Unknown Virus

Unknown Virus

Post by illegit on 28th December 2009, 7:14 pm

Hello,
Recently a family member notified me about a virus on their computer and asked me to help. The problem is whenever I boot up my computer it would reach the login screen, I would input the password and then it would load up one window folder but the background is black. I need to use Task Manager to run a new task and in the "run" box I need to put "explorer" in order to load up my desktop. However, after that everything else runs fine (from what I'm told). All the programs work and the computer runs smoothly. I just downloaded MBAM and tried updating but got an error, and instead I'm just running the quick scan and will accompany this post with the logs later.

Malwarebytes' Anti-Malware 1.42
Database version: 3289
Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

12/28/2009 11:13:52 AM
mbam-log-2009-12-28 (11-13-52).txt

Scan type: Quick Scan
Objects scanned: 100463
Time elapsed: 3 minute(s), 24 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
C:\Windows\essledv.exe (Spyware.Passwords) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\idid (Trojan.Sasfix) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ttool (Spyware.Passwords) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (explorer.exe rundll32.exe ahwa.ulo xgkfbr) Good: (Explorer.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\essledv.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\Windows\System32\ahwa.ulo (Backdoor.Bot) -> Quarantined and deleted successfully.

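A defender's check for the two registry values the MBAM log above reports as hijacked, as an added example (not code from the original post or from Malwarebytes): it parses the "Registry Data Items Infected" lines and flags a Winlogon Shell value that is anything other than a bare explorer.exe, and a SHOWALL\CheckedValue other than 1. The sample lines are constructed from the log above, and the live-registry function is an assumption for Windows use only.

```python
"""Audit the two registry values the MBAM log above reports as hijacked:
the Winlogon Shell value (the program Winlogon starts as the desktop) and
Explorer's SHOWALL\\CheckedValue (whether "Show hidden files" can be enabled).
Works offline on MBAM log text; on Windows it can also read the live values."""
import re
import shlex
import sys

# Constructed sample: the two "Registry Data Items Infected" lines from the log above.
MBAM_SAMPLE = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell "
    "(Hijack.Shell) -> Bad: (explorer.exe rundll32.exe ahwa.ulo xgkfbr) "
    "Good: (Explorer.exe) -> Quarantined and deleted successfully.\n"
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"
    r"\Advanced\Folder\Hidden\SHOWALL\CheckedValue "
    "(Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.\n"
)

# One MBAM "registry data item" line: key (detection) -> Bad: (x) Good: (y) -> ...
MBAM_DATA_RE = re.compile(
    r"^(?P<key>HKEY_.+?) \((?P<detection>[^()]+)\) -> Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) ->"
)


def parse_mbam_data_items(log_text):
    """Return (key, detection, bad, good) for each data-item line in an MBAM log."""
    items = []
    for line in log_text.splitlines():
        m = MBAM_DATA_RE.match(line.strip())
        if m:
            items.append((m["key"], m["detection"], m["bad"], m["good"]))
    return items


def shell_findings(shell_value):
    """Findings for a Winlogon Shell value. A stock system carries explorer.exe
    on its own; Winlogon accepts a comma-separated list, so each entry is
    checked separately and any extra command text is reported."""
    findings = []
    entries = 0
    for entry in shell_value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        entries += 1
        try:
            tokens = shlex.split(entry, posix=False)  # keeps quoted paths together
        except ValueError:  # unbalanced quote: fall back to plain whitespace split
            tokens = entry.split()
        program = tokens[0].strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
        extra = tokens[1:]
        if program != "explorer.exe":
            findings.append(f"non-standard shell program: {tokens[0]}")
        if extra:
            findings.append(f"{program} followed by extra command text: {' '.join(extra)}")
    if entries == 0:
        findings.append("Shell value is empty")
    return findings


def showall_findings(checked_value):
    """CheckedValue must be 1 for the 'Show hidden files and folders' option to take effect."""
    text = str(checked_value).strip()
    try:
        value = int(text, 16) if text.lower().startswith("0x") else int(text)
    except ValueError:
        return [f"SHOWALL\\CheckedValue is not numeric: {text!r}"]
    if value == 1:
        return []
    return [f"SHOWALL\\CheckedValue is {value}, expected 1 (hidden files cannot be revealed)"]


def audit_mbam_log(log_text):
    """Apply both checks to the Bad: values MBAM reported; dict keyed by registry value."""
    results = {}
    for key, _detection, bad, _good in parse_mbam_data_items(log_text):
        lowered = key.lower()
        if lowered.endswith(r"\winlogon\shell"):
            results[key] = shell_findings(bad)
        elif lowered.endswith(r"\showall\checkedvalue"):
            results[key] = showall_findings(bad)
    return results


def audit_live_registry():
    """Assumed helper for Windows: read the two live values and apply the same checks."""
    if sys.platform != "win32":
        raise OSError("live registry audit needs Windows")
    import winreg
    results = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon") as k:
        try:
            shell, _ = winreg.QueryValueEx(k, "Shell")
        except FileNotFoundError:
            shell = "explorer.exe"  # absent value: Winlogon falls back to explorer.exe
    results["Shell"] = shell_findings(shell)
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"
                        r"\Advanced\Folder\Hidden\SHOWALL") as k:
        checked, _ = winreg.QueryValueEx(k, "CheckedValue")
    results["CheckedValue"] = showall_findings(checked)
    return results


if __name__ == "__main__":
    for key, found in audit_mbam_log(MBAM_SAMPLE).items():
        print(key)
        for finding in found or ["ok"]:
            print("   ", finding)
```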

Re: Unknown Virus

Post by illegit on 28th December 2009, 7:28 pm

After I ran MBAM and restarted my computer as I was prompted to do, my computer booted up correctly after the login screen. Here is the HijackThis log after I did a scan.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:27:24 AM, on 12/28/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18319)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Pando Networks\Media Booster\PMB.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Pidgin\pidgin.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "c:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [Pando Media Booster] C:\Program Files\Pando Networks\Media Booster\PMB.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Xobni\Skype4Com.dll
O23 - Service: Andrea RT Filters Service (AERTFilters) - Andrea Electronics Corporation - C:\Windows\system32\AERTSrv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
O23 - Service: ASKUpgrade - Unknown owner - C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XobniService - Xobni Corporation - C:\Program Files\Xobni\XobniService.exe

--
End of file - 6772 bytes


Re: Unknown Virus

Post by Belahzur on 28th December 2009, 7:44 pm

Hello.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both of the reports to your Desktop.
  • Copy and paste BOTH LOGS back here, use more than one post if needed.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: Unknown Virus

Post by illegit on 28th December 2009, 8:25 pm

I only received one long log:

DDS (Ver_09-12-01.01) - NTFSx86
Run by Eric at 12:23:40.30 on Mon 12/28/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.2012.812 [GMT -8:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k none
C:\Windows\system32\AERTSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AskBarDis\bar\bin\AskService.exe
C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Xobni\XobniService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Pando Networks\Media Booster\PMB.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Pidgin\pidgin.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Heroes of Newerth\hon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Eric\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uWindow Title = Internet Explorer provided by Dell
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\progra~1\java\jre16~1.0_0\bin\ssv.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\xobni\Skype4COM.dll
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\eric\appdata\roaming\mozilla\firefox\profiles\xcqc4kti.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\programdata\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\users\eric\appdata\local\yahoo!\browserplus\2.4.21\plugins\npybrowserplus_2.4.21.dll
FF - hidden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2009-12-6 81920]
R2 ASKService;ASKService;c:\program files\askbardis\bar\bin\AskService.exe [2009-8-24 464264]
R2 ASKUpgrade;ASKUpgrade;c:\program files\askbardis\bar\bin\ASKUpgrade.exe [2009-8-24 234888]
R2 RtNdPt60;Realtek NDIS Protocol Driver;c:\windows\system32\drivers\RtNdPt60.sys [2009-2-19 27648]
R2 XobniService;XobniService;c:\program files\xobni\XobniService.exe [2009-5-6 46824]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2009-12-6 112128]
S2 kysedsifo;hzfrfwiv;c:\windows\system32\svchost.exe -k netsvcs [2008-1-20 21504]

=============== Created Last 30 ================

2009-12-28 19:27:14 0 d-----w- c:\program files\Trend Micro
2009-12-28 19:15:04 4096 ----a-w- c:\windows\system32\05B1B.tmp
2009-12-28 19:09:01 0 d-----w- c:\users\eric\appdata\roaming\Malwarebytes
2009-12-28 19:08:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-28 19:08:57 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-28 19:08:57 0 d-----w- c:\programdata\Malwarebytes
2009-12-28 19:08:57 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-28 19:04:11 4096 ----a-w- c:\windows\system32\05B0A.tmp
2009-12-28 17:16:19 4096 ----a-w- c:\windows\system32\05994.tmp
2009-12-28 17:00:06 4096 ----a-w- c:\windows\system32\07898.tmp
2009-12-28 16:51:28 4096 ----a-w- c:\windows\system32\07ABA.tmp
2009-12-28 05:34:55 4096 ----a-w- c:\windows\system32\09CBB.tmp
2009-12-21 00:00:12 4096 ----a-w- c:\windows\system32\09C2F.tmp
2009-12-17 16:48:08 4096 ----a-w- c:\windows\system32\0A13D.tmp
2009-12-15 05:55:29 4096 ----a-w- c:\windows\system32\09F4A.tmp
2009-12-14 02:32:48 0 d-----w- c:\users\eric\appdata\roaming\mIRC
2009-12-14 02:32:48 0 d-----w- c:\program files\mIRC
2009-12-11 06:36:22 4096 ----a-w- c:\windows\system32\099CE.tmp
2009-12-09 08:26:32 4096 ----a-w- c:\windows\system32\06A6D.tmp
2009-12-08 11:24:19 2048 ----a-w- c:\windows\system32\tzres.dll
2009-12-08 11:06:47 97800 ----a-w- c:\windows\system32\infocardapi.dll
2009-12-08 11:06:47 622080 ----a-w- c:\windows\system32\icardagt.exe
2009-12-08 11:06:47 43544 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2009-12-08 11:06:47 37384 ----a-w- c:\windows\system32\infocardcpl.cpl
2009-12-08 11:06:47 11264 ----a-w- c:\windows\system32\icardres.dll
2009-12-08 11:06:47 105016 ----a-w- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-12-08 11:06:46 781344 ----a-w- c:\windows\system32\PresentationNative_v0300.dll
2009-12-08 11:06:45 326160 ----a-w- c:\windows\system32\PresentationHost.exe
2009-12-08 11:02:42 96760 ----a-w- c:\windows\system32\dfshim.dll
2009-12-08 11:02:40 41984 ----a-w- c:\windows\system32\netfxperf.dll
2009-12-08 11:02:40 282112 ----a-w- c:\windows\system32\mscoree.dll
2009-12-08 11:02:35 158720 ----a-w- c:\windows\system32\mscorier.dll
2009-12-08 11:02:33 83968 ----a-w- c:\windows\system32\mscories.dll
2009-12-08 03:50:38 0 d-----w- c:\program files\Ventrilo
2009-12-08 03:50:37 262 ----a-w- c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
2009-12-08 03:49:58 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-12-07 17:11:18 12240896 ----a-w- c:\windows\system32\NlsLexicons0007.dll
2009-12-07 17:11:16 2644480 ----a-w- c:\windows\system32\NlsLexicons0009.dll
2009-12-07 17:11:09 801280 ----a-w- c:\windows\system32\NaturalLanguage6.dll
2009-12-07 16:49:53 361984 ----a-w- c:\windows\system32\IPSECSVC.DLL
2009-12-07 16:49:52 241152 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2009-12-07 16:49:47 897608 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-12-07 16:49:46 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-12-07 16:49:46 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-12-07 16:49:46 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-12-07 16:49:46 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-12-07 16:49:46 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-12-07 16:49:46 17920 ----a-w- c:\windows\system32\netevent.dll
2009-12-07 16:49:46 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-12-07 16:49:46 104960 ----a-w- c:\windows\system32\netiohlp.dll
2009-12-07 16:49:46 10240 ----a-w- c:\windows\system32\finger.exe
2009-12-07 16:47:10 71680 ----a-w- c:\windows\system32\atl.dll
2009-12-07 16:47:08 296960 ----a-w- c:\windows\system32\gdi32.dll
2009-12-07 16:47:04 3597896 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-07 16:47:04 3546184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-07 16:46:35 562176 ----a-w- c:\windows\system32\msdtcprx.dll
2009-12-07 16:46:35 38912 ----a-w- c:\windows\system32\xolehlp.dll
2009-12-07 16:46:30 212480 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2009-12-07 16:46:22 160256 ----a-w- c:\windows\system32\wkssvc.dll
2009-12-07 16:46:18 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-12-07 16:46:15 269312 ----a-w- c:\windows\system32\es.dll
2009-12-07 16:46:12 303616 ----a-w- c:\windows\system32\wmpeffects.dll
2009-12-07 16:46:10 1191936 ----a-w- c:\windows\system32\msxml3.dll
2009-12-07 16:46:07 714240 ----a-w- c:\windows\system32\timedate.cpl
2009-12-07 16:44:45 615424 ----a-w- c:\windows\system32\wbem\fastprox.dll
2009-12-07 16:43:58 443392 ----a-w- c:\windows\system32\win32spl.dll
2009-12-07 16:42:41 996352 ----a-w- c:\windows\system32\WMNetMgr.dll
2009-12-07 16:42:41 94720 ----a-w- c:\windows\system32\logagent.exe
2009-12-07 16:42:29 90112 ----a-w- c:\windows\system32\wshext.dll
2009-12-07 16:42:29 430080 ----a-w- c:\windows\system32\vbscript.dll
2009-12-07 16:42:29 155648 ----a-w- c:\windows\system32\wscript.exe
2009-12-07 16:42:29 135168 ----a-w- c:\windows\system32\wshom.ocx
2009-12-07 16:42:28 180224 ----a-w- c:\windows\system32\scrobj.dll
2009-12-07 16:42:28 172032 ----a-w- c:\windows\system32\scrrun.dll
2009-12-07 16:42:28 135168 ----a-w- c:\windows\system32\cscript.exe
2009-12-06 21:56:22 20 --sh--w- c:\users\eric\ntuser.ini
2009-12-06 21:37:40 21316 ----a-w- c:\windows\system32\emptyregdb.dat
2009-12-06 21:23:43 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-12-06 21:23:40 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-12-06 21:23:37 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-12-06 21:23:37 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-12-06 21:21:00 0 d-----w- c:\windows\system32\RTCOM
2009-12-06 21:12:59 87040 ----a-w- c:\windows\system32\AERTARen.dll
2009-12-06 21:11:34 0 d-----w- c:\windows\system32\OEM
2009-12-06 21:11:33 22 ---ha-r- c:\windows\dell_version
2009-12-06 21:05:36 0 d--h--w- C:\$WINDOWS.~Q
2009-12-06 21:03:20 0 d--h--w- C:\$INPLACE.~TR
2009-12-06 20:59:50 8192 --s-a-r- C:\BOOTSECT.BAK
2009-12-06 20:38:08 1887 ----a-w- c:\windows\diagwrn.xml
2009-12-06 20:38:08 1887 ----a-w- c:\windows\diagerr.xml
2009-12-06 02:29:21 4096 ----a-w- c:\windows\system32\0FC86.tmp
2009-12-05 01:50:12 4096 ----a-w- c:\windows\system32\0CA80.tmp
2009-12-02 16:21:37 65536 ----a-w- c:\windows\IFinst27.exe
2009-12-02 02:37:46 4096 ----a-w- c:\windows\system32\08E0C.tmp
2009-11-30 18:45:28 4096 ----a-w- c:\windows\system32\09EDD.tmp
2009-11-30 16:17:16 4096 ----a-w- c:\windows\system32\0AB2C.tmp
2009-11-30 16:14:10 4096 ----a-w- c:\windows\system32\087AB.tmp
2009-11-30 11:15:38 0 ----a-w- c:\users\eric\.recently-used.xbel.7WZ43U
2009-11-30 07:20:01 4096 ----a-w- c:\windows\system32\09D19.tmp
2009-11-30 04:16:33 4096 ----a-w- c:\windows\system32\06AA9.tmp
2009-11-29 03:22:39 4096 ----a-w- c:\windows\system32\0778F.tmp
2009-11-29 02:25:21 4096 ----a-w- c:\windows\system32\0C122.tmp

==================== Find3M ====================

2009-12-08 11:46:27 86016 ----a-w- c:\windows\inf\infstor.dat
2009-12-08 11:46:27 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-12-08 11:46:27 51200 ----a-w- c:\windows\inf\infpub.dat
2009-12-08 11:46:27 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-11-28 01:30:52 4096 ----a-w- c:\windows\system32\07DE5.tmp
2009-11-26 06:10:17 4096 ----a-w- c:\windows\system32\08EC7.tmp
2009-11-24 07:24:47 4096 ----a-w- c:\windows\system32\0A266.tmp
2009-11-23 01:04:20 4096 ----a-w- c:\windows\system32\0CF3F.tmp
2009-11-21 04:56:23 4096 ----a-w- c:\windows\system32\0821A.tmp
2009-11-20 19:14:37 4096 ----a-w- c:\windows\system32\0F085.tmp
2009-11-20 01:31:02 4096 ----a-w- c:\windows\system32\0B309.tmp
2009-11-19 22:19:59 4096 ----a-w- c:\windows\system32\022EA.tmp
2009-11-19 03:57:18 4096 ----a-w- c:\windows\system32\0BB34.tmp
2009-11-18 01:46:51 4096 ----a-w- c:\windows\system32\097FA.tmp
2009-11-17 03:08:24 4096 ----a-w- c:\windows\system32\09CAB.tmp
2009-11-16 03:30:39 4096 ----a-w- c:\windows\system32\08F82.tmp
2009-11-14 04:44:56 4096 ----a-w- c:\windows\system32\05B1A.tmp
2009-11-13 04:14:55 4096 ----a-w- c:\windows\system32\07CDD.tmp
2009-11-03 04:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2008-01-21 02:57:01 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:39:34 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:39:34 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:39:34 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:39:34 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-02-13 08:49:05 161768 --sha-r- c:\windows\system32\ehohhje.dll
2009-02-19 18:32:32 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 12:24:27.10 ===============


Re: Unknown Virus

Post by illegit on 28th December 2009, 8:26 pm

Never mind, here is the second log:


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft® Windows Vista™ Home Basic
Boot Device: \Device\HarddiskVolume3
Install Date: 12/6/2009 1:44:09 PM
System Uptime: 12/28/2009 11:14:41 AM (1 hours ago)

Motherboard: Dell Inc. | | 0P301D
Processor: Pentium(R) Dual-Core CPU E5200 @ 2.50GHz | Socket 775 | 2495/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 218 GiB total, 103.563 GiB free.
D: is FIXED (NTFS) - 15 GiB total, 10.085 GiB free.
E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================


==== Installed Programs ======================

Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9
Apple Mobile Device Support
Apple Software Update
Bonjour
Business Tools Launcher
Choice Guard
Combined Community Codec Pack 2008-09-21 16:18
Counter-Strike
Dell Getting Started Guide
Dell Support Center
Deluge 1.2.0_rc3
DFOLauncher
EDocs
EternityRO
EZGet
Full Tilt Poker
GTK+ Runtime 2.14.6 rev a (remove only)
GTK2-Runtime
Heroes of Newerth
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Intel® Matrix Storage Manager
iTunes
Java(TM) 6 Update 7
Junk Mail filter update
Malwarebytes' Anti-Malware
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Office Professional Edition 2003
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C++ 2005 Redistributable
mIRC
Mozilla Firefox (3.5.6)
MSVCRT
Pando Media Booster
Personal Entertainment Launcher
Pidgin
PowerDVD
Product Support Launcher
QuickTime
Ragnarok Online
Ragnarok Renewal
Realtek Ethernet Network Card Diagnostic tool for Windows Vista
Realtek High Definition Audio Driver
Roxio Activation Module
Roxio Creator Audio
Roxio Creator BDAV Plugin
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Express Labeler 3
Roxio Update Manager
Sonic CinePlayer Decoder Pack
Starcraft
Steam
Team Fortress 2
TuneUp Companion 1.5.9
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Ventrilo Client
Visual C++ 8.0 ATL (x86) WinSXS MSM
Visual C++ 8.0 CRT (x86) WinSXS MSM
VLC media player 1.0.2
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer
Windows Media Player Firefox Plugin
WinRAR archiver
Xobni
Xobni Core
Xvid 1.2.2 final uninstall
Yahoo! BrowserPlus

==== End Of File ===========================


Re: Unknown Virus

Post by Belahzur on 28th December 2009, 10:02 pm

1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to svchost as follows:


3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. We need to disable your local AV (Anti-virus) before running Combofix.

  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on svchost.exe.
  • Follow the prompts. NOTE:
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse click combofix's window whilst it's running. That may cause it to stall.





Re: Unknown Virus

Post by illegit on 29th December 2009, 5:26 pm

ComboFix 09-12-28.06 - Eric 12/29/2009 9:12.1.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.2012.1094 [GMT -8:00]
Running from: c:\users\Eric\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-29 )))))))))))))))))))))))))))))))
.

2009-12-29 17:16 . 2009-12-29 17:16 -------- d-----w- c:\users\Eric\AppData\Local\temp
2009-12-28 19:27 . 2009-12-28 19:27 -------- d-----w- c:\program files\Trend Micro
2009-12-28 19:09 . 2009-12-28 19:09 -------- d-----w- c:\users\Eric\AppData\Roaming\Malwarebytes
2009-12-28 19:08 . 2009-12-04 00:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-28 19:08 . 2009-12-28 19:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-28 19:08 . 2009-12-28 19:08 -------- d-----w- c:\programdata\Malwarebytes
2009-12-28 19:08 . 2009-12-04 00:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-17 02:39 . 2009-12-17 02:39 2157 ----a-w- c:\users\Eric\AppData\Roaming\.purple\certificates\x509\tls_peers\omega.contacts.msn.com
2009-12-14 02:32 . 2009-12-14 06:49 -------- d-----w- c:\users\Eric\AppData\Roaming\mIRC
2009-12-14 02:32 . 2009-12-14 02:32 -------- d-----w- c:\program files\mIRC
2009-12-08 11:24 . 2009-10-29 09:41 2048 ----a-w- c:\windows\system32\tzres.dll
2009-12-08 11:06 . 2008-06-20 01:14 43544 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2009-12-08 11:06 . 2008-06-20 01:14 105016 ----a-w- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-12-08 11:06 . 2008-06-20 01:14 97800 ----a-w- c:\windows\system32\infocardapi.dll
2009-12-08 11:06 . 2008-06-20 01:14 11264 ----a-w- c:\windows\system32\icardres.dll
2009-12-08 11:06 . 2008-06-20 01:14 622080 ----a-w- c:\windows\system32\icardagt.exe
2009-12-08 11:06 . 2008-06-20 01:14 781344 ----a-w- c:\windows\system32\PresentationNative_v0300.dll
2009-12-08 11:06 . 2008-06-20 01:14 326160 ----a-w- c:\windows\system32\PresentationHost.exe
2009-12-08 11:02 . 2008-07-27 18:03 96760 ----a-w- c:\windows\system32\dfshim.dll
2009-12-08 11:02 . 2008-07-27 18:03 41984 ----a-w- c:\windows\system32\netfxperf.dll
2009-12-08 11:02 . 2008-07-27 18:03 282112 ----a-w- c:\windows\system32\mscoree.dll
2009-12-08 11:02 . 2008-07-27 18:03 158720 ----a-w- c:\windows\system32\mscorier.dll
2009-12-08 11:02 . 2008-07-27 18:03 83968 ----a-w- c:\windows\system32\mscories.dll
2009-12-08 03:50 . 2009-12-08 03:50 -------- d-----w- c:\program files\Ventrilo
2009-12-08 03:49 . 2009-12-08 03:49 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-07 17:11 . 2008-06-26 01:45 12240896 ----a-w- c:\windows\system32\NlsLexicons0007.dll
2009-12-07 17:11 . 2008-06-26 01:45 2644480 ----a-w- c:\windows\system32\NlsLexicons0009.dll
2009-12-07 17:11 . 2008-06-26 03:29 801280 ----a-w- c:\windows\system32\NaturalLanguage6.dll
2009-12-07 16:49 . 2008-06-19 03:31 361984 ----a-w- c:\windows\system32\IPSECSVC.DLL
2009-12-07 16:49 . 2008-10-22 03:57 241152 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2009-12-07 16:49 . 2009-08-14 17:07 897608 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-12-07 16:49 . 2009-08-14 16:29 17920 ----a-w- c:\windows\system32\netevent.dll
2009-12-07 16:49 . 2009-08-14 16:29 104960 ----a-w- c:\windows\system32\netiohlp.dll
2009-12-07 16:49 . 2009-08-14 14:16 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-12-07 16:49 . 2009-08-14 14:16 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-12-07 16:49 . 2009-08-14 14:16 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-12-07 16:49 . 2009-08-14 14:16 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-12-07 16:49 . 2009-08-14 14:16 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-12-07 16:49 . 2009-08-14 14:16 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-12-07 16:49 . 2009-08-14 14:16 10240 ----a-w- c:\windows\system32\finger.exe
2009-12-07 16:47 . 2009-07-17 14:35 71680 ----a-w- c:\windows\system32\atl.dll
2009-12-07 16:47 . 2008-10-21 05:25 296960 ----a-w- c:\windows\system32\gdi32.dll
2009-12-07 16:47 . 2009-08-05 14:22 3597896 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-07 16:47 . 2009-08-05 14:22 3546184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-07 16:46 . 2008-06-06 03:27 38912 ----a-w- c:\windows\system32\xolehlp.dll
2009-12-07 16:46 . 2008-06-06 03:27 562176 ----a-w- c:\windows\system32\msdtcprx.dll
2009-12-07 16:46 . 2008-08-27 01:05 212480 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2009-12-07 16:46 . 2009-06-10 12:12 160256 ----a-w- c:\windows\system32\wkssvc.dll
2009-12-07 16:46 . 2009-06-04 12:34 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-12-07 16:46 . 2008-04-18 05:48 269312 ----a-w- c:\windows\system32\es.dll
2009-12-07 16:46 . 2008-06-26 03:29 303616 ----a-w- c:\windows\system32\wmpeffects.dll
2009-12-07 16:46 . 2008-09-05 05:14 1191936 ----a-w- c:\windows\system32\msxml3.dll
2009-12-07 16:44 . 2009-03-03 04:40 499200 ----a-w- c:\windows\system32\wbem\WmiPrvSD.dll
2009-12-07 16:43 . 2008-08-12 03:39 443392 ----a-w- c:\windows\system32\win32spl.dll
2009-12-07 16:42 . 2008-06-23 01:59 996352 ----a-w- c:\windows\system32\WMNetMgr.dll
2009-12-07 16:42 . 2008-06-23 01:58 94720 ----a-w- c:\windows\system32\logagent.exe
2009-12-07 16:42 . 2008-05-08 21:59 90112 ----a-w- c:\windows\system32\wshext.dll
2009-12-07 16:42 . 2008-05-08 21:59 430080 ----a-w- c:\windows\system32\vbscript.dll
2009-12-07 16:42 . 2008-05-08 21:59 155648 ----a-w- c:\windows\system32\wscript.exe
2009-12-07 16:42 . 2008-05-08 21:59 180224 ----a-w- c:\windows\system32\scrobj.dll
2009-12-07 16:42 . 2008-05-08 21:59 172032 ----a-w- c:\windows\system32\scrrun.dll
2009-12-07 16:42 . 2008-05-08 21:58 135168 ----a-w- c:\windows\system32\cscript.exe
2009-12-06 22:05 . 2009-12-06 22:05 78440 ----a-w- c:\users\Eric\AppData\Local\GDIPFONTCACHEV1.DAT
2009-12-06 21:51 . 2009-12-10 00:33 -------- d-----w- c:\windows\Debug
2009-12-06 21:37 . 2009-12-06 21:37 21316 ----a-w- c:\windows\system32\emptyregdb.dat
2009-12-06 21:33 . 2009-12-06 21:33 -------- d-----w- c:\users\Default\video
2009-12-06 21:23 . 2009-08-07 02:24 44768 ----a-w- c:\windows\system32\wups2.dll
2009-12-06 21:23 . 2009-08-07 02:24 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-12-06 21:23 . 2009-08-07 02:23 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-12-06 21:23 . 2009-08-07 01:45 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-12-06 21:23 . 2009-08-07 02:24 35552 ----a-w- c:\windows\system32\wups.dll
2009-12-06 21:23 . 2009-08-07 02:23 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-12-06 21:23 . 2009-08-07 01:44 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-12-06 21:23 . 2009-08-07 03:23 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-12-06 21:23 . 2009-08-07 02:44 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-12-06 21:21 . 2009-12-06 21:21 -------- d-----w- c:\windows\system32\RTCOM
2009-12-06 21:12 . 2008-08-19 06:19 339968 ----a-w- c:\windows\system32\SRSTSXT.dll
2009-12-06 21:11 . 2009-12-06 21:11 -------- d-----w- c:\windows\system32\OEM
2009-12-06 21:05 . 2009-12-06 21:05 -------- d-----w- C:\$WINDOWS.~Q
2009-12-06 21:03 . 2009-12-06 21:03 -------- d-----w- C:\$INPLACE.~TR
2009-12-06 20:41 . 2009-12-06 20:41 -------- d-----w- c:\windows\system32\Spool\prtprocs\w32x86\1
2009-12-02 16:21 . 2009-12-03 07:52 65536 ----a-w- c:\windows\IFinst27.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-29 17:10 . 2009-03-15 05:46 -------- d-----w- c:\program files\Steam
2009-12-29 17:10 . 2009-12-29 17:10 4096 ----a-w- c:\windows\system32\05EC2.tmp
2009-12-29 17:08 . 2009-03-06 02:25 -------- d-----w- c:\users\Eric\AppData\Roaming\.purple
2009-12-29 16:47 . 2009-10-19 03:59 -------- d-----w- c:\users\Eric\AppData\Roaming\vlc
2009-12-28 19:15 . 2009-12-28 19:15 4096 ----a-w- c:\windows\system32\05B1B.tmp
2009-12-28 19:04 . 2009-12-28 19:04 4096 ----a-w- c:\windows\system32\05B0A.tmp
2009-12-28 17:16 . 2009-12-28 17:16 4096 ----a-w- c:\windows\system32\05994.tmp
2009-12-28 17:00 . 2009-12-28 17:00 4096 ----a-w- c:\windows\system32\07898.tmp
2009-12-28 16:51 . 2009-12-28 16:51 4096 ----a-w- c:\windows\system32\07ABA.tmp
2009-12-28 05:34 . 2009-12-28 05:34 4096 ----a-w- c:\windows\system32\09CBB.tmp
2009-12-21 00:00 . 2009-12-21 00:00 4096 ----a-w- c:\windows\system32\09C2F.tmp
2009-12-18 21:55 . 2009-10-25 20:28 -------- d-----w- c:\program files\Heroes of Newerth
2009-12-17 16:48 . 2009-12-17 16:48 4096 ----a-w- c:\windows\system32\0A13D.tmp
2009-12-15 05:55 . 2009-12-15 05:55 4096 ----a-w- c:\windows\system32\09F4A.tmp
2009-12-14 08:43 . 2009-03-16 03:27 -------- d-----w- c:\users\Eric\AppData\Roaming\Ventrilo
2009-12-11 06:36 . 2009-12-11 06:36 4096 ----a-w- c:\windows\system32\099CE.tmp
2009-12-09 08:26 . 2009-12-09 08:26 4096 ----a-w- c:\windows\system32\06A6D.tmp
2009-12-08 11:46 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-12-08 11:46 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-12-06 21:32 . 2009-11-09 16:39 -------- d-----w- c:\users\Eric\AppData\Roaming\NeopleLauncherDFO
2009-12-06 21:32 . 2009-09-22 04:03 -------- d-----w- c:\users\Eric\AppData\Roaming\TuneUpMedia
2009-12-06 21:32 . 2009-10-08 02:44 -------- d-----w- c:\users\Eric\AppData\Roaming\Media Player Classic
2009-12-06 21:32 . 2009-11-24 07:32 -------- d-----w- c:\users\Eric\AppData\Roaming\deluge
2009-12-06 21:32 . 2009-11-12 07:05 -------- d-----w- c:\users\Eric\AppData\Roaming\dvdcss
2009-12-06 21:32 . 2009-03-06 02:26 -------- d-----w- c:\users\Eric\AppData\Roaming\gtk-2.0
2009-12-06 21:32 . 2009-08-25 03:07 -------- d-----w- c:\users\Eric\AppData\Roaming\Azureus
2009-12-06 21:32 . 2009-08-22 07:34 -------- d-----w- c:\users\Eric\AppData\Roaming\CyberLink
2009-12-06 21:32 . 2009-08-20 04:18 -------- d-----w- c:\users\Eric\AppData\Roaming\Apple Computer
2009-12-06 21:27 . 2009-09-22 04:03 -------- d-----w- c:\programdata\TuneUpMedia
2009-12-06 21:27 . 2009-08-20 04:18 -------- d-----w- c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-12-06 21:27 . 2009-11-09 16:09 -------- d-----w- c:\programdata\NexonUS
2009-12-06 21:27 . 2009-11-09 08:11 -------- d-----w- c:\programdata\PMB Files
2009-12-06 21:27 . 2009-02-19 17:01 -------- d-----w- c:\programdata\SupportSoft
2009-12-06 21:27 . 2009-02-19 17:00 -------- d-----w- c:\programdata\Sonic
2009-12-06 21:25 . 2009-11-09 08:09 -------- d-----w- c:\program files\Pando Networks
2009-12-06 21:24 . 2009-10-20 05:05 -------- d-----w- c:\program files\EZGet
2009-12-06 02:29 . 2009-12-06 02:29 4096 ----a-w- c:\windows\system32\0FC86.tmp
2009-12-05 01:50 . 2009-12-05 01:50 4096 ----a-w- c:\windows\system32\0CA80.tmp
2009-12-02 02:37 . 2009-12-02 02:37 4096 ----a-w- c:\windows\system32\08E0C.tmp
2009-11-30 18:45 . 2009-11-30 18:45 4096 ----a-w- c:\windows\system32\09EDD.tmp
2009-11-30 16:17 . 2009-11-30 16:17 4096 ----a-w- c:\windows\system32\0AB2C.tmp
2009-11-30 16:14 . 2009-11-30 16:14 4096 ----a-w- c:\windows\system32\087AB.tmp
2009-11-30 07:20 . 2009-11-30 07:20 4096 ----a-w- c:\windows\system32\09D19.tmp
2009-11-30 04:16 . 2009-11-30 04:16 4096 ----a-w- c:\windows\system32\06AA9.tmp
2009-11-29 03:22 . 2009-11-29 03:22 4096 ----a-w- c:\windows\system32\0778F.tmp
2009-11-29 02:25 . 2009-11-29 02:25 4096 ----a-w- c:\windows\system32\0C122.tmp
2009-11-28 01:30 . 2009-11-28 01:30 4096 ----a-w- c:\windows\system32\07DE5.tmp
2009-11-26 06:10 . 2009-11-26 06:10 4096 ----a-w- c:\windows\system32\08EC7.tmp
2009-11-24 07:24 . 2009-11-24 07:24 4096 ----a-w- c:\windows\system32\0A266.tmp
2009-11-23 01:04 . 2009-11-23 01:04 4096 ----a-w- c:\windows\system32\0CF3F.tmp
2009-11-21 04:56 . 2009-11-21 04:56 4096 ----a-w- c:\windows\system32\0821A.tmp
2009-11-20 19:14 . 2009-11-20 19:14 4096 ----a-w- c:\windows\system32\0F085.tmp
2009-11-20 01:31 . 2009-11-20 01:31 4096 ----a-w- c:\windows\system32\0B309.tmp
2009-11-19 22:19 . 2009-11-19 22:19 4096 ----a-w- c:\windows\system32\022EA.tmp
2009-11-19 03:57 . 2009-11-19 03:57 4096 ----a-w- c:\windows\system32\0BB34.tmp
2009-11-18 01:46 . 2009-11-18 01:46 4096 ----a-w- c:\windows\system32\097FA.tmp
2009-11-17 03:08 . 2009-11-17 03:08 4096 ----a-w- c:\windows\system32\09CAB.tmp
2009-11-16 03:30 . 2009-11-16 03:30 4096 ----a-w- c:\windows\system32\08F82.tmp
2009-11-14 04:44 . 2009-11-14 04:44 4096 ----a-w- c:\windows\system32\05B1A.tmp
2009-11-13 04:14 . 2009-11-13 04:14 4096 ----a-w- c:\windows\system32\07CDD.tmp
2009-11-09 16:09 . 2009-11-09 16:09 90112 ----a-w- c:\programdata\NexonUS\NGM\npNxGameUS.dll
2009-11-09 16:09 . 2009-11-09 16:09 561152 ----a-w- c:\programdata\NexonUS\NGM\NGMDll.dll
2009-11-09 16:09 . 2009-11-09 16:09 393216 ----a-w- c:\programdata\NexonUS\NGM\NGMResource.dll
2009-11-09 16:09 . 2009-11-09 16:09 258352 ----a-w- c:\programdata\NexonUS\NGM\unicows.dll
2009-11-09 16:09 . 2009-11-09 16:09 167936 ----a-w- c:\programdata\NexonUS\NGM\NGM.exe
2009-11-09 16:09 . 2009-11-09 16:09 118784 ----a-w- c:\programdata\NexonUS\NGM\nxgameus.dll
2009-11-03 04:42 . 2009-10-03 17:24 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-17 13:41 . 2009-09-22 04:00 174 ----a-w- c:\users\Eric\AppData\Roaming\Azureus\restart.bat
2009-10-02 00:25 . 2009-10-02 00:25 10686001 ----a-w- c:\users\Eric\AppData\Roaming\Azureus\plugins\azump\mplayer.exe
2009-02-13 08:49 . 2009-12-07 16:44 161768 --sha-r- c:\windows\System32\ehohhje.dll
2009-02-19 18:32 . 2009-02-19 18:29 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2009-04-02 19:47 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"WindowsWelcomeCenter"="oobefldr.dll" [2008-01-21 2153472]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2009-11-09 2923192]
"Steam"="c:\program files\steam\steam.exe" [2009-10-25 1217808]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-08-26 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-08-26 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-08-26 154136]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-07-20 182808]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-27 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

R2 AERTFilters;Andrea RT Filters Service;c:\windows\System32\AERTSrv.exe [12/6/2009 1:12 PM 81920]
R2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [8/24/2009 7:07 PM 464264]
R2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [8/24/2009 7:07 PM 234888]
R2 RtNdPt60;Realtek NDIS Protocol Driver;c:\windows\System32\drivers\RtNdPt60.sys [2/19/2009 8:58 AM 27648]
R2 XobniService;XobniService;c:\program files\Xobni\XobniService.exe [5/6/2009 5:21 PM 46824]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\System32\drivers\IntcHdmi.sys [12/6/2009 1:13 PM 112128]
S2 kysedsifo;hzfrfwiv;c:\windows\system32\svchost.exe -k netsvcs [1/20/2008 6:33 PM 21504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
kysedsifo
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Eric\AppData\Roaming\Mozilla\Firefox\Profiles\xcqc4kti.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\programdata\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\users\Eric\AppData\Local\Yahoo!\BrowserPlus\2.4.21\Plugins\npybrowserplus_2.4.21.dll
FF - hidden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-12-29 09:16
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\kysedsifo]
"ServiceDll"="c:\windows\system32\ehohhje.dll"
.
Completion time: 2009-12-29 09:17:52
ComboFix-quarantined-files.txt 2009-12-29 17:17

Pre-Run: 106,609,393,664 bytes free
Post-Run: 106,621,947,904 bytes free

- - End Of File - - 4029ECBFC0ED7D8C7F7EF9677971F2ED


Re: Unknown Virus

Post by Belahzur on 29th December 2009, 5:50 pm

Hello.

  1. Close any open browsers.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    KILLALL::

    Driver::
    kysedsifo

    File::
    c:\windows\system32\ehohhje.dll

    Registry::
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\kysedsifo]

    NetSvc::
    kysedsifo
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


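As an added example (not code from this thread or from ComboFix), the triage behind the CFScript above: a Python parser for the log records the fix depends on (the service line, the NetSvcs membership, the ServiceDll value and the file-list attribute string), which flags an svchost-hosted service whose DLL carries hidden+system attributes and writes the same four-section script. The sample log is constructed from lines on this page; the regexes are my own and assume ComboFix's line layouts as they appear here.

```python
"""Triage a ComboFix log for a rogue svchost-hosted service and draft the fix.
Pattern on this page: service "kysedsifo" sits in the netsvcs group, so svchost.exe
loads its ServiceDll, a hidden+system DLL in system32 ("--sha-r-" in the file list)."""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the log on this page, trimmed to the
# records the triage needs (one legitimate service is kept for contrast).
SAMPLE_LOG = r"""
2009-02-13 08:49 . 2009-12-07 16:44 161768 --sha-r- c:\windows\System32\ehohhje.dll
R2 AERTFilters;Andrea RT Filters Service;c:\windows\System32\AERTSrv.exe [12/6/2009 1:12 PM 81920]
S2 kysedsifo;hzfrfwiv;c:\windows\system32\svchost.exe -k netsvcs [1/20/2008 6:33 PM 21504]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
kysedsifo
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\kysedsifo]
"ServiceDll"="c:\windows\system32\ehohhje.dll"
.
"""

# "<created> . <modified> <size|--------> <attrs> <path>" file records.
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+"
    r"(?P<size>\d+|-+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+)$")
# "R2 name;display;image [date size]" service records.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.+?)\s+\[[^\]]*\]$")
SERVICES_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet\d+\\Services\\(?P<name>[^\]]+)\]$",
    re.IGNORECASE)
SERVICEDLL_RE = re.compile(r'^"ServiceDll"="(?P<dll>[^"]+)"$', re.IGNORECASE)
NETSVCS_HEADER = "Svchost - NetSvcs"


@dataclass
class Finding:
    service: str
    display: str
    dll: str
    attrs: str      # attribute string of the DLL from the file list
    reg_key: str    # the Services key that names the DLL
    in_netsvcs: bool


def parse_log(text):
    """Collect file attributes, services, NetSvcs members and ServiceDll values."""
    files, services, dlls, netsvcs = {}, {}, {}, set()
    current_key, in_netsvcs = None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":          # "." closes a ComboFix section
            in_netsvcs = False
        elif NETSVCS_HEADER in line:         # names that follow are group members
            in_netsvcs = True
        elif in_netsvcs:
            netsvcs.add(line)
        elif m := FILE_RE.match(line):
            files[m["path"].lower()] = m["attrs"]
        elif m := SERVICE_RE.match(line):
            services[m["name"]] = (m["display"], m["image"])
        elif m := SERVICES_KEY_RE.match(line):
            current_key = (m["name"], line.strip("[]"))
        elif (m := SERVICEDLL_RE.match(line)) and current_key:
            dlls[current_key[0]] = (m["dll"], current_key[1])
    return files, services, netsvcs, dlls


def find_rogue_services(text):
    """Flag svchost-hosted services whose ServiceDll is a hidden+system file."""
    files, services, netsvcs, dlls = parse_log(text)
    findings = []
    for name, (display, image) in services.items():
        if "svchost.exe" not in image.lower() or name not in dlls:
            continue
        dll, key = dlls[name]
        attrs = files.get(dll.lower(), "")
        # ComboFix attribute string: s = system, h = hidden. A fuller triage
        # would also compare the name against the expected netsvcs members.
        if "s" in attrs and "h" in attrs:
            findings.append(Finding(name, display, dll, attrs, key, name in netsvcs))
    return findings


def build_cfscript(findings):
    """Emit a CFScript in the section layout the helper used on this page."""
    lines = ["KILLALL::", ""]
    lines += ["Driver::"] + [f.service for f in findings] + [""]
    lines += ["File::"] + [f.dll for f in findings] + [""]
    lines += ["Registry::"] + [f"[-{f.reg_key}]" for f in findings]
    members = [f.service for f in findings if f.in_netsvcs]
    if members:
        lines += ["", "NetSvc::"] + members
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_cfscript(find_rogue_services(SAMPLE_LOG)))
```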

Re: Unknown Virus

Post by illegit on 29th December 2009, 6:58 pm

ComboFix 09-12-28.06 - Eric 12/29/2009 10:43:10.2.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.2012.1162 [GMT -8:00]
Running from: c:\users\Eric\Desktop\ComboFix.exe
Command switches used :: c:\users\Eric\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"c:\windows\system32\ehohhje.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\ehohhje.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_kysedsifo


((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-29 )))))))))))))))))))))))))))))))
.

2009-12-29 18:46 . 2009-12-29 18:47 -------- d-----w- c:\users\Eric\AppData\Local\temp
2009-12-29 18:46 . 2009-12-29 18:46 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-12-29 18:46 . 2009-12-29 18:46 -------- d-----w- c:\users\McAfeeMVSUser\AppData\Local\temp
2009-12-28 19:27 . 2009-12-28 19:27 -------- d-----w- c:\program files\Trend Micro
2009-12-28 19:09 . 2009-12-28 19:09 -------- d-----w- c:\users\Eric\AppData\Roaming\Malwarebytes
2009-12-28 19:08 . 2009-12-04 00:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-28 19:08 . 2009-12-28 19:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-28 19:08 . 2009-12-28 19:08 -------- d-----w- c:\programdata\Malwarebytes
2009-12-28 19:08 . 2009-12-04 00:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-17 02:39 . 2009-12-17 02:39 2157 ----a-w- c:\users\Eric\AppData\Roaming\.purple\certificates\x509\tls_peers\omega.contacts.msn.com
2009-12-14 02:32 . 2009-12-14 06:49 -------- d-----w- c:\users\Eric\AppData\Roaming\mIRC
2009-12-14 02:32 . 2009-12-14 02:32 -------- d-----w- c:\program files\mIRC
2009-12-08 11:24 . 2009-10-29 09:41 2048 ----a-w- c:\windows\system32\tzres.dll
2009-12-08 11:06 . 2008-06-20 01:14 43544 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2009-12-08 11:06 . 2008-06-20 01:14 105016 ----a-w- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-12-08 11:06 . 2008-06-20 01:14 97800 ----a-w- c:\windows\system32\infocardapi.dll
2009-12-08 11:06 . 2008-06-20 01:14 11264 ----a-w- c:\windows\system32\icardres.dll
2009-12-08 11:06 . 2008-06-20 01:14 622080 ----a-w- c:\windows\system32\icardagt.exe
2009-12-08 11:06 . 2008-06-20 01:14 781344 ----a-w- c:\windows\system32\PresentationNative_v0300.dll
2009-12-08 11:06 . 2008-06-20 01:14 326160 ----a-w- c:\windows\system32\PresentationHost.exe
2009-12-08 11:02 . 2008-07-27 18:03 96760 ----a-w- c:\windows\system32\dfshim.dll
2009-12-08 11:02 . 2008-07-27 18:03 41984 ----a-w- c:\windows\system32\netfxperf.dll
2009-12-08 11:02 . 2008-07-27 18:03 282112 ----a-w- c:\windows\system32\mscoree.dll
2009-12-08 11:02 . 2008-07-27 18:03 158720 ----a-w- c:\windows\system32\mscorier.dll
2009-12-08 11:02 . 2008-07-27 18:03 83968 ----a-w- c:\windows\system32\mscories.dll
2009-12-08 03:50 . 2009-12-08 03:50 -------- d-----w- c:\program files\Ventrilo
2009-12-08 03:49 . 2009-12-08 03:49 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-07 17:11 . 2008-06-26 01:45 12240896 ----a-w- c:\windows\system32\NlsLexicons0007.dll
2009-12-07 17:11 . 2008-06-26 01:45 2644480 ----a-w- c:\windows\system32\NlsLexicons0009.dll
2009-12-07 17:11 . 2008-06-26 03:29 801280 ----a-w- c:\windows\system32\NaturalLanguage6.dll
2009-12-07 16:49 . 2008-06-19 03:31 361984 ----a-w- c:\windows\system32\IPSECSVC.DLL
2009-12-07 16:49 . 2008-10-22 03:57 241152 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2009-12-07 16:49 . 2009-08-14 17:07 897608 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-12-07 16:49 . 2009-08-14 16:29 17920 ----a-w- c:\windows\system32\netevent.dll
2009-12-07 16:49 . 2009-08-14 16:29 104960 ----a-w- c:\windows\system32\netiohlp.dll
2009-12-07 16:49 . 2009-08-14 14:16 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-12-07 16:49 . 2009-08-14 14:16 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-12-07 16:49 . 2009-08-14 14:16 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-12-07 16:49 . 2009-08-14 14:16 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-12-07 16:49 . 2009-08-14 14:16 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-12-07 16:49 . 2009-08-14 14:16 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-12-07 16:49 . 2009-08-14 14:16 10240 ----a-w- c:\windows\system32\finger.exe
2009-12-07 16:47 . 2009-07-17 14:35 71680 ----a-w- c:\windows\system32\atl.dll
2009-12-07 16:47 . 2008-10-21 05:25 296960 ----a-w- c:\windows\system32\gdi32.dll
2009-12-07 16:47 . 2009-08-05 14:22 3597896 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-07 16:47 . 2009-08-05 14:22 3546184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-07 16:46 . 2008-06-06 03:27 38912 ----a-w- c:\windows\system32\xolehlp.dll
2009-12-07 16:46 . 2008-06-06 03:27 562176 ----a-w- c:\windows\system32\msdtcprx.dll
2009-12-07 16:46 . 2008-08-27 01:05 212480 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2009-12-07 16:46 . 2009-06-10 12:12 160256 ----a-w- c:\windows\system32\wkssvc.dll
2009-12-07 16:46 . 2009-06-04 12:34 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-12-07 16:46 . 2008-04-18 05:48 269312 ----a-w- c:\windows\system32\es.dll
2009-12-07 16:46 . 2008-06-26 03:29 303616 ----a-w- c:\windows\system32\wmpeffects.dll
2009-12-07 16:46 . 2008-09-05 05:14 1191936 ----a-w- c:\windows\system32\msxml3.dll
2009-12-07 16:44 . 2009-03-03 04:40 499200 ----a-w- c:\windows\system32\wbem\WmiPrvSD.dll
2009-12-07 16:43 . 2008-08-12 03:39 443392 ----a-w- c:\windows\system32\win32spl.dll
2009-12-07 16:42 . 2008-06-23 01:59 996352 ----a-w- c:\windows\system32\WMNetMgr.dll
2009-12-07 16:42 . 2008-06-23 01:58 94720 ----a-w- c:\windows\system32\logagent.exe
2009-12-07 16:42 . 2008-05-08 21:59 90112 ----a-w- c:\windows\system32\wshext.dll
2009-12-07 16:42 . 2008-05-08 21:59 430080 ----a-w- c:\windows\system32\vbscript.dll
2009-12-07 16:42 . 2008-05-08 21:59 155648 ----a-w- c:\windows\system32\wscript.exe
2009-12-07 16:42 . 2008-05-08 21:59 180224 ----a-w- c:\windows\system32\scrobj.dll
2009-12-07 16:42 . 2008-05-08 21:59 172032 ----a-w- c:\windows\system32\scrrun.dll
2009-12-07 16:42 . 2008-05-08 21:58 135168 ----a-w- c:\windows\system32\cscript.exe
2009-12-06 22:05 . 2009-12-06 22:05 78440 ----a-w- c:\users\Eric\AppData\Local\GDIPFONTCACHEV1.DAT
2009-12-06 21:51 . 2009-12-10 00:33 -------- d-----w- c:\windows\Debug
2009-12-06 21:37 . 2009-12-06 21:37 21316 ----a-w- c:\windows\system32\emptyregdb.dat
2009-12-06 21:33 . 2009-12-06 21:33 -------- d-----w- c:\users\Default\video
2009-12-06 21:23 . 2009-08-07 02:24 44768 ----a-w- c:\windows\system32\wups2.dll
2009-12-06 21:23 . 2009-08-07 02:24 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-12-06 21:23 . 2009-08-07 02:23 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-12-06 21:23 . 2009-08-07 01:45 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-12-06 21:23 . 2009-08-07 02:24 35552 ----a-w- c:\windows\system32\wups.dll
2009-12-06 21:23 . 2009-08-07 02:23 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-12-06 21:23 . 2009-08-07 01:44 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-12-06 21:23 . 2009-08-07 03:23 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-12-06 21:23 . 2009-08-07 02:44 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-12-06 21:21 . 2009-12-06 21:21 -------- d-----w- c:\windows\system32\RTCOM
2009-12-06 21:12 . 2008-08-19 06:19 339968 ----a-w- c:\windows\system32\SRSTSXT.dll
2009-12-06 21:11 . 2009-12-06 21:11 -------- d-----w- c:\windows\system32\OEM
2009-12-06 21:05 . 2009-12-06 21:05 -------- d-----w- C:\$WINDOWS.~Q
2009-12-06 21:03 . 2009-12-06 21:03 -------- d-----w- C:\$INPLACE.~TR
2009-12-06 20:41 . 2009-12-06 20:41 -------- d-----w- c:\windows\system32\Spool\prtprocs\w32x86\1
2009-12-02 16:21 . 2009-12-03 07:52 65536 ----a-w- c:\windows\IFinst27.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-29 18:48 . 2009-03-15 05:46 -------- d-----w- c:\program files\Steam
2009-12-29 18:42 . 2009-03-06 02:25 -------- d-----w- c:\users\Eric\AppData\Roaming\.purple
2009-12-29 17:10 . 2009-12-29 17:10 4096 ----a-w- c:\windows\system32\05EC2.tmp
2009-12-29 16:47 . 2009-10-19 03:59 -------- d-----w- c:\users\Eric\AppData\Roaming\vlc
2009-12-28 19:15 . 2009-12-28 19:15 4096 ----a-w- c:\windows\system32\05B1B.tmp
2009-12-28 19:04 . 2009-12-28 19:04 4096 ----a-w- c:\windows\system32\05B0A.tmp
2009-12-28 17:16 . 2009-12-28 17:16 4096 ----a-w- c:\windows\system32\05994.tmp
2009-12-28 17:00 . 2009-12-28 17:00 4096 ----a-w- c:\windows\system32\07898.tmp
2009-12-28 16:51 . 2009-12-28 16:51 4096 ----a-w- c:\windows\system32\07ABA.tmp
2009-12-28 05:34 . 2009-12-28 05:34 4096 ----a-w- c:\windows\system32\09CBB.tmp
2009-12-21 00:00 . 2009-12-21 00:00 4096 ----a-w- c:\windows\system32\09C2F.tmp
2009-12-18 21:55 . 2009-10-25 20:28 -------- d-----w- c:\program files\Heroes of Newerth
2009-12-17 16:48 . 2009-12-17 16:48 4096 ----a-w- c:\windows\system32\0A13D.tmp
2009-12-15 05:55 . 2009-12-15 05:55 4096 ----a-w- c:\windows\system32\09F4A.tmp
2009-12-14 08:43 . 2009-03-16 03:27 -------- d-----w- c:\users\Eric\AppData\Roaming\Ventrilo
2009-12-11 06:36 . 2009-12-11 06:36 4096 ----a-w- c:\windows\system32\099CE.tmp
2009-12-09 08:26 . 2009-12-09 08:26 4096 ----a-w- c:\windows\system32\06A6D.tmp
2009-12-08 11:46 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-12-08 11:46 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-12-06 21:32 . 2009-11-09 16:39 -------- d-----w- c:\users\Eric\AppData\Roaming\NeopleLauncherDFO
2009-12-06 21:32 . 2009-09-22 04:03 -------- d-----w- c:\users\Eric\AppData\Roaming\TuneUpMedia
2009-12-06 21:32 . 2009-10-08 02:44 -------- d-----w- c:\users\Eric\AppData\Roaming\Media Player Classic
2009-12-06 21:32 . 2009-11-24 07:32 -------- d-----w- c:\users\Eric\AppData\Roaming\deluge
2009-12-06 21:32 . 2009-11-12 07:05 -------- d-----w- c:\users\Eric\AppData\Roaming\dvdcss
2009-12-06 21:32 . 2009-03-06 02:26 -------- d-----w- c:\users\Eric\AppData\Roaming\gtk-2.0
2009-12-06 21:32 . 2009-08-25 03:07 -------- d-----w- c:\users\Eric\AppData\Roaming\Azureus
2009-12-06 21:32 . 2009-08-22 07:34 -------- d-----w- c:\users\Eric\AppData\Roaming\CyberLink
2009-12-06 21:32 . 2009-08-20 04:18 -------- d-----w- c:\users\Eric\AppData\Roaming\Apple Computer
2009-12-06 21:27 . 2009-09-22 04:03 -------- d-----w- c:\programdata\TuneUpMedia
2009-12-06 21:27 . 2009-08-20 04:18 -------- d-----w- c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-12-06 21:27 . 2009-11-09 16:09 -------- d-----w- c:\programdata\NexonUS
2009-12-06 21:27 . 2009-11-09 08:11 -------- d-----w- c:\programdata\PMB Files
2009-12-06 21:27 . 2009-02-19 17:01 -------- d-----w- c:\programdata\SupportSoft
2009-12-06 21:27 . 2009-02-19 17:00 -------- d-----w- c:\programdata\Sonic
2009-12-06 21:25 . 2009-11-09 08:09 -------- d-----w- c:\program files\Pando Networks
2009-12-06 21:24 . 2009-10-20 05:05 -------- d-----w- c:\program files\EZGet
2009-12-06 02:29 . 2009-12-06 02:29 4096 ----a-w- c:\windows\system32\0FC86.tmp
2009-12-05 01:50 . 2009-12-05 01:50 4096 ----a-w- c:\windows\system32\0CA80.tmp
2009-12-02 02:37 . 2009-12-02 02:37 4096 ----a-w- c:\windows\system32\08E0C.tmp
2009-11-30 18:45 . 2009-11-30 18:45 4096 ----a-w- c:\windows\system32\09EDD.tmp
2009-11-30 16:17 . 2009-11-30 16:17 4096 ----a-w- c:\windows\system32\0AB2C.tmp
2009-11-30 16:14 . 2009-11-30 16:14 4096 ----a-w- c:\windows\system32\087AB.tmp
2009-11-30 07:20 . 2009-11-30 07:20 4096 ----a-w- c:\windows\system32\09D19.tmp
2009-11-30 04:16 . 2009-11-30 04:16 4096 ----a-w- c:\windows\system32\06AA9.tmp
2009-11-29 03:22 . 2009-11-29 03:22 4096 ----a-w- c:\windows\system32\0778F.tmp
2009-11-29 02:25 . 2009-11-29 02:25 4096 ----a-w- c:\windows\system32\0C122.tmp
2009-11-28 01:30 . 2009-11-28 01:30 4096 ----a-w- c:\windows\system32\07DE5.tmp
2009-11-26 06:10 . 2009-11-26 06:10 4096 ----a-w- c:\windows\system32\08EC7.tmp
2009-11-24 07:24 . 2009-11-24 07:24 4096 ----a-w- c:\windows\system32\0A266.tmp
2009-11-23 01:04 . 2009-11-23 01:04 4096 ----a-w- c:\windows\system32\0CF3F.tmp
2009-11-21 04:56 . 2009-11-21 04:56 4096 ----a-w- c:\windows\system32\0821A.tmp
2009-11-20 19:14 . 2009-11-20 19:14 4096 ----a-w- c:\windows\system32\0F085.tmp
2009-11-20 01:31 . 2009-11-20 01:31 4096 ----a-w- c:\windows\system32\0B309.tmp
2009-11-19 22:19 . 2009-11-19 22:19 4096 ----a-w- c:\windows\system32\022EA.tmp
2009-11-19 03:57 . 2009-11-19 03:57 4096 ----a-w- c:\windows\system32\0BB34.tmp
2009-11-18 01:46 . 2009-11-18 01:46 4096 ----a-w- c:\windows\system32\097FA.tmp
2009-11-17 03:08 . 2009-11-17 03:08 4096 ----a-w- c:\windows\system32\09CAB.tmp
2009-11-16 03:30 . 2009-11-16 03:30 4096 ----a-w- c:\windows\system32\08F82.tmp
2009-11-14 04:44 . 2009-11-14 04:44 4096 ----a-w- c:\windows\system32\05B1A.tmp
2009-11-13 04:14 . 2009-11-13 04:14 4096 ----a-w- c:\windows\system32\07CDD.tmp
2009-11-09 16:09 . 2009-11-09 16:09 90112 ----a-w- c:\programdata\NexonUS\NGM\npNxGameUS.dll
2009-11-09 16:09 . 2009-11-09 16:09 561152 ----a-w- c:\programdata\NexonUS\NGM\NGMDll.dll
2009-11-09 16:09 . 2009-11-09 16:09 393216 ----a-w- c:\programdata\NexonUS\NGM\NGMResource.dll
2009-11-09 16:09 . 2009-11-09 16:09 258352 ----a-w- c:\programdata\NexonUS\NGM\unicows.dll
2009-11-09 16:09 . 2009-11-09 16:09 167936 ----a-w- c:\programdata\NexonUS\NGM\NGM.exe
2009-11-09 16:09 . 2009-11-09 16:09 118784 ----a-w- c:\programdata\NexonUS\NGM\nxgameus.dll
2009-11-03 04:42 . 2009-10-03 17:24 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-17 13:41 . 2009-09-22 04:00 174 ----a-w- c:\users\Eric\AppData\Roaming\Azureus\restart.bat
2009-10-02 00:25 . 2009-10-02 00:25 10686001 ----a-w- c:\users\Eric\AppData\Roaming\Azureus\plugins\azump\mplayer.exe
2009-02-19 18:32 . 2009-02-19 18:29 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
- 2009-12-06 21:22 . 2009-12-29 17:10 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-12-06 21:22 . 2009-12-29 18:47 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-12-06 21:22 . 2009-12-29 17:10 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-12-06 21:22 . 2009-12-29 18:47 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-12-06 21:22 . 2009-12-29 17:10 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-12-06 21:22 . 2009-12-29 18:47 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-12-19 03:32 . 2009-12-29 18:46 2594 c:\windows\System32\WDI\ERCQueuedResolutions.dat
+ 2009-12-29 18:47 . 2009-12-29 18:47 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-12-29 17:09 . 2009-12-29 17:09 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2009-04-02 19:47 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"WindowsWelcomeCenter"="oobefldr.dll" [2008-01-21 2153472]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2009-11-09 2923192]
"Steam"="c:\program files\steam\steam.exe" [2009-10-25 1217808]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-08-26 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-08-26 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-08-26 154136]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-07-20 182808]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-27 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

R2 AERTFilters;Andrea RT Filters Service;c:\windows\System32\AERTSrv.exe [12/6/2009 1:12 PM 81920]
R2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [8/24/2009 7:07 PM 464264]
R2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [8/24/2009 7:07 PM 234888]
R2 RtNdPt60;Realtek NDIS Protocol Driver;c:\windows\System32\drivers\RtNdPt60.sys [2/19/2009 8:58 AM 27648]
R2 XobniService;XobniService;c:\program files\Xobni\XobniService.exe [5/6/2009 5:21 PM 46824]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\System32\drivers\IntcHdmi.sys [12/6/2009 1:13 PM 112128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Eric\AppData\Roaming\Mozilla\Firefox\Profiles\xcqc4kti.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\programdata\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\users\Eric\AppData\Local\Yahoo!\BrowserPlus\2.4.21\Plugins\npybrowserplus_2.4.21.dll
FF - hidden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-12-29 10:48
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\rundll32.exe
c:\windows\System32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-12-29 10:50:56 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-29 18:50
ComboFix2.txt 2009-12-29 17:17

Pre-Run: 106,703,138,816 bytes free
Post-Run: 106,328,350,720 bytes free

- - End Of File - - 2FC3C8C75FC3C7CFA112E175A443D149

illegit
Novice

Posts: 44
Joined: 2009-08-03
Gender: Male
OS: XP Professional
Points: 27032
# Likes: 0


Re: Unknown Virus

Post by Belahzur on 29th December 2009, 10:27 pm

Hello.

  1. Close any open browsers.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    Folder::
    c:\program files\AskBarDis

    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{3041d03e-fd4b-44e0-b742-2d9b88305f98}"=-
    [-HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [-HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{3041D03E-FD4B-44E0-B742-2D9B88305F98}"=-
    [-HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [-HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

    Driver::
    ASKService
    ASKUpgrade
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts: 34918
Joined: 2008-08-03
Gender: Male
OS: 7 Home Premium x64
Points: 245091
# Likes: 1
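The CFScript in the post above was assembled by hand from the log: every loading point whose file sits under c:\program files\AskBarDis (the BHO key, the two toolbar values and the two services) is listed alongside the folder itself, so that deleting the folder does not leave dangling registrations behind. The following is an added example, not code from the forum or from ComboFix, that does the same correlation over constructed sample lines in the shapes seen in the posted "Reg Loading Points" section (the regexes, function names and the SAMPLE_LOG text are this example's own assumptions).

```python
import re

# Constructed sample input, modelled on the "Reg Loading Points" section of the
# ComboFix log posted above (same line shapes, a subset of the same entries).
# Not the output of a real ComboFix run.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2009-04-02 19:47 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-08-26 150040]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-27 413696]

R2 AERTFilters;Andrea RT Filters Service;c:\windows\System32\AERTSrv.exe [12/6/2009 1:12 PM 81920]
R2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [8/24/2009 7:07 PM 464264]
R2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [8/24/2009 7:07 PM 234888]
"""

# Line shapes assumed from the posted log; these regexes are the example's own.
SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")                    # [HKEY_...\Key]
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*"(?P<path>[^"]+)"')  # "Name"="c:\path" [date size]
SERVICE_RE = re.compile(r"^[RS]\d\s+(?P<name>[^;]+);[^;]*;(?P<path>.+?)\s+\[")  # R2 Name;Desc;c:\path [...]
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+\d+\s+\S+\s+(?P<path>[A-Za-z]:\\.+)$")  # file under a key


def parse_loading_points(text):
    """Return one dict per autostart entry: kind (key/value/service), key, name, path."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            key = m.group("key")          # remember the key the following lines belong to
            continue
        m = SERVICE_RE.match(line)
        if m:
            entries.append({"kind": "service", "key": None, "name": m.group("name"), "path": m.group("path").strip()})
            continue
        m = VALUE_RE.match(line)
        if m and key:
            entries.append({"kind": "value", "key": key, "name": m.group("name"), "path": m.group("path").strip()})
            continue
        m = FILE_RE.match(line)
        if m and key:
            # A bare file line directly under a key (the BHO case): the whole key loads that file.
            entries.append({"kind": "key", "key": key, "name": None, "path": m.group("path").strip()})
    return entries


def under_folder(path, folder):
    """Case-insensitive test that a Windows path lies inside folder (no prefix false positives)."""
    p = path.lower().replace("/", "\\")
    f = folder.lower().replace("/", "\\").rstrip("\\") + "\\"
    return p.startswith(f)


def loading_points_under(text, folder):
    """All autostart entries in the log whose loaded file lives under folder."""
    return [e for e in parse_loading_points(text) if under_folder(e["path"], folder)]


def draft_cfscript(text, folder):
    """Render the findings in the Folder:: / Registry:: / Driver:: sections used in the post.
    The result is a draft for a helper to read through, not something to run unreviewed."""
    registry, drivers = [], []
    for e in loading_points_under(text, folder):
        if e["kind"] == "service":
            drivers.append(e["name"])          # Driver:: takes the service name
        elif e["kind"] == "key":
            registry.append(f"[-{e['key']}]")  # REGEDIT4 syntax: leading '-' deletes the key
        else:
            registry.append(f"[{e['key']}]")
            registry.append(f'"{e["name"]}"=-')  # '=-' deletes just this value
    lines = ["Folder::", folder, ""]
    if registry:
        lines += ["Registry::"] + registry + [""]
    if drivers:
        lines += ["Driver::"] + drivers
    return "\n".join(lines)


if __name__ == "__main__":
    print(draft_cfscript(SAMPLE_LOG, r"c:\program files\AskBarDis"))
```

Run stand-alone it prints a script with the same five registry lines and two driver names as the post. The point of the folder check is the trailing backslash: a plain prefix match would also catch a sibling such as c:\program files\AskBarDisX, which is exactly the kind of over-reach a removal script must not have.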


Re: Unknown Virus

Post by illegit on 29th December 2009, 11:48 pm

ComboFix 09-12-29.04 - Eric 12/29/2009 15:39:24.3.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.2012.1111 [GMT -8:00]
Running from: c:\users\Eric\Desktop\ComboFix.exe
Command switches used :: c:\users\Eric\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\AskBarDis
c:\program files\AskBarDis\bar\bin\askBar.dll
c:\program files\AskBarDis\bar\bin\askPopStp.dll
c:\program files\AskBarDis\bar\bin\AskService.exe
c:\program files\AskBarDis\bar\bin\AskSplash.exe
c:\program files\AskBarDis\bar\bin\AskTBApp.exe
c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe
c:\program files\AskBarDis\bar\bin\psvince.dll
c:\program files\AskBarDis\bar\Settings\AskLogo.ico
c:\program files\AskBarDis\bar\Settings\config.dat
c:\program files\AskBarDis\bar\Settings\config.dat.bak
c:\program files\AskBarDis\unins000.dat
c:\program files\AskBarDis\unins000.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ASKService
-------\Service_ASKUpgrade


((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-29 )))))))))))))))))))))))))))))))
.

2009-12-29 23:42 . 2009-12-29 23:44 -------- d-----w- c:\users\Eric\AppData\Local\temp
2009-12-29 23:42 . 2009-12-29 23:42 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-12-29 23:42 . 2009-12-29 23:42 -------- d-----w- c:\users\McAfeeMVSUser\AppData\Local\temp
2009-12-29 23:42 . 2009-12-29 23:42 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-12-29 23:38 . 2009-12-29 23:38 -------- d-----w- C:\32788R22FWJFW
2009-12-28 19:27 . 2009-12-28 19:27 -------- d-----w- c:\program files\Trend Micro
2009-12-28 19:09 . 2009-12-28 19:09 -------- d-----w- c:\users\Eric\AppData\Roaming\Malwarebytes
2009-12-28 19:08 . 2009-12-04 00:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-28 19:08 . 2009-12-28 19:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-28 19:08 . 2009-12-28 19:08 -------- d-----w- c:\programdata\Malwarebytes
2009-12-28 19:08 . 2009-12-04 00:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-14 02:32 . 2009-12-14 06:49 -------- d-----w- c:\users\Eric\AppData\Roaming\mIRC
2009-12-14 02:32 . 2009-12-14 02:32 -------- d-----w- c:\program files\mIRC
2009-12-08 11:24 . 2009-10-29 09:41 2048 ----a-w- c:\windows\system32\tzres.dll
2009-12-08 11:06 . 2008-06-20 01:14 43544 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2009-12-08 11:06 . 2008-06-20 01:14 105016 ----a-w- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-12-08 11:06 . 2008-06-20 01:14 97800 ----a-w- c:\windows\system32\infocardapi.dll
2009-12-08 11:06 . 2008-06-20 01:14 11264 ----a-w- c:\windows\system32\icardres.dll
2009-12-08 11:06 . 2008-06-20 01:14 622080 ----a-w- c:\windows\system32\icardagt.exe
2009-12-08 11:06 . 2008-06-20 01:14 781344 ----a-w- c:\windows\system32\PresentationNative_v0300.dll
2009-12-08 11:06 . 2008-06-20 01:14 326160 ----a-w- c:\windows\system32\PresentationHost.exe
2009-12-08 11:02 . 2008-07-27 18:03 96760 ----a-w- c:\windows\system32\dfshim.dll
2009-12-08 11:02 . 2008-07-27 18:03 41984 ----a-w- c:\windows\system32\netfxperf.dll
2009-12-08 11:02 . 2008-07-27 18:03 282112 ----a-w- c:\windows\system32\mscoree.dll
2009-12-08 11:02 . 2008-07-27 18:03 158720 ----a-w- c:\windows\system32\mscorier.dll
2009-12-08 11:02 . 2008-07-27 18:03 83968 ----a-w- c:\windows\system32\mscories.dll
2009-12-08 03:50 . 2009-12-08 03:50 -------- d-----w- c:\program files\Ventrilo
2009-12-08 03:49 . 2009-12-08 03:49 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-07 17:11 . 2008-06-26 01:45 12240896 ----a-w- c:\windows\system32\NlsLexicons0007.dll
2009-12-07 17:11 . 2008-06-26 01:45 2644480 ----a-w- c:\windows\system32\NlsLexicons0009.dll
2009-12-07 17:11 . 2008-06-26 03:29 801280 ----a-w- c:\windows\system32\NaturalLanguage6.dll
2009-12-07 16:49 . 2008-06-19 03:31 361984 ----a-w- c:\windows\system32\IPSECSVC.DLL
2009-12-07 16:49 . 2008-10-22 03:57 241152 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2009-12-07 16:49 . 2009-08-14 17:07 897608 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-12-07 16:49 . 2009-08-14 16:29 17920 ----a-w- c:\windows\system32\netevent.dll
2009-12-07 16:49 . 2009-08-14 16:29 104960 ----a-w- c:\windows\system32\netiohlp.dll
2009-12-07 16:49 . 2009-08-14 14:16 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-12-07 16:49 . 2009-08-14 14:16 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-12-07 16:49 . 2009-08-14 14:16 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-12-07 16:49 . 2009-08-14 14:16 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-12-07 16:49 . 2009-08-14 14:16 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-12-07 16:49 . 2009-08-14 14:16 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-12-07 16:49 . 2009-08-14 14:16 10240 ----a-w- c:\windows\system32\finger.exe
2009-12-07 16:47 . 2009-07-17 14:35 71680 ----a-w- c:\windows\system32\atl.dll
2009-12-07 16:47 . 2008-10-21 05:25 296960 ----a-w- c:\windows\system32\gdi32.dll
2009-12-07 16:47 . 2009-08-05 14:22 3597896 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-07 16:47 . 2009-08-05 14:22 3546184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-07 16:46 . 2008-06-06 03:27 38912 ----a-w- c:\windows\system32\xolehlp.dll
2009-12-07 16:46 . 2008-06-06 03:27 562176 ----a-w- c:\windows\system32\msdtcprx.dll
2009-12-07 16:46 . 2008-08-27 01:05 212480 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2009-12-07 16:46 . 2009-06-10 12:12 160256 ----a-w- c:\windows\system32\wkssvc.dll
2009-12-07 16:46 . 2009-06-04 12:34 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-12-07 16:46 . 2008-04-18 05:48 269312 ----a-w- c:\windows\system32\es.dll
2009-12-07 16:46 . 2008-06-26 03:29 303616 ----a-w- c:\windows\system32\wmpeffects.dll
2009-12-07 16:44 . 2009-03-03 04:40 499200 ----a-w- c:\windows\system32\wbem\WmiPrvSD.dll
2009-12-07 16:43 . 2008-08-12 03:39 443392 ----a-w- c:\windows\system32\win32spl.dll
2009-12-07 16:42 . 2008-06-23 01:59 996352 ----a-w- c:\windows\system32\WMNetMgr.dll
2009-12-07 16:42 . 2008-06-23 01:58 94720 ----a-w- c:\windows\system32\logagent.exe
2009-12-07 16:42 . 2008-05-08 21:59 90112 ----a-w- c:\windows\system32\wshext.dll
2009-12-07 16:42 . 2008-05-08 21:59 430080 ----a-w- c:\windows\system32\vbscript.dll
2009-12-07 16:42 . 2008-05-08 21:59 155648 ----a-w- c:\windows\system32\wscript.exe
2009-12-07 16:42 . 2008-05-08 21:59 180224 ----a-w- c:\windows\system32\scrobj.dll
2009-12-07 16:42 . 2008-05-08 21:59 172032 ----a-w- c:\windows\system32\scrrun.dll
2009-12-07 16:42 . 2008-05-08 21:58 135168 ----a-w- c:\windows\system32\cscript.exe
2009-12-06 22:05 . 2009-12-06 22:05 78440 ----a-w- c:\users\Eric\AppData\Local\GDIPFONTCACHEV1.DAT
2009-12-06 21:51 . 2009-12-10 00:33 -------- d-----w- c:\windows\Debug
2009-12-06 21:37 . 2009-12-06 21:37 21316 ----a-w- c:\windows\system32\emptyregdb.dat
2009-12-06 21:33 . 2009-12-06 21:33 -------- d-----w- c:\users\Default\video
2009-12-06 21:23 . 2009-08-07 02:24 44768 ----a-w- c:\windows\system32\wups2.dll
2009-12-06 21:23 . 2009-08-07 02:24 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-12-06 21:23 . 2009-08-07 02:23 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-12-06 21:23 . 2009-08-07 01:45 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-12-06 21:23 . 2009-08-07 02:24 35552 ----a-w- c:\windows\system32\wups.dll
2009-12-06 21:23 . 2009-08-07 02:23 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-12-06 21:23 . 2009-08-07 01:44 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-12-06 21:23 . 2009-08-07 03:23 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-12-06 21:23 . 2009-08-07 02:44 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-12-06 21:21 . 2009-12-06 21:21 -------- d-----w- c:\windows\system32\RTCOM
2009-12-06 21:12 . 2008-08-19 06:19 339968 ----a-w- c:\windows\system32\SRSTSXT.dll
2009-12-06 21:11 . 2009-12-06 21:11 -------- d-----w- c:\windows\system32\OEM
2009-12-06 21:05 . 2009-12-06 21:05 -------- d-----w- C:\$WINDOWS.~Q
2009-12-06 21:03 . 2009-12-06 21:03 -------- d-----w- C:\$INPLACE.~TR
2009-12-06 20:41 . 2009-12-06 20:41 -------- d-----w- c:\windows\system32\Spool\prtprocs\w32x86\1
2009-12-02 16:21 . 2009-12-03 07:52 65536 ----a-w- c:\windows\IFinst27.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-29 23:45 . 2009-03-15 05:46 -------- d-----w- c:\program files\Steam
2009-12-29 23:21 . 2009-03-06 02:25 -------- d-----w- c:\users\Eric\AppData\Roaming\.purple
2009-12-29 17:10 . 2009-12-29 17:10 4096 ----a-w- c:\windows\system32\05EC2.tmp
2009-12-29 16:47 . 2009-10-19 03:59 -------- d-----w- c:\users\Eric\AppData\Roaming\vlc
2009-12-28 19:15 . 2009-12-28 19:15 4096 ----a-w- c:\windows\system32\05B1B.tmp
2009-12-28 19:04 . 2009-12-28 19:04 4096 ----a-w- c:\windows\system32\05B0A.tmp
2009-12-28 17:16 . 2009-12-28 17:16 4096 ----a-w- c:\windows\system32\05994.tmp
2009-12-28 17:00 . 2009-12-28 17:00 4096 ----a-w- c:\windows\system32\07898.tmp
2009-12-28 16:51 . 2009-12-28 16:51 4096 ----a-w- c:\windows\system32\07ABA.tmp
2009-12-28 05:34 . 2009-12-28 05:34 4096 ----a-w- c:\windows\system32\09CBB.tmp
2009-12-21 00:00 . 2009-12-21 00:00 4096 ----a-w- c:\windows\system32\09C2F.tmp
2009-12-18 21:55 . 2009-10-25 20:28 -------- d-----w- c:\program files\Heroes of Newerth
2009-12-17 16:48 . 2009-12-17 16:48 4096 ----a-w- c:\windows\system32\0A13D.tmp
2009-12-17 02:39 . 2009-12-17 02:39 2157 ----a-w- c:\users\Eric\AppData\Roaming\.purple\certificates\x509\tls_peers\omega.contacts.msn.com
2009-12-15 05:55 . 2009-12-15 05:55 4096 ----a-w- c:\windows\system32\09F4A.tmp
2009-12-14 08:43 . 2009-03-16 03:27 -------- d-----w- c:\users\Eric\AppData\Roaming\Ventrilo
2009-12-11 06:36 . 2009-12-11 06:36 4096 ----a-w- c:\windows\system32\099CE.tmp
2009-12-09 08:26 . 2009-12-09 08:26 4096 ----a-w- c:\windows\system32\06A6D.tmp
2009-12-08 11:46 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-12-08 11:46 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-12-06 21:32 . 2009-11-09 16:39 -------- d-----w- c:\users\Eric\AppData\Roaming\NeopleLauncherDFO
2009-12-06 21:32 . 2009-09-22 04:03 -------- d-----w- c:\users\Eric\AppData\Roaming\TuneUpMedia
2009-12-06 21:32 . 2009-10-08 02:44 -------- d-----w- c:\users\Eric\AppData\Roaming\Media Player Classic
2009-12-06 21:32 . 2009-11-24 07:32 -------- d-----w- c:\users\Eric\AppData\Roaming\deluge
2009-12-06 21:32 . 2009-11-12 07:05 -------- d-----w- c:\users\Eric\AppData\Roaming\dvdcss
2009-12-06 21:32 . 2009-03-06 02:26 -------- d-----w- c:\users\Eric\AppData\Roaming\gtk-2.0
2009-12-06 21:32 . 2009-08-25 03:07 -------- d-----w- c:\users\Eric\AppData\Roaming\Azureus
2009-12-06 21:32 . 2009-08-22 07:34 -------- d-----w- c:\users\Eric\AppData\Roaming\CyberLink
2009-12-06 21:32 . 2009-08-20 04:18 -------- d-----w- c:\users\Eric\AppData\Roaming\Apple Computer
2009-12-06 21:27 . 2009-09-22 04:03 -------- d-----w- c:\programdata\TuneUpMedia
2009-12-06 21:27 . 2009-08-20 04:18 -------- d-----w- c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-12-06 21:27 . 2009-11-09 16:09 -------- d-----w- c:\programdata\NexonUS
2009-12-06 21:27 . 2009-11-09 08:11 -------- d-----w- c:\programdata\PMB Files
2009-12-06 21:27 . 2009-02-19 17:01 -------- d-----w- c:\programdata\SupportSoft
2009-12-06 21:27 . 2009-02-19 17:00 -------- d-----w- c:\programdata\Sonic
2009-12-06 21:25 . 2009-11-09 08:09 -------- d-----w- c:\program files\Pando Networks
2009-12-06 21:24 . 2009-10-20 05:05 -------- d-----w- c:\program files\EZGet
2009-12-06 02:29 . 2009-12-06 02:29 4096 ----a-w- c:\windows\system32\0FC86.tmp
2009-12-05 01:50 . 2009-12-05 01:50 4096 ----a-w- c:\windows\system32\0CA80.tmp
2009-12-02 02:37 . 2009-12-02 02:37 4096 ----a-w- c:\windows\system32\08E0C.tmp
2009-11-30 18:45 . 2009-11-30 18:45 4096 ----a-w- c:\windows\system32\09EDD.tmp
2009-11-30 16:17 . 2009-11-30 16:17 4096 ----a-w- c:\windows\system32\0AB2C.tmp
2009-11-30 16:14 . 2009-11-30 16:14 4096 ----a-w- c:\windows\system32\087AB.tmp
2009-11-30 07:20 . 2009-11-30 07:20 4096 ----a-w- c:\windows\system32\09D19.tmp
2009-11-30 04:16 . 2009-11-30 04:16 4096 ----a-w- c:\windows\system32\06AA9.tmp
2009-11-29 03:22 . 2009-11-29 03:22 4096 ----a-w- c:\windows\system32\0778F.tmp
2009-11-29 02:25 . 2009-11-29 02:25 4096 ----a-w- c:\windows\system32\0C122.tmp
2009-11-28 01:30 . 2009-11-28 01:30 4096 ----a-w- c:\windows\system32\07DE5.tmp
2009-11-26 06:10 . 2009-11-26 06:10 4096 ----a-w- c:\windows\system32\08EC7.tmp
2009-11-24 07:24 . 2009-11-24 07:24 4096 ----a-w- c:\windows\system32\0A266.tmp
2009-11-23 01:04 . 2009-11-23 01:04 4096 ----a-w- c:\windows\system32\0CF3F.tmp
2009-11-21 04:56 . 2009-11-21 04:56 4096 ----a-w- c:\windows\system32\0821A.tmp
2009-11-20 19:14 . 2009-11-20 19:14 4096 ----a-w- c:\windows\system32\0F085.tmp
2009-11-20 01:31 . 2009-11-20 01:31 4096 ----a-w- c:\windows\system32\0B309.tmp
2009-11-19 22:19 . 2009-11-19 22:19 4096 ----a-w- c:\windows\system32\022EA.tmp
2009-11-19 03:57 . 2009-11-19 03:57 4096 ----a-w- c:\windows\system32\0BB34.tmp
2009-11-18 01:46 . 2009-11-18 01:46 4096 ----a-w- c:\windows\system32\097FA.tmp
2009-11-17 03:08 . 2009-11-17 03:08 4096 ----a-w- c:\windows\system32\09CAB.tmp
2009-11-16 03:30 . 2009-11-16 03:30 4096 ----a-w- c:\windows\system32\08F82.tmp
2009-11-14 04:44 . 2009-11-14 04:44 4096 ----a-w- c:\windows\system32\05B1A.tmp
2009-11-13 04:14 . 2009-11-13 04:14 4096 ----a-w- c:\windows\system32\07CDD.tmp
2009-11-09 16:09 . 2009-11-09 16:09 90112 ----a-w- c:\programdata\NexonUS\NGM\npNxGameUS.dll
2009-11-09 16:09 . 2009-11-09 16:09 561152 ----a-w- c:\programdata\NexonUS\NGM\NGMDll.dll
2009-11-09 16:09 . 2009-11-09 16:09 393216 ----a-w- c:\programdata\NexonUS\NGM\NGMResource.dll
2009-11-09 16:09 . 2009-11-09 16:09 258352 ----a-w- c:\programdata\NexonUS\NGM\unicows.dll
2009-11-09 16:09 . 2009-11-09 16:09 167936 ----a-w- c:\programdata\NexonUS\NGM\NGM.exe
2009-11-09 16:09 . 2009-11-09 16:09 118784 ----a-w- c:\programdata\NexonUS\NGM\nxgameus.dll
2009-11-03 04:42 . 2009-10-03 17:24 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-17 13:41 . 2009-09-22 04:00 174 ----a-w- c:\users\Eric\AppData\Roaming\Azureus\restart.bat
2009-10-02 00:25 . 2009-10-02 00:25 10686001 ----a-w- c:\users\Eric\AppData\Roaming\Azureus\plugins\azump\mplayer.exe
2009-02-19 18:32 . 2009-02-19 18:29 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"WindowsWelcomeCenter"="oobefldr.dll" [2008-01-21 2153472]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2009-11-09 2923192]
"Steam"="c:\program files\steam\steam.exe" [2009-10-25 1217808]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-08-26 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-08-26 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-08-26 154136]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-07-20 182808]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-27 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

R2 AERTFilters;Andrea RT Filters Service;c:\windows\System32\AERTSrv.exe [12/6/2009 1:12 PM 81920]
R2 RtNdPt60;Realtek NDIS Protocol Driver;c:\windows\System32\drivers\RtNdPt60.sys [2/19/2009 8:58 AM 27648]
R2 XobniService;XobniService;c:\program files\Xobni\XobniService.exe [5/6/2009 5:21 PM 46824]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\System32\drivers\IntcHdmi.sys [12/6/2009 1:13 PM 112128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
.
Contents of the 'Scheduled Tasks' folder

2009-12-29 c:\windows\Tasks\RtlNICDiagVistaStart.job
- c:\program files\Realtek\RTNICDiag\RTNICDiag.exe [2009-02-19 07:02]

2009-12-29 c:\windows\Tasks\User_Feed_Synchronization-{8B67DFA3-57A6-4FF7-A450-6C60982ED45B}.job
- c:\windows\system32\msfeedssync.exe [2008-01-21 02:34]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Eric\AppData\Roaming\Mozilla\Firefox\Profiles\xcqc4kti.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\programdata\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\users\Eric\AppData\Local\Yahoo!\BrowserPlus\2.4.21\Plugins\npybrowserplus_2.4.21.dll
FF - hidden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Ask Toolbar_is1 - c:\program files\AskBarDis\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-12-29 15:44
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\iPod\bin\iPodService.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2009-12-29 15:48:20 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-29 23:48
ComboFix2.txt 2009-12-29 18:50
ComboFix3.txt 2009-12-29 17:17

Pre-Run: 111,128,444,928 bytes free
Post-Run: 111,006,076,928 bytes free

- - End Of File - - E721CDE1AC3B66BB2E5E89126E382E58


Re: Unknown Virus

Post by Belahzur on 29th December 2009, 11:50 pm

You aren't running antivirus software.

Please install Avira antivirus, otherwise you won't be protected.

1) [You must be registered and logged in to see this link.]
-Free anti-virus software for Windows.
-Detects and removes more than 50,000 viruses. Free support.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

How is the machine running now?



Re: Unknown Virus

Post by illegit on 30th December 2009, 12:17 am

Thanks a bunch for your help. I am not the primary user of this computer, so I will be sure to ask the owner if his system is running smoother now. The original problem was fixed and I guess that's the main thing for now.


Re: Unknown Virus

Post by Belahzur on 30th December 2009, 12:18 am

Not really; the most important thing is to install an AV, otherwise we just wasted our time if the user can't keep the machine safe.



Re: Unknown Virus

Post by illegit on 30th December 2009, 12:45 am

Alright, it's been installed, thanks again for your help.
