Malware Spyware (1 of 2 post)

Page 1 of 2 1, 2  Next

View previous topic View next topic Go down

Malware Spyware (1 of 2 post)

Post by DIENT42 on Sat 21 Apr 2012, 11:36 pm

Hello,

My laptop is infected, tried cleaning with superantipsyware and malwarebytes several times without success. I cannot read PDF files and also cannot print.

tried running security check but no file was generated, it came back with this error:

The procedure entry point MigratewinsockConfiguration could not be located in the dynamiclink library MSWsock.dll

I have to send you OLT.txt in another post, it kept saying the post was too long and did want to attach the file.

thank you for your help

Dien

OTL Extras logfile created on: 4/21/2012 11:54:17 AM - Run 1
OTL by OldTimer - Version 3.2.39.2 Folder = C:\Documents and Settings\Dien Truong\Desktop\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.96 Gb Total Physical Memory | 1.57 Gb Available Physical Memory | 52.95% Memory free
4.81 Gb Paging File | 3.50 Gb Available in Paging File | 72.74% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.84 Gb Total Space | 167.83 Gb Free Space | 72.08% Space Free | Partition Type: NTFS

Computer Name: JABSOM-1652A6A4 | User Name: Dien Truong | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.html [@ = ChromeHTML] -- C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.)

[HKEY_CURRENT_USER\SOFTWARE\Classes\]
.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
http [open] -- "C:\Program Files\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
https [open] -- "C:\Program Files\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\McAfee\Common Framework\FrameworkService.exe" = C:\Program Files\McAfee\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service -- (McAfee, Inc.)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\McAfee\Common Framework\FrameworkService.exe" = C:\Program Files\McAfee\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service -- (McAfee, Inc.)
"C:\WINDOWS\system32\lxeacoms.exe" = C:\WINDOWS\system32\lxeacoms.exe:*:Enabled:S300-S400 Series Server -- ( )
"C:\Program Files\Abbyy FineReader 6.0 Sprint\Scan\ScanMan6.exe" = C:\Program Files\Abbyy FineReader 6.0 Sprint\Scan\ScanMan6.exe:*:Enabled:ABBYY FineReader -- (ABBYY (BIT Software))
"C:\Documents and Settings\Dien Truong\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe" = C:\Documents and Settings\Dien Truong\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe:*:Enabled:Google Talk Plugin -- (Google)
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)
"C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe" = C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe:*:Enabled:WebKit -- (Apple Inc.)
"C:\Program Files\1ClickDownload\1ClickDownload.exe" = C:\Program Files\1ClickDownload\1ClickDownload.exe:*:Enabled:1ClickDownload -- ()


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{026C3D27-9BE1-46BE-BEAE-6DE38A0F4FBE}" = RealNetworks - Microsoft Visual C++ 2005 Runtime
"{0673654C-5296-453B-9798-B61CD7E03FEB}" = SES Driver
"{23B8A91D-680B-462B-87AD-3D70F7341731}" = iTunes
"{26A24AE4-039D-4CA4-87B4-2F83216014FF}" = Java(TM) 6 Update 24
"{26A24AE4-039D-4CA4-87B4-2F83216016F0}" = Java(TM) 6 Update 16
"{28C2DED6-325B-4CC7-983A-1777C8F7FBAB}" = RealUpgrade 1.1
"{348E6CDF-A6AE-45E6-B0AB-65A07B3C715E}" = O2Micro Flash Memory Card Windows Driver
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{397F4DE2-3C5A-415C-9A36-1D8C2B30B92D}" = McAfee Agent
"{42929F0F-CE14-47AF-9FC7-FF297A603021}" = Dell Resource CD
"{46C045BF-2B3F-4BC4-8E4C-00E0CF8BD9DB}" = Adobe AIR
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{519C4DB6-B53B-4F5C-8297-89B2BE949FA5}_is1" = Data Lifeguard Diagnostic for Windows 1.22
"{5A3C1721-F8ED-11E0-8AFB-B8AC6F97B88E}" = Google Earth
"{5DBC79DA-87D2-376D-A65D-B14097C06C71}" = Google Talk Plugin
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{6D172D0A-B9F1-4046-AFAB-8599288545BF}" = Safari
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7770E71B-2D43-4800-9CB3-5B6CAAEBEBEA}" = RealNetworks - Microsoft Visual C++ 2008 Runtime
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{79155F2B-9895-49D7-8612-D92580E0DE5B}" = Bonjour
"{7BE15435-2D3E-4B58-867F-9C75BED0208C}" = QuickTime
"{889DF117-14D1-44EE-9F31-C5FB5D47F68B}" = Yontoo 1.10.02
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{926BD0E8-24A3-41D2-AF9B-340F1A37ED12}" = MobileMe Control Panel
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{a9264802-8a7a-40fe-a135-5c6d204aed7a}.sdb" = Internet Explorer (Enable DEP)
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.3)
"{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}" = ABBYY FineReader 6.0 Sprint
"{B0BF7057-6869-4E4B-920C-EA2A58DA07F0}" = Cisco Systems VPN Client 5.0.07.0290
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{c9920352-04e6-469d-bab8-e2b9c7c75415}.sdb" = Microsoft Automated Troubleshooting Services Shim
"{C9BED750-1211-4480-B1A5-718A3BE15525}" = REALTEK GbE & FE Ethernet PCI-E NIC Driver
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240C6}" = WinZip 16.0
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{CE15D1B6-19B6-4D4D-8F43-CF5D2C3356FF}" = McAfee VirusScan Enterprise
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D2C5E510-BE6D-42CC-9F61-E4F939078474}" = Lexmark Printable Web
"{E3A5A8AB-58F6-45FF-AFCB-C9AE18C05001}" = IDT Audio
"{EB879750-CCBD-4013-BFD5-0294D4DA5BD0}" = Apple Application Support
"{EFC04D3F-A152-47E7-8517-EE0F6201AFEF}" = Apple Mobile Device Support
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"1ClickDownload" = 1ClickDownload
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Broadcom 802.11b Network Adapter" = Dell Wireless WLAN Card Utility
"DivX Setup.divx.com" = DivX Setup
"Google Chrome" = Google Chrome
"Hamster Free ZIP Archiver_is1" = Hamster Free ZIP Archiver 1.2.0.6
"HDMI" = Intel(R) Graphics Media Accelerator Driver
"hp deskjet 6122 series_Driver" = hp deskjet 6122 series
"ie8" = Windows Internet Explorer 8
"InstallShield_{348E6CDF-A6AE-45E6-B0AB-65A07B3C715E}" = O2Micro Flash Memory Card Windows Driver
"Juniper Odyssey Access Client" = Juniper Odyssey Access Client 4.80
"Juniper_Setup_Client Activex Control" = Juniper Networks Setup Client Activex Control
"Lexmark S300-S400 Series" = Lexmark S300-S400 Series
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.61.0.1400
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"RealPlayer 15.0" = RealPlayer
"uTorrent" = µTorrent
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Xilisoft DVD Creator 6" = Xilisoft DVD Creator 6
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Messenger" = Yahoo! Messenger
"Yahoo! Software Update" = Yahoo! Software Update

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"f031ef6ac137efc5" = Dell Driver Download Manager
"Yahoo! BrowserPlus" = Yahoo! BrowserPlus 2.9.8

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 4/20/2012 2:09:49 AM | Computer Name = JABSOM-1652A6A4 | Source = Application Hang | ID = 1002
Description = Hanging application Hamster.Archiver.UI.exe, version 1.2.0.6, hang
module hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 4/21/2012 5:12:07 AM | Computer Name = JABSOM-1652A6A4 | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 4/21/2012 5:12:07 AM | Computer Name = JABSOM-1652A6A4 | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 1984

Error - 4/21/2012 5:12:07 AM | Computer Name = JABSOM-1652A6A4 | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 1984

Error - 4/21/2012 5:12:09 AM | Computer Name = JABSOM-1652A6A4 | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 4/21/2012 5:12:09 AM | Computer Name = JABSOM-1652A6A4 | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 3968

Error - 4/21/2012 5:12:09 AM | Computer Name = JABSOM-1652A6A4 | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 3968

