173
c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\26\3a5b5f9a-7b9e21e9
c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\28\3f98029c-5d7eb572
c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\28\5b1b8d1c-4620b148
c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\29\20db519d-7477de76
c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\30\3a25b1e-2f5b7034
c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\38\4e3ff526-42dab121
c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\4\6fecf784-6cf90f07
c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\47\4c4f29af-5a5c84ab
c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\49\739d2831-749b2ef1
c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\53\faa5135-5de90216
c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\8\22fa888-6239b807
c:\documents and settings\Owner\My Documents\Downloads\GNOMON WORKSHOP The Techniques of Dusso vol.1\gnomon.iso
c:\program files\Mozilla Firefox\mstsc.exe
c:\windows\System32\wscntfy.exe . . . is missing!!
c:\windows\System32\ctfmon.exe . . . is missing!!
.
((((((((((((((((((((((((( Files Created from 2010-10-28 to 2010-11-30 )))))))))))))))))))))))))))))))
.
2010-11-29 06:54 . 2010-11-29 06:54 -------- d-----w- c:\program files\ESET
2010-11-22 01:34 . 2010-11-22 01:34 -------- d-----w- c:\windows\system32\wbem\snmp
2010-11-22 01:34 . 2010-11-22 01:34 -------- d-----w- c:\windows\system32\oobe
2010-11-22 01:34 . 2010-11-22 01:34 -------- d-----w- c:\windows\system32\xircom
2010-11-22 01:34 . 2010-11-22 01:34 -------- d-----w- c:\program files\microsoft frontpage
2010-11-16 18:46 . 2010-11-16 18:46 -------- d-----w- c:\program files\XviD
2010-11-16 18:46 . 2010-11-16 18:46 -------- d-----w- c:\program files\AviSynth 2.5
2010-11-16 18:46 . 2010-11-16 18:46 -------- d-----w- c:\program files\Gabest
2010-11-16 18:46 . 2010-11-16 18:46 -------- d-----w- c:\program files\AutoGK
2010-11-08 19:08 . 2010-11-08 19:08 -------- d-----w- c:\program files\ERUNT
2010-11-08 16:07 . 2009-06-30 15:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-11-08 16:06 . 2010-11-08 16:06 -------- d-----w- c:\program files\Panda Security
2010-11-08 16:02 . 2010-11-08 16:02 -------- d-----w- c:\documents and settings\Owner\Application Data\QuickScan
2010-11-08 15:32 . 2010-11-08 15:32 -------- d-----w- C:\spoolerlogs
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-07 02:50 . 2010-02-22 06:38 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll
2010-11-07 02:50 . 2010-02-22 06:38 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe
2010-11-07 02:50 . 2010-02-19 06:30 323584 ----a-w- c:\windows\system32\AUDIOGENIE2.DLL.vir
2010-09-18 16:23 . 2008-04-14 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2008-04-14 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2008-04-14 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2008-04-14 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:57 . 2009-10-19 08:27 919552 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:57 . 2009-10-19 08:26 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:57 . 2009-10-19 08:25 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-08 15:17 . 2010-09-08 15:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 15:17 . 2010-09-08 15:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-01 11:48 . 2009-10-19 08:25 285824 ----a-w- c:\windows\system32\atmfd.dll
.
