Mfeed.in Redirect Returns

ken545 · Jul 21, 2010

OK, do this, we are going to run a CF Script, but CF wont run all the way but will produce a log I need to see.

Open Notepad Go to Start> All Programs> Assessories> Notepad ( this will only work with Notepad )and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above Dequarantine::

Code:

Dequarantine::
C:\Qoobox\Quarantine\c:\windows\system32\drivers\RASACD.SYS
Quit::

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again but it wont run all the way through. Post the log it produces please

dinosaur58 · Jul 22, 2010

Combofix DeQuarantine log

Here's the Combofix DeQuarantine log. Restarting Antivirus after Combofix run sometimes causes system unresponsive [except cursor movement]? Couldn't bring up Task Manager to see what process was causing this. D58
WWWWWWWWWWWWWWWWWWWWWWWWWw
ComboFix 10-07-21.01 - Administrator 07/21/2010 21:04:49.15.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1982.1470 [GMT -6:00]
Running from: c:\documents and settings\Administrator.COMPUTER\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator.COMPUTER\Desktop\cfscript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((( Files Created from 2010-06-22 to 2010-07-22 )))))))))))))))))))))))))))))))
.

2010-07-21 11:13 . 2010-07-21 11:13 4664667 ----a-w- C:\ComboFix.zip
2010-07-20 11:41 . 2004-08-04 07:00 8832 ----a-w- c:\windows\system32\dllcache\rasacd.sys
2010-07-20 09:26 . 2010-07-20 09:26 -------- d-----w- c:\windows\system32\MpEngineStore
2010-07-19 18:42 . 2010-07-19 18:42 -------- d-----w- c:\program files\ESET
2010-07-12 14:56 . 2010-07-12 14:56 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Adobe
2010-07-12 10:35 . 2010-07-12 10:35 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Application Data\Talkback
2010-07-08 14:04 . 2010-07-08 14:04 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-07-07 11:36 . 2010-07-07 11:36 293376 ----a-w- C:\6bg39okp.exe
2010-07-06 15:57 . 2010-07-06 15:57 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Apple Computer
2010-07-05 18:36 . 2010-07-05 18:36 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Adobe
2010-07-05 18:36 . 2010-07-18 17:33 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-04 15:11 . 2010-07-04 15:11 503808 ----a-w- c:\documents and settings\Administrator.COMPUTER\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4658bb77-n\msvcp71.dll
2010-07-04 15:11 . 2010-07-04 15:11 499712 ----a-w- c:\documents and settings\Administrator.COMPUTER\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4658bb77-n\jmc.dll
2010-07-04 15:11 . 2010-07-04 15:11 348160 ----a-w- c:\documents and settings\Administrator.COMPUTER\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4658bb77-n\msvcr71.dll
2010-07-04 15:11 . 2010-07-04 15:11 61440 ----a-w- c:\documents and settings\Administrator.COMPUTER\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-65417641-n\decora-sse.dll
2010-07-04 15:11 . 2010-07-04 15:11 12800 ----a-w- c:\documents and settings\Administrator.COMPUTER\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-65417641-n\decora-d3d.dll
2010-07-04 15:11 . 2010-04-12 23:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-01 12:08 . 2010-07-01 12:08 -------- d-s---w- c:\documents and settings\LocalService.NT AUTHORITY\UserData
2010-07-01 10:02 . 2010-07-01 10:02 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Thunderbird
2010-07-01 10:02 . 2010-07-01 10:02 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Application Data\Thunderbird
2010-06-30 08:30 . 2010-06-30 08:46 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-06-30 08:30 . 2009-03-30 15:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-06-30 08:30 . 2009-02-13 17:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-06-30 08:30 . 2009-02-13 17:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-06-30 08:30 . 2010-06-30 08:30 -------- d-----w- c:\program files\Avira
2010-06-30 08:30 . 2010-06-30 08:30 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Avira
2010-06-30 06:50 . 2010-06-30 06:50 -------- d-----w- c:\windows\system32\wbem\Repository
2010-06-30 06:03 . 2010-06-30 06:03 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\SITEguard
2010-06-30 06:03 . 2010-06-30 06:03 -------- d-----w- c:\program files\Common Files\iS3
2010-06-30 06:03 . 2010-06-30 06:03 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\STOPzilla!
2010-06-29 14:02 . 2010-06-29 14:02 -------- d-s---w- c:\documents and settings\NetworkService.NT AUTHORITY\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-14 14:30 . 2007-10-23 22:00 743936 ----a-w- c:\windows\pchealth\helpctr\binaries\HelpSvc.exe
2010-06-09 17:55 . 2010-06-09 17:55 -------- d-----w- c:\documents and settings\Administrator.COMPUTER\Application Data\Topaz Moment
2010-06-09 17:06 . 2010-06-09 17:06 -------- d-----w- c:\program files\Topaz Labs LLC
2010-06-01 15:02 . 2007-10-23 22:52 120280 ----a-w- c:\documents and settings\Administrator.COMPUTER\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-02 05:56 . 2007-12-14 00:01 1850880 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 21:39 . 2008-07-20 15:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 21:39 . 2008-07-20 15:48 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2004-04-09 21:13 . 2007-10-23 22:35 114688 ----a-w- c:\program files\NETGEAR DG632 USB Driveruninstalldrv.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2007-09-17 1626112]
"atwtusb"="atwtusb.exe" [2007-03-20 315392]
"Tweak UI"="TWEAKUI.CPL" [1997-11-08 87312]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-10 153136]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogoff"= 01000000
"NoRecentDocsNetHood"= 01000000
"NoSMMyDocs"= 01000000
"NoSMMyPictures"= 01000000
"NoNetworkConnections"= 01000000