Error - 4/21/2012 12:59:17 PM | Computer Name = JABSOM-1652A6A4 | Source = McLogEvent | ID = 5051
Description = A thread in process C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
took longer than 90000 ms to complete a request. The process will be terminated.
Thread
id : 1320 (0x528) Thread address : 0x7C90E514 Thread message : Build VSCORE.14.4.0.354
/ 5400.1158 Object being scanned = \Device\HarddiskVolume2\WINDOWS\system32\wceprv.dll

by C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe 4(0)(0) 4(0)(0)
7200(0)(0) 7595(0)(0) 7005(0)(0) 7004(0)(0) 5006(0)(0) 5004(0)(0)

Error - 4/21/2012 1:13:36 PM | Computer Name = JABSOM-1652A6A4 | Source = McLogEvent | ID = 5051
Description = A thread in process C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
took longer than 90000 ms to complete a request. The process will be terminated.
Thread
id : 1272 (0x4f8) Thread address : 0x7C90E514 Thread message : Build VSCORE.14.4.0.354
/ 5400.1158 Object being scanned = \Device\HarddiskVolume2\WINDOWS\system32\wceprv.dll

by C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe 4(0)(0) 4(0)(0)
7200(0)(0) 7595(0)(0) 7005(0)(0) 7004(0)(0) 5006(0)(0) 5004(0)(0)

Error - 4/21/2012 5:26:32 PM | Computer Name = JABSOM-1652A6A4 | Source = McLogEvent | ID = 5051
Description = A thread in process C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
took longer than 90000 ms to complete a request. The process will be terminated.
Thread
id : 3684 (0xe64) Thread address : 0x7C90E514 Thread message : Build VSCORE.14.4.0.354
/ 5400.1158 Object being scanned = \Device\HarddiskVolume2\WINDOWS\system32\wceprv.dll

by C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe 4(0)(0) 4(0)(0)
7200(0)(0) 7595(0)(0) 7005(0)(0) 7004(0)(0) 5006(0)(0) 5004(0)(0)

[ System Events ]
Error - 4/15/2012 6:42:14 AM | Computer Name = JABSOM-1652A6A4 | Source = O2SDGRDR | ID = 262153
Description =

Error - 4/15/2012 1:39:10 PM | Computer Name = JABSOM-1652A6A4 | Source = DCOM | ID = 10016
Description = The application-specific permission settings do not grant Local Launch
permission for the COM Server application with CLSID {DCBCA92E-7DBE-4EDA-8B7B-3AAEA4DD412B}

to the user NT AUTHORITY\SYSTEM SID (S-1-5-18). This security permission can be
modified using the Component Services administrative tool.

Error - 4/16/2012 12:44:55 AM | Computer Name = JABSOM-1652A6A4 | Source = DCOM | ID = 10016
Description = The application-specific permission settings do not grant Local Launch
permission for the COM Server application with CLSID {DCBCA92E-7DBE-4EDA-8B7B-3AAEA4DD412B}

to the user NT AUTHORITY\SYSTEM SID (S-1-5-18). This security permission can be
modified using the Component Services administrative tool.

Error - 4/16/2012 1:51:10 AM | Computer Name = JABSOM-1652A6A4 | Source = DCOM | ID = 10016
Description = The application-specific permission settings do not grant Local Launch
permission for the COM Server application with CLSID {DCBCA92E-7DBE-4EDA-8B7B-3AAEA4DD412B}

to the user NT AUTHORITY\SYSTEM SID (S-1-5-18). This security permission can be
modified using the Component Services administrative tool.

Error - 4/16/2012 4:50:19 AM | Computer Name = JABSOM-1652A6A4 | Source = O2SDGRDR | ID = 262153
Description =

Error - 4/16/2012 4:50:39 AM | Computer Name = JABSOM-1652A6A4 | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the stisvc service.

Error - 4/16/2012 4:51:09 AM | Computer Name = JABSOM-1652A6A4 | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the stisvc service.

Error - 4/16/2012 4:51:39 AM | Computer Name = JABSOM-1652A6A4 | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the stisvc service.

Error - 4/16/2012 6:07:32 AM | Computer Name = JABSOM-1652A6A4 | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the stisvc service.

Error - 4/16/2012 1:05:58 PM | Computer Name = JABSOM-1652A6A4 | Source = DCOM | ID = 10016
Description = The application-specific permission settings do not grant Local Launch
permission for the COM Server application with CLSID {DCBCA92E-7DBE-4EDA-8B7B-3AAEA4DD412B}

to the user NT AUTHORITY\SYSTEM SID (S-1-5-18). This security permission can be
modified using the Component Services administrative tool.


< End of report >


DIENT42

Rookie Surfer
Rookie Surfer

Posts: 65
Joined: 2010-06-11
Operating System: XP

View user profile

Back to top Go down

Re: Malware Spyware (1 of 2 post)

Post by Superdave on Mon 23 Apr 2012, 12:48 am

Hello and welcome to GeekPolice.Net My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.

You may want to consider purchasing Malwarebytes' Anti-Malware to protect against viruses and other threats.
Additionally, purchasing an effective antivirus program is a good idea. This will protect your identity and your computer against all types of viruses and other malware. See the Cheetah Market now:
*****************************************************************
Please do not create multiple threads. If a log is too long, break it into two or three posts.
I cannot read PDF files and also cannot print.
I seriously doubt that any infection will affect your computer. Are there any other symptoms.

Download Combofix from any of the links below, and save it to your DESKTOP.

Link 1
Link 2
Link 3

To prevent your anti-virus application interfering with ComboFix we need to disable it. See here for a tutorial regarding how to do so if you are unsure.

  • Close any open windows and double click ComboFix.exe to run it.

    You will see the following image:



Click I Agree to start the program.

ComboFix will then extract the necessary files and you will see this:



As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7

It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

If you did not have it installed, you will see the prompt below. Choose YES.



Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please Do NOT mouseclick combofix's window while its running because it may cause it to stall.

Superdave
Tech Staff


Tech Staff

Posts: 3221
Joined: 2010-02-01
Operating System: XP Home SP3

View user profile

Back to top Go down

Re: Malware Spyware (1 of 2 post)

Post by DIENT42 on Mon 23 Apr 2012, 2:31 am

hi Superdave,

Thank you for helping me, I ran combofix per your instruction on post 1of2 Combofix said i was infected w/Rootkit.zeroaccess and it was affecting the tcp/ip stack.
At the end of the first run, combofix rebooted and when it came up again, Mcafee Antivires came up with a window saying that it had caught and delete NirkMD. I had disabled Mcafee before running combofix but had no control when combofix rebooted. Anyway, combofix after rebooting went ahead and did its work but kept sending a message that NIRKMD could not be found. I clicked the ok button and it continued. Not sure this will require additional work, just wanted to let you know, thanks.