------- Sigcheck -------
[-] 2008-04-14 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\drivers\atapi.sys
[-] 2008-04-14 . B153AFFAC761E7F5FCFA822B9C4E97BC . 14336 . . [5.1.2600.5512] . . c:\windows\system32\drivers\asyncmac.sys
[-] 2008-04-14 . DA1F27D85E0D1525F6621372E7B685E9 . 4224 . . [5.1.2600.0] . . c:\windows\system32\drivers\beep.sys
[-] 2008-04-14 . 463C1EC80CD17420A542B7F36A36F128 . 24576 . . [5.1.2600.5512] . . c:\windows\system32\drivers\kbdclass.sys
[-] 2009-10-19 . B5B1080D35974C0E718D64280761BCD5 . 182912 . . [5.1.2600.5588] . . c:\windows\system32\drivers\ndis.sys
[-] 2009-03-23 . AE8CAD8F28DB13B515A68510A539B0B8 . 576512 . . [5.1.2600.5782] . . c:\windows\system32\drivers\ntfs.sys
[-] 2008-04-14 . 73C1E1F395918BC2C6DD67AF7591A3AD . 2944 . . [5.1.2600.0] . . c:\windows\system32\drivers\null.sys
[-] 2009-10-19 . BA8C046D98345129723E6BCAA1E8AB99 . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys
[-] 2009-10-19 . 7E39A3EDC13B076E70FDB9A6F6D7A4B4 . 78336 . . [5.1.2600.5574] . . c:\windows\system32\browser.dll
[-] 2008-04-14 . BF2466B3E18E970D8A976FB95FC1CA85 . 13312 . . [5.1.2600.5512] . . c:\windows\system32\lsass.exe
[-] 2008-04-14 . 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE . 198144 . . [5.1.2600.5512] . . c:\windows\system32\netman.dll
[-] 2009-10-19 . F13D1AA04F1F02399EB87F011584B7C0 . 408576 . . [6.7.2600.5796] . . c:\windows\system32\qmgr.dll
[-] 2009-10-19 . F13D1AA04F1F02399EB87F011584B7C0 . 408576 . . [6.7.2600.5796] . . c:\windows\system32\bits\qmgr.dll
[-] 2009-10-19 . 9222562D44021B988B9F9F62207FB6F2 . 401408 . . [5.1.2600.5755] . . c:\windows\system32\rpcss.dll
[-] 2009-10-19 . 020CEAAEDC8EB655B6506B8C70D53BB6 . 110592 . . [5.1.2600.5755] . . c:\windows\system32\services.exe
[-] 2009-10-19 . 53A8857723277B1D6D5EE60A9F85B117 . 509440 . . [5.1.2600.5788] . . c:\windows\system32\winlogon.exe
[-] 2008-04-14 . 3D4E199942E29207970E04315D02AD3B . 62464 . . [5.1.2600.5512] . . c:\windows\system32\cryptsvc.dll
[-] 2009-10-19 08:25 . F17F6226BDC0CD5F0BEF0DAF84D29BEC . 253952 . . [2001.12.4414.706] . . c:\windows\system32\es.dll
[-] 2008-04-14 . 0DA85218E92526972A821587E6A8BF8F . 110080 . . [5.1.2600.5512] . . c:\windows\system32\imm32.dll
[-] 2009-10-19 . DA11D9D6ECBDF0F93436A4B7C13F7BEC . 991744 . . [5.1.2600.5781] . . c:\windows\system32\kernel32.dll
[-] 2008-04-14 . 2DC5A8019E2387987905F77C664E4BE2 . 19968 . . [5.1.2600.5512] . . c:\windows\system32\linkinfo.dll
[-] 2008-04-14 . 012DF358CEBAA23ACB26D82077820817 . 22016 . . [5.1.2600.5512] . . c:\windows\system32\lpk.dll
[-] 2009-10-19 . 4200BE3808F6406DBE45A7B88DAE5035 . 322560 . . [7.0.2600.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.0.0_x-ww_2726e76a\msvcrt.dll
[-] 2009-10-19 . 06B8485FB1DA9A552B10AB978CD1AC85 . 343040 . . [7.0.2600.5701] . . c:\windows\system32\msvcrt.dll
[-] 2009-10-19 . A4C4A54FD7E31179CB5BDF7896DF3DF7 . 343040 . . [7.0.2600.5701] . . c:\windows\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.5701_x-ww_40d12c25\msvcrt.dll
[-] 2009-10-19 . 290C1A30DEFC723BBE10910AC2D6F6D0 . 245248 . . [5.1.2600.5649] . . c:\windows\system32\mswsock.dll
[-] 2009-10-19 . DAB13813B25B3D009B2AC1194CF5D0A2 . 407552 . . [5.1.2600.5755] . . c:\windows\system32\netlogon.dll
[-] 2008-04-14 . 50A166237A0FA771261275A405646CC0 . 17408 . . [6.00.2900.5512] . . c:\windows\system32\powrprof.dll
[-] 2008-04-14 . A86BB5E61BF3E39B62AB4C7E7085A084 . 181248 . . [5.1.2600.5512] . . c:\windows\system32\scecli.dll
[-] 2008-04-14 . 96E1C926F22EE1BFBAE82901A35F6BF3 . 5120 . . [5.1.2600.5512] . . c:\windows\system32\sfc.dll