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk.disabled]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk.disabled
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnk.disabledCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk.disabled]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk.disabled
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.disabledCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^DOCUME~1^ADMINI~1.COM^Start Menu^Programs^Startup^QuickShelf 2000.lnk]
path=c:\docume~1\ADMINI~1.COM\Start Menu\Programs\Startup\QuickShelf 2000.lnk
backup=c:\windows\pss\QuickShelf 2000.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2008-04-10 02:14 136472 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
2008-04-10 02:23 909208 ----a-w- c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxMenuMgr]
2009-01-16 22:31 181544 ----a-w- c:\program files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 22:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 17:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2008-04-10 02:11 2595792 ----a-w- c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NMIndexingService"=3 (0x3)
"NBService"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"VirtualCloneDrive"="c:\program files\VirtualCloneDrive\VCDDaemon.exe" /s
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
"hpqSRMon"=c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe
"SoundMan"=SOUNDMAN.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\System32\\mmc.exe"=
"c:\\Program Files\\Mozilla Firefox\\FIREFOX.EXE"=
"c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=

R1 aiptektp;Pen Pad;c:\windows\system32\drivers\aiptektp.sys [7/1/2008 10:33 PM 22528]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/30/2010 02:30 AM 108289]
R2 BCMNTIO;BCMNTIO;c:\progra~1\CHECKIT\DIAGNO~1\BCMNTIO.sys [12/20/2007 04:11 AM 3744]
R2 MAPMEM;MAPMEM;c:\progra~1\CHECKIT\DIAGNO~1\MAPMEM.sys [12/20/2007 04:11 AM 3904]
R3 EuMusDesignVirtualAudioCableWdm;Virtual Audio Cable (WDM);c:\windows\system32\drivers\vrtaucbl.sys [9/22/2009 03:59 AM 50944]
S2 portD;CMS PortIO Service;c:\windows\system32\DRIVERS\portd2k.sys --> c:\windows\system32\DRIVERS\portd2k.sys [?]
S3 MEMSWEEP2;MEMSWEEP2; [x]
S4 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [1/16/2009 04:31 PM 161064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
FF - ProfilePath - c:\documents and settings\Administrator.COMPUTER\Application Data\Mozilla\Firefox\Profiles\bvvl5608.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\windows\system32\C2MP\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-21 21:09
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1454471165-1979792683-725345543-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{08437B63-CA86-7C11-1E25-5A214BD5C952}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"abnllihdbjplkgkdpkebpdfihejcgiaodb"=hex:61,62,6c,65,69,61,66,69,69,68,6d,65,
63,6d,6c,6e,63,67,63,66,6d,6a,6b,63,64,6d,67,61,68,66,62,70,65,61,00,00
"bbnllihdbjplkgkdpkfbdachibjdfkjonkac"=hex:61,62,67,67,63,64,64,61,65,69,68,62,
66,6d,63,70,63,64,65,68,6d,67,6e,6c,65,67,6a,6e,70,67,6e,6d,6f,63,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(940)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(3496)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-07-21 21:11:03
ComboFix-quarantined-files.txt 2010-07-22 03:11
ComboFix2.txt 2010-07-21 18:16