ComboFix 12-04-22.02 - Dien Truong 04/22/2012 14:29:57.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3033.2551 [GMT -10:00]
Running from: C:\Documents and Settings\Dien Truong\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\All Users\Application Data\TEMP
C:\Documents and Settings\All Users\SPL110.tmp
C:\Documents and Settings\Dien Truong\Application Data\PriceGong
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\1.txt
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\1.xml
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\173.txt
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\2229.txt
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\a.txt
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\a.xml
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\b.txt
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\b.xml
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\c.txt
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\c.xml
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\d.txt
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\d.xml
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\e.txt
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\e.xml
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\f.txt
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\f.xml
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\g.txt
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\g.xml
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\h.txt
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\h.xml
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\i.txt
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\i.xml
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\j.txt
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\J.xml
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\k.txt
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\k.xml
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\l.txt
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\l.xml
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\m.txt
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\m.xml
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\mru.xml
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\n.txt
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\n.xml
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\o.txt
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\o.xml
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\p.txt
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\p.xml
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\q.txt
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\q.xml
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\r.txt
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\r.xml
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\s.txt
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\s.xml
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\t.txt
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\t.xml
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\u.txt
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\u.xml
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\v.txt
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\v.xml
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\w.txt
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\w.xml
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\wlu.txt
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\x.txt
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\x.xml
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\y.txt
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\y.xml
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\z.txt
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\z.xml
C:\Documents and Settings\Dien Truong\Application Data\Toolbar4
C:\Documents and Settings\Dien Truong\DataRefreshUI_5.0.0.8300.dll
C:\WINDOWS\$NtUninstallKB20636$\1920213736\@
C:\WINDOWS\$NtUninstallKB20636$\1920213736\cfg.ini
C:\WINDOWS\$NtUninstallKB20636$\1920213736\Desktop.ini
C:\WINDOWS\$NtUninstallKB20636$\1920213736\L\sokpcgdh
C:\WINDOWS\$NtUninstallKB20636$\1920213736\oemid
C:\WINDOWS\$NtUninstallKB20636$\1920213736\U\00000001.$
C:\WINDOWS\$NtUninstallKB20636$\1920213736\U\00000001.@
C:\WINDOWS\$NtUninstallKB20636$\1920213736\U\00000002.@
C:\WINDOWS\$NtUninstallKB20636$\1920213736\U\00000004.@
C:\WINDOWS\$NtUninstallKB20636$\1920213736\U\80000000.@
C:\WINDOWS\$NtUninstallKB20636$\1920213736\U\80000004.@
C:\WINDOWS\$NtUninstallKB20636$\1920213736\U\80000032.@
C:\WINDOWS\$NtUninstallKB20636$\1920213736\version
C:\WINDOWS\$NtUninstallKB20636$\775403029
C:\WINDOWS\EventSystem.log
C:\WINDOWS\system32\{a7447300-8075-4b0d-83f1-3d75c8ebc623}.dll
C:\WINDOWS\system32\armoucfltr.dll
C:\WINDOWS\system32\ATIVXSTW.dll
C:\WINDOWS\system32\AVerTV.dll
C:\WINDOWS\system32\BCM43XV.dll
C:\WINDOWS\system32\bcm43xx.dll
C:\WINDOWS\system32\bhmonitorservice.dll
C:\WINDOWS\system32\bridge.dll
C:\WINDOWS\system32\bvrp_pci.dll
C:\WINDOWS\system32\c-dillasrv.dll
C:\WINDOWS\system32\clr_optimization_v2.0.50215_32.dll
C:\WINDOWS\system32\cmdide.dll
C:\WINDOWS\system32\cpqdmi.dll
C:\WINDOWS\system32\cpqnicmgmt.dll
C:\WINDOWS\system32\CSDriver.dll
C:\WINDOWS\system32\db2governor.dll
C:\WINDOWS\system32\dds_trash_log.cmd
C:\WINDOWS\system32\df5serv.dll
C:\WINDOWS\system32\DfwWebAgent.dll
C:\WINDOWS\system32\DKbFltr.dll
C:\WINDOWS\system32\DM9102.dll
C:\WINDOWS\system32\eaphost.dll
C:\WINDOWS\system32\efs.dll
C:\WINDOWS\system32\ELhid.dll
C:\WINDOWS\system32\F700iob.dll
C:\WINDOWS\system32\fax.dll
C:\WINDOWS\system32\gdrv.dll
C:\WINDOWS\system32\hpconfig.dll
C:\WINDOWS\system32\hpqwmi.dll
C:\WINDOWS\system32\iaimfp1.dll
C:\WINDOWS\system32\igfx.dll
C:\WINDOWS\system32\iviVD.dll
C:\WINDOWS\system32\iwebmsg.dll
C:\WINDOWS\system32\klif.dll
C:\WINDOWS\system32\lxcd_device.dll
C:\WINDOWS\system32\mapserver6.3.dll
C:\WINDOWS\system32\mbr.dll
C:\WINDOWS\system32\Memctl.dll
C:\WINDOWS\system32\MSFWHLPR.dll
C:\WINDOWS\system32\msgame.dll
C:\WINDOWS\system32\mstee.dll
C:\WINDOWS\system32\mysqlinventime.dll
C:\WINDOWS\system32\nipxirmu.dll
C:\WINDOWS\system32\nnsvc.dll
C:\WINDOWS\system32\nsvcip.dll
C:\WINDOWS\system32\omsad.dll
C:\WINDOWS\system32\oracle_load_balancer_60_server-forms6i.dll
C:\WINDOWS\system32\oracleorahome811cmadmin.dll
C:\WINDOWS\system32\pci.dll
C:\WINDOWS\system32\pduip6000dmemcrdmgr.dll
C:\WINDOWS\system32\penclass.dll
C:\WINDOWS\system32\QPSched.dll
C:\WINDOWS\system32\radclock.dll
C:\WINDOWS\system32\rimvserport.dll
C:\WINDOWS\system32\rollbackclientservice.dll
C:\WINDOWS\system32\roxwatch.dll
C:\WINDOWS\system32\rp32service.dll
C:\WINDOWS\system32\rtl8029.dll
C:\WINDOWS\system32\s125obex.dll
C:\WINDOWS\system32\SbieDrv.dll
C:\WINDOWS\system32\sbservice.dll
C:\WINDOWS\system32\se27unic.dll
C:\WINDOWS\system32\SE2Dbus.dll
C:\WINDOWS\system32\SE2Ebus.dll
C:\WINDOWS\system32\se59mdm.dll
C:\WINDOWS\system32\SET125.tmp
C:\WINDOWS\system32\SET129.tmp
C:\WINDOWS\system32\SET131.tmp
C:\WINDOWS\system32\SIODRV.dll
C:\WINDOWS\system32\SiRemFil.dll
C:\WINDOWS\system32\Sk9920nt.dll
C:\WINDOWS\system32\slabser.dll
C:\WINDOWS\system32\slpmonx.dll
C:\WINDOWS\system32\snpstd.dll
C:\WINDOWS\system32\Sntnlusb.dll
C:\WINDOWS\system32\spbbcsvc.dll
C:\WINDOWS\system32\spool\prtprocs\w32x86\xpdpp.dll
C:\WINDOWS\system32\SRTSP.dll
C:\WINDOWS\system32\SrvcEPECioctl.dll
C:\WINDOWS\system32\StillCam.dll
C:\WINDOWS\system32\SWMX00.dll
C:\WINDOWS\system32\symndis.dll
C:\WINDOWS\system32\tifm.dll
C:\WINDOWS\system32\toside.dll
C:\WINDOWS\system32\utilman.dll
C:\WINDOWS\system32\vc8secs.dll
C:\WINDOWS\system32\VHidMinidrv.dll
C:\WINDOWS\system32\Via4in1.dll
C:\WINDOWS\system32\vmount2.dll
C:\WINDOWS\system32\wacomvhid.dll
C:\WINDOWS\system32\webrootenterpriseclientservice.dll
C:\WINDOWS\system32\winpowermanager.dll
C:\WINDOWS\system32\wudfrd.dll
C:\WINDOWS\system32\wuolservice.dll
C:\WINDOWS\system32\XBCD.dll
C:\WINDOWS\system32\XDva004.dll
C:\WINDOWS\$NtUninstallKB20636$ . . . . Failed to delete

Infected copy of C:\WINDOWS\system32\autochk.exe was found and disinfected
Restored copy from - C:\System Volume Information\_restore{89FCB8C9-C704-4D49-B214-A171A6CBA08C}\RP367\A0288558.exe