[-] 2009-10-19 . 67E38B4A549833E02D4D1617B5DBC318 . 14848 . . [5.1.2600.5689] . . c:\windows\system32\svchost.exe
[-] 2009-10-19 . E2B32B10ACC5D97623275AAFB67E5F03 . 249856 . . [5.1.2600.5654] . . c:\windows\system32\tapisrv.dll
[-] 2009-10-19 . 3DE22354C3609B3C3E5DC2C19C5E0693 . 578560 . . [5.1.2600.5577] . . c:\windows\system32\user32.dll
[-] 2008-04-14 . A93AEE1928A9D7CE3E16D24EC7380F89 . 26112 . . [5.1.2600.5512] . . c:\windows\system32\userinit.exe
[-] 2008-04-14 . 2CCC474EB85CEAA3E1FA1726580A3E5A . 82432 . . [5.1.2600.5512] . . c:\windows\system32\ws2_32.dll
[-] 2008-04-14 . 9789E95E1D88EEB4B922BF3EA7779C28 . 19968 . . [5.1.2600.5512] . . c:\windows\system32\ws2help.dll
[-] 2009-10-19 . 2BB75B7F548D82A099125D0C5971DE7D . 1033728 . . [6.00.2900.5634] . . c:\windows\explorer.exe
[-] 2008-04-14 . 3805DF0AC4296A34BA4BF93B346CC378 . 171008 . . [5.1.2600.5512] . . c:\windows\system32\srsvc.dll
[-] 2008-04-14 . 295D21F14C335B53CB8154E5B1F892B9 . 129024 . . [5.1.2600.5512] . . c:\windows\system32\xmlprov.dll
[-] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\system32\eventlog.dll
[-] 2008-04-14 . 9DD07AF82244867CA36681EA2D29CE79 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
[-] 2009-10-19 . 888CD7B39C37E13A2419BECFAAF0A28C . 135168 . . [6.00.2900.5853] . . c:\windows\system32\shsvcs.dll
[-] 2008-04-14 . 5B19B557B0C188210A56A6B699D90B8F . 59904 . . [5.1.2600.5512] . . c:\windows\system32\regsvc.dll
[-] 2008-04-14 . 0A9A7365A1CA4319AA7C1D6CD8E4EAFA . 192512 . . [5.1.2600.5512] . . c:\windows\system32\schedsvc.dll
[-] 2008-04-14 . 0A5679B3714EDAB99E357057EE88FCA6 . 71680 . . [5.1.2600.5512] . . c:\windows\system32\ssdpsrv.dll
[-] 2009-10-19 . 5128852A18AE46C387F87BF27DA4C9DD . 296960 . . [5.1.2600.5815] . . c:\windows\system32\termsrv.dll
[-] 2008-04-14 . D8849F77C0B66226335A59D26CB4EDC6 . 167936 . . [5.1.2600.5512] . . c:\windows\system32\appmgmts.dll
[-] 2008-04-14 . 9859C0F6936E723E4892D7141B1327D5 . 11648 . . [5.1.2600.0] . . c:\windows\system32\drivers\acpiec.sys
[-] 2008-04-13 20:09 . 8BED39E3C35D6A489438B8141717A557 . 142592 . . [5.1.2601.3142] . . c:\windows\system32\drivers\aec.sys
[-] 2008-04-14 . 3BB22519A194418D5FEC05D800A19AD0 . 36608 . . [5.1.2600.5512] . . c:\windows\system32\drivers\ip6fw.sys
[-] 2008-04-14 . 986B1FF5814366D71E0AC5755C88F2D3 . 33792 . . [5.1.2600.5512] . . c:\windows\system32\msgsvc.dll
[-] 2009-10-19 08:26 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\system32\mspmsnsv.dll
[-] 2008-04-14 12:00 . 156F64A3345BD23C600655FB4D10BC08 . 435200 . . [5.1.2400.5512] . . c:\windows\system32\ntmssvc.dll
[-] 2008-04-14 . 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 . 185856 . . [5.1.2600.5512] . . c:\windows\system32\upnphost.dll
[-] 2008-04-14 . 4D83ED8BDDEC431FC8AD907B47CFB6E3 . 367616 . . [5.3.2600.5512] . . c:\windows\system32\dsound.dll
[-] 2009-10-19 . D2CF91B2C710E9F666E60AFBF87643EE . 1689088 . . [5.03.2600.5601] . . c:\windows\system32\d3d9.dll
[-] 2008-04-14 . A340CD71EB535A3DD751B5F28723E50C . 279552 . . [5.03.2600.5512] . . c:\windows\system32\ddraw.dll
[-] 2008-04-14 12:00 . 5652F6CE1D9E9D8068B9D29BC21B5409 . 84992 . . [5.1.2600.5512] . . c:\windows\system32\olepro32.dll
[-] 2008-04-14 . DBE2B62353660ECCA0D75EA307A717E9 . 39936 . . [5.1.2600.5512] . . c:\windows\system32\perfctrs.dll
[-] 2008-04-14 . C7CE131408739B0B3A318BE2D0032719 . 18944 . . [5.1.2600.5512] . . c:\windows\system32\version.dll
c:\windows\System32\wscntfy.exe ... is missing !!
c:\windows\System32\ctfmon.exe ... is missing !!