Pre-Run: 86,844,243,968 bytes free
Post-Run: 86,838,247,424 bytes free

- - End Of File - - DAF62AD5C4C64A0B6DD6C97E6B8FE4EA

ken545 · Jul 22, 2010

Did you run CF with the new script or did you drag an older one in by mistake ?

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:
Code:
```
:filefind
RASACD.SYS
```
Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

dinosaur58 · Jul 22, 2010

Systemlook log

Combofix automatically moves each script to the Qoobox folder after using it, so only new txt file on desktop = no mistake. Here's the Systemlook log. D58
WWWWWWWWWWW
SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 07:23 on 22/07/2010 by Administrator (Administrator - Elevation successful)

========== filefind ==========

Searching for "RASACD.SYS"
C:\WINDOWS\system32\dllcache\rasacd.sys --a--- 8832 bytes [11:41 20/07/2010] [07:00 04/08/2004] FE0D99D6F31E4FAD8159F690D68DED9C

-=End Of File=-

ken545 · Jul 22, 2010

Yep, but just double checking.

Drag Combofix to the trash and grab a fresh copy

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Open Notepad Go to Start> All Programs> Assessories> Notepad ( this will only work with Notepad )and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above FCopy::

Code:

FCopy::
C:\WINDOWS\system32\dllcache\rasacd.sys | c:\windows\system32\drivers\rasacd.sys

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply

dinosaur58 · Jul 22, 2010

Combofix Fcopy

Here's the log.D58
WWWWWWWWWWWWWWWWWWW
ComboFix 10-07-22.01 - Administrator 07/22/2010 11:24:59.16.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1982.1414 [GMT -6:00]
Running from: c:\documents and settings\Administrator.COMPUTER\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator.COMPUTER\Desktop\cfscript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\system32\dllcache\rasacd.sys --> c:\windows\system32\drivers\rasacd.sys
.
((((((((((((((((((((((((( Files Created from 2010-06-22 to 2010-07-22 )))))))))))))))))))))))))))))))
.