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_A016MGMT
-------\Legacy_A8DJAVS
-------\Legacy_ADIDTSFILTSERVICE
-------\Legacy_ADIUSBAW
-------\Legacy_ADVSERVICE
-------\Legacy_AECLIENTHOSTSERVICE
-------\Legacy_AGNFILT
-------\Legacy_AGP440
-------\Legacy_ANIWZCSDSERVICE
-------\Legacy_APLMP50
-------\Legacy_ATI2MPAA
-------\Legacy_BACKUPCLIENTSVC
-------\Legacy_BCM43XV
-------\Legacy_BC_IP_F
-------\Legacy_BTKRNL
-------\Legacy_CCALIB8
-------\Legacy_CENTENNIALIPTRANSFERAGENT
-------\Legacy_CLNTMGMT.SYS
-------\Legacy_CMDAGENT
-------\Legacy_CYBERPOWERUPS
-------\Legacy_DBMANAGERSCHEDULER
-------\Legacy_DEVENTAGENT
-------\Legacy_DLARTL_N
-------\Legacy_E1000
-------\Legacy_EABUSB
-------\Legacy_FIRESVC
-------\Legacy_GAMEENUM
-------\Legacy_HPFECP20
-------\Legacy_HSXHWAZL
-------\Legacy_IAIMFP5
-------\Legacy_IAIMTV6
-------\Legacy_ICM10BLK
-------\Legacy_IDECHNDR
-------\Legacy_INCDSRVR
-------\Legacy_KMW_KBD
-------\Legacy_KNOBSERV
-------\Legacy_L8042PR2
-------\Legacy_LMS
-------\Legacy_MCDBUS
-------\Legacy_MOZYBACKUP
-------\Legacy_MSW_USB
-------\Legacy_MWSTICK
-------\Legacy_NMRAAPACHE
-------\Legacy_NSM1MDFL
-------\Legacy_NWADI
-------\Legacy_OMNIINET
-------\Legacy_ORACLE_LOAD_BALANCER_60_CLIENT-FORMS6I
-------\Legacy_PALMUSBD
-------\Legacy_PCTAVSVC
-------\Legacy_PDLNEPKT
-------\Legacy_PDSCHEDULER
-------\Legacy_PROCDD
-------\Legacy_QFCORESVC
-------\Legacy_QSERVER
-------\Legacy_RKHDRV31
-------\Legacy_RKHIT
-------\Legacy_RXMSSYNC
-------\Legacy_S716ND5
-------\Legacy_SFCTLCOM
-------\Legacy_SGECLIENT
-------\Legacy_SI3114R
-------\Legacy_SIT_PRT
-------\Legacy_SSSCSISV
-------\Legacy_SYMANTECANTIBOTAGENT
-------\Legacy_TBASPI
-------\Legacy_TDCMDPST
-------\Legacy_TOSRFBD
-------\Legacy_TRACKCAM4
-------\Legacy_TSMSERVICE
-------\Legacy_UBHELPER
-------\Legacy_UIM_IM
-------\Legacy_US30SYS
-------\Legacy_USB20L
-------\Legacy_USB_RNDIS_XP
-------\Legacy_VAIOMEDIAPLATFORM-PHOTOSERVER-HTTP
-------\Legacy_VX1000
-------\Legacy_W29N51
-------\Legacy_W800MGMT
-------\Legacy_WAMPAPACHE
-------\Legacy_WDELMGR20
-------\Legacy_WEBROOTCOMMAGENTSERVICE
-------\Legacy_WEBSENSEWFREPORTSERVER
-------\Legacy_WHOISD32
-------\Legacy_WIMFLTR
-------\Legacy_WINACHCF
-------\Legacy_WPDUSB
-------\Legacy_WPS
-------\Legacy_ZEBRSCE
-------\Legacy_ZPNODECOLLECTOR
-------\Legacy_ZPPINGER
-------\Legacy_{834170A7-AF3B-4D34-A757-E05EB29EE96D}
-------\Legacy_{E2B953A6-195A-44F9-9BA3-3D5F4E32BB55}
-------\Service_{834170a7-af3b-4d34-a757-e05eb29ee96d}
-------\Service_{e2b953a6-195a-44f9-9ba3-3d5f4e32bb55}
-------\Service_a016mgmt
-------\Service_a8djavs
-------\Service_ADIDTSFiltService
-------\Service_adiusbaw
-------\Service_advservice
-------\Service_aeclienthostservice
-------\Service_agnfilt
-------\Service_agp440
-------\Service_aniwzcsdservice
-------\Service_APLMp50
-------\Service_ati2mpaa
-------\Service_backupclientsvc
-------\Service_bc_ip_f
-------\Service_BCM43XV
-------\Service_btkrnl
-------\Service_ccalib8
-------\Service_centennialiptransferagent
-------\Service_ClntMgmt.sys
-------\Service_cmdagent
-------\Service_cyberpowerups
-------\Service_dbmanagerscheduler
-------\Service_deventagent
-------\Service_dlartl_n
-------\Service_e1000
-------\Service_eabusb
-------\Service_firesvc
-------\Service_gameenum
-------\Service_HPFECP20
-------\Service_hsxhwazl
-------\Service_iAimFP5
-------\Service_iAimTV6
-------\Service_icm10blk
-------\Service_idechndr
-------\Service_InCDsrvR
-------\Service_KMW_KBD
-------\Service_knobserv
-------\Service_l8042pr2
-------\Service_LMS
-------\Service_mcdbus
-------\Service_mozybackup
-------\Service_MSW_USB
-------\Service_mwstick
-------\Service_nmraapache
-------\Service_nsm1mdfl
-------\Service_NWADI
-------\Service_omniinet
-------\Service_oracle_load_balancer_60_client-forms6i
-------\Service_palmusbd
-------\Service_pctavsvc
-------\Service_pdlnepkt
-------\Service_pdscheduler
-------\Service_procdd
-------\Service_qfcoresvc
-------\Service_qserver
-------\Service_rkhdrv31
-------\Service_rxmssync
-------\Service_s716nd5
-------\Service_SfCtlCom
-------\Service_sgeclient
-------\Service_si3114r
-------\Service_sit_prt
-------\Service_ssscsisv
-------\Service_symantecantibotagent
-------\Service_tbaspi
-------\Service_tdcmdpst
-------\Service_tosrfbd
-------\Service_trackcam4
-------\Service_tsmservice
-------\Service_UBHelper
-------\Service_Uim_IM
-------\Service_us30sys
-------\Service_USB_RNDIS_XP
-------\Service_usb20l
-------\Service_VAIOMediaPlatform-PhotoServer-HTTP
-------\Service_VX1000
-------\Service_w29n51
-------\Service_w800mgmt
-------\Service_wampapache
-------\Service_wdelmgr20
-------\Service_webrootcommagentservice
-------\Service_websensewfreportserver
-------\Service_whoisd32
-------\Service_WimFltr
-------\Service_winachcf
-------\Service_wpdusb
-------\Service_wps
-------\Service_zebrsce
-------\Service_zpnodecollector
-------\Service_zppinger


((((((((((((((((((((((((( Files Created from 2012-03-23 to 2012-04-23 )))))))))))))))))))))))))))))))



DIENT42

Rookie Surfer
Rookie Surfer

Posts: 65
Joined: 2010-06-11
Operating System: XP

View user profile

Back to top Go down

Re: Malware Spyware (1 of 2 post)

Post by Superdave on Mon 23 Apr 2012, 7:41 pm

This is not the complete ComboFix log. Please post the rest of it.

Superdave
Tech Staff


Tech Staff

Posts: 3221
Joined: 2010-02-01
Operating System: XP Home SP3

View user profile

Back to top Go down

Re: Malware Spyware (1 of 2 post)