.
((((((((((((((((((((((((((((( SnapShot@2010-11-22_01.27.40 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-14 12:00 . 2010-11-22 01:25 71264 c:\windows\system32\perfc009.dat
+ 2008-04-14 12:00 . 2010-11-30 01:20 71264 c:\windows\system32\perfc009.dat
+ 2008-04-14 12:00 . 2010-11-30 01:20 441454 c:\windows\system32\perfh009.dat
- 2008-04-14 12:00 . 2010-11-22 01:25 441454 c:\windows\system32\perfh009.dat
+ 2009-10-19 08:30 . 2010-11-28 08:08 35758536 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]
"P17Helper"="P17.dll" [2003-11-17 60416]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-02-11 61440]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2009-10-19 128512]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 18 (0x12)
"NoSMConfigurePrograms"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2003-01-17 19:59 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"JavaQuickStarterService"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [11/8/2010 11:07 AM 28552]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [7/20/2010 11:24 PM 5010288]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [3/29/2010 9:15 PM 16168]
S1 DumpDrv;Crash Dump Driver;c:\windows\system32\drivers\dumpdrv.sys [10/19/2009 3:29 AM 9472]
--- Other Services/Drivers In Memory ---
*Deregistered* - uphcleanhlp
.
Contents of the 'Scheduled Tasks' folder
2010-11-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
2010-11-30 c:\windows\Tasks\User_Feed_Synchronization-{41B44F24-BED9-4AE2-93D3-B731A5389B85}.job
- c:\windows\system32\msfeedssync.exe [2009-10-19 08:30]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\8wnlslie.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 50370
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\Opera\program\plugins\nppl3260.dll
FF - plugin: c:\program files\Opera\program\plugins\nppl3260.dll
FF - plugin: c:\program files\Opera\program\plugins\nprpjplug.dll
FF - plugin: c:\program files\Opera\program\plugins\nprpjplug.dll
FF - plugin: c:\program files\TabletPlugins\npwacom.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-30 01:14
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(528)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-11-30 01:16:50
ComboFix-quarantined-files.txt 2010-11-30 06:16
ComboFix2.txt 2010-11-22 01:30
Pre-Run: 21,001,957,376 bytes free
Post-Run: 21,212,397,568 bytes free
- - End Of File - - E2FF6CE46B46F534BA25A2486CD65F76
Jack&Jill
2010-11-30, 10:29
Hello blackjaw :),
I'm not entirely sure I'll talk to my son about it he set this computer up, and I'm not sure where he put the disks. I'll get back to you on that in the morning. If we cant find it I'm sure I can buy a new one I hear windows 7 is pretty good Find the disk or get a new one, we need it.
I can't seem to run DDS anymore it just pops up a black box the immediately closes, I even tried deleting it and downloading it again. This, and all other signs from the logs, reinforced what I need to inform you next. My apologies for not informing sooner as the situation was not clear to me earlier.
--------------------
Your computer has/had some serious infections with rootkit/backdoor capabilities.
Sorry for the bad news. Backdoors provide outsiders full access to your computer, enabling them to record key strokes, steal passwords, spread malwares, and even using it for other illegal activities.
If your computer has been used for important or sensitive data such as online banking, shopping or any other financial transactions, I strongly recommend you to do the following:
Disconnect from the Internet and any network immediately.
Inform your financial institutions that you may be a victim of identity theft and to put a watch on all your accounts or change them.
Change all your online passwords from a clean computer.
Take any other steps that you may think is necessary to prevent financial distress due to identity theft.
Due to the backdoor functionality, your computer is compromised and can no longer be fully trusted. Many experts in the security community believe that once tainted with this type of infections, the best course of action would be a reformat and reinstall of the OS. I too strongly recommend you to format your computer.
Here are some read:
How to respond to possible ID theft and Internet fraud (http://www.dslreports.com/faq/10451)
When should I reformat? (http://www.dslreports.com/faq/10063)
Jack&Jill
2010-12-03, 02:08
Hello blackjaw :),
I usually close the topic after 3 days without any reply, and it has already been 2 days since my last post. Do you still need help? Any problems following my instructions? Need more time?
If I do not get any response within the next 24 hours, this topic will be closed.
Jack&Jill
2010-12-05, 10:32
Due to lack of response, this topic is now closed.
If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread. How to post a DDS log. (http://forums.spybot.info/showpost.php?p=1150&postcount=2)
If it has been less than three days since your last response and you need the thread re-opened, please send a private message (pm) to me or a MOD. A valid, working link to the closed topic is required. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.
Everyone else please begin a New Topic.