PWS:win32/zbot.gen!AC after downloading Free File Opener

Status
Not open for further replies.
Wondering if you can understand the following: doc and settings/all users/documents access denied :police:. As far as I know I am always logged on as admin. This has been inaccessible for at least 2 years. It occurred to me that that might be where all the HD is taken up, so I was wanting to look.

thanks!:)
 
Hello ecosarah

Is this a business/company machine?

I have cancelled the installation, and am hoping you are happy to advise me here
Sounds as though the new version of Avira may not be compatible with the applications you listed. If you want to stick with Avira you'll have to uninstall those other applications.

The HD is full, and I don't know why. It is too full to run defrag.
Let's see if we can find out what is taking up all of the space:

  1. WinDirStat

    • Please download WinDirStat by clicking here and save it to your desktop.
    • Once saved, open the program.
    • Make sure that All Local Drives is selected, then press OK and let it run.
    • Please post a screenshot of the results in your next reply.
 
Cannot get the prtSc to paste into here. Have put it into windows word, and copied from there, same problem.

The laptop is my personal one.

Yes sounds like avira isn't compatible, do you have any advice here: shall I disable the required progs?

thanks,
sarah
 
Hello ecosarah

Yes sounds like avira isn't compatible, do you have any advice here: shall I disable the required progs?
It's really up to you. MBAM and S&D are good programs. I can provide some alternatives to Avira which may allow you to keep them if you wish.

Cannot get the prtSc to paste into here
You need to upload the screenshot to a host such as photobucket, in order to link to it.

Once you run the scan and take a screenshot, it can be pasted into an application such as Paint.

Once pasted into paint, save the screenshot to your desktop as a JPEG file.

Once saved, go to your image host of choice (there are a few available, but I use photobucket) and upload the file into your account.

The screenshot will be displayed in your account. Copy the Direct Link to the image and post it back here.

If you run into any problems just come back and let me know :)
 
Hello ecosarah

Yes please suggest an alternative to Avira
I will once we have taken care of the remaining issues. Until then, please keep your browsing to an absolute minimum.

WinDirStat is hopefully at
It is. Good job :bigthumb:

Have discovered a chunk of the colours is ERDNT backup every day for a number of days: says ERDNT/autobackup...

Don't think I have the space to be backing so much up so often?
Aha, you have ERUNT configured to make daily backups. That may very well be it.

ERUNT is a tool that is used to create backups of your system registry. Once created, the backups are usually stored at %WINDIR%\ERDNT\AutoBackup in the form of a folder named YYYY-MM-DD.

I cannot see how much space is being taken up by the backups from the screenshot you have posted.

How many backups are present and how much space are they taking up?
 
Hi JonTom,

7 folders, with dates as you say, 58.8 MB per folder when I hover over the folder of each date. 17 and 18 March, then 25th onwards to today.:bigthumb:

best wishes,
sarah
 
Hello ecosarah

The majority of file space appears to be taken up by Documents and Settings. It may be worthwhile taking a look in there to see if there are any things that are not required, or that look suspicious.

Let's configure ERUNT to save a smaller number of backups:


  • By default ERUNT will save the last 30 copies of the registry.
  • Go to your Start button > Programs > Startup > Shortcut to AUTOBACK.EXE
  • Right click on > Shortcut to AUTOBACK.EXE and click on properties
  • The Target should already be highlighted
  • Right click on it and choose Copy
  • Paste it into Notepad or Word, it should look something like this: (the path may be different on your computer)

    Code:
    "C:\Program Files\ERUNT\AUTOBACK.EXE" %SystemRoot%\ERDNT\AutoBackup\#Date# /noconfirmdelete /noprogresswindow
  • Now add this to the end: /days:3 (after noprogresswindow - note the space between the "w" and the "/").
  • The number indicates the number of backups being saved; you can set it to whatever you want. 3 is reasonable, but you can make it more or less if you wish.
  • The edited code should now look like this:

    Code:
    "C:\Program Files\ERUNT\AUTOBACK.EXE" %SystemRoot%\ERDNT\AutoBackup\#Date# /noconfirmdelete /noprogresswindow /days:3
  • Go back to the Shortcut to AUTOBACK.EXE, the Target should already be highlighted > hit your delete key > now copy and paste in the new target you created.
  • Make sure the Run: box says Minimized > click Apply and OK to close it out.
  • These automatic backups are stored in the C:\WINDOWS\ERDNT\AutoBackup folder.

Once you have adjusted Erunt to save the number of backups you require, navigate to (and delete) the older ones.

Once deleted empty the recycle bin.

If the above does not help matters let me know in your next reply.
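As an added example (not part of JonTom's post or the ERUNT package), the same check and edit in PowerShell: it lists the dated folders under %SystemRoot%\ERDNT\AutoBackup with their sizes, reads the Startup shortcut's arguments, and appends /days:3 only when no /days switch is present yet. It assumes the shortcut is named "Shortcut to AUTOBACK.EXE.lnk" in the current user's Startup folder and that the backup path is the default one from the post.

```powershell
# Added example, not from the thread: inspect ERUNT's AutoBackup folders and
# the AUTOBACK.EXE startup shortcut, then (with -Apply) add the /days:N switch.
# Assumed names: the shortcut file below and the default backup path.
param(
    [int]$KeepDays = 3,   # value for /days:N, as in the post
    [switch]$Apply        # without -Apply the script only reports
)

$startup   = [Environment]::GetFolderPath('Startup')
$lnkPath   = Join-Path $startup 'Shortcut to AUTOBACK.EXE.lnk'   # assumed name
$backupDir = Join-Path $env:SystemRoot 'ERDNT\AutoBackup'

# 1. Report the existing YYYY-MM-DD backup folders and the space each one uses.
#    PSIsContainer is used instead of -Directory/-File so this also runs on the
#    PowerShell 2.0 that ships for Windows XP.
if (Test-Path $backupDir) {
    $folders = Get-ChildItem $backupDir |
               Where-Object { $_.PSIsContainer -and $_.Name -match '^\d{4}-\d{2}-\d{2}$' } |
               Sort-Object Name
    $total = 0
    foreach ($f in $folders) {
        $bytes = (Get-ChildItem $f.FullName -Recurse |
                  Where-Object { -not $_.PSIsContainer } |
                  Measure-Object Length -Sum).Sum
        if (-not $bytes) { $bytes = 0 }
        $total += $bytes
        '{0}  {1,8:N1} MB' -f $f.Name, ($bytes / 1MB)
    }
    '{0} backups, {1:N1} MB in total' -f $folders.Count, ($total / 1MB)
} else {
    "No AutoBackup folder at $backupDir"
}

# 2. Read the shortcut's target and arguments through the WScript.Shell COM object.
if (-not (Test-Path $lnkPath)) { throw "Shortcut not found: $lnkPath" }
$shell = New-Object -ComObject WScript.Shell
$lnk   = $shell.CreateShortcut($lnkPath)
"Target:    $($lnk.TargetPath)"
"Arguments: $($lnk.Arguments)"

# 3. Append /days:N exactly once, separated by a space from /noprogresswindow.
if ($lnk.Arguments -match '/days:\d+') {
    'A /days switch is already set; nothing to change.'
} elseif ($Apply) {
    $lnk.Arguments   = $lnk.Arguments.TrimEnd() + " /days:$KeepDays"
    $lnk.WindowStyle = 7    # 7 = Minimized, matching the "Run: Minimized" step
    $lnk.Save()
    "Saved. New arguments: $($lnk.Arguments)"
} else {
    "Would append ' /days:$KeepDays' (re-run with -Apply to write it)."
}
```

Run it once without -Apply to confirm the shortcut and folder it found are the ones you expect; deleting the older dated folders is still a manual step, as in the post.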
 
Hello,
have done as suggested. Cannot run defrag as this requires 15% space and I now have 4% space!

Could you tell me where we have got with the Trojan?: I have not been using the computer except to try to ascertain how it is working to answer your questions, as I don't want to take any risks.

I could try running combofix to see if it will run now? Or is there another test you can suggest.

Have looked at docs and settings, have no idea how to tell if something is suspicious. The figures on the files add up to the total: eg music 7.6; pics 3.7; ebooks &vids 1; and other bits and pieces which could make up to 14.7. Then thunderbird is 2.6 (is that high??); all users .5; IBM tools 1; so this could come to 18.7 with the bits and pieces.

Lower down is a folder called 1386 with 462 MB, don't know what this is?

thanks very much for all your help,

sarah
 
Hello ecosarah

Lower down is a folder called 1386 with 462 MB, don't know what this is?
The i386 folder is a required directory and can be left where it is.


Although we have dealt with all of the detections made by ESET, let's try the following:

Please delete the copy of Combofix on your desktop by dragging it to the recycle bin, then empty the bin.

  1. Please make file extensions Visible:

    • Click "Start" Go to My Computer-> Tools-> Folder Options-> View tab:
    • Un check "Hide extensions for known file types" boxes.
    • Close the window with "OK".

    Download a new copy of Combofix from the link below and rename it to jontom.com


    Link

    • Disable all of your security programs and run the renamed Combofix.
    • If the scan completes, please post the log in your next reply.
    • If the scan causes the machine to crash let me know.
 
Hi JonTom,

file extension box was already unticked.

Renamed ComboFix, and it warned me about changing the file extension from .exe to .com (may make it unstable, it said). Followed instructions.

It ran until the bit before the dashes start coming across the screen below the writing about it scanning. The hard drive light stopped flashing, but then the screen went into screen saver (forgot to disable before hand) so I couldn't see what was happening, just that the hard drive light wasn't flashing. After 10 mins or so the laptop tried to standby, however it got stuck. The mouse arrow still moved but nothing happened. I shut it down with the power button.

thanks JonTom,:rockon:

sarah
 
Hello ecosarah

If you use this machine for any financial transactions, and if you have not already done so, please use an uninfected machine to change all of your passwords.

In the meantime I am conferring with others about your system issues. I'll get back to you as soon as I can.
 
Hello ecosarah

Lets try this:

Delete the copy of Combofix on your desktop as you did before and download a new copy to your desktop.

Once Combofix is on your desktop, disable all of your security (and your screensaver).


  • Click on your START button and then on RUN.
  • A run box will open.
  • Copy and paste the following command into the run box:

Combofix /nombr


  • Click on OK.
  • Allow Combofix to run unhindered.
  • If Combofix completes its run, please post the log in your next reply.
 
Keep meaning to say: Avira says it is out of date and my computer is at risk: do you remember I told you it wouldn't update due to some of the programs I have on here? So am wondering whether to do something about this now, so I don't get more malware on here, what do you think?

:) thanks
 
I wonder if there is some antimalware on here that I am not disabling? In the tray is Zone Alarm and Avira. I have checked that Spybot is not on. Could there be a MS prog or something else that I haven't allowed to show in the tray, that is running, and therefore stopping ComboFix?
 
Hello ecosarah

or something to that effect
Please post the exact message.

Could there be a MS prog or something else that I haven't allowed to show in the tray, that is running, and therefore stopping ComboFix?
I do not believe so since Combofix also crashes when in safe mode (all non essential processes are disabled in safe mode).

Please provide a screenshot of the opened Documents and Settings tree opened from WinDirStat.

Remove your outdated Avira then download and install one of the following:

  1. Security programs

    • I have provided links to two trusted programs (just choose one).


    Once you have installed the program open it, update it and perform a full system scan.

    If anything is detected let me know (post the log) along with a new OTL scan.
 
Well the angels have finished singing hallelujah cos I've had a fright when pev.3XE wanted to enter my trusted zone. Checked, and found it is part of ComboFix, and then it took another 15 mins of me holding my breath to come up with.... (fanfare):

ComboFix 12-03-31.03 - 1 Sarah 02/04/2012 9:40.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1526.1005 [GMT 1:00]
Running from: c:\documents and settings\1 Sarah\Desktop\ComboFix.exe
Command switches used :: /nombr
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
AV: AVG *Disabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Free Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\1 Sarah\Application Data\Desktopicon
c:\documents and settings\1 Sarah\Application Data\Desktopicon\eBay.ico
c:\documents and settings\1 Sarah\Application Data\Desktopicon\uninst.exe
c:\documents and settings\1 Sarah\WINDOWS
c:\documents and settings\All Users\Application Data\TEMP
c:\program files\IBM\Updater\ucstartup.exe
c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI
c:\windows\system32\CF11881.exe
c:\windows\system32\drivers\etc\hosts.ics
c:\windows\system32\pwdmon.dll
c:\windows\system32\regobj.dll
c:\windows\system32\TPAPSLOG.LOG
c:\windows\system32\TPHDLOG0.LOG
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_npf
.
.
((((((((((((((((((((((((( Files Created from 2012-03-02 to 2012-04-02 )))))))))))))))))))))))))))))))
.
.
2012-03-29 17:50 . 2012-03-29 17:50 -------- d-----w- c:\program files\WinDirStat
2012-03-28 17:59 . 2012-03-28 17:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2012-03-27 22:34 . 2012-03-27 22:34 -------- d-----w- c:\program files\ESET
2012-03-25 14:07 . 2012-03-25 14:07 -------- dc----w- C:\_OTL
2012-03-18 02:28 . 2012-03-18 02:28 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2012-03-17 22:44 . 2012-01-31 12:44 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-03-17 22:41 . 2012-03-17 22:41 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
2012-03-17 18:34 . 2012-03-17 18:34 -------- d-----w- c:\program files\ERUNT
2012-03-17 08:39 . 2012-03-17 08:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Trusteer
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-03 09:22 . 1980-01-01 07:00 1860096 ------w- c:\windows\system32\win32k.sys
2012-01-11 19:06 . 2012-02-20 18:26 3072 ------w- c:\windows\system32\iacenc.dll
2012-01-09 16:20 . 2004-08-09 17:51 139784 ------w- c:\windows\system32\drivers\rdpwd.sys
2009-03-11 19:23 . 2009-03-11 19:15 69076264 -c--a-w- c:\program files\iTunesSetup.exe
2009-02-22 20:52 . 2009-02-22 20:52 270128 -c--a-w- c:\program files\utorrent.exe
2006-10-17 19:52 . 2006-10-17 19:52 2855080 -c----w- c:\program files\aawsepersonal.exe
2005-11-01 12:14 . 2005-11-01 12:12 1148416 -c----w- c:\program files\PA082.exe
2012-01-10 14:18 . 2012-01-10 14:18 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TpShocks"="TpShocks.exe" [2005-01-24 106496]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2004-02-05 897024]
"TPHOTKEY"="c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2005-03-04 94208]
"TP4EX"="tp4ex.exe" [2004-11-12 40960]
"QCWLICON"="c:\program files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2005-03-18 86016]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2005-01-21 135168]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2004-11-24 212992]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-09-02 127035]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-12-24 281768]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2011-11-03 738944]
"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2011-12-18 73360]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-07-01 273544]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\1 Sarah\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2004-11-04 16:51 108636 ------w- c:\program files\IBM fingerprint software\psfus.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
2005-03-18 10:07 262144 ------w- c:\windows\system32\QConGina.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2004-08-13 03:11 24576 ------w- c:\windows\system32\tphklock.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ibmmessages
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\IBM\\Updater\\jre\\bin\\java.exe"=
"c:\\Program Files\\IBM\\Updater\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\IBM\\Updater\\ucsmb.exe"=
"c:\\Program Files\\Microsoft Office\\Office\\WINWORD.EXE"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Sony Ericsson\\Update Engine\\Sony Ericsson Update Engine.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\explorer.exe"= %windir%\explorer.exe
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R0 TPDiskPM;TPDiskPM;c:\windows\system32\drivers\TPDiskPM.sys [15/08/2005 20:07 14208]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/04/2010 21:31 136360]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [03/11/2011 15:44 27016]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [03/11/2011 15:44 497280]
R2 PassThru Service;Internet Pass-Through Service;c:\program files\HTC\Internet Pass-Through\PassThruSvr.exe [12/08/2011 18:13 87040]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [24/12/2010 21:20 27632]
R3 TPInput;TPInput;c:\windows\system32\drivers\TPInput.sys [15/08/2005 20:07 6016]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [15/02/2012 14:30 158856]
S3 APL531;Hercules Dualpix HD Webcam;c:\windows\system32\drivers\HDvidv.sys [24/09/2011 21:22 285952]
S3 camfilt2;camfilt2;c:\windows\system32\drivers\camfilt2.sys [24/09/2011 21:22 103720]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [24/12/2009 21:59 13224]
S3 GT72NDISIPXP;GT 72 IP NDIS;c:\windows\system32\drivers\Gt51Ip.sys [13/11/2007 16:50 106624]
S3 GT72UBUS;GT 72 U BUS;c:\windows\system32\drivers\gt72ubus.sys [09/10/2007 13:53 59648]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [30/12/2011 14:27 24576]
S3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\drivers\htcnprot.sys [22/06/2010 19:01 21248]
S3 iadusb;MT882;c:\windows\system32\DRIVERS\glauiad.sys --> c:\windows\system32\DRIVERS\glauiad.sys [?]
S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [15/08/2005 20:27 12288]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [26/01/2011 18:00 235648]
S3 s0017bus;Sony Ericsson Device 0017 driver (WDM);c:\windows\system32\drivers\s0017bus.sys [04/05/2011 21:16 86824]
S3 s0017mdfl;Sony Ericsson Device 0017 USB WMC Modem Filter;c:\windows\system32\drivers\s0017mdfl.sys [04/05/2011 21:16 15016]
S3 s0017mdm;Sony Ericsson Device 0017 USB WMC Modem Driver;c:\windows\system32\drivers\s0017mdm.sys [04/05/2011 21:16 114600]
S3 s0017mgmt;Sony Ericsson Device 0017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0017mgmt.sys [04/05/2011 21:16 108328]
S3 s0017nd5;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (NDIS);c:\windows\system32\drivers\s0017nd5.sys [04/05/2011 21:16 26024]
S3 s0017obex;Sony Ericsson Device 0017 USB WMC OBEX Interface;c:\windows\system32\drivers\s0017obex.sys [04/05/2011 21:16 104616]
S3 s0017unic;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (WDM);c:\windows\system32\drivers\s0017unic.sys [04/05/2011 21:16 109736]
S3 s115bus;Sony Ericsson Device 115 driver (WDM);c:\windows\system32\drivers\s115bus.sys [31/12/2009 14:28 83208]
S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;c:\windows\system32\drivers\s115mdfl.sys [23/04/2007 14:54 15112]
S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;c:\windows\system32\drivers\s115mdm.sys [23/04/2007 14:54 108680]
S3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s115mgmt.sys [31/12/2009 14:28 100488]
S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;c:\windows\system32\drivers\s115obex.sys [23/04/2007 14:54 98568]
S3 s3017bus;Sony Ericsson Device 3017 driver (WDM);c:\windows\system32\drivers\s3017bus.sys [23/09/2010 12:09 83880]
S3 s3017mdfl;Sony Ericsson Device 3017 USB WMC Modem Filter;c:\windows\system32\drivers\s3017mdfl.sys [23/09/2010 12:09 15016]
S3 s3017mdm;Sony Ericsson Device 3017 USB WMC Modem Driver;c:\windows\system32\drivers\s3017mdm.sys [23/09/2010 12:09 110632]
S3 s3017mgmt;Sony Ericsson Device 3017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s3017mgmt.sys [23/09/2010 12:09 104616]
S3 s3017nd5;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (NDIS);c:\windows\system32\drivers\s3017nd5.sys [23/09/2010 12:09 25512]
S3 s3017obex;Sony Ericsson Device 3017 USB WMC OBEX Interface;c:\windows\system32\drivers\s3017obex.sys [23/09/2010 12:09 100648]
S3 s3017unic;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (WDM);c:\windows\system32\drivers\s3017unic.sys [23/09/2010 12:09 110120]
S3 Sony Ericsson PCCompanion;Sony Ericsson PCCompanion;c:\program files\Sony Ericsson\Sony Ericsson PC Companion\PCCService.exe [04/05/2011 20:24 155344]
S4 GtDetectSc;GtDetectSc;c:\program files\Option\GlobeTrotter Connect\GtDetectSc.exe [02/04/2009 16:52 543744]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [19/10/2009 08:42 133104]
S4 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [19/10/2009 08:42 133104]
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 16:57]
.
2012-04-02 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2005-08-15 08:00]
.
2012-04-02 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3694052557-2359500833-1512941615-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 09:47]
.
2012-03-29 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3694052557-2359500833-1512941615-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 09:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.saynoto0870.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: Send To &Bluetooth - c:\program files\IBM\Bluetooth Software\btsendto_ie_ctx.htm
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\1 Sarah\Application Data\Mozilla\Firefox\Profiles\wyor7n6s.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2516768&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://www.saynoto0870.com/numbersearch.php
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-UC_Start - c:\program files\IBM\Updater\\ucstartup.exe
AddRemove-eBay Icon - c:\documents and settings\1 Sarah\Application Data\Desktopicon\uninst.exe
AddRemove-{27310A4F-6A97-43C0-928C-FE5313B9949B} - c:\documents and settings\All Users\Application Data\{5BD198FE-6337-4D45-AAF8-F81D83B87D05}\FFOv2011-8_Setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-02 09:57
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(712)
c:\program files\IBM fingerprint software\psfus.dll
c:\program files\Common Files\Virtual Token\psutil.dll
c:\windows\system32\tphklock.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
- - - - - - - > 'lsass.exe'(768)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
- - - - - - - > 'explorer.exe'(4056)
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Virtual Token\vtserver.exe
c:\windows\system32\ibmpmsvc.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\System32\QCONSVC.EXE
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\System32\TPHDEXLG.EXE
c:\windows\system32\TpKmpSVC.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\system32\TpShocks.exe
c:\windows\system32\rundll32.exe
c:\program files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
c:\program files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
.
**************************************************************************
.
Completion time: 2012-04-02 10:25:21 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-02 09:25
.
Pre-Run: 1,439,768,576 bytes free
Post-Run: 1,326,112,768 bytes free
.
- - End Of File - - 624A43909A18EB03BE1736D6FBC8BA6C
 
What I did was copy/paste the command into Run and an extra space at the end (I had the middle one in before) came up and it ran!! phew!!

After the log came up I opened Firefox and got this msg: firefox is not currently set as your default browser...

It has been set for years, so I wonder how it got unset during or after running combofix - is this normal?

do you still want screen print of docs and settings?
 
Hello ecosarah

Great job with Combofix :crowned:

is this normal?
Yes. You can select firefox as your default browser once we are done.

do you still want screen print of docs and settings?
Yes please, along with the following:

Do you recognise the following file: c:\program files\PA082.exe ?


  1. Please scan the following files


    • On the page you'll find a "Choose File" button.
    • Click on the Choose File button.
    • In the File Upload window which opens, copy and paste this into the File Name box.


    c:\program files\PA082.exe

    • Next, click the Open button.
    • Then click the "Send File" button just below.
    • This will scan the file. Please be patient.
    • If you get a message saying File has already been analyzed: click Reanalyze file now.

    Post the link to the Virus total results page in your next reply along with the link to the documents and settings screenshot.
 