Post by DIENT42 on Mon 23 Apr 2012, 10:53 pm

Hi Dave,

This is the only comfix.txt file i could find unless it saved the file elsewhere


ComboFix 12-04-22.02 - Dien Truong 04/22/2012 14:29:57.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3033.2551 [GMT -10:00]
Running from: C:\Documents and Settings\Dien Truong\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\All Users\Application Data\TEMP
C:\Documents and Settings\All Users\SPL110.tmp
C:\Documents and Settings\Dien Truong\Application Data\PriceGong
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\1.txt
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\1.xml
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\173.txt
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\2229.txt
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\a.txt
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\a.xml
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\b.txt
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\b.xml
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\c.txt
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\c.xml
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\d.txt
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\d.xml
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\e.txt
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\e.xml
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\f.txt
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\f.xml
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\g.txt
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\g.xml
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\h.txt
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\h.xml
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\i.txt
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\i.xml
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\j.txt
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\J.xml
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\k.txt
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\k.xml
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\l.txt
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\l.xml
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\m.txt
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\m.xml
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\mru.xml
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\n.txt
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\n.xml
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\o.txt
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\o.xml
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\p.txt
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\p.xml
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\q.txt
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\q.xml
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\r.txt
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\r.xml
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\s.txt
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\s.xml
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\t.txt
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\t.xml
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\u.txt
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\u.xml
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\v.txt
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\v.xml
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\w.txt
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\w.xml
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\wlu.txt
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\x.txt
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\x.xml
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\y.txt
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\y.xml
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\z.txt
C:\Documents and Settings\Dien Truong\Application Data\PriceGong\Data\z.xml
C:\Documents and Settings\Dien Truong\Application Data\Toolbar4
C:\Documents and Settings\Dien Truong\DataRefreshUI_5.0.0.8300.dll
C:\WINDOWS\$NtUninstallKB20636$\1920213736\@
C:\WINDOWS\$NtUninstallKB20636$\1920213736\cfg.ini
C:\WINDOWS\$NtUninstallKB20636$\1920213736\Desktop.ini
C:\WINDOWS\$NtUninstallKB20636$\1920213736\L\sokpcgdh
C:\WINDOWS\$NtUninstallKB20636$\1920213736\oemid
C:\WINDOWS\$NtUninstallKB20636$\1920213736\U\00000001.$
C:\WINDOWS\$NtUninstallKB20636$\1920213736\U\00000001.@
C:\WINDOWS\$NtUninstallKB20636$\1920213736\U\00000002.@
C:\WINDOWS\$NtUninstallKB20636$\1920213736\U\00000004.@
C:\WINDOWS\$NtUninstallKB20636$\1920213736\U\80000000.@
C:\WINDOWS\$NtUninstallKB20636$\1920213736\U\80000004.@
C:\WINDOWS\$NtUninstallKB20636$\1920213736\U\80000032.@
C:\WINDOWS\$NtUninstallKB20636$\1920213736\version
C:\WINDOWS\$NtUninstallKB20636$\775403029
C:\WINDOWS\EventSystem.log
C:\WINDOWS\system32\{a7447300-8075-4b0d-83f1-3d75c8ebc623}.dll
C:\WINDOWS\system32\armoucfltr.dll
C:\WINDOWS\system32\ATIVXSTW.dll
C:\WINDOWS\system32\AVerTV.dll
C:\WINDOWS\system32\BCM43XV.dll
C:\WINDOWS\system32\bcm43xx.dll
C:\WINDOWS\system32\bhmonitorservice.dll
C:\WINDOWS\system32\bridge.dll
C:\WINDOWS\system32\bvrp_pci.dll
C:\WINDOWS\system32\c-dillasrv.dll
C:\WINDOWS\system32\clr_optimization_v2.0.50215_32.dll
C:\WINDOWS\system32\cmdide.dll
C:\WINDOWS\system32\cpqdmi.dll
C:\WINDOWS\system32\cpqnicmgmt.dll
C:\WINDOWS\system32\CSDriver.dll
C:\WINDOWS\system32\db2governor.dll
C:\WINDOWS\system32\dds_trash_log.cmd
C:\WINDOWS\system32\df5serv.dll
C:\WINDOWS\system32\DfwWebAgent.dll
C:\WINDOWS\system32\DKbFltr.dll
C:\WINDOWS\system32\DM9102.dll
C:\WINDOWS\system32\eaphost.dll
C:\WINDOWS\system32\efs.dll
C:\WINDOWS\system32\ELhid.dll
C:\WINDOWS\system32\F700iob.dll
C:\WINDOWS\system32\fax.dll
C:\WINDOWS\system32\gdrv.dll
C:\WINDOWS\system32\hpconfig.dll
C:\WINDOWS\system32\hpqwmi.dll
C:\WINDOWS\system32\iaimfp1.dll
C:\WINDOWS\system32\igfx.dll
C:\WINDOWS\system32\iviVD.dll
C:\WINDOWS\system32\iwebmsg.dll
C:\WINDOWS\system32\klif.dll
C:\WINDOWS\system32\lxcd_device.dll
C:\WINDOWS\system32\mapserver6.3.dll
C:\WINDOWS\system32\mbr.dll
C:\WINDOWS\system32\Memctl.dll
C:\WINDOWS\system32\MSFWHLPR.dll
C:\WINDOWS\system32\msgame.dll
C:\WINDOWS\system32\mstee.dll
C:\WINDOWS\system32\mysqlinventime.dll
C:\WINDOWS\system32\nipxirmu.dll
C:\WINDOWS\system32\nnsvc.dll
C:\WINDOWS\system32\nsvcip.dll
C:\WINDOWS\system32\omsad.dll
C:\WINDOWS\system32\oracle_load_balancer_60_server-forms6i.dll
C:\WINDOWS\system32\oracleorahome811cmadmin.dll
C:\WINDOWS\system32\pci.dll
C:\WINDOWS\system32\pduip6000dmemcrdmgr.dll
C:\WINDOWS\system32\penclass.dll
C:\WINDOWS\system32\QPSched.dll
C:\WINDOWS\system32\radclock.dll
C:\WINDOWS\system32\rimvserport.dll
C:\WINDOWS\system32\rollbackclientservice.dll
C:\WINDOWS\system32\roxwatch.dll
C:\WINDOWS\system32\rp32service.dll
C:\WINDOWS\system32\rtl8029.dll
C:\WINDOWS\system32\s125obex.dll
C:\WINDOWS\system32\SbieDrv.dll
C:\WINDOWS\system32\sbservice.dll
C:\WINDOWS\system32\se27unic.dll
C:\WINDOWS\system32\SE2Dbus.dll
C:\WINDOWS\system32\SE2Ebus.dll
C:\WINDOWS\system32\se59mdm.dll
C:\WINDOWS\system32\SET125.tmp
C:\WINDOWS\system32\SET129.tmp
C:\WINDOWS\system32\SET131.tmp
C:\WINDOWS\system32\SIODRV.dll
C:\WINDOWS\system32\SiRemFil.dll
C:\WINDOWS\system32\Sk9920nt.dll
C:\WINDOWS\system32\slabser.dll
C:\WINDOWS\system32\slpmonx.dll
C:\WINDOWS\system32\snpstd.dll
C:\WINDOWS\system32\Sntnlusb.dll
C:\WINDOWS\system32\spbbcsvc.dll
C:\WINDOWS\system32\spool\prtprocs\w32x86\xpdpp.dll
C:\WINDOWS\system32\SRTSP.dll
C:\WINDOWS\system32\SrvcEPECioctl.dll
C:\WINDOWS\system32\StillCam.dll
C:\WINDOWS\system32\SWMX00.dll
C:\WINDOWS\system32\symndis.dll
C:\WINDOWS\system32\tifm.dll
C:\WINDOWS\system32\toside.dll
C:\WINDOWS\system32\utilman.dll
C:\WINDOWS\system32\vc8secs.dll
C:\WINDOWS\system32\VHidMinidrv.dll
C:\WINDOWS\system32\Via4in1.dll
C:\WINDOWS\system32\vmount2.dll
C:\WINDOWS\system32\wacomvhid.dll
C:\WINDOWS\system32\webrootenterpriseclientservice.dll
C:\WINDOWS\system32\winpowermanager.dll
C:\WINDOWS\system32\wudfrd.dll
C:\WINDOWS\system32\wuolservice.dll
C:\WINDOWS\system32\XBCD.dll
C:\WINDOWS\system32\XDva004.dll
C:\WINDOWS\$NtUninstallKB20636$ . . . . Failed to delete

Infected copy of C:\WINDOWS\system32\autochk.exe was found and disinfected
Restored copy from - C:\System Volume Information\_restore{89FCB8C9-C704-4D49-B214-A171A6CBA08C}\RP367\A0288558.exe