2010-07-22 17:24 . 2004-08-04 07:00 8832 ----a-w- c:\windows\system32\drivers\rasacd.sys
2010-07-22 17:24 . 2004-08-04 07:00 8832 ----a-w- c:\windows\system32\dllcache\rasacd.sys
2010-07-21 11:13 . 2010-07-21 11:13 4664667 ----a-w- C:\ComboFix.zip
2010-07-20 09:26 . 2010-07-20 09:26 -------- d-----w- c:\windows\system32\MpEngineStore
2010-07-19 18:42 . 2010-07-19 18:42 -------- d-----w- c:\program files\ESET
2010-07-12 14:56 . 2010-07-12 14:56 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Adobe
2010-07-12 10:35 . 2010-07-12 10:35 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Application Data\Talkback
2010-07-08 14:04 . 2010-07-08 14:04 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-07-07 11:36 . 2010-07-07 11:36 293376 ----a-w- C:\6bg39okp.exe
2010-07-06 15:57 . 2010-07-06 15:57 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Apple Computer
2010-07-05 18:36 . 2010-07-05 18:36 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Adobe
2010-07-05 18:36 . 2010-07-18 17:33 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-04 15:11 . 2010-07-04 15:11 503808 ----a-w- c:\documents and settings\Administrator.COMPUTER\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4658bb77-n\msvcp71.dll
2010-07-04 15:11 . 2010-07-04 15:11 499712 ----a-w- c:\documents and settings\Administrator.COMPUTER\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4658bb77-n\jmc.dll
2010-07-04 15:11 . 2010-07-04 15:11 348160 ----a-w- c:\documents and settings\Administrator.COMPUTER\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4658bb77-n\msvcr71.dll
2010-07-04 15:11 . 2010-07-04 15:11 61440 ----a-w- c:\documents and settings\Administrator.COMPUTER\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-65417641-n\decora-sse.dll
2010-07-04 15:11 . 2010-07-04 15:11 12800 ----a-w- c:\documents and settings\Administrator.COMPUTER\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-65417641-n\decora-d3d.dll
2010-07-04 15:11 . 2010-04-12 23:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-01 12:08 . 2010-07-01 12:08 -------- d-s---w- c:\documents and settings\LocalService.NT AUTHORITY\UserData
2010-07-01 10:02 . 2010-07-01 10:02 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Thunderbird
2010-07-01 10:02 . 2010-07-01 10:02 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Application Data\Thunderbird
2010-06-30 08:30 . 2010-06-30 08:46 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-06-30 08:30 . 2009-03-30 15:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-06-30 08:30 . 2009-02-13 17:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-06-30 08:30 . 2009-02-13 17:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-06-30 08:30 . 2010-06-30 08:30 -------- d-----w- c:\program files\Avira
2010-06-30 08:30 . 2010-06-30 08:30 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Avira
2010-06-30 06:50 . 2010-06-30 06:50 -------- d-----w- c:\windows\system32\wbem\Repository
2010-06-30 06:03 . 2010-06-30 06:03 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\SITEguard
2010-06-30 06:03 . 2010-06-30 06:03 -------- d-----w- c:\program files\Common Files\iS3
2010-06-30 06:03 . 2010-06-30 06:03 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\STOPzilla!
2010-06-29 14:02 . 2010-06-29 14:02 -------- d-s---w- c:\documents and settings\NetworkService.NT AUTHORITY\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-14 14:30 . 2007-10-23 22:00 743936 ----a-w- c:\windows\pchealth\helpctr\binaries\HelpSvc.exe
2010-06-09 17:55 . 2010-06-09 17:55 -------- d-----w- c:\documents and settings\Administrator.COMPUTER\Application Data\Topaz Moment
2010-06-09 17:06 . 2010-06-09 17:06 -------- d-----w- c:\program files\Topaz Labs LLC
2010-06-01 15:02 . 2007-10-23 22:52 120280 ----a-w- c:\documents and settings\Administrator.COMPUTER\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-02 05:56 . 2007-12-14 00:01 1850880 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 21:39 . 2008-07-20 15:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 21:39 . 2008-07-20 15:48 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2004-04-09 21:13 . 2007-10-23 22:35 114688 ----a-w- c:\program files\NETGEAR DG632 USB Driveruninstalldrv.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2007-09-17 1626112]
"atwtusb"="atwtusb.exe" [2007-03-20 315392]
"Tweak UI"="TWEAKUI.CPL" [1997-11-08 87312]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-10 153136]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogoff"= 01000000
"NoRecentDocsNetHood"= 01000000
"NoSMMyDocs"= 01000000
"NoSMMyPictures"= 01000000
"NoNetworkConnections"= 01000000

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk.disabled]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk.disabled
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnk.disabledCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk.disabled]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk.disabled
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.disabledCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^DOCUME~1^ADMINI~1.COM^Start Menu^Programs^Startup^QuickShelf 2000.lnk]
path=c:\docume~1\ADMINI~1.COM\Start Menu\Programs\Startup\QuickShelf 2000.lnk
backup=c:\windows\pss\QuickShelf 2000.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2008-04-10 02:14 136472 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
2008-04-10 02:23 909208 ----a-w- c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxMenuMgr]
2009-01-16 22:31 181544 ----a-w- c:\program files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 22:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 17:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2008-04-10 02:11 2595792 ----a-w- c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NMIndexingService"=3 (0x3)
"NBService"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"VirtualCloneDrive"="c:\program files\VirtualCloneDrive\VCDDaemon.exe" /s
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
"hpqSRMon"=c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe
"SoundMan"=SOUNDMAN.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\System32\\mmc.exe"=
"c:\\Program Files\\Mozilla Firefox\\FIREFOX.EXE"=
"c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=

