
Click.GiftLoad Help Please



deathtoworms
2011-04-01, 18:09
Hello,
This one is tough. I've removed stubborn worms, etc. in the past, but this one is ridiculously stubborn. It has disabled my Windows automatic updates, which I cannot fix. When I go to update.microsoft.com I receive the default Windows Unable to Display Page error. I also get hijacked when attempting to follow links, especially when those links are generated by Google. I can see the attempt to go to the correct link, and the redirection kicks in and I end up at some random search-like site.

Before discovering this forum, I tried to fix this myself using Ad-Aware, Spybot S&D, Malwarebytes, HijackThis, CCleaner, etc. I actually managed to remove the eva.exe worm, but no luck on this one. Thanks in advance, this is terrible!

Below are the relevant logs:
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by actr at 11:19:18.21 on Fri 04/01/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.972 [GMT -4:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\System32\svchost.exe -k itlsvc
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\SYMANT~1\vptray.exe
C:\WINDOWS\V0400Mon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Boingo\Boingo Wi-Fi\Boingo Wi-Fi.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrobat.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\actr\Desktop\spyware_stuff\dds.com
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = <local>
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10h_ActiveX.exe -update activex
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe
mRun: [vptray] c:\progra~1\symant~1\\vptray.exe
mRun: [V0400Mon.exe] c:\windows\V0400Mon.exe
mRun: [Boingo Wi-Fi] "c:\program files\boingo\boingo wi-fi\Boingo.lnk"
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
Trusted Zone: cnet.com\download
Trusted Zone: mozilla.com\www
Trusted Zone: mozilla.org\www
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Notify: itlntfy - itlnfw32.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
mASetup: {38FD2B13-BFF4-451C-B2F1-24A918732021} - c:\windows\system32\msiexec.exe /fu {38FD2B13-BFF4-451C-B2F1-24A918732021} /q
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-3-31 64512]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-11-21 192104]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-11-21 169576]
R2 itlperf;Intel CPU;c:\windows\system32\svchost.exe -k itlsvc [2004-8-11 14336]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-3-31 1405384]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-12-20 1814720]
R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [2008-12-16 6016]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe [2010-5-5 583360]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-7-6 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110330.003\naveng.sys [2011-3-30 86008]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110330.003\navex15.sys [2011-3-30 1360760]
S1 PDIDRV;PDIDRV; [x]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-3-31 15232]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-12-20 116928]
S3 VF0400Afx;VF0400 Audio FX;c:\windows\system32\drivers\V0400Afx.sys [2010-1-3 142656]
S3 VF0400Vfx;VF0400 Video FX;c:\windows\system32\drivers\V0400Vfx.sys [2010-1-3 7424]
S3 VF0400Vid;Live! Cam Notebook Pro (VF0400);c:\windows\system32\drivers\V0400Vid.sys [2010-1-3 166720]
S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2006-12-2 2805000]
.
=============== Created Last 30 ================
.
2011-04-01 11:01:38 -------- d-----w- c:\windows\system32\Adobe
2011-03-31 18:29:46 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-03-31 17:01:39 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-03-31 16:50:42 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\{2D59E2A1-9CCB-4414-9B00-67019E74C6FD}
2011-03-31 02:12:01 -------- d-----w- C:\!KillBox
2011-03-30 17:43:03 -------- d-----w- c:\docume~1\alluse~1\applic~1\nGb06504oLlKb06504
2011-03-30 13:09:13 -------- d-----w- c:\docume~1\actr\applic~1\Malwarebytes
2011-03-30 13:09:05 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-30 13:09:04 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-03-30 13:09:00 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-30 13:08:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-30 12:54:16 -------- d-----w- c:\program files\CCleaner
2011-03-29 19:47:12 215552 ----a-w- c:\windows\system32\itlpfw32.dll
2011-03-29 15:56:29 0 ----a-w- c:\windows\Qrevocayewidu.bin
2011-03-29 15:54:58 -------- d-----w- c:\docume~1\actr\applic~1\OfferBox
2011-03-03 16:08:19 -------- d-----w- c:\program files\AppsPro
.
==================== Find3M ====================
.
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2006-05-03 09:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30:52 216064 --sh--r- c:\windows\system32\nbDX.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Hitachi_HTS721010G9SA00 rev.MCZOC10H -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8ACB2439]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8acb87d0]; MOV EAX, [0x8acb884c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8ACE7AB8]
3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\0000007f[0x8ACF7F18]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8ACFE940]
\Driver\atapi[0x8AD5A030] -> IRP_MJ_CREATE -> 0x8ACB2439
kernel: MBR read successfully
_asm { MOV AX, 0x0; MOV SS, AX; MOV SP, 0x7c00; MOV DS, AX; CLD ; MOV CX, 0x80; MOV SI, SP; MOV DI, 0x600; MOV ES, AX; REP MOVSD ; JMP FAR 0x0:0x62d; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskHitachi_HTS721010G9SA00_________________MCZOC10H#5&1ff3378c&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8ACB227F
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 11:21:22.64 ===============


Click.GiftLoad: [SBI $89783858] User settings (Registry value, fixed)
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION\svchost.exe


--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2007-03-02 unins000.exe (51.41.0.0)
2009-12-10 unins001.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-11-04 advcheck.dll (1.6.5.20)
2007-04-02 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2011-03-18 Includes\Adware.sbi (*)
2011-03-22 Includes\AdwareC.sbi (*)
2010-08-13 Includes\Cookies.sbi (*)
2010-12-14 Includes\Dialer.sbi (*)
2011-03-08 Includes\DialerC.sbi (*)
2011-02-24 Includes\HeavyDuty.sbi (*)
2011-03-29 Includes\Hijackers.sbi (*)
2011-03-29 Includes\HijackersC.sbi (*)
2010-09-15 Includes\iPhone.sbi (*)
2010-12-14 Includes\Keyloggers.sbi (*)
2011-03-08 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2011-03-29 Includes\Malware.sbi (*)
2011-03-29 Includes\MalwareC.sbi (*)
2011-02-24 Includes\PUPS.sbi (*)
2011-03-15 Includes\PUPSC.sbi (*)
2010-01-25 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2011-03-08 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2011-02-24 Includes\Spyware.sbi (*)
2011-03-15 Includes\SpywareC.sbi (*)
2010-03-08 Includes\Tracks.uti
2010-12-28 Includes\Trojans.sbi (*)
2011-03-25 Includes\TrojansC-02.sbi (*)
2011-03-29 Includes\TrojansC-03.sbi (*)
2011-03-08 Includes\TrojansC-04.sbi (*)
2011-03-29 Includes\TrojansC-05.sbi (*)
2011-03-08 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-06-06 Plugins\TCPIPAddress.dll

Blade81
2011-04-03, 15:43
Hi


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.

Please continue as follows:


Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.


Click Yes to allow ComboFix to continue scanning for malware.


When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

deathtoworms
2011-04-03, 17:36
Thanks so much for your help! Interestingly, I had gotten an email from my ISP on Friday notifying me that my machine may have been infected with a bot; clearly it was. Enclosed are the ComboFix log and the DDS log post-ComboFix:

ComboFix 11-03-31.05 - actr 04/03/2011 10:50:27.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1213 [GMT -4:00]
Running from: c:\documents and settings\actr\Desktop\spyware_stuff\ComboFix.exe
Command switches used :: c:\documents and settings\actr\Desktop\spyware_stuff\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
AV: *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\actr\Application Data\OfferBox
c:\documents and settings\actr\Application Data\OfferBox\config.dat
c:\documents and settings\actr\Application Data\OfferBox\config.xml
c:\windows\system32\AutoRun.inf
c:\windows\system32\itlpfw32.dll
.
.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_6TO4
-------\Legacy_ITLPERF
-------\Service_6to4
-------\Service_itlperf
.
.
((((((((((((((((((((((((( Files Created from 2011-03-03 to 2011-04-03 )))))))))))))))))))))))))))))))
.
.
2011-04-03 14:35 . 2011-04-03 14:35 -------- d-----w- C:\32788R22FWJFW
2011-04-01 15:14 . 2011-04-01 15:15 -------- d-----w- c:\program files\ERUNT
2011-04-01 11:01 . 2011-04-01 11:01 -------- d-----w- c:\windows\system32\Adobe
2011-03-31 18:29 . 2011-03-31 06:48 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-03-31 17:09 . 2011-03-31 17:09 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2011-03-31 17:01 . 2011-03-31 06:48 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-03-31 16:57 . 2011-03-31 16:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2011-03-31 16:50 . 2011-03-31 16:57 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{2D59E2A1-9CCB-4414-9B00-67019E74C6FD}
2011-03-31 02:12 . 2011-03-31 02:13 -------- d-----w- C:\!KillBox
2011-03-30 17:43 . 2011-03-30 17:43 -------- d-----w- c:\documents and settings\All Users\Application Data\nGb06504oLlKb06504
2011-03-30 13:09 . 2011-03-30 13:09 -------- d-----w- c:\documents and settings\actr\Application Data\Malwarebytes
2011-03-30 13:09 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-30 13:09 . 2011-03-30 13:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-03-30 13:09 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-30 13:08 . 2011-03-31 13:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-30 12:54 . 2011-03-30 12:54 -------- d-----w- c:\program files\CCleaner
2011-03-30 03:36 . 2011-03-30 03:37 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-03-29 15:56 . 2011-03-29 15:56 0 ----a-w- c:\windows\Qrevocayewidu.bin
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-09 13:53 . 2004-08-11 23:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-11 23:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58 . 2004-08-11 23:11 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2004-08-11 23:11 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-08-11 23:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2004-08-11 23:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2006-05-03 09:06 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30 216064 --sh--r- c:\windows\system32\nbDX.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-29 395776]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-22 7557120]
"nwiz"="nwiz.exe" [2006-03-22 1519616]
"NVHotkey"="nvHotkey.dll" [2006-03-22 73728]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-19 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 696320]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2006-08-22 184320]
"NvMediaCenter"="NvMCTray.dll" [2006-03-22 86016]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-22 52840]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"vptray"="c:\progra~1\SYMANT~1\\vptray.exe" [2006-12-20 125632]
"V0400Mon.exe"="c:\windows\V0400Mon.exe" [2007-08-23 28672]
"Boingo Wi-Fi"="c:\program files\Boingo\Boingo Wi-Fi\Boingo.lnk" [2011-04-03 2179]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-07-27 22:50 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]
2006-11-21 22:08 813912 ----a-w- c:\program files\Microsoft IntelliType Pro\itype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2006-03-08 17:48 761947 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-12-06 13:54 274608 ----a-w- c:\program files\real\realplayer\Update\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2006-03-30 21:45 313472 ----a-w- c:\program files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\acl80\\allegro-ansi.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Lulu\\Active\\actr6v6\\environment\\Start Environment.exe"=
"c:\\Program Files\\Microsoft Broadband Networking\\MSBNUtil.exe"=
"c:\\Program Files\\Microsoft Broadband Networking\\MSBNTray.exe"=
"c:\\Program Files\\Microsoft Broadband Networking\\MSBNCfg.exe"=
"c:\\Program Files\\Microsoft Broadband Networking\\MSBNUpdate.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Adobe\\Acrobat 7.0\\Acrobat\\Acrobat.exe"=
"c:\\Program Files\\acl62\\allegro-ansi.exe"=
"c:\\Program Files\\acl81\\allegro-ansi.exe"=
"c:\\Program Files\\Unreal Tournament 2004\\System\\UT2004x.exe"=
"c:\\Program Files\\Aptima\\DDD 4.0\\Server\\SimCoreServerGUI.exe"=
"c:\\UT2004\\System\\UCC.exe"=
"c:\\UT2004\\System\\UT2004.exe"=
"c:\\UT2004\\Tools\\WSS-0.5.0\\WSS.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\UltraVNC\\winvnc.exe"=
"c:\\Program Files\\SPSSInc\\PASWStatistics17\\SPSSWinWrapIDE.exe"=
"c:\\Program Files\\SPSSInc\\PASWStatistics17\\paswstat.com"=
"c:\\Program Files\\SPSSInc\\PASWStatistics17\\statistics.exe"=
"c:\\Program Files\\SPSSInc\\PASWStatistics17\\statistics.com"=
"c:\\Program Files\\SPSSInc\\PASWStatistics17\\paswstat.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\MATLAB\\R2009a\\bin\\win32\\MATLAB.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Documents and Settings\\actr\\My Documents\\Gantt\\endeavour-mgmt-1.23\\endeavour-mgmt-1.23\\jre\\bin\\java.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\NetworkActiv AUTAPF 1.1\\NetworkActivAUTAPFv1.1.exe"=
"c:\\Documents and Settings\\actr\\My Documents\\CL Stuff\\OpenCyc\\opencyc-1.0\\server\\cyc\\run\\bin\\opencyc.exe"=
"c:\\Program Files\\PrinterOn Corporation\\PrintWhere 3.5\\pwcCEX.exe"=
"c:\\Program Files\\PrinterOn Corporation\\PrintWhere 3.5\\pwcDDE.exe"=
"c:\\Program Files\\PrinterOn Corporation\\PrintWhere 3.5\\pwcPost.exe"=
"c:\\Program Files\\PrinterOn Corporation\\PrintWhere 3.5\\pwcPrinterSelect.exe"=
"c:\\Program Files\\PrinterOn Corporation\\PrintWhere 3.5\\pwcRoute.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4005:UDP"= 4005:UDP:SBCL/XEmacs
"4005:TCP"= 4005:TCP:SBCL/XEmacs
"1433:TCP"= 1433:TCP:mssql
"1947:TCP"= 1947:TCP:*:Disabled:HASP SRM
"1947:UDP"= 1947:UDP:*:Disabled:HASP SRM
"5900:TCP"= 5900:TCP:VNC
"49300:TCP"= 49300:TCP:*:Disabled:PrintWhere.49300
"49301:TCP"= 49301:TCP:*:Disabled:PrintWhere.49301
"49302:TCP"= 49302:TCP:*:Disabled:PrintWhere.49302
"49303:TCP"= 49303:TCP:*:Disabled:PrintWhere.49303
"49304:TCP"= 49304:TCP:*:Disabled:PrintWhere.49304
"50300:TCP"= 50300:TCP:*:Disabled:PrintWhere.50300
"50301:TCP"= 50301:TCP:*:Disabled:PrintWhere.50301
"50302:TCP"= 50302:TCP:*:Disabled:PrintWhere.50302
"50303:TCP"= 50303:TCP:*:Disabled:PrintWhere.50303
"50304:TCP"= 50304:TCP:*:Disabled:PrintWhere.50304
"48300:TCP"= 48300:TCP:*:Disabled:PrintWhere.48300
"48301:TCP"= 48301:TCP:*:Disabled:PrintWhere.48301
"48302:TCP"= 48302:TCP:*:Disabled:PrintWhere.48302
"48303:TCP"= 48303:TCP:*:Disabled:PrintWhere.48303
"48304:TCP"= 48304:TCP:*:Disabled:PrintWhere.48304
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/31/2011 1:01 PM 64512]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/31/2011 2:48 AM 1405384]
R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [12/16/2008 4:34 PM 6016]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [5/5/2010 7:59 PM 583360]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [7/6/2010 1:44 PM 102448]
S1 PDIDRV;PDIDRV; [x]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [3/31/2011 2:48 AM 15232]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [12/20/2006 2:29 PM 116928]
S3 VF0400Afx;VF0400 Audio FX;c:\windows\system32\drivers\V0400Afx.sys [1/3/2010 7:22 PM 142656]
S3 VF0400Vfx;VF0400 Video FX;c:\windows\system32\drivers\V0400Vfx.sys [1/3/2010 7:22 PM 7424]
S3 VF0400Vid;Live! Cam Notebook Pro (VF0400);c:\windows\system32\drivers\V0400Vid.sys [1/3/2010 7:22 PM 166720]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [12/2/2006 9:17 AM 2805000]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
itlsvc REG_MULTI_SZ itlperf
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{38FD2B13-BFF4-451C-B2F1-24A918732021}]
2008-04-14 00:12 78848 ----a-w- c:\windows\system32\msiexec.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-03 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-03-31 06:48]
.
2011-04-03 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2506267691-1926659138-1469177718-1016.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
.
2011-03-31 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2506267691-1926659138-1469177718-1016.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
.
2011-04-01 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-02-08 21:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage
uInternet Settings,ProxyOverride = <local>
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
Trusted Zone: cnet.com\download
Trusted Zone: mozilla.com\www
Trusted Zone: mozilla.org\www
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
.
- - - - ORPHANS REMOVED - - - -
.
Notify-itlntfy - itlnfw32.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-03 11:08
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3832)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\rundll32.exe
c:\windows\stsystra.exe
c:\progra~1\SYMANT~1\vptray.exe
c:\program files\Boingo\Boingo Wi-Fi\Boingo Wi-Fi.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2011-04-03 11:18:15 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-03 15:18
.
Pre-Run: 6,161,108,992 bytes free
Post-Run: 7,557,468,160 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptOut
[spybotsd]
timeout.old=30
.
- - End Of File - - EC9B3633362B213663E16237306B7477

********************************************************
And now the new dds.log:

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by actr at 11:28:11.01 on Sun 04/03/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1104 [GMT -4:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\SYMANT~1\vptray.exe
C:\WINDOWS\V0400Mon.exe
C:\Program Files\Boingo\Boingo Wi-Fi\Boingo Wi-Fi.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\actr\Desktop\spyware_stuff\dds.com
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe
mRun: [vptray] c:\progra~1\symant~1\\vptray.exe
mRun: [V0400Mon.exe] c:\windows\V0400Mon.exe
mRun: [Boingo Wi-Fi] "c:\program files\boingo\boingo wi-fi\Boingo.lnk"
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
Trusted Zone: cnet.com\download
Trusted Zone: mozilla.com\www
Trusted Zone: mozilla.org\www
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
mASetup: {38FD2B13-BFF4-451C-B2F1-24A918732021} - c:\windows\system32\msiexec.exe /fu {38FD2B13-BFF4-451C-B2F1-24A918732021} /q
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-3-31 64512]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-11-21 192104]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-11-21 169576]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-3-31 1405384]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-12-20 1814720]
R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [2008-12-16 6016]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe [2010-5-5 583360]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-7-6 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110330.003\naveng.sys [2011-3-30 86008]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110330.003\navex15.sys [2011-3-30 1360760]
S1 PDIDRV;PDIDRV; [x]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-3-31 15232]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-12-20 116928]
S3 VF0400Afx;VF0400 Audio FX;c:\windows\system32\drivers\V0400Afx.sys [2010-1-3 142656]
S3 VF0400Vfx;VF0400 Video FX;c:\windows\system32\drivers\V0400Vfx.sys [2010-1-3 7424]
S3 VF0400Vid;Live! Cam Notebook Pro (VF0400);c:\windows\system32\drivers\V0400Vid.sys [2010-1-3 166720]
S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2006-12-2 2805000]
.
=============== Created Last 30 ================
.
2011-04-03 14:37:15 -------- d-sha-r- C:\cmdcons
2011-04-03 14:16:25 98816 ----a-w- c:\windows\sed.exe
2011-04-03 14:16:25 89088 ----a-w- c:\windows\MBR.exe
2011-04-03 14:16:25 256512 ----a-w- c:\windows\PEV.exe
2011-04-03 14:16:25 161792 ----a-w- c:\windows\SWREG.exe
2011-04-01 11:01:38 -------- d-----w- c:\windows\system32\Adobe
2011-03-31 18:29:46 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-03-31 17:01:39 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-03-31 16:50:42 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\{2D59E2A1-9CCB-4414-9B00-67019E74C6FD}
2011-03-31 02:12:01 -------- d-----w- C:\!KillBox
2011-03-30 17:43:03 -------- d-----w- c:\docume~1\alluse~1\applic~1\nGb06504oLlKb06504
2011-03-30 13:09:13 -------- d-----w- c:\docume~1\actr\applic~1\Malwarebytes
2011-03-30 13:09:05 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-30 13:09:04 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-03-30 13:09:00 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-30 13:08:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-30 12:54:16 -------- d-----w- c:\program files\CCleaner
2011-03-29 15:56:29 0 ----a-w- c:\windows\Qrevocayewidu.bin
.
==================== Find3M ====================
.
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2006-05-03 09:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30:52 216064 --sh--r- c:\windows\system32\nbDX.dll
.
============= FINISH: 11:28:38.26 ===============

Blade81
2011-04-03, 18:43
Hi again,

Are you familiar with these firewall port openings:
"4005:UDP"= 4005:UDP:SBCL/XEmacs
"4005:TCP"= 4005:TCP:SBCL/XEmacs
"1433:TCP"= 1433:TCP:mssql
"1947:TCP"= 1947:TCP:*:Disabled:HASP SRM
"1947:UDP"= 1947:UDP:*:Disabled:HASP SRM
"5900:TCP"= 5900:TCP:VNC
"49300:TCP"= 49300:TCP:*:Disabled:PrintWhere.49300
"49301:TCP"= 49301:TCP:*:Disabled:PrintWhere.49301
"49302:TCP"= 49302:TCP:*:Disabled:PrintWhere.49302
"49303:TCP"= 49303:TCP:*:Disabled:PrintWhere.49303
"49304:TCP"= 49304:TCP:*:Disabled:PrintWhere.49304
"50300:TCP"= 50300:TCP:*:Disabled:PrintWhere.50300
"50301:TCP"= 50301:TCP:*:Disabled:PrintWhere.50301
"50302:TCP"= 50302:TCP:*:Disabled:PrintWhere.50302
"50303:TCP"= 50303:TCP:*:Disabled:PrintWhere.50303
"50304:TCP"= 50304:TCP:*:Disabled:PrintWhere.50304
"48300:TCP"= 48300:TCP:*:Disabled:PrintWhere.48300
"48301:TCP"= 48301:TCP:*:Disabled:PrintWhere.48301
"48302:TCP"= 48302:TCP:*:Disabled:PrintWhere.48302
"48303:TCP"= 48303:TCP:*:Disabled:PrintWhere.48303
"48304:TCP"= 48304:TCP:*:Disabled:PrintWhere.48304



Open notepad and copy/paste the text in the quotebox below into it:



DirLook::
c:\documents and settings\All Users\Application Data\nGb06504oLlKb06504
File::
c:\windows\Qrevocayewidu.bin



Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe.
Then post the resultant log.


Adobe Acrobat 7.0 Professional is not supported anymore and should be uninstalled. Same thing with Ad-Aware SE Personal.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:

Download the latest version of Java Runtime Environment (JRE) 6 Update 24 (http://java.sun.com/javase/downloads/index.jsp).
Click the Download button to the right.
Select Windows in the platform combobox and check the box that says: Accept License Agreement. Click Continue.

The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u24-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.


* Go here (http://www.eset.eu/online-scanner) to run an online scanner from ESET.
Note: You will need to use Internet Explorer for this scan.
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the ActiveX control to install.
Click Start
Make sure that the option Remove found threats is not checkmarked.
Click Scan
Wait for the scan to finish.



Post back its report, a fresh dds.txt log and the above-mentioned ComboFix resultant log.
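As an added example, not part of this thread or of the ComboFix/DDS tools, here is a small parser for the GloballyOpenPorts section quoted above that separates the exceptions marked Disabled from the ones that still admit traffic, so a reader can see at a glance which openings need the owner's answer. It assumes that an entry with no explicit scope/state fields (the SBCL/XEmacs, mssql and VNC lines) is an enabled exception open to any address; the sample log lines are constructed from the thread's own entries.

```python
"""Parse the GloballyOpenPorts section of a ComboFix log and list the
firewall exceptions that are still open.  Added example, not part of the
thread or of ComboFix/DDS."""
import re
from typing import Dict, List

# Constructed sample: the section header and a handful of entries in the shape
# the thread's ComboFix log uses, followed by the '.' separator and an unrelated
# service line so the parser has to know where the section ends.
SAMPLE_LOG = """\
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile\\GloballyOpenPorts\\List]
"4005:UDP"= 4005:UDP:SBCL/XEmacs
"4005:TCP"= 4005:TCP:SBCL/XEmacs
"1433:TCP"= 1433:TCP:mssql
"1947:TCP"= 1947:TCP:*:Disabled:HASP SRM
"5900:TCP"= 5900:TCP:VNC
"49300:TCP"= 49300:TCP:*:Disabled:PrintWhere.49300
.
R0 Lbd;Lbd;c:\\windows\\system32\\drivers\\Lbd.sys [3/31/2011 1:01 PM 64512]
"""

# Matches the header for either firewall profile (standard or domain).
SECTION_HEADER = re.compile(
    r"^\[HKLM\\~\\services\\sharedaccess\\.*\\GloballyOpenPorts\\List\]$")
ENTRY = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=\s*(?P<value>.+)$')
STATES = {"Enabled", "Disabled"}


def parse_globally_open_ports(log_text: str) -> List[Dict[str, object]]:
    """Return one dict per exception: port, proto, scope, state, name."""
    entries: List[Dict[str, object]] = []
    in_section = False
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if SECTION_HEADER.match(line):
            in_section = True
            continue
        if not in_section:
            continue
        if line == "." or line.startswith("["):
            in_section = False  # ComboFix separates blocks with a lone '.'
            continue
        m = ENTRY.match(line)
        if not m:
            continue
        fields = m.group("value").split(":")
        rest = fields[2:]  # the value repeats port and protocol first
        if len(rest) >= 3 and rest[1] in STATES:
            scope, state, name = rest[0], rest[1], ":".join(rest[2:])
        else:
            # Assumption: entries without scope/state fields (SBCL/XEmacs,
            # mssql, VNC above) are active exceptions open to any address.
            scope, state, name = "*", "Enabled", ":".join(rest)
        entries.append({
            "port": int(m.group("port")),
            "proto": m.group("proto"),
            "scope": scope,
            "state": state,
            "name": name,
        })
    return entries


def enabled_entries(entries: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Only the exceptions that are not marked Disabled."""
    return [e for e in entries if e["state"] == "Enabled"]


def report(entries: List[Dict[str, object]]) -> List[str]:
    """Human-readable lines for the exceptions that still admit traffic."""
    return [f'{e["port"]}/{e["proto"]} open to {e["scope"]}: {e["name"]}'
            for e in enabled_entries(entries)]


if __name__ == "__main__":
    for line in report(parse_globally_open_ports(SAMPLE_LOG)):
        print(line)
```

Run it against the full ComboFix log saved as a text file to get the list of exceptions that are still live; in this thread that is the SBCL/XEmacs, mssql and VNC entries, while every PrintWhere and HASP SRM line is already Disabled.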

deathtoworms
2011-04-04, 01:11
Blade81,
Regarding the port openings, all are sort of known to me except the HASP SRM, which I've learned is related to Aladdin systems rights management. I inherited this machine over a year ago, so I am not sure what specifically this deals with. The SBCL/XEmacs are a programming/editor pair that talk to each other. mssql I believe is SQL Server related; I've actually uninstalled that now. The VNC I also know about, and actually have uninstalled the related software as well. All of the PrintWhere entries were related to a utility called PrintAnywhere; I used this at a conference quite some time ago to print some documents at the site. I've uninstalled this as well.

I've run your ComboFix script and report the results below. I've also removed Adobe Acrobat, Ad-Aware, and all old Java and installed the latest as you instructed. I had trouble running ESET from Explorer. I would accept the EULA, the window would go blank and sit for a while, then I would get a notice of the original tab being reset due to an error. I would go through the steps again and nothing. I tried installing IE 8, but had the same results. I then installed the latest Firefox and navigated to the site. It downloaded the software locally (since, as you said, it required Explorer) and ran a scan. There were 3 threats found. This log is also included below. Finally I generated a new DDS log. Thank you again for all of your help...

ESET Threats:
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MeMediaAdVantage1.zip Win32/Bagle.gen.zip worm
C:\downloads\media.player.codec.pack.v3.9.6.setup.exe Win32/Adware.Toolbar.Dealio application
C:\downloads\videoediting\setup.exe a variant of Win32/Injector.CIW trojan

*********************************************************
Combofix log:
ComboFix 11-03-31.05 - actr 04/03/2011 13:34:43.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1085 [GMT -4:00]
Running from: c:\documents and settings\actr\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\actr\Desktop\CFScript.txt
AV: *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
FILE ::
"c:\windows\Qrevocayewidu.bin"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\Qrevocayewidu.bin
.
.
((((((((((((((((((((((((( Files Created from 2011-03-03 to 2011-04-03 )))))))))))))))))))))))))))))))
.
.
2011-04-01 15:14 . 2011-04-01 15:15 -------- d-----w- c:\program files\ERUNT
2011-04-01 11:01 . 2011-04-01 11:01 -------- d-----w- c:\windows\system32\Adobe
2011-03-31 18:29 . 2011-03-31 06:48 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-03-31 17:09 . 2011-03-31 17:09 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2011-03-31 17:01 . 2011-03-31 06:48 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-03-31 16:57 . 2011-03-31 16:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2011-03-31 16:50 . 2011-03-31 16:57 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{2D59E2A1-9CCB-4414-9B00-67019E74C6FD}
2011-03-31 02:12 . 2011-03-31 02:13 -------- d-----w- C:\!KillBox
2011-03-30 17:43 . 2011-03-30 17:43 -------- d-----w- c:\documents and settings\All Users\Application Data\nGb06504oLlKb06504
2011-03-30 13:09 . 2011-03-30 13:09 -------- d-----w- c:\documents and settings\actr\Application Data\Malwarebytes
2011-03-30 13:09 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-30 13:09 . 2011-03-30 13:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-03-30 13:09 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-30 13:08 . 2011-03-31 13:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-30 12:54 . 2011-03-30 12:54 -------- d-----w- c:\program files\CCleaner
2011-03-30 03:36 . 2011-03-30 03:37 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-09 13:53 . 2004-08-11 23:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-11 23:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58 . 2004-08-11 23:11 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2004-08-11 23:11 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-08-11 23:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2004-08-11 23:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2006-05-03 09:06 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30 216064 --sh--r- c:\windows\system32\nbDX.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\All Users\Application Data\nGb06504oLlKb06504 ----
.
2011-03-30 17:43 . 2011-03-30 17:43 192 ----a-w- c:\documents and settings\All Users\Application Data\nGb06504oLlKb06504\nGb06504oLlKb06504
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-29 395776]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-22 7557120]
"nwiz"="nwiz.exe" [2006-03-22 1519616]
"NVHotkey"="nvHotkey.dll" [2006-03-22 73728]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-19 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 696320]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2006-08-22 184320]
"NvMediaCenter"="NvMCTray.dll" [2006-03-22 86016]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-22 52840]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"vptray"="c:\progra~1\SYMANT~1\\vptray.exe" [2006-12-20 125632]
"V0400Mon.exe"="c:\windows\V0400Mon.exe" [2007-08-23 28672]
"Boingo Wi-Fi"="c:\program files\Boingo\Boingo Wi-Fi\Boingo.lnk" [2011-04-03 2179]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-07-27 22:50 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]
2006-11-21 22:08 813912 ----a-w- c:\program files\Microsoft IntelliType Pro\itype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2006-03-08 17:48 761947 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-12-06 13:54 274608 ----a-w- c:\program files\real\realplayer\Update\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2006-03-30 21:45 313472 ----a-w- c:\program files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\acl80\\allegro-ansi.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Lulu\\Active\\actr6v6\\environment\\Start Environment.exe"=
"c:\\Program Files\\Microsoft Broadband Networking\\MSBNUtil.exe"=
"c:\\Program Files\\Microsoft Broadband Networking\\MSBNTray.exe"=
"c:\\Program Files\\Microsoft Broadband Networking\\MSBNCfg.exe"=
"c:\\Program Files\\Microsoft Broadband Networking\\MSBNUpdate.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Adobe\\Acrobat 7.0\\Acrobat\\Acrobat.exe"=
"c:\\Program Files\\acl62\\allegro-ansi.exe"=
"c:\\Program Files\\acl81\\allegro-ansi.exe"=
"c:\\Program Files\\Unreal Tournament 2004\\System\\UT2004x.exe"=
"c:\\Program Files\\Aptima\\DDD 4.0\\Server\\SimCoreServerGUI.exe"=
"c:\\UT2004\\System\\UCC.exe"=
"c:\\UT2004\\System\\UT2004.exe"=
"c:\\UT2004\\Tools\\WSS-0.5.0\\WSS.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\UltraVNC\\winvnc.exe"=
"c:\\Program Files\\SPSSInc\\PASWStatistics17\\SPSSWinWrapIDE.exe"=
"c:\\Program Files\\SPSSInc\\PASWStatistics17\\paswstat.com"=
"c:\\Program Files\\SPSSInc\\PASWStatistics17\\statistics.exe"=
"c:\\Program Files\\SPSSInc\\PASWStatistics17\\statistics.com"=
"c:\\Program Files\\SPSSInc\\PASWStatistics17\\paswstat.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\MATLAB\\R2009a\\bin\\win32\\MATLAB.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Documents and Settings\\actr\\My Documents\\Gantt\\endeavour-mgmt-1.23\\endeavour-mgmt-1.23\\jre\\bin\\java.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\NetworkActiv AUTAPF 1.1\\NetworkActivAUTAPFv1.1.exe"=
"c:\\Documents and Settings\\actr\\My Documents\\CL Stuff\\OpenCyc\\opencyc-1.0\\server\\cyc\\run\\bin\\opencyc.exe"=
"c:\\Program Files\\PrinterOn Corporation\\PrintWhere 3.5\\pwcCEX.exe"=
"c:\\Program Files\\PrinterOn Corporation\\PrintWhere 3.5\\pwcDDE.exe"=
"c:\\Program Files\\PrinterOn Corporation\\PrintWhere 3.5\\pwcPost.exe"=
"c:\\Program Files\\PrinterOn Corporation\\PrintWhere 3.5\\pwcPrinterSelect.exe"=
"c:\\Program Files\\PrinterOn Corporation\\PrintWhere 3.5\\pwcRoute.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4005:UDP"= 4005:UDP:SBCL/XEmacs
"4005:TCP"= 4005:TCP:SBCL/XEmacs
"1433:TCP"= 1433:TCP:mssql
"1947:TCP"= 1947:TCP:*:Disabled:HASP SRM
"1947:UDP"= 1947:UDP:*:Disabled:HASP SRM
"5900:TCP"= 5900:TCP:VNC
"49300:TCP"= 49300:TCP:*:Disabled:PrintWhere.49300
"49301:TCP"= 49301:TCP:*:Disabled:PrintWhere.49301
"49302:TCP"= 49302:TCP:*:Disabled:PrintWhere.49302
"49303:TCP"= 49303:TCP:*:Disabled:PrintWhere.49303
"49304:TCP"= 49304:TCP:*:Disabled:PrintWhere.49304
"50300:TCP"= 50300:TCP:*:Disabled:PrintWhere.50300
"50301:TCP"= 50301:TCP:*:Disabled:PrintWhere.50301
"50302:TCP"= 50302:TCP:*:Disabled:PrintWhere.50302
"50303:TCP"= 50303:TCP:*:Disabled:PrintWhere.50303
"50304:TCP"= 50304:TCP:*:Disabled:PrintWhere.50304
"48300:TCP"= 48300:TCP:*:Disabled:PrintWhere.48300
"48301:TCP"= 48301:TCP:*:Disabled:PrintWhere.48301
"48302:TCP"= 48302:TCP:*:Disabled:PrintWhere.48302
"48303:TCP"= 48303:TCP:*:Disabled:PrintWhere.48303
"48304:TCP"= 48304:TCP:*:Disabled:PrintWhere.48304
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/31/2011 1:01 PM 64512]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/31/2011 2:48 AM 1405384]
R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [12/16/2008 4:34 PM 6016]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [5/5/2010 7:59 PM 583360]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [7/6/2010 1:44 PM 102448]
S1 PDIDRV;PDIDRV; [x]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [3/31/2011 2:48 AM 15232]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [12/20/2006 2:29 PM 116928]
S3 VF0400Afx;VF0400 Audio FX;c:\windows\system32\drivers\V0400Afx.sys [1/3/2010 7:22 PM 142656]
S3 VF0400Vfx;VF0400 Video FX;c:\windows\system32\drivers\V0400Vfx.sys [1/3/2010 7:22 PM 7424]
S3 VF0400Vid;Live! Cam Notebook Pro (VF0400);c:\windows\system32\drivers\V0400Vid.sys [1/3/2010 7:22 PM 166720]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [12/2/2006 9:17 AM 2805000]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
itlsvc REG_MULTI_SZ itlperf
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{38FD2B13-BFF4-451C-B2F1-24A918732021}]
2008-04-14 00:12 78848 ----a-w- c:\windows\system32\msiexec.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-03 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-03-31 06:48]
.
2011-04-03 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2506267691-1926659138-1469177718-1016.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
.
2011-03-31 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2506267691-1926659138-1469177718-1016.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
.
2011-04-03 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-02-08 21:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage
uInternet Settings,ProxyOverride = <local>
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
Trusted Zone: cnet.com\download
Trusted Zone: mozilla.com\www
Trusted Zone: mozilla.org\www
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-03 13:45
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2011-04-03 13:48:00
ComboFix-quarantined-files.txt 2011-04-03 17:47
.
Pre-Run: 7,526,055,936 bytes free
Post-Run: 7,493,120,000 bytes free
.
- - End Of File - - 2A39569B6E8F87D8F39012FFD78C50E6

*********************************************************
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by actr at 19:01:01.17 on Sun 04/03/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1179 [GMT -4:00]
.
AV: *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\SYMANT~1\vptray.exe
C:\WINDOWS\V0400Mon.exe
C:\Program Files\Boingo\Boingo Wi-Fi\Boingo Wi-Fi.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ESET\ESET Online Scanner\OnlineScannerApp.exe
C:\Documents and Settings\actr\Desktop\spyware_stuff\dds.com
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage
uInternet Settings,ProxyOverride = <local>
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe
mRun: [vptray] c:\progra~1\symant~1\\vptray.exe
mRun: [V0400Mon.exe] c:\windows\V0400Mon.exe
mRun: [Boingo Wi-Fi] "c:\program files\boingo\boingo wi-fi\Boingo.lnk"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
Trusted Zone: cnet.com\download
Trusted Zone: eset.eu\www
Trusted Zone: mozilla.com\www
Trusted Zone: mozilla.org\www
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
mASetup: {38FD2B13-BFF4-451C-B2F1-24A918732021} - c:\windows\system32\msiexec.exe /fu {38FD2B13-BFF4-451C-B2F1-24A918732021} /q
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\actr\applic~1\mozilla\firefox\profiles\5skk9u2r.default\
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60129.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-11-21 192104]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-11-21 169576]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-12-20 1814720]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe [2010-5-5 583360]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-7-6 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110330.003\naveng.sys [2011-3-30 86008]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110330.003\navex15.sys [2011-3-30 1360760]
S1 PDIDRV;PDIDRV; [x]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\lavasoft\ad-aware\kernexplorer.sys --> c:\program files\lavasoft\ad-aware\KernExplorer.sys [?]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-12-20 116928]
S3 VF0400Afx;VF0400 Audio FX;c:\windows\system32\drivers\V0400Afx.sys [2010-1-3 142656]
S3 VF0400Vfx;VF0400 Video FX;c:\windows\system32\drivers\V0400Vfx.sys [2010-1-3 7424]
S3 VF0400Vid;Live! Cam Notebook Pro (VF0400);c:\windows\system32\drivers\V0400Vid.sys [2010-1-3 166720]
S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2006-12-2 2805000]
.
=============== Created Last 30 ================
.
2011-04-03 20:01:37 -------- d-----w- c:\program files\ESET
2011-04-03 19:56:55 -------- d-sh--w- c:\documents and settings\actr\IECompatCache
2011-04-03 19:48:52 -------- dc-h--w- c:\windows\ie8
2011-04-03 19:13:54 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-04-03 18:13:09 -------- d-----w- c:\docume~1\alluse~1\applic~1\PrinterOn Corporation
2011-04-03 14:37:15 -------- d-sha-r- C:\cmdcons
2011-04-03 14:16:25 98816 ----a-w- c:\windows\sed.exe
2011-04-03 14:16:25 89088 ----a-w- c:\windows\MBR.exe
2011-04-03 14:16:25 256512 ----a-w- c:\windows\PEV.exe
2011-04-03 14:16:25 161792 ----a-w- c:\windows\SWREG.exe
2011-04-01 11:01:38 -------- d-----w- c:\windows\system32\Adobe
2011-03-31 02:12:01 -------- d-----w- C:\!KillBox
2011-03-30 17:43:03 -------- d-----w- c:\docume~1\alluse~1\applic~1\nGb06504oLlKb06504
2011-03-30 13:09:13 -------- d-----w- c:\docume~1\actr\applic~1\Malwarebytes
2011-03-30 13:09:05 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-30 13:09:04 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-03-30 13:09:00 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-30 13:08:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-30 12:54:16 -------- d-----w- c:\program files\CCleaner
.
==================== Find3M ====================
.
2011-04-03 19:13:35 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2006-05-03 09:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30:52 216064 --sh--r- c:\windows\system32\nbDX.dll
.
============= FINISH: 19:02:09.17 ===============

Blade81
2011-04-04, 15:08
Hi again,


Open notepad and copy/paste the text in the quotebox below into it:



Folder::
c:\documents and settings\All Users\Application Data\nGb06504oLlKb06504
File::
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MeMediaAdVantage1.zip
C:\downloads\media.player.codec.pack.v3.9.6.setup.exe
C:\downloads\videoediting\setup.exe
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4005:UDP"=-
"4005:TCP"=-
"1433:TCP"=-
"1947:TCP"=-
"1947:UDP"=-
"5900:TCP"=-
"49300:TCP"=-
"49301:TCP"=-
"49302:TCP"=-
"49303:TCP"=-
"49304:TCP"=-
"50300:TCP"=-
"50301:TCP"=-
"50302:TCP"=-
"50303:TCP"=-
"50304:TCP"=-
"48300:TCP"=-
"48301:TCP"=-
"48302:TCP"=-
"48303:TCP"=-
"48304:TCP"=-
DDS::
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File



Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log. How's the system running?
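As an added illustration (not part of this thread, and not code from ComboFix or its author sUBs), here is a small Python parser for the CFScript directive format used in the post above. It reads the `Folder::`, `File::`, `Registry::` and `DDS::` sections, and for the `Registry::` block it collects the key in square brackets and the `"name"=-` lines under it, which I take to be ComboFix's notation for "delete this value". The sample script embedded in the block is the one from the post; the set of recognised section names, and the helper that lists the firewall exceptions being removed, are my assumptions about the format, not a specification of ComboFix.

```python
"""Parser for the CFScript directive format (Folder::/File::/Registry::/DDS::).

Added example only: not part of the original forum thread and not ComboFix's
own code.  The section names below are the ones used in the post; ComboFix
accepts others, which this parser deliberately does not know about.
"""
import re
from dataclasses import dataclass, field

# Section headers this parser understands (assumption: only these four).
SECTIONS = ("Folder::", "File::", "Registry::", "DDS::")

# ComboFix writes the firewall exception list with a "~" shorthand for
# SYSTEM\CurrentControlSet (assumption, based on the key in the post).
FIREWALL_LIST = (r"HKLM\~\services\sharedaccess\parameters\firewallpolicy"
                 r"\standardprofile\GloballyOpenPorts\List")

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")        # [HKLM\...\Key]
_VAL_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')  # "name"=data


@dataclass
class Plan:
    """Actions a CFScript asks ComboFix to take."""
    folders: list = field(default_factory=list)
    files: list = field(default_factory=list)
    registry: dict = field(default_factory=dict)   # key -> [(value, data), ...]
    dds: list = field(default_factory=list)


def parse_cfscript(text: str) -> Plan:
    """Parse CFScript text into a Plan; raise on lines that fit no section."""
    plan = Plan()
    section = None
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            section, current_key = line, None
            continue
        if section == "Folder::":
            plan.folders.append(line)
        elif section == "File::":
            plan.files.append(line)
        elif section == "Registry::":
            m = _KEY_RE.match(line)
            if m:
                current_key = m.group("key")
                plan.registry.setdefault(current_key, [])
                continue
            m = _VAL_RE.match(line)
            if m and current_key is not None:
                plan.registry[current_key].append((m.group("name"), m.group("data")))
            else:
                raise ValueError(f"unparsed Registry:: line: {line!r}")
        elif section == "DDS::":
            plan.dds.append(line)
        else:
            raise ValueError(f"line outside any section: {line!r}")
    return plan


def ports_to_close(plan: Plan, key: str = FIREWALL_LIST) -> list:
    """Return sorted (port, proto) pairs whose GloballyOpenPorts value is
    deleted ("=-") under `key`, i.e. firewall exceptions being removed."""
    closing = []
    for name, data in plan.registry.get(key, []):
        if data != "-":
            continue                      # not a deletion, leave it alone
        port, proto = name.split(":", 1)  # values are written "PORT:PROTO"
        closing.append((int(port), proto))
    return sorted(closing)


# The script from the post, embedded so the example runs offline.
SAMPLE_CFSCRIPT = r"""
Folder::
c:\documents and settings\All Users\Application Data\nGb06504oLlKb06504
File::
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MeMediaAdVantage1.zip
C:\downloads\media.player.codec.pack.v3.9.6.setup.exe
C:\downloads\videoediting\setup.exe
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4005:UDP"=-
"4005:TCP"=-
"1433:TCP"=-
"1947:TCP"=-
"1947:UDP"=-
"5900:TCP"=-
"49300:TCP"=-
"49301:TCP"=-
"49302:TCP"=-
"49303:TCP"=-
"49304:TCP"=-
"50300:TCP"=-
"50301:TCP"=-
"50302:TCP"=-
"50303:TCP"=-
"50304:TCP"=-
"48300:TCP"=-
"48301:TCP"=-
"48302:TCP"=-
"48303:TCP"=-
"48304:TCP"=-
DDS::
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
"""

if __name__ == "__main__":
    plan = parse_cfscript(SAMPLE_CFSCRIPT)
    print("folders:", plan.folders)
    print("files:", plan.files)
    print("firewall exceptions to remove:", ports_to_close(plan))
    print("DDS entries:", plan.dds)
```

Running this on the posted script prints the single folder, the three files, the twenty-one firewall exceptions being withdrawn (including 1433/TCP and 5900/TCP, ports a home laptop normally has no reason to expose), and the one orphaned toolbar entry. Reviewing a script this way before dragging it onto ComboFix is a cheap sanity check, since the tool acts on every line without confirmation.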

deathtoworms
2011-04-04, 15:50
Computer running much better now, and I can actually get to Windows Update which is nice. I really can't believe how bad this infection was. I'm actually very anal about security, and I am still not sure how this happened, but obviously I was not careful enough. Do you have any suggestions toward locking down my computer? Anyway, below is the latest Combofix log. And thanks again for all of your help thus far...

ComboFix 11-03-31.05 - actr 04/04/2011 9:21.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1312 [GMT -4:00]
Running from: c:\documents and settings\actr\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\actr\Desktop\CFScript.txt
AV: *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
FILE ::
"c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MeMediaAdVantage1.zip"
"c:\downloads\media.player.codec.pack.v3.9.6.setup.exe"
"c:\downloads\videoediting\setup.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\nGb06504oLlKb06504
c:\documents and settings\All Users\Application Data\nGb06504oLlKb06504\nGb06504oLlKb06504
c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MeMediaAdVantage1.zip
c:\downloads\media.player.codec.pack.v3.9.6.setup.exe
c:\downloads\videoediting\setup.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-03-04 to 2011-04-04 )))))))))))))))))))))))))))))))
.
.
2011-04-03 20:01 . 2011-04-03 20:01 -------- d-----w- c:\program files\ESET
2011-04-03 19:56 . 2011-04-03 19:56 -------- d-sh--w- c:\documents and settings\actr\IECompatCache
2011-04-03 19:48 . 2011-04-03 19:50 -------- dc-h--w- c:\windows\ie8
2011-04-03 19:14 . 2011-04-03 19:14 -------- d-----w- c:\program files\Common Files\Java
2011-04-03 19:13 . 2011-04-03 19:13 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-04-03 18:13 . 2011-04-03 18:14 -------- d-----w- c:\documents and settings\All Users\Application Data\PrinterOn Corporation
2011-04-01 15:14 . 2011-04-01 15:15 -------- d-----w- c:\program files\ERUNT
2011-04-01 11:01 . 2011-04-01 11:01 -------- d-----w- c:\windows\system32\Adobe
2011-03-31 17:09 . 2011-03-31 17:09 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2011-03-31 16:57 . 2011-04-03 18:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2011-03-31 02:12 . 2011-03-31 02:13 -------- d-----w- C:\!KillBox
2011-03-30 13:09 . 2011-03-30 13:09 -------- d-----w- c:\documents and settings\actr\Application Data\Malwarebytes
2011-03-30 13:09 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-30 13:09 . 2011-03-30 13:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-03-30 13:09 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-30 13:08 . 2011-03-31 13:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-30 12:54 . 2011-03-30 12:54 -------- d-----w- c:\program files\CCleaner
2011-03-30 03:36 . 2011-03-30 03:37 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-03 19:13 . 2010-05-10 23:34 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-09 13:53 . 2004-08-11 23:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-11 23:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58 . 2004-08-11 23:11 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2004-08-11 23:11 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-08-11 23:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2004-08-11 23:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2011-03-18 17:53 . 2011-04-03 19:59 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2006-05-03 09:06 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30 216064 --sh--r- c:\windows\system32\nbDX.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-04-03_17.45.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-04-03 19:53 . 2011-04-03 19:53 16384 c:\windows\Temp\Perflib_Perfdata_148.dat
- 2007-02-26 21:56 . 2009-01-07 23:21 26144 c:\windows\system32\spupdsvc.exe
+ 2007-02-26 21:56 . 2009-01-07 22:21 26144 c:\windows\system32\spupdsvc.exe
- 2007-03-02 21:52 . 2009-01-07 23:20 16928 c:\windows\system32\spmsg.dll
+ 2007-03-02 21:52 . 2009-01-07 22:20 16928 c:\windows\system32\spmsg.dll
- 2004-08-11 23:00 . 2009-03-08 09:31 46592 c:\windows\system32\pngfilt.dll
+ 2004-08-11 23:00 . 2009-03-08 08:31 46592 c:\windows\system32\pngfilt.dll
+ 2004-08-11 23:00 . 2011-04-03 18:40 80718 c:\windows\system32\perfc009.dat
- 2006-06-29 13:05 . 2009-01-07 23:20 23552 c:\windows\system32\normaliz.dll
+ 2006-06-29 13:05 . 2009-01-07 22:20 23552 c:\windows\system32\normaliz.dll
- 2006-06-28 22:59 . 2009-01-07 23:20 24576 c:\windows\system32\nlsdl.dll
+ 2006-06-28 22:59 . 2009-01-07 22:20 24576 c:\windows\system32\nlsdl.dll
+ 2004-08-11 23:00 . 2009-03-08 08:31 48128 c:\windows\system32\mshtmler.dll
- 2004-08-11 23:00 . 2009-03-08 09:31 48128 c:\windows\system32\mshtmler.dll
- 2004-08-11 23:00 . 2010-12-20 23:59 66560 c:\windows\system32\mshtmled.dll
+ 2004-08-11 23:00 . 2009-03-08 08:31 66560 c:\windows\system32\mshtmled.dll
+ 2004-08-11 23:00 . 2009-03-08 08:31 45568 c:\windows\system32\mshta.exe
- 2004-08-11 23:00 . 2009-03-08 09:31 45568 c:\windows\system32\mshta.exe
+ 2006-10-17 16:58 . 2009-03-08 08:31 13312 c:\windows\system32\msfeedssync.exe
- 2006-10-17 16:58 . 2009-03-08 09:31 13312 c:\windows\system32\msfeedssync.exe
+ 2006-11-08 02:03 . 2009-03-08 08:31 55296 c:\windows\system32\msfeedsbs.dll
- 2006-11-08 02:03 . 2010-12-20 23:59 55296 c:\windows\system32\msfeedsbs.dll
+ 2004-08-11 23:00 . 2009-03-08 08:34 43008 c:\windows\system32\licmgr10.dll
+ 2004-08-11 23:00 . 2009-03-08 08:33 25600 c:\windows\system32\jsproxy.dll
- 2004-08-11 23:00 . 2010-12-20 23:59 25600 c:\windows\system32\jsproxy.dll
+ 2004-08-11 23:00 . 2009-03-08 08:32 94720 c:\windows\system32\inseng.dll
- 2004-08-11 23:00 . 2009-03-08 09:32 94720 c:\windows\system32\inseng.dll
- 2004-08-11 23:00 . 2009-03-08 09:31 34816 c:\windows\system32\imgutil.dll
+ 2004-08-11 23:00 . 2009-03-08 08:31 34816 c:\windows\system32\imgutil.dll
+ 2006-11-07 08:26 . 2009-03-08 08:32 36864 c:\windows\system32\ieudinit.exe
- 2006-11-07 08:26 . 2009-03-08 09:32 36864 c:\windows\system32\ieudinit.exe
+ 2004-08-11 23:00 . 2009-03-08 08:32 71680 c:\windows\system32\iesetup.dll
- 2004-08-11 23:00 . 2009-03-08 09:32 71680 c:\windows\system32\iesetup.dll
- 2004-08-11 23:00 . 2009-03-08 09:32 55808 c:\windows\system32\iernonce.dll
+ 2004-08-11 23:00 . 2009-03-08 08:32 55808 c:\windows\system32\iernonce.dll
+ 2006-06-29 13:05 . 2009-01-07 22:20 26112 c:\windows\system32\idndl.dll
- 2006-06-29 13:05 . 2009-01-07 23:20 26112 c:\windows\system32\idndl.dll
+ 2006-10-17 16:58 . 2009-03-08 08:31 59904 c:\windows\system32\icardie.dll
- 2006-10-17 16:58 . 2009-03-08 09:31 59904 c:\windows\system32\icardie.dll
- 2007-02-26 21:47 . 2009-03-08 09:31 46592 c:\windows\system32\dllcache\pngfilt.dll
+ 2007-02-26 21:47 . 2009-03-08 08:31 46592 c:\windows\system32\dllcache\pngfilt.dll
- 2006-10-17 16:28 . 2009-03-08 09:31 48128 c:\windows\system32\dllcache\mshtmler.dll
+ 2006-10-17 16:28 . 2009-03-08 08:31 48128 c:\windows\system32\dllcache\mshtmler.dll
- 2007-02-26 21:47 . 2010-12-20 23:59 66560 c:\windows\system32\dllcache\mshtmled.dll
+ 2007-02-26 21:47 . 2009-03-08 08:31 66560 c:\windows\system32\dllcache\mshtmled.dll
+ 2006-10-17 16:56 . 2009-03-08 08:31 45568 c:\windows\system32\dllcache\mshta.exe
- 2006-10-17 16:56 . 2009-03-08 09:31 45568 c:\windows\system32\dllcache\mshta.exe
+ 2007-05-13 21:25 . 2009-03-08 08:31 55296 c:\windows\system32\dllcache\msfeedsbs.dll
- 2007-05-13 21:25 . 2010-12-20 23:59 55296 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2006-10-17 17:05 . 2009-03-08 08:34 43008 c:\windows\system32\dllcache\licmgr10.dll
+ 2007-02-26 21:47 . 2009-03-08 08:33 25600 c:\windows\system32\dllcache\jsproxy.dll
- 2007-02-26 21:47 . 2010-12-20 23:59 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2007-02-26 21:47 . 2009-03-08 08:32 94720 c:\windows\system32\dllcache\inseng.dll
- 2007-02-26 21:47 . 2009-03-08 09:32 94720 c:\windows\system32\dllcache\inseng.dll
+ 2006-10-17 16:57 . 2009-03-08 08:31 34816 c:\windows\system32\dllcache\imgutil.dll
- 2006-10-17 16:57 . 2009-03-08 09:31 34816 c:\windows\system32\dllcache\imgutil.dll
- 2006-11-07 08:26 . 2009-03-08 09:32 71680 c:\windows\system32\dllcache\iesetup.dll
+ 2006-11-07 08:26 . 2009-03-08 08:32 71680 c:\windows\system32\dllcache\iesetup.dll
+ 2006-11-07 08:26 . 2009-03-08 08:32 55808 c:\windows\system32\dllcache\iernonce.dll
- 2006-11-07 08:26 . 2009-03-08 09:32 55808 c:\windows\system32\dllcache\iernonce.dll
+ 2007-08-20 10:04 . 2009-03-08 08:31 59904 c:\windows\system32\dllcache\icardie.dll
- 2007-08-20 10:04 . 2009-03-08 09:31 59904 c:\windows\system32\dllcache\icardie.dll
- 2006-10-17 16:44 . 2009-03-08 09:24 68608 c:\windows\system32\dllcache\hmmapi.dll
+ 2006-10-17 16:44 . 2009-03-08 08:24 68608 c:\windows\system32\dllcache\hmmapi.dll
- 2009-03-08 09:33 . 2009-03-08 09:33 18944 c:\windows\system32\dllcache\corpol.dll
+ 2009-03-08 08:33 . 2009-03-08 08:33 18944 c:\windows\system32\dllcache\corpol.dll
- 2006-11-07 08:26 . 2009-03-08 09:32 72704 c:\windows\system32\dllcache\admparse.dll
+ 2006-11-07 08:26 . 2009-03-08 08:32 72704 c:\windows\system32\dllcache\admparse.dll
- 2004-08-11 23:00 . 2009-03-08 09:33 18944 c:\windows\system32\corpol.dll
+ 2004-08-11 23:00 . 2009-03-08 08:33 18944 c:\windows\system32\corpol.dll
+ 2007-03-02 20:41 . 2011-04-03 19:53 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-03-02 20:41 . 2011-04-03 15:08 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-03-02 20:41 . 2011-04-03 15:08 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-03-02 20:41 . 2011-04-03 19:53 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-03-02 20:41 . 2011-04-03 19:53 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2007-03-02 20:41 . 2011-04-03 15:08 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2004-08-11 23:00 . 2009-03-08 09:32 72704 c:\windows\system32\admparse.dll
+ 2004-08-11 23:00 . 2009-03-08 08:32 72704 c:\windows\system32\admparse.dll
+ 2011-04-03 19:50 . 2009-03-08 18:23 58464 c:\windows\ie8\spuninst\iecustom.dll
- 2009-11-11 17:01 . 2009-03-08 19:23 58464 c:\windows\ie8\spuninst\iecustom.dll
+ 2011-04-03 19:48 . 2008-12-20 23:15 44544 c:\windows\ie8\pngfilt.dll
- 2009-11-11 17:00 . 2008-12-20 23:15 44544 c:\windows\ie8\pngfilt.dll
- 2009-11-11 17:00 . 2006-10-17 16:28 48128 c:\windows\ie8\mshtmler.dll
+ 2011-04-03 19:48 . 2006-10-17 16:28 48128 c:\windows\ie8\mshtmler.dll
+ 2011-04-03 19:48 . 2006-10-17 16:56 45568 c:\windows\ie8\mshta.exe
- 2009-11-11 17:00 . 2006-10-17 16:56 45568 c:\windows\ie8\mshta.exe
- 2009-11-11 17:00 . 2006-10-17 16:58 12288 c:\windows\ie8\msfeedssync.exe
+ 2011-04-03 19:48 . 2006-10-17 16:58 12288 c:\windows\ie8\msfeedssync.exe
- 2009-11-11 17:00 . 2008-12-20 23:15 52224 c:\windows\ie8\msfeedsbs.dll
+ 2011-04-03 19:48 . 2008-12-20 23:15 52224 c:\windows\ie8\msfeedsbs.dll
- 2009-11-11 17:00 . 2006-10-17 17:05 40960 c:\windows\ie8\licmgr10.dll
+ 2011-04-03 19:48 . 2006-10-17 17:05 40960 c:\windows\ie8\licmgr10.dll
+ 2011-04-03 19:48 . 2008-12-20 23:15 27648 c:\windows\ie8\jsproxy.dll
- 2009-11-11 17:00 . 2008-12-20 23:15 27648 c:\windows\ie8\jsproxy.dll
- 2009-11-11 17:00 . 2006-11-07 08:26 92672 c:\windows\ie8\inseng.dll
+ 2011-04-03 19:48 . 2006-11-07 08:26 92672 c:\windows\ie8\inseng.dll
+ 2011-04-03 19:48 . 2006-10-17 16:57 36352 c:\windows\ie8\imgutil.dll
- 2009-11-11 17:00 . 2006-10-17 16:57 36352 c:\windows\ie8\imgutil.dll
+ 2011-04-03 19:48 . 2006-11-07 08:26 55296 c:\windows\ie8\iesetup.dll
- 2009-11-11 17:00 . 2006-11-07 08:26 55296 c:\windows\ie8\iesetup.dll
+ 2011-04-03 19:48 . 2008-12-20 23:15 44544 c:\windows\ie8\iernonce.dll
- 2009-11-11 17:00 . 2008-12-20 23:15 44544 c:\windows\ie8\iernonce.dll
+ 2011-04-03 19:48 . 2009-08-29 07:36 78336 c:\windows\ie8\ieencode.dll
+ 2011-04-03 19:48 . 2008-12-19 09:10 70656 c:\windows\ie8\ie4uinit.exe
- 2009-11-11 17:00 . 2008-12-19 09:10 70656 c:\windows\ie8\ie4uinit.exe
- 2009-11-11 17:00 . 2008-12-20 23:15 63488 c:\windows\ie8\icardie.dll
+ 2011-04-03 19:48 . 2008-12-20 23:15 63488 c:\windows\ie8\icardie.dll
+ 2011-04-03 19:48 . 2006-10-17 16:44 60416 c:\windows\ie8\hmmapi.dll
- 2009-11-11 17:00 . 2006-10-17 16:44 60416 c:\windows\ie8\hmmapi.dll
- 2009-11-11 17:00 . 2008-04-14 00:11 35328 c:\windows\ie8\corpol.dll
+ 2011-04-03 19:48 . 2008-04-14 00:11 35328 c:\windows\ie8\corpol.dll
- 2009-11-11 17:00 . 2006-11-07 08:26 71680 c:\windows\ie8\admparse.dll
+ 2011-04-03 19:48 . 2006-11-07 08:26 71680 c:\windows\ie8\admparse.dll
- 2007-03-02 21:53 . 2009-01-07 23:21 121856 c:\windows\system32\xmllite.dll
+ 2007-03-02 21:53 . 2009-01-07 22:21 121856 c:\windows\system32\xmllite.dll
+ 2004-08-11 23:00 . 2009-03-08 08:34 914944 c:\windows\system32\wininet.dll
+ 2006-10-17 17:05 . 2009-03-08 08:34 208384 c:\windows\system32\WinFXDocObj.exe
- 2006-10-17 17:05 . 2009-03-08 09:34 208384 c:\windows\system32\WinFXDocObj.exe
- 2004-08-11 23:00 . 2009-03-08 09:34 236544 c:\windows\system32\webcheck.dll
+ 2004-08-11 23:00 . 2009-03-08 08:34 236544 c:\windows\system32\webcheck.dll
+ 2004-08-11 23:00 . 2009-03-08 08:33 420352 c:\windows\system32\vbscript.dll
- 2004-08-11 23:00 . 2010-03-10 06:15 420352 c:\windows\system32\vbscript.dll
- 2004-08-11 23:00 . 2009-03-08 09:34 105984 c:\windows\system32\url.dll
+ 2004-08-11 23:00 . 2009-03-08 08:34 105984 c:\windows\system32\url.dll
+ 2004-08-11 23:00 . 2011-04-03 18:40 467668 c:\windows\system32\perfh009.dat
+ 2004-08-11 23:00 . 2009-03-08 08:34 109568 c:\windows\system32\occache.dll
+ 2004-08-11 23:00 . 2009-03-08 08:32 611840 c:\windows\system32\mstime.dll
- 2004-08-11 23:00 . 2010-12-20 23:59 611840 c:\windows\system32\mstime.dll
+ 2004-08-11 23:00 . 2009-03-08 08:34 193536 c:\windows\system32\msrating.dll
- 2004-08-11 23:00 . 2009-03-08 09:34 193536 c:\windows\system32\msrating.dll
+ 2004-08-11 23:00 . 2009-03-08 08:22 156160 c:\windows\system32\msls31.dll
- 2004-08-11 23:00 . 2009-03-08 09:22 156160 c:\windows\system32\msls31.dll
+ 2006-11-08 02:03 . 2009-03-08 08:32 594432 c:\windows\system32\msfeeds.dll
- 2009-01-07 23:20 . 2009-01-07 23:20 265720 c:\windows\system32\msdbg2.dll
+ 2009-01-07 23:20 . 2009-01-07 22:20 265720 c:\windows\system32\msdbg2.dll
- 2004-08-11 23:00 . 2009-12-09 05:53 726528 c:\windows\system32\jscript.dll
+ 2004-08-11 23:00 . 2009-03-08 08:33 726528 c:\windows\system32\jscript.dll
+ 2011-04-03 19:13 . 2011-04-03 19:13 157472 c:\windows\system32\javaws.exe
+ 2011-04-03 19:13 . 2011-04-03 19:13 145184 c:\windows\system32\javaw.exe
- 2010-05-10 23:34 . 2010-04-12 21:29 145184 c:\windows\system32\javaw.exe
- 2010-05-10 23:34 . 2010-04-12 21:29 145184 c:\windows\system32\java.exe
+ 2011-04-03 19:13 . 2011-04-03 19:13 145184 c:\windows\system32\java.exe
- 2006-11-08 02:03 . 2009-03-08 09:22 164352 c:\windows\system32\ieui.dll
+ 2006-11-08 02:03 . 2009-03-08 08:22 164352 c:\windows\system32\ieui.dll
+ 2004-08-11 23:00 . 2009-03-08 08:31 183808 c:\windows\system32\iepeers.dll
+ 2004-08-11 23:00 . 2009-03-08 18:09 391536 c:\windows\system32\iedkcs32.dll
- 2006-10-17 16:27 . 2009-03-08 09:11 445952 c:\windows\system32\ieapfltr.dll
+ 2006-10-17 16:27 . 2009-03-08 08:11 445952 c:\windows\system32\ieapfltr.dll
- 2004-08-11 23:00 . 2009-03-08 09:32 163840 c:\windows\system32\ieakui.dll
+ 2004-08-11 23:00 . 2009-03-08 08:32 163840 c:\windows\system32\ieakui.dll
+ 2004-08-11 23:00 . 2009-03-08 08:33 229376 c:\windows\system32\ieaksie.dll
- 2004-08-11 23:00 . 2009-03-08 09:33 229376 c:\windows\system32\ieaksie.dll
- 2004-08-11 23:00 . 2009-03-08 09:33 125952 c:\windows\system32\ieakeng.dll
+ 2004-08-11 23:00 . 2009-03-08 08:33 125952 c:\windows\system32\ieakeng.dll
+ 2004-08-11 23:00 . 2009-03-08 08:32 173056 c:\windows\system32\ie4uinit.exe
+ 2004-08-11 23:06 . 2011-04-03 18:19 299640 c:\windows\system32\FNTCACHE.DAT
+ 2004-08-11 23:00 . 2009-03-08 08:31 216064 c:\windows\system32\dxtrans.dll
- 2004-08-11 23:00 . 2009-03-08 09:31 216064 c:\windows\system32\dxtrans.dll
- 2004-08-11 23:00 . 2009-03-08 09:31 348160 c:\windows\system32\dxtmsft.dll
+ 2004-08-11 23:00 . 2009-03-08 08:31 348160 c:\windows\system32\dxtmsft.dll
+ 2007-02-26 21:47 . 2009-03-08 08:34 914944 c:\windows\system32\dllcache\wininet.dll
+ 2006-11-08 02:03 . 2009-03-08 08:34 236544 c:\windows\system32\dllcache\webcheck.dll
- 2006-11-08 02:03 . 2009-03-08 09:34 236544 c:\windows\system32\dllcache\webcheck.dll
- 2007-02-26 21:48 . 2009-03-08 09:33 759296 c:\windows\system32\dllcache\VGX.dll
+ 2007-02-26 21:48 . 2009-03-08 08:33 759296 c:\windows\system32\dllcache\VGX.dll
- 2008-05-09 10:53 . 2010-03-10 06:15 420352 c:\windows\system32\dllcache\vbscript.dll
+ 2008-05-09 10:53 . 2009-03-08 08:33 420352 c:\windows\system32\dllcache\vbscript.dll
+ 2006-10-17 17:05 . 2009-03-08 08:34 105984 c:\windows\system32\dllcache\url.dll
- 2006-10-17 17:05 . 2009-03-08 09:34 105984 c:\windows\system32\dllcache\url.dll
- 2009-01-07 23:20 . 2009-01-07 23:20 134144 c:\windows\system32\dllcache\sqmapi.dll
+ 2009-01-07 22:20 . 2009-01-07 22:20 134144 c:\windows\system32\dllcache\sqmapi.dll
- 2009-01-07 23:20 . 2009-12-08 09:23 474112 c:\windows\system32\dllcache\shlwapi.dll
+ 2009-01-07 22:20 . 2009-01-07 22:20 474112 c:\windows\system32\dllcache\shlwapi.dll
+ 2006-10-17 17:04 . 2009-03-08 08:34 109568 c:\windows\system32\dllcache\occache.dll
- 2007-02-26 21:47 . 2010-12-20 23:59 611840 c:\windows\system32\dllcache\mstime.dll
+ 2007-02-26 21:47 . 2009-03-08 08:32 611840 c:\windows\system32\dllcache\mstime.dll
+ 2007-02-26 21:47 . 2009-03-08 08:34 193536 c:\windows\system32\dllcache\msrating.dll
- 2007-02-26 21:47 . 2009-03-08 09:34 193536 c:\windows\system32\dllcache\msrating.dll
+ 2006-11-08 02:03 . 2009-03-08 08:22 156160 c:\windows\system32\dllcache\msls31.dll
- 2006-11-08 02:03 . 2009-03-08 09:22 156160 c:\windows\system32\dllcache\msls31.dll
+ 2007-05-13 21:25 . 2009-03-08 08:32 594432 c:\windows\system32\dllcache\msfeeds.dll
+ 2008-05-09 10:53 . 2009-03-08 08:33 726528 c:\windows\system32\dllcache\jscript.dll
- 2008-05-09 10:53 . 2009-12-09 05:53 726528 c:\windows\system32\dllcache\jscript.dll
+ 2006-10-17 17:04 . 2009-03-08 18:09 638816 c:\windows\system32\dllcache\iexplore.exe
- 2006-10-17 17:04 . 2009-03-08 19:09 638816 c:\windows\system32\dllcache\iexplore.exe
+ 2007-02-26 21:47 . 2009-03-08 08:31 183808 c:\windows\system32\dllcache\iepeers.dll
+ 2006-11-07 08:27 . 2009-03-08 18:09 391536 c:\windows\system32\dllcache\iedkcs32.dll
- 2007-05-13 21:25 . 2009-03-08 09:11 445952 c:\windows\system32\dllcache\ieapfltr.dll
+ 2007-05-13 21:25 . 2009-03-08 08:11 445952 c:\windows\system32\dllcache\ieapfltr.dll
- 2006-11-07 08:25 . 2009-03-08 09:32 163840 c:\windows\system32\dllcache\ieakui.dll
+ 2006-11-07 08:25 . 2009-03-08 08:32 163840 c:\windows\system32\dllcache\ieakui.dll
- 2006-11-07 08:27 . 2009-03-08 09:33 229376 c:\windows\system32\dllcache\ieaksie.dll
+ 2006-11-07 08:27 . 2009-03-08 08:33 229376 c:\windows\system32\dllcache\ieaksie.dll
- 2006-11-07 08:26 . 2009-03-08 09:33 125952 c:\windows\system32\dllcache\ieakeng.dll
+ 2006-11-07 08:26 . 2009-03-08 08:33 125952 c:\windows\system32\dllcache\ieakeng.dll
+ 2006-11-07 08:26 . 2009-03-08 08:32 173056 c:\windows\system32\dllcache\ie4uinit.exe
+ 2007-02-26 21:47 . 2009-03-08 08:31 216064 c:\windows\system32\dllcache\dxtrans.dll
- 2007-02-26 21:47 . 2009-03-08 09:31 216064 c:\windows\system32\dllcache\dxtrans.dll
- 2007-02-26 21:47 . 2009-03-08 09:31 348160 c:\windows\system32\dllcache\dxtmsft.dll
+ 2007-02-26 21:47 . 2009-03-08 08:31 348160 c:\windows\system32\dllcache\dxtmsft.dll
- 2006-11-07 08:26 . 2009-03-08 09:32 128512 c:\windows\system32\dllcache\advpack.dll
+ 2006-11-07 08:26 . 2009-03-08 08:32 128512 c:\windows\system32\dllcache\advpack.dll
- 2004-08-11 23:00 . 2009-03-08 09:32 128512 c:\windows\system32\advpack.dll
+ 2004-08-11 23:00 . 2009-03-08 08:32 128512 c:\windows\system32\advpack.dll
+ 2011-04-03 19:14 . 2011-04-03 19:14 180224 c:\windows\Installer\4d06f.msi
+ 2011-04-03 19:13 . 2011-04-03 19:13 677376 c:\windows\Installer\4d061.msi
+ 2011-04-03 19:48 . 2008-12-20 23:15 826368 c:\windows\ie8\wininet.dll
- 2009-11-11 17:00 . 2008-12-20 23:15 826368 c:\windows\ie8\wininet.dll
+ 2011-04-03 19:48 . 2006-10-17 17:05 206336 c:\windows\ie8\winfxdocobj.exe
- 2009-11-11 17:00 . 2006-10-17 17:05 206336 c:\windows\ie8\winfxdocobj.exe
+ 2011-04-03 19:48 . 2008-12-20 23:15 233472 c:\windows\ie8\webcheck.dll
- 2009-11-11 17:00 . 2008-12-20 23:15 233472 c:\windows\ie8\webcheck.dll
- 2009-11-11 17:00 . 2007-07-12 23:31 765952 c:\windows\ie8\vgx.dll
+ 2011-04-03 19:48 . 2007-07-12 23:31 765952 c:\windows\ie8\vgx.dll
- 2009-11-11 17:00 . 2008-05-09 10:53 430080 c:\windows\ie8\vbscript.dll
+ 2011-04-03 19:48 . 2008-05-09 10:53 430080 c:\windows\ie8\vbscript.dll
- 2009-11-11 17:00 . 2008-12-20 23:15 105984 c:\windows\ie8\url.dll
+ 2011-04-03 19:48 . 2008-12-20 23:15 105984 c:\windows\ie8\url.dll
+ 2011-04-03 19:50 . 2009-01-07 22:21 382496 c:\windows\ie8\spuninst\updspapi.dll
- 2009-11-11 17:01 . 2009-01-07 23:21 382496 c:\windows\ie8\spuninst\updspapi.dll
+ 2011-04-03 19:50 . 2009-01-07 22:20 231456 c:\windows\ie8\spuninst\spuninst.exe
- 2009-11-11 17:01 . 2009-01-07 23:20 231456 c:\windows\ie8\spuninst\spuninst.exe
- 2009-11-11 17:00 . 2006-09-06 21:43 213216 c:\windows\ie8\spuninst.exe
+ 2011-04-03 19:48 . 2006-09-06 21:43 213216 c:\windows\ie8\spuninst.exe
- 2009-11-11 17:00 . 2008-12-20 23:15 102912 c:\windows\ie8\occache.dll
+ 2011-04-03 19:48 . 2008-12-20 23:15 102912 c:\windows\ie8\occache.dll
- 2009-11-11 17:00 . 2008-12-20 23:15 671232 c:\windows\ie8\mstime.dll
+ 2011-04-03 19:48 . 2008-12-20 23:15 671232 c:\windows\ie8\mstime.dll
- 2009-11-11 17:00 . 2008-12-20 23:15 193024 c:\windows\ie8\msrating.dll
+ 2011-04-03 19:48 . 2008-12-20 23:15 193024 c:\windows\ie8\msrating.dll
- 2009-11-11 17:00 . 2006-11-08 02:03 156160 c:\windows\ie8\msls31.dll
+ 2011-04-03 19:48 . 2006-11-08 02:03 156160 c:\windows\ie8\msls31.dll
- 2009-11-11 17:00 . 2008-12-20 23:15 477696 c:\windows\ie8\mshtmled.dll
+ 2011-04-03 19:48 . 2008-12-20 23:15 477696 c:\windows\ie8\mshtmled.dll
- 2009-11-11 17:00 . 2008-12-20 23:15 459264 c:\windows\ie8\msfeeds.dll
+ 2011-04-03 19:48 . 2008-12-20 23:15 459264 c:\windows\ie8\msfeeds.dll
- 2009-11-11 17:00 . 2008-05-09 10:53 512000 c:\windows\ie8\jscript.dll
+ 2011-04-03 19:48 . 2008-05-09 10:53 512000 c:\windows\ie8\jscript.dll
- 2009-11-11 17:00 . 2008-12-19 05:25 634024 c:\windows\ie8\iexplore.exe
+ 2011-04-03 19:48 . 2008-12-19 05:25 634024 c:\windows\ie8\iexplore.exe
- 2009-11-11 17:00 . 2006-11-08 02:03 180736 c:\windows\ie8\ieui.dll
+ 2011-04-03 19:48 . 2006-11-08 02:03 180736 c:\windows\ie8\ieui.dll
+ 2011-04-03 19:48 . 2008-12-20 23:15 267776 c:\windows\ie8\iertutil.dll
- 2009-11-11 17:00 . 2008-12-20 23:15 267776 c:\windows\ie8\iertutil.dll
+ 2011-04-03 19:48 . 2006-11-08 02:03 287744 c:\windows\ie8\ieproxy.dll
- 2009-11-11 17:00 . 2006-11-08 02:03 287744 c:\windows\ie8\ieproxy.dll
- 2009-11-11 17:00 . 2006-11-08 02:03 191488 c:\windows\ie8\iepeers.dll
+ 2011-04-03 19:48 . 2006-11-08 02:03 191488 c:\windows\ie8\iepeers.dll
- 2009-11-11 17:00 . 2008-12-20 23:15 384512 c:\windows\ie8\iedkcs32.dll
+ 2011-04-03 19:48 . 2008-12-20 23:15 384512 c:\windows\ie8\iedkcs32.dll
- 2009-11-11 17:00 . 2008-12-20 23:15 383488 c:\windows\ie8\ieapfltr.dll
+ 2011-04-03 19:48 . 2008-12-20 23:15 383488 c:\windows\ie8\ieapfltr.dll
+ 2011-04-03 19:48 . 2008-12-19 05:23 161792 c:\windows\ie8\ieakui.dll
- 2009-11-11 17:00 . 2008-12-19 05:23 161792 c:\windows\ie8\ieakui.dll
- 2009-11-11 17:00 . 2008-12-20 23:15 230400 c:\windows\ie8\ieaksie.dll
+ 2011-04-03 19:48 . 2008-12-20 23:15 230400 c:\windows\ie8\ieaksie.dll
- 2009-11-11 17:00 . 2008-12-20 23:15 153088 c:\windows\ie8\ieakeng.dll
+ 2011-04-03 19:48 . 2008-12-20 23:15 153088 c:\windows\ie8\ieakeng.dll
+ 2011-04-03 19:48 . 2008-12-20 23:15 214528 c:\windows\ie8\dxtrans.dll
- 2009-11-11 17:00 . 2008-12-20 23:15 214528 c:\windows\ie8\dxtrans.dll
+ 2011-04-03 19:48 . 2008-12-20 23:15 347136 c:\windows\ie8\dxtmsft.dll
- 2009-11-11 17:00 . 2008-12-20 23:15 347136 c:\windows\ie8\dxtmsft.dll
+ 2011-04-03 19:48 . 2008-12-20 23:15 124928 c:\windows\ie8\advpack.dll
- 2009-11-11 17:00 . 2008-12-20 23:15 124928 c:\windows\ie8\advpack.dll
+ 2004-08-11 23:00 . 2009-03-08 08:34 1206784 c:\windows\system32\urlmon.dll
+ 2004-08-11 23:00 . 2009-03-08 08:41 5937152 c:\windows\system32\mshtml.dll
+ 2006-10-17 16:57 . 2009-03-08 08:32 1985024 c:\windows\system32\iertutil.dll
+ 2006-09-06 04:01 . 2009-02-07 01:07 3698584 c:\windows\system32\ieapfltr.dat
- 2006-09-06 04:01 . 2009-02-07 02:07 3698584 c:\windows\system32\ieapfltr.dat
+ 2007-02-26 21:47 . 2009-03-08 08:34 1206784 c:\windows\system32\dllcache\urlmon.dll
+ 2009-01-07 22:20 . 2009-01-07 22:20 1497088 c:\windows\system32\dllcache\shdocvw.dll
- 2009-01-07 23:20 . 2009-01-07 23:20 1497088 c:\windows\system32\dllcache\shdocvw.dll
+ 2006-07-28 10:28 . 2009-03-08 08:41 5937152 c:\windows\system32\dllcache\mshtml.dll
+ 2007-05-13 21:25 . 2009-03-08 08:32 1985024 c:\windows\system32\dllcache\iertutil.dll
+ 2007-05-13 21:25 . 2009-02-07 01:07 3698584 c:\windows\system32\dllcache\ieapfltr.dat
- 2007-05-13 21:25 . 2009-02-07 02:07 3698584 c:\windows\system32\dllcache\ieapfltr.dat
+ 2009-01-07 22:20 . 2009-01-07 22:20 1022976 c:\windows\system32\dllcache\browseui.dll
- 2009-01-07 23:20 . 2009-01-07 23:20 1022976 c:\windows\system32\dllcache\browseui.dll
- 2009-11-11 17:00 . 2008-12-20 23:15 1160192 c:\windows\ie8\urlmon.dll
+ 2011-04-03 19:48 . 2008-12-20 23:15 1160192 c:\windows\ie8\urlmon.dll
+ 2011-04-03 19:48 . 2009-01-17 02:35 3594752 c:\windows\ie8\mshtml.dll
- 2009-11-11 17:00 . 2009-01-17 02:35 3594752 c:\windows\ie8\mshtml.dll
+ 2011-04-03 19:48 . 2008-12-20 23:15 6066688 c:\windows\ie8\ieframe.dll
- 2009-11-11 17:00 . 2008-12-20 23:15 6066688 c:\windows\ie8\ieframe.dll
+ 2011-04-03 19:48 . 2007-04-17 09:28 2455488 c:\windows\ie8\ieapfltr.dat
- 2009-11-11 17:00 . 2007-04-17 09:28 2455488 c:\windows\ie8\ieapfltr.dat
+ 2006-11-08 02:03 . 2009-03-08 08:39 11063808 c:\windows\system32\ieframe.dll
+ 2007-05-13 21:25 . 2009-03-08 08:39 11063808 c:\windows\system32\dllcache\ieframe.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-29 395776]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-22 7557120]
"nwiz"="nwiz.exe" [2006-03-22 1519616]
"NVHotkey"="nvHotkey.dll" [2006-03-22 73728]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-19 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 696320]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2006-08-22 184320]
"NvMediaCenter"="NvMCTray.dll" [2006-03-22 86016]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-22 52840]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"vptray"="c:\progra~1\SYMANT~1\\vptray.exe" [2006-12-20 125632]
"V0400Mon.exe"="c:\windows\V0400Mon.exe" [2007-08-23 28672]
"Boingo Wi-Fi"="c:\program files\Boingo\Boingo Wi-Fi\Boingo.lnk" [2011-04-03 2179]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-07-27 22:50 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]
2006-11-21 22:08 813912 ----a-w- c:\program files\Microsoft IntelliType Pro\itype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2006-03-08 17:48 761947 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-12-06 13:54 274608 ----a-w- c:\program files\real\realplayer\Update\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\acl80\\allegro-ansi.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Lulu\\Active\\actr6v6\\environment\\Start Environment.exe"=
"c:\\Program Files\\Microsoft Broadband Networking\\MSBNUtil.exe"=
"c:\\Program Files\\Microsoft Broadband Networking\\MSBNTray.exe"=
"c:\\Program Files\\Microsoft Broadband Networking\\MSBNCfg.exe"=
"c:\\Program Files\\Microsoft Broadband Networking\\MSBNUpdate.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\acl62\\allegro-ansi.exe"=
"c:\\Program Files\\acl81\\allegro-ansi.exe"=
"c:\\Program Files\\Unreal Tournament 2004\\System\\UT2004x.exe"=
"c:\\Program Files\\Aptima\\DDD 4.0\\Server\\SimCoreServerGUI.exe"=
"c:\\UT2004\\System\\UCC.exe"=
"c:\\UT2004\\System\\UT2004.exe"=
"c:\\UT2004\\Tools\\WSS-0.5.0\\WSS.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\SPSSInc\\PASWStatistics17\\SPSSWinWrapIDE.exe"=
"c:\\Program Files\\SPSSInc\\PASWStatistics17\\paswstat.com"=
"c:\\Program Files\\SPSSInc\\PASWStatistics17\\statistics.exe"=
"c:\\Program Files\\SPSSInc\\PASWStatistics17\\statistics.com"=
"c:\\Program Files\\SPSSInc\\PASWStatistics17\\paswstat.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\MATLAB\\R2009a\\bin\\win32\\MATLAB.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Documents and Settings\\actr\\My Documents\\Gantt\\endeavour-mgmt-1.23\\endeavour-mgmt-1.23\\jre\\bin\\java.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\NetworkActiv AUTAPF 1.1\\NetworkActivAUTAPFv1.1.exe"=
"c:\\Documents and Settings\\actr\\My Documents\\CL Stuff\\OpenCyc\\opencyc-1.0\\server\\cyc\\run\\bin\\opencyc.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
.
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [5/5/2010 7:59 PM 583360]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [7/6/2010 1:44 PM 102448]
S1 PDIDRV;PDIDRV; [x]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [12/20/2006 2:29 PM 116928]
S3 VF0400Afx;VF0400 Audio FX;c:\windows\system32\drivers\V0400Afx.sys [1/3/2010 7:22 PM 142656]
S3 VF0400Vfx;VF0400 Video FX;c:\windows\system32\drivers\V0400Vfx.sys [1/3/2010 7:22 PM 7424]
S3 VF0400Vid;Live! Cam Notebook Pro (VF0400);c:\windows\system32\drivers\V0400Vid.sys [1/3/2010 7:22 PM 166720]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [12/2/2006 9:17 AM 2805000]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
itlsvc REG_MULTI_SZ itlperf
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{38FD2B13-BFF4-451C-B2F1-24A918732021}]
2008-04-14 00:12 78848 ----a-w- c:\windows\system32\msiexec.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-03 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2506267691-1926659138-1469177718-1016.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
.
2011-04-03 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2506267691-1926659138-1469177718-1016.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
.
2011-04-04 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-02-08 21:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
Trusted Zone: cnet.com\download
Trusted Zone: eset.eu\www
Trusted Zone: mozilla.com\www
Trusted Zone: mozilla.org\www
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
FF - ProfilePath - c:\documents and settings\actr\Application Data\Mozilla\Firefox\Profiles\5skk9u2r.default\
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-updateMgr - c:\program files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-04 09:31
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2011-04-04 09:34:17
ComboFix-quarantined-files.txt 2011-04-04 13:34
ComboFix2.txt 2011-04-03 17:48
.
Pre-Run: 8,183,554,048 bytes free
Post-Run: 8,111,091,712 bytes free
.
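An added example, written for this page and not part of the log or of any post in this thread: a small Python triage script for the paired - / + lines in a ComboFix file snapshot like the one above. The sample lines are constructed (modelled on entries in the log), and the script assumes the first timestamp is the creation time and the second the last-write time, which is my reading of the snapshot layout rather than something the log states. It separates the entries whose only difference is a one-hour shift with identical size (most of the system32 lines above, which look like a clock or time-zone artifact) from files whose last-write time moved backwards with the size unchanged (the dllcache copies of vbscript.dll, shlwapi.dll, mstime.dll and jscript.dll above), which are worth checking because a system DLL rolled back to an older build can reintroduce a vulnerability that a later update had fixed, and from files that are new or were recreated.

```python
"""Triage the paired '-' / '+' lines of a ComboFix file snapshot diff.

Assumed line format (my reading of the snapshot, not stated in the log):
    <sign> <created YYYY-MM-DD HH:MM> . <modified YYYY-MM-DD HH:MM> <size> <path>
A lone '-' line is taken to mean the file is gone from the newer snapshot.
"""
import re
from datetime import datetime, timedelta

# Constructed sample lines, modelled on entries in the log above
# (gone.sys is invented to exercise the 'removed' case).
SAMPLE = r"""
- 2006-11-08 02:03 . 2009-03-08 09:22 164352 c:\windows\system32\ieui.dll
+ 2006-11-08 02:03 . 2009-03-08 08:22 164352 c:\windows\system32\ieui.dll
+ 2004-08-11 23:00 . 2009-03-08 08:31 183808 c:\windows\system32\iepeers.dll
- 2008-05-09 10:53 . 2010-03-10 06:15 420352 c:\windows\system32\dllcache\vbscript.dll
+ 2008-05-09 10:53 . 2009-03-08 08:33 420352 c:\windows\system32\dllcache\vbscript.dll
- 2009-11-11 17:00 . 2008-12-20 23:15 105984 c:\windows\ie8\url.dll
+ 2011-04-03 19:48 . 2008-12-20 23:15 105984 c:\windows\ie8\url.dll
+ 2011-04-03 19:14 . 2011-04-03 19:14 180224 c:\windows\Installer\4d06f.msi
- 2010-01-01 00:00 . 2010-01-01 00:00 1024 c:\windows\system32\drivers\gone.sys
"""

LINE_RE = re.compile(
    r"^([+-])\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+\.\s+"
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(\d+)\s+(.+?)\s*$")
TS = "%Y-%m-%d %H:%M"


def parse(text):
    """Group snapshot lines by path: {path_lower: {'-': entry, '+': entry}}."""
    pairs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headers, '.' separators, blank lines
        sign, created, modified, size, path = m.groups()
        pairs.setdefault(path.lower(), {})[sign] = {
            "created": datetime.strptime(created, TS),
            "modified": datetime.strptime(modified, TS),
            "size": int(size),
            "path": path,
        }
    return pairs


def classify(pair):
    """Label one path's old ('-') and new ('+') entries."""
    old, new = pair.get("-"), pair.get("+")
    if old is None:
        return "new_file"
    if new is None:
        return "removed"
    delta = new["modified"] - old["modified"]
    if new["size"] != old["size"]:
        return "size_changed"   # different content: check hash and signature
    if abs(delta) == timedelta(hours=1) and new["created"] == old["created"]:
        return "clock_shift"    # same size, whole-hour offset: time-zone/DST artifact
    if delta < timedelta(0):
        return "rolled_back"    # same size, older last-write: possible downgrade of a patched file
    if delta == timedelta(0) and new["created"] != old["created"]:
        return "recreated"      # same content stamp, new creation time: file was rewritten
    return "updated" if delta > timedelta(0) else "unchanged"


REVIEW = {"new_file", "size_changed", "rolled_back"}


def triage(text):
    """Return {path: label} for every path in the snapshot."""
    return {path: classify(pair) for path, pair in parse(text).items()}


def needs_review(text):
    """Paths a responder should verify against a known-good copy or Windows Update."""
    return sorted(p for p, label in triage(text).items() if label in REVIEW)


if __name__ == "__main__":
    for path, label in triage(SAMPLE).items():
        print(f"{label:13} {path}")
```

Run it against the full snapshot section of a log and the clock_shift noise drops out, leaving a short list of rolled_back, size_changed and new_file entries to check by hash or against the file versions Windows Update expects.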

deathtoworms
2011-04-04, 16:08
Well, I tried to perform a Windows Update, but failed. Initially, I was getting the prompt at the top of the page saying to "Click Here to allow..." but before I could click, an error dialog popped up saying "Failure to write instruction xxxxx" or something like that. I've rebooted, tried again, but now IE tries to restore the web site and fails and stops. Any ideas?

Blade81
2011-04-04, 16:09
Hi,

Infection likely got itself in by exploiting vulnerable software (old Adobe Acrobat and Java are pretty commonly exploited 3rd party products).

Are you still noticing any problems? If not, it's time to secure your system to prevent further intrusions.


THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points, which are likely to be infected. Please note you need Administrator Access to clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis


Now lets uninstall ComboFix:

Click START then RUN
Now copy-paste Combofix /uninstall in the runbox and click OK



UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site (http://windowsupdate.microsoft.com/) to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed (free): Microsoft Office Update.


Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.


Download and run Secunia Personal Software Inspector (PSI) (http://secunia.com/vulnerability_scanning/personal/) and fix its findings.

Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade :cool:
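As an added example, not part of Blade81's post or of any tool named in this thread: the six Custom Level settings in the post are stored as DWORD values under the user's Internet zone key, HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3, with 0 = Enable, 1 = Prompt and 3 = Disable. The value names used below (1001, 1004, 1201, 1800, 1804, 1607; newer IE versions label 1607 "Navigate windows and frames across different domains") follow Microsoft's documented zone registry layout in KB182569. The Python script audits a `reg export` of that key against the recommended levels and renders a .reg file that applies them. The export text is a constructed sample and the script is mine, so confirm the value names against the article before importing the .reg on a real machine.

```python
"""Audit Internet Explorer's Internet zone (Zones\3) against the hardening
recommended in the post, and render a .reg file that applies it.

Value names and their meanings are taken from Microsoft KB182569;
levels: 0 = Enable, 1 = Prompt, 3 = Disable. Example code, not from the post.
"""
import re

ZONE_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
            r"\Internet Settings\Zones\3")          # Zone 3 = Internet

# value name -> (setting as shown in the IE dialog, recommended level)
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", 1),
    "1004": ("Download unsigned ActiveX controls", 3),
    "1201": ("Initialize and script ActiveX controls not marked as safe", 3),
    "1800": ("Installation of desktop items", 1),
    "1804": ("Launching programs and files in an IFRAME", 1),
    "1607": ("Navigate sub-frames across different domains", 1),
}
LEVELS = {0: "Enable", 1: "Prompt", 3: "Disable"}

# Constructed sample of a `reg export` of the zone key before hardening.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000001
"1004"=dword:00000003
"1201"=dword:00000000
"1800"=dword:00000000
"1804"=dword:00000001
"1607"=dword:00000000
"""

DWORD_RE = re.compile(r'^"(\w+)"=dword:([0-9a-fA-F]{8})\s*$')


def parse_reg_export(text):
    """Return {value_name: int} for the DWORD values under the Internet zone key."""
    values, in_key = {}, False
    for line in text.splitlines():
        if line.startswith("["):
            in_key = line.strip("[]").lower() == ZONE_KEY.lower()
            continue
        m = DWORD_RE.match(line)
        if in_key and m:
            values[m.group(1)] = int(m.group(2), 16)
    return values


def audit(values):
    """List (name, setting, current level, recommended level) for every setting
    that is weaker than recommended. A missing value is treated as Enable (0),
    the most permissive reading, so it is always reported."""
    findings = []
    for name, (setting, want) in RECOMMENDED.items():
        have = values.get(name, 0)
        if have < want:   # 0 Enable < 1 Prompt < 3 Disable
            findings.append((name, setting, LEVELS.get(have, str(have)), LEVELS[want]))
    return findings


def render_reg(recommended=RECOMMENDED):
    """Render a .reg file (CRLF line endings) that applies the recommended levels."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{ZONE_KEY}]"]
    for name, (_setting, want) in sorted(recommended.items()):
        lines.append(f'"{name}"=dword:{want:08x}')
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    for name, setting, have, want in audit(parse_reg_export(SAMPLE_EXPORT)):
        print(f"{name} {setting}: is {have}, should be {want}")
    print(render_reg())
```

If the machine has the Security_HKLM_only policy value set under Internet Settings, IE reads zone settings from HKLM instead of HKCU, and the per-user key edited here is ignored; check that value first if the dialog refuses to keep your changes.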

Blade81
2011-04-04, 16:10
Please try this (http://support.microsoft.com/kb/971058) regarding Windows Update issue (Fix It in default mode).

deathtoworms
2011-04-04, 20:37
Blade81,
Thanks again for all of your help. Got windows update working per your suggested fix, ran secunia and secured all software, and made the recommended changes you suggested for the Internet zone. I am also installing PrivateFirewall. Do you have other recommendations? All is looking good- I am so relieved not to have to reinstall my entire system. This really seems to have been a nasty one- the number of people asking for help on this forum for this one bug is striking! And by the way, I have always kept autoupdates ON- it's just crazy that the bug disabled this feature. Hopefully I can prevent it in the future. Thanks so much for your help again, I appreciate it tremendously.

Blade81
2011-04-05, 07:23
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)

Note:If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread.

If it has been less than three days since your last response and you need the thread re-opened, please send me or other MOD a private message (pm). A valid, working link to the closed topic is required.