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_A016MGMT
-------\Legacy_A8DJAVS
-------\Legacy_ADIDTSFILTSERVICE
-------\Legacy_ADIUSBAW
-------\Legacy_ADVSERVICE
-------\Legacy_AECLIENTHOSTSERVICE
-------\Legacy_AGNFILT
-------\Legacy_AGP440
-------\Legacy_ANIWZCSDSERVICE
-------\Legacy_APLMP50
-------\Legacy_ATI2MPAA
-------\Legacy_BACKUPCLIENTSVC
-------\Legacy_BCM43XV
-------\Legacy_BC_IP_F
-------\Legacy_BTKRNL
-------\Legacy_CCALIB8
-------\Legacy_CENTENNIALIPTRANSFERAGENT
-------\Legacy_CLNTMGMT.SYS
-------\Legacy_CMDAGENT
-------\Legacy_CYBERPOWERUPS
-------\Legacy_DBMANAGERSCHEDULER
-------\Legacy_DEVENTAGENT
-------\Legacy_DLARTL_N
-------\Legacy_E1000
-------\Legacy_EABUSB
-------\Legacy_FIRESVC
-------\Legacy_GAMEENUM
-------\Legacy_HPFECP20
-------\Legacy_HSXHWAZL
-------\Legacy_IAIMFP5
-------\Legacy_IAIMTV6
-------\Legacy_ICM10BLK
-------\Legacy_IDECHNDR
-------\Legacy_INCDSRVR
-------\Legacy_KMW_KBD
-------\Legacy_KNOBSERV
-------\Legacy_L8042PR2
-------\Legacy_LMS
-------\Legacy_MCDBUS
-------\Legacy_MOZYBACKUP
-------\Legacy_MSW_USB
-------\Legacy_MWSTICK
-------\Legacy_NMRAAPACHE
-------\Legacy_NSM1MDFL
-------\Legacy_NWADI
-------\Legacy_OMNIINET
-------\Legacy_ORACLE_LOAD_BALANCER_60_CLIENT-FORMS6I
-------\Legacy_PALMUSBD
-------\Legacy_PCTAVSVC
-------\Legacy_PDLNEPKT
-------\Legacy_PDSCHEDULER
-------\Legacy_PROCDD
-------\Legacy_QFCORESVC
-------\Legacy_QSERVER
-------\Legacy_RKHDRV31
-------\Legacy_RKHIT
-------\Legacy_RXMSSYNC
-------\Legacy_S716ND5
-------\Legacy_SFCTLCOM
-------\Legacy_SGECLIENT
-------\Legacy_SI3114R
-------\Legacy_SIT_PRT
-------\Legacy_SSSCSISV
-------\Legacy_SYMANTECANTIBOTAGENT
-------\Legacy_TBASPI
-------\Legacy_TDCMDPST
-------\Legacy_TOSRFBD
-------\Legacy_TRACKCAM4
-------\Legacy_TSMSERVICE
-------\Legacy_UBHELPER
-------\Legacy_UIM_IM
-------\Legacy_US30SYS
-------\Legacy_USB20L
-------\Legacy_USB_RNDIS_XP
-------\Legacy_VAIOMEDIAPLATFORM-PHOTOSERVER-HTTP
-------\Legacy_VX1000
-------\Legacy_W29N51
-------\Legacy_W800MGMT
-------\Legacy_WAMPAPACHE
-------\Legacy_WDELMGR20
-------\Legacy_WEBROOTCOMMAGENTSERVICE
-------\Legacy_WEBSENSEWFREPORTSERVER
-------\Legacy_WHOISD32
-------\Legacy_WIMFLTR
-------\Legacy_WINACHCF
-------\Legacy_WPDUSB
-------\Legacy_WPS
-------\Legacy_ZEBRSCE
-------\Legacy_ZPNODECOLLECTOR
-------\Legacy_ZPPINGER
-------\Legacy_{834170A7-AF3B-4D34-A757-E05EB29EE96D}
-------\Legacy_{E2B953A6-195A-44F9-9BA3-3D5F4E32BB55}
-------\Service_{834170a7-af3b-4d34-a757-e05eb29ee96d}
-------\Service_{e2b953a6-195a-44f9-9ba3-3d5f4e32bb55}
-------\Service_a016mgmt
-------\Service_a8djavs
-------\Service_ADIDTSFiltService
-------\Service_adiusbaw
-------\Service_advservice
-------\Service_aeclienthostservice
-------\Service_agnfilt
-------\Service_agp440
-------\Service_aniwzcsdservice
-------\Service_APLMp50
-------\Service_ati2mpaa
-------\Service_backupclientsvc
-------\Service_bc_ip_f
-------\Service_BCM43XV
-------\Service_btkrnl
-------\Service_ccalib8
-------\Service_centennialiptransferagent
-------\Service_ClntMgmt.sys
-------\Service_cmdagent
-------\Service_cyberpowerups
-------\Service_dbmanagerscheduler
-------\Service_deventagent
-------\Service_dlartl_n
-------\Service_e1000
-------\Service_eabusb
-------\Service_firesvc
-------\Service_gameenum
-------\Service_HPFECP20
-------\Service_hsxhwazl
-------\Service_iAimFP5
-------\Service_iAimTV6
-------\Service_icm10blk
-------\Service_idechndr
-------\Service_InCDsrvR
-------\Service_KMW_KBD
-------\Service_knobserv
-------\Service_l8042pr2
-------\Service_LMS
-------\Service_mcdbus
-------\Service_mozybackup
-------\Service_MSW_USB
-------\Service_mwstick
-------\Service_nmraapache
-------\Service_nsm1mdfl
-------\Service_NWADI
-------\Service_omniinet
-------\Service_oracle_load_balancer_60_client-forms6i
-------\Service_palmusbd
-------\Service_pctavsvc
-------\Service_pdlnepkt
-------\Service_pdscheduler
-------\Service_procdd
-------\Service_qfcoresvc
-------\Service_qserver
-------\Service_rkhdrv31
-------\Service_rxmssync
-------\Service_s716nd5
-------\Service_SfCtlCom
-------\Service_sgeclient
-------\Service_si3114r
-------\Service_sit_prt
-------\Service_ssscsisv
-------\Service_symantecantibotagent
-------\Service_tbaspi
-------\Service_tdcmdpst
-------\Service_tosrfbd
-------\Service_trackcam4
-------\Service_tsmservice
-------\Service_UBHelper
-------\Service_Uim_IM
-------\Service_us30sys
-------\Service_USB_RNDIS_XP
-------\Service_usb20l
-------\Service_VAIOMediaPlatform-PhotoServer-HTTP
-------\Service_VX1000
-------\Service_w29n51
-------\Service_w800mgmt
-------\Service_wampapache
-------\Service_wdelmgr20
-------\Service_webrootcommagentservice
-------\Service_websensewfreportserver
-------\Service_whoisd32
-------\Service_WimFltr
-------\Service_winachcf
-------\Service_wpdusb
-------\Service_wps
-------\Service_zebrsce
-------\Service_zpnodecollector
-------\Service_zppinger


((((((((((((((((((((((((( Files Created from 2012-03-23 to 2012-04-23 )))))))))))))))))))))))))))))))



DIENT42

Rookie Surfer
Rookie Surfer

Posts: 65
Joined: 2010-06-11
Operating System: XP

View user profile

Back to top Go down

Re: Malware Spyware (1 of 2 post)

Post by Superdave on Mon 23 Apr 2012, 11:17 pm

Please look in the ComboFix folder on the C: drive. You're looking for a txt file. If you can't find it, please run it again and post the whole log.

Superdave
Tech Staff


Tech Staff

Posts: 3221
Joined: 2010-02-01
Operating System: XP Home SP3

View user profile

Back to top Go down

Re: Malware Spyware (1 of 2 post)

Post by DIENT42 on Mon 23 Apr 2012, 11:24 pm

hi Dave,

What i posted to you was the combofix.txt file on the c: drive. I'll go ahead and run combofix again. Remeber I had mentioned that when combofix rebooted, Mc afee deleted the " tool-nircmd " not sure if that affected the rest of what combofix was trying to do.

DIENT42

Rookie Surfer
Rookie Surfer

Posts: 65
Joined: 2010-06-11
Operating System: XP

View user profile

Back to top Go down

Re: Malware Spyware (1 of 2 post)

Post by DIENT42 on Tue 24 Apr 2012, 4:03 am

Hi Dave,

Ran combofix w/McAfee disabled, here's the log file.