R1 aiptektp;Pen Pad;c:\windows\system32\drivers\aiptektp.sys [7/1/2008 10:33 PM 22528]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/30/2010 02:30 AM 108289]
R2 BCMNTIO;BCMNTIO;c:\progra~1\CHECKIT\DIAGNO~1\BCMNTIO.sys [12/20/2007 04:11 AM 3744]
R2 MAPMEM;MAPMEM;c:\progra~1\CHECKIT\DIAGNO~1\MAPMEM.sys [12/20/2007 04:11 AM 3904]
R3 EuMusDesignVirtualAudioCableWdm;Virtual Audio Cable (WDM);c:\windows\system32\drivers\vrtaucbl.sys [9/22/2009 03:59 AM 50944]
S2 portD;CMS PortIO Service;c:\windows\system32\DRIVERS\portd2k.sys --> c:\windows\system32\DRIVERS\portd2k.sys [?]
S3 MEMSWEEP2;MEMSWEEP2; [x]
S4 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [1/16/2009 04:31 PM 161064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
FF - ProfilePath - c:\documents and settings\Administrator.COMPUTER\Application Data\Mozilla\Firefox\Profiles\bvvl5608.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\windows\system32\C2MP\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-22 11:29
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1454471165-1979792683-725345543-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{08437B63-CA86-7C11-1E25-5A214BD5C952}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"abnllihdbjplkgkdpkebpdfihejcgiaodb"=hex:61,62,6c,65,69,61,66,69,69,68,6d,65,
63,6d,6c,6e,63,67,63,66,6d,6a,6b,63,64,6d,67,61,68,66,62,70,65,61,00,00
"bbnllihdbjplkgkdpkfbdachibjdfkjonkac"=hex:61,62,67,67,63,64,64,61,65,69,68,62,
66,6d,63,70,63,64,65,68,6d,67,6e,6c,65,67,6a,6e,70,67,6e,6d,6f,63,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(940)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(1256)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-07-22 11:31:25
ComboFix-quarantined-files.txt 2010-07-22 17:31
ComboFix2.txt 2010-07-22 03:18
ComboFix3.txt 2010-07-21 18:16

Pre-Run: 86,833,201,152 bytes free
Post-Run: 86,827,597,824 bytes free

- - End Of File - - 4511D803537CEF0BDAC0C6E7C111DB5A

ken545 · Jul 22, 2010

Looking so much better, still need to know about this file

You need to enable windows to show all files and folders, instructions Here

Go to VirusTotal and submit this file for analysis, just use the browse feature and then Send File, you will get a report back, post the report into this thread for me to see. If the site says this file has been checked before, have them check it again

C:\6bg39okp.exe <--This file

If the site is busy you can try this one

http://virusscan.jotti.org/en

How are things running now ?????

dinosaur58 · Jul 23, 2010

Getting there

Running pretty good. Up until the Fcopy run had been getting slow reponses on browser and WinExplorer, but that's all good now. No pop-ups, although I haven't been surfing/googling much. No rogue services/problems with antivirus hanging system. Note that the '6bg39okp.exe' file shows a Gmer mini icon in WinExplorer. Here's the log. D58
WWWWWWWWWWWWWWWWWW
Antivirus Version Last Update Result
AhnLab-V3 2010.07.23.00 2010.07.23 -
AntiVir 8.2.4.26 2010.07.22 -
Antiy-AVL 2.0.3.7 2010.07.22 -
Authentium 5.2.0.5 2010.07.21 -
Avast 4.8.1351.0 2010.07.22 -
Avast5 5.0.332.0 2010.07.22 -
AVG 9.0.0.851 2010.07.23 -
BitDefender 7.2 2010.07.23 -
CAT-QuickHeal 11.00 2010.07.22 -
ClamAV 0.96.0.3-git 2010.07.23 -
Comodo 5512 2010.07.23 -
DrWeb 5.0.2.03300 2010.07.23 -
Emsisoft 5.0.0.34 2010.07.23 -
eSafe 7.0.17.0 2010.07.22 Win32.TrojanHorse
eTrust-Vet 36.1.7729 2010.07.22 -
F-Prot 4.6.1.107 2010.07.23 -
F-Secure 9.0.15370.0 2010.07.23 -
Fortinet 4.1.143.0 2010.07.22 -
GData 21 2010.07.23 -
Ikarus T3.1.1.84.0 2010.07.23 -
Jiangmin 13.0.900 2010.07.22 -
Kaspersky 7.0.0.125 2010.07.23 -
McAfee 5.400.0.1158 2010.07.23 -
McAfee-GW-Edition 2010.1 2010.07.22 -
Microsoft 1.6004 2010.07.23 -
NOD32 5303 2010.07.22 -
Norman 6.05.11 2010.07.22 -
nProtect 2010-07-23.01 2010.07.23 -
Panda 10.0.2.7 2010.07.23 -
PCTools 7.0.3.5 2010.07.23 -
Prevx 3.0 2010.07.23 -
Rising 22.57.03.04 2010.07.22 -
Sophos 4.55.0 2010.07.22 -
Sunbelt 6624 2010.07.23 -
SUPERAntiSpyware 4.40.0.1006 2010.07.23 -
Symantec 20101.1.1.7 2010.07.23 -
TheHacker 6.5.2.1.322 2010.07.20 -
TrendMicro 9.120.0.1004 2010.07.22 -
TrendMicro-HouseCall 9.120.0.1004 2010.07.23 -
VBA32 3.12.12.6 2010.07.22 -
ViRobot 2010.6.21.3896 2010.07.22 -
VirusBuster 5.0.27.0 2010.07.22 -
Additional information
File size: 293376 bytes
MD5...: f80f6e09e7f4bafe478ca0da6137e1e2
SHA1..: 719082766cf4f60c8bdaa2b2c9f6967ecbcf8722
SHA256: 682fd0d13d7caf4b17a1eb9bafa0a3c3598139bb3623d3f5fba3bfbd0a6d424a
ssdeep: 6144:Uwbg2xeuJgWM/S1tm/xCIoQPJVZCzw5bEPb3cV9iYpTkyTFHS2:Uw82IZWM
61tUXRd9IPb3cVZkyp/
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0xb3f40
timedatestamp.....: 0x4b2763f0 (Tue Dec 15 10:24:48 2009)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x6d000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0x6e000 0x47000 0x46200 7.93 7b777c30b7f75e5eb654691bb1616dcb
.rsrc 0xb5000 0x2000 0x1400 3.38 710fb4291f153e98a3a03f3473b8bfd6

( 1 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, ExitProcess

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: UPX compressed Win32 Executable (39.5%)
Win32 EXE Yoda's Crypter (34.3%)
Win32 Executable Generic (11.0%)
Win32 Dynamic Link Library (generic) (9.8%)
Generic Win/DOS Executable (2.5%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: 1, 0, 15, 15281
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
packers (Kaspersky): PE_Patch.UPX, UPX, PE_Patch
packers (F-Prot): UPX

ken545 · Jul 23, 2010

Lets just take a closer look at this one

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:
Code:
```
:file
C:\6bg39okp.exe
```
Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

dinosaur58 · Jul 23, 2010

Latest SystemLook

SystemLook ran fast this time. Here's the log. Off to work again, back in ~9 hrs. D58
WWWWWWWWWW
SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 21:42 on 22/07/2010 by Administrator (Administrator - Elevation successful)

========== file ==========

C:\6bg39okp.exe - File found and opened.
MD5: F80F6E09E7F4BAFE478CA0DA6137E1E2
Created at 11:36 on 07/07/2010
Modified at 11:36 on 07/07/2010
Size: 293376 bytes
Attributes: --a---
FileVersion: 1, 0, 15, 15281

-=End Of File=-

ken545 · Jul 23, 2010

What you can do is just delete the file manually, leave it in your recycle bin for about a week and if no programs scream for it than delete from the RC.

If everything is ok than I will close this thread

dinosaur58 · Jul 23, 2010

Looking good

File deleted. Have tried to reproduce various problems, but so far so good. Go ahead and close it, and once again - Thanks for all your help. D58

ken545 · Jul 23, 2010

Your very welcome,

Take care,
Ken

ken545 · Jul 30, 2010

Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Mfeed.in Redirect Returns

ken545

Emeritus-Security Expert

dinosaur58

New member

ken545

Emeritus-Security Expert

dinosaur58

New member

ken545

Emeritus-Security Expert

dinosaur58

New member

ken545

Emeritus-Security Expert

dinosaur58

New member

ken545

Emeritus-Security Expert

dinosaur58

New member

ken545

Emeritus-Security Expert

dinosaur58

New member

ken545

Emeritus-Security Expert

ken545

Emeritus-Security Expert