ComboFix 12-04-22.02 - Dien Truong 04/23/2012 12:59:47.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3033.2654 [GMT -10:00]
Running from: c:\documents and settings\Dien Truong\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-- Previous Run --
.
Infected copy of c:\windows\system32\autochk.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{89FCB8C9-C704-4D49-B214-A171A6CBA08C}\RP367\A0288558.exe
.
--------
.
Infected copy of c:\windows\system32\autochk.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{89FCB8C9-C704-4D49-B214-A171A6CBA08C}\RP367\A0288558.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-03-24 to 2012-04-24 )))))))))))))))))))))))))))))))
.
.
2012-04-23 22:35 . 2012-04-23 22:58 17920 ----a-w- c:\windows\system32\rpcnetp.dll
2012-04-23 22:34 . 2012-04-23 22:57 17920 ----a-w- c:\windows\system32\rpcnetp.exe
2012-04-21 01:20 . 2012-04-21 01:20 1984 ----a-w- c:\documents and settings\NetworkService\Local Settings\Application Data\d3d9caps.tmp
2012-04-11 19:58 . 2012-04-11 19:58 -------- d-----w- c:\program files\iPod
2012-04-11 19:58 . 2012-04-11 19:59 -------- d-----w- c:\program files\iTunes
2012-04-09 23:40 . 2012-04-14 02:47 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-04 05:53 . 2012-04-04 05:53 182160 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-23 01:33 . 2011-03-24 19:49 44544 ----a-w- c:\windows\system32\agremove.exe
2012-04-14 02:47 . 2011-05-23 18:30 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-05 01:56 . 2011-02-21 20:31 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-18 16:40 . 2012-03-18 16:40 59888 ------w- c:\windows\system32\pxwma.dll
2012-03-18 10:32 . 2012-03-18 10:32 18944 ----a-r- c:\documents and settings\Dien Truong\Application Data\Microsoft\Installer\{8F018A9E-56DE-4A79-A5EF-25F413F1D538}\IconBB6A16301.exe
2012-03-01 11:01 . 2008-04-13 23:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01 . 2008-04-13 23:00 43520 ------w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01 . 2008-04-13 23:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10 . 2008-04-13 23:00 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10 . 2008-04-13 23:00 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17 . 2008-04-13 23:00 385024 ------w- c:\windows\system32\html.iec
2012-02-15 21:01 . 2011-05-15 05:47 4547944 ----a-w- c:\windows\system32\usbaaplrc.dll
2012-02-15 21:01 . 2011-05-15 05:47 43520 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2012-02-03 09:22 . 2008-04-13 23:00 1860096 ----a-w- c:\windows\system32\win32k.sys
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2010-08-17 . 258DD5D4283FD9F9A7166BE9AE45CE73 . 58880 . . [5.1.2600.6024] . . c:\windows\$hf_mig$\KB2347290\SP3QFE\spoolsv.exe
[7] 2010-08-17 . 60784F891563FB1B767F70117FC2428F . 58880 . . [5.1.2600.6024] . . c:\windows\system32\dllcache\spoolsv.exe
[7] 2008-04-13 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB2347290$\spoolsv.exe
.
c:\windows\System32\spoolsv.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\progra~1\Yahoo!\Companion\Installs\cpn0\yt.dll" [2011-12-09 1517368]
.
[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1]
[HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2012-01-04 6497592]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-10-24 2220032]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-03-17 729088]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-03-17 483420]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-12-19 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-12-19 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-12-19 150040]
"OdTray.exe"="c:\program files\Juniper Networks\Odyssey Access Client\OdTray.exe" [2009-01-19 959784]
"lxeamon.exe"="c:\program files\Lexmark S300-S400 Series\lxeamon.exe" [2009-04-27 766632]
"EzPrint"="c:\program files\Lexmark S300-S400 Series\ezprint.exe" [2009-04-27 139944]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-10-06 59240]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
"HFALoader"="c:\program files\Hamster Soft\Free ZIP Archiver\Hamster.Archiver.UI.exe" [2011-05-11 2925056]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-25 421888]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2011-05-20 161088]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2012-01-23 296056]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-05 462408]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
VPN Client.lnk - c:\windows\Installer\{B0BF7057-6869-4E4B-920C-EA2A58DA07F0}\Icon3E5562ED7.ico [2011-2-22 6144]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 21:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OdysseyClient]
2011-02-22 23:00 210216 ----a-w- c:\windows\system32\odyEvent.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RkHit.sys]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\WINDOWS\\system32\\lxeacoms.exe"=
"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=
"c:\\Documents and Settings\\Dien Truong\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\1ClickDownload\\1ClickDownload.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R0 odFips;odFips;c:\windows\system32\drivers\odFIPS.sys [1/19/2009 12:18 PM 9856]
R0 odFips2;odFips2;c:\windows\system32\drivers\odFIPS2.sys [1/19/2009 12:18 PM 282496]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2009 11:43 AM 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2009 11:43 AM 55024]
R2 JuniperAccessService;Juniper Unified Network Service;c:\program files\Common Files\Juniper Networks\JUNS\dsAccessService.exe [11/4/2008 6:10 PM 87416]
R2 lxea_device;lxea_device;c:\windows\system32\lxeacoms.exe -service --> c:\windows\system32\lxeacoms.exe -service [?]
R2 lxeaCATSCustConnectService;lxeaCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxeaserv.exe [2/22/2011 9:57 PM 98984]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2/21/2011 10:31 AM 654408]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2/16/2011 10:34 PM 112512]
R3 EacService;Juniper TNC Endpoint Assessment;c:\program files\Common Files\Juniper Networks\TNC Client\jTnccService.exe [1/19/2009 12:48 PM 116008]
R3 jnprna;Juniper Network Agent Miniport;c:\windows\system32\drivers\jnprna.sys [1/10/2009 5:26 PM 390144]
R3 JnprVaMgr;Juniper Networks Virtual Adapter Manager Service;c:\windows\system32\drivers\jnprvamgr.sys [1/10/2009 5:26 PM 29312]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2/21/2011 10:31 AM 22344]
R3 O2MDGRDR;O2MDGRDR;c:\windows\system32\drivers\o2mdg.sys [2/16/2011 11:01 AM 51616]
R3 O2SDGRDR;O2SDGRDR;c:\windows\system32\drivers\o2sdg.sys [2/16/2011 11:01 AM 41760]
S0 cerc6;cerc6; [x]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/16/2011 3:50 PM 136176]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/9/2012 1:40 PM 253088]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/16/2011 3:50 PM 136176]
S3 jnprva;Juniper Networks Virtual Adapter Service;c:\windows\system32\drivers\jnprva.sys [1/10/2009 5:26 PM 11008]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2009 11:43 AM 7408]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [3/19/2012 7:23 PM 11520]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
jobserver_report
openvpnservice
w39n51
se58obex
sansaservice
mdmxsdk
asuskeyboardservice
acnusvc
pnmsrv
tfsncofs
WmVirHid
TClass2k
mrobeservice
ctprxy2k
Subsonic
{6080a529-897e-4629-a488-aba0c29b635e}
prism_a02
se45mgmt
swwd
SprintRcAppSvc
NETMDUSB
CA561
btwusb
bb-run
sbp2port
MaxtorFrontPanel1
mcredirector
adminserver
Mtlstrm
pca
hdthermal
penclass
AR5523
NWSIPX32
w810mdfl
Jukebox
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-24 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-09 02:47]
.
2012-04-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 03:57]
.
2012-04-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-17 01:50]
.
2012-04-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-17 01:50]
.
2012-04-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-583907252-1801674531-1003Core.job
- c:\documents and settings\Dien Truong\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-15 20:20]
.
2012-04-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-583907252-1801674531-1003UA.job
- c:\documents and settings\Dien Truong\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-15 20:20]
.
2012-04-24 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2025429265-583907252-1801674531-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-11-30 02:02]
.
2012-04-23 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2025429265-583907252-1801674531-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-11-30 02:02]
.
2012-04-23 c:\windows\Tasks\User_Feed_Synchronization-{4DE5AC23-CDF7-4645-B056-63B9CCB93328}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 14:31]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = ;*.local
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - (no file)
Toolbar-{30F9B915-B755-4826-820B-08FBA6BD249D} - (no file)
Toolbar-Locked - (no file)
HKCU-Run-Weather - c:\program files\AWS\WeatherBug\Weather.exe
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
SafeBoot-mcmscsvc
SafeBoot-MCODS
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2012-04-23 16:28
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\windows\system32\autochk.exe:BAK 23040 bytes executable
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1732)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\odyEvent.dll
c:\program files\Common Files\Funk Software\dcfDOM.dll
c:\program files\Common Files\Funk Software\dcfLibrary.DLL
.
- - - - - - - > 'lsass.exe'(1792)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(1364)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\mslbui.dll
c:\program files\McAfee\Common Framework\McTrayLegacySupportPlugin.dll
c:\program files\McAfee\Common Framework\McTrayInterfaceLib.dll
c:\program files\McAfee\Common Framework\McAfeeWin32GUISupportDLL.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Juniper Networks\Odyssey Access Client\odClientService.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\idt\xpv10_6146v012\wdm\stacsv.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lxeacoms.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\DRIVERS\o2flash.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\McAfee\Common Framework\McTray.exe
.
**************************************************************************
.
Completion time: 2012-04-23 16:35:36 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-24 02:35
.
Pre-Run: 196,572,372,992 bytes free
Post-Run: 196,594,495,488 bytes free
.
- - End Of File - - 8

DIENT42

Rookie Surfer
Rookie Surfer

Posts: 65
Joined: 2010-06-11
Operating System: XP

View user profile

Back to top Go down

Re: Malware Spyware (1 of 2 post)

Post by Superdave on Tue 24 Apr 2012, 6:58 pm

Please download SystemLook from one of the links below and save it to your desktop.

Link # 1
Link # 2

Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double-click SystemLook.exe to run it.

Copy the contents of the following codebox into the main textfield.
Code:
:filefind
spoolsv.exe

Click the Look button to start the scan.

Note: The scan may take some time so please just let it do its work and be patient (or do something else unrelated to the computer).

When finished, a notepad window will open with the results of the scan. Please post the log. The log can also be found on your desktop entitled SystemLook.txt
**************************************************
P2P - I see you have P2P software installed on your machine. uTorrentWe are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It is certainly contributing to your current situation.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.
*************************************************
SUPERAntiSpyware

If you already have SUPERAntiSpyware be sure to check for updates before scanning!


Download SuperAntispyware Free Edition (SAS)
* Double-click the icon on your desktop to run the installer.
* When asked to Update the program definitions, click Yes
* If you encounter any problems while downloading the updates, manually download and unzip them from here
* Next click the Preferences button.

•Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts
* Click the Scanning Control tab.
* Under Scanner Options make sure only the following are checked:

•Close browsers before scanning
•Scan for tracking cookies
•Terminate memory threats before quarantining
Please leave the others unchecked

•Click the Close button to leave the control center screen.

* On the main screen click Scan your computer
* On the left check the box for the drive you are scanning.
* On the right choose Perform Complete Scan
* Click Next to start the scan. Please be patient while it scans your computer.
* After the scan is complete a summary box will appear. Click OK
* Make sure everything in the white box has a check next to it, then click Next
* It will quarantine what it found and if it asks if you want to reboot, click Yes

•To retrieve the removal information please do the following:
•After reboot, double-click the SUPERAntiSpyware icon on your desktop.
•Click Preferences. Click the Statistics/Logs tab.

•Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.

•It will open in your default text editor (preferably Notepad).
•Save the notepad file to your desktop by clicking (in notepad) File > Save As...

* Save the log somewhere you can easily find it. (normally the desktop)
* Click close and close again to exit the program.
*Copy and Paste the log in your post.
**************************************************
Please download Malwarebytes Anti-Malware from here.
Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Superdave
Tech Staff


Tech Staff

Posts: 3221
Joined: 2010-02-01
Operating System: XP Home SP3

View user profile

Back to top Go down

Re: Malware Spyware (1 of 2 post)

Post by DIENT42 on Tue 24 Apr 2012, 8:20 pm

Hi Dave,

Here's the Look log file.

SystemLook 30.07.11 by jpshortstuff
Log created at 09:13 on 24/04/2012 by Dien Truong
Administrator - Elevation successful

========== filefind ==========

Searching for "spoolsv.exe "
C:\WINDOWS\$hf_mig$\KB2347290\SP3QFE\spoolsv.exe --a---- 58880 bytes [13:19 17/08/2010] [13:19 17/08/2010] 258DD5D4283FD9F9A7166BE9AE45CE73
C:\WINDOWS\$NtUninstallKB2347290$\spoolsv.exe -----c- 57856 bytes [17:12 16/02/2011] [23:00 13/04/2008] D8E14A61ACC1D4A6CD0D38AEBAC7FA3B
C:\WINDOWS\system32\dllcache\spoolsv.exe --a--c- 58880 bytes [23:00 13/04/2008] [13:17 17/08/2010] 60784F891563FB1B767F70117FC2428F

-= EOF =-

DIENT42

Rookie Surfer
Rookie Surfer

Posts: 65
Joined: 2010-06-11
Operating System: XP

View user profile

Back to top Go down

Re: Malware Spyware (1 of 2 post)

Post by DIENT42 on Tue 24 Apr 2012, 9:54 pm

hi Dave,

here's the log file from Superantispyware:

SUPERAntiSpyware Scan Log
[You must be registered and logged in to see this link.]

Generated 04/24/2012 at 10:27 AM

Application Version : 5.0.1146

Core Rules Database Version : 8505
Trace Rules Database Version: 6317

Scan type : Complete Scan
Total Scan Time : 00:56:04

Operating System Information
Windows XP Professional 32-bit, Service Pack 3 (Build 5.01.2600)
Administrator

Memory items scanned : 646
Memory threats detected : 0
Registry items scanned : 34577
Registry threats detected : 0
File items scanned : 43180
File threats detected : 95

Adware.Tracking Cookie
C:\Documents and Settings\Dien Truong\Cookies\CIUIB4YS.txt [ /freshteenvideos.com ]
C:\Documents and Settings\Dien Truong\Cookies\DRVWI20U.txt [ /accounts.google.com ]
C:\Documents and Settings\Dien Truong\Cookies\S0F6N5W9.txt [ /www.staradvertiser.com ]
C:\Documents and Settings\Dien Truong\Cookies\ADIX11ZP.txt [ /staradvertiser.com ]
C:\DOCUMENTS AND SETTINGS\DIEN TRUONG\Cookies\MJT5HPWE.txt [ Cookie:dien truong@[You must be registered and logged in to see this link.] ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\FY1EPJCH.txt [ Cookie:system@imrworldwide.com/cgi-bin ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\BL9U4YN9.txt [ Cookie:system@ru4.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\GL7832J7.txt [ Cookie:system@[You must be registered and logged in to see this link.] ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\0GYQ8FQO.txt [ Cookie:system@fastclick.net/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\1GT1MYFK.txt [ Cookie:system@ads.gamersmedia.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\KH3CIKQ2.txt [ Cookie:system@tacoda.at.atwola.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\6BJC23FZ.txt [ Cookie:system@incsfind.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\O5S1CWG1.txt [ Cookie:system@pointroll.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\Z72MXV64.txt [ Cookie:system@myroitracking.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\GVRVDROA.txt [ Cookie:system@media6degrees.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\XIWIYSFG.txt [ Cookie:system@revsci.net/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\NBBEGRMB.txt [ Cookie:system@atdmt.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\RB35W6Q4.txt [ Cookie:system@doubleclick.net/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\PNCN2ZJW.txt [ Cookie:system@eclickz.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\CMPOUEZP.txt [ Cookie:system@adserving.megatraf.org/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\19ZJX41V.txt [ Cookie:system@lucidmedia.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\8X324HHP.txt [ Cookie:system@keepufind.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\CD6GXLBX.txt [ Cookie:system@getclicky.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\Q3NDKC9W.txt [ Cookie:system@trafficmp.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\PSJUBYBL.txt [ Cookie:system@collective-media.net/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\MD0QDCX6.txt [ Cookie:system@ads.pointroll.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\17G4ZHKL.txt [ Cookie:system@realmedia.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\CM67RN0C.txt [ Cookie:system@linksfind.net/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\HJNQ1E5M.txt [ Cookie:system@burstnet.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\NURG4O7B.txt [ Cookie:system@adbrite.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\E70DG3C6.txt [ Cookie:system@micklemedia.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\2QYE17VX.txt [ Cookie:system@yieldmanager.net/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\JHW2X7DI.txt [ Cookie:system@apmebf.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\ZSKDGSU2.txt [ Cookie:system@adxpose.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\G6KWAMT2.txt [ Cookie:system@ox-d.fondnessmedia.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\OM3D1IXK.txt [ Cookie:system@ad2.adfarm1.adition.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\8G14LHRD.txt [ Cookie:system@ox-d.adservermedia.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\WFVAI6IM.txt [ Cookie:system@pro-market.net/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\DY2PBFOC.txt [ Cookie:system@entrepreneur.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\LRA14XU3.txt [ Cookie:system@casalemedia.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\5XQ9XKZR.txt [ Cookie:system@bizzclick.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\4QYQD6HZ.txt [ Cookie:system@kontera.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\7456IRIR.txt [ Cookie:system@adserver.adtechus.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\6SZGZ2JA.txt [ Cookie:system@questionmarket.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\F3Q8HTQG.txt [ Cookie:system@findstops.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\E57MN920.txt [ Cookie:system@smashfind.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\25GI6LTH.txt [ Cookie:system@tribalfusion.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\S8CI9NH8.txt [ Cookie:system@adtech.de/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\XMIS0MKM.txt [ Cookie:system@clicksor.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\5ST4QI79.txt [ Cookie:system@cdn.jemamedia.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\EKNRU1R0.txt [ Cookie:system@mm.chitika.net/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\5PYRDVRV.txt [ Cookie:system@advertising.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\TSVLJY8I.txt [ Cookie:system@findology.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\7AICO25E.txt [ Cookie:system@dmfind.net/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\EEPR7XM0.txt [ Cookie:system@find-that.net/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\ZBKBD0RF.txt [ Cookie:system@adsonar.com/adserving ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\34YR745W.txt [ Cookie:system@perfind.net/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\TW3XOP4B.txt [ Cookie:system@histats.com/stats/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\SBDNFN6U.txt [ Cookie:system@adserver.valwa.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\SAN4JWYR.txt [ Cookie:system@ads.saymedia.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\7ODAJOPQ.txt [ Cookie:system@247realmedia.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\0SJMVD1C.txt [ Cookie:system@sysufind.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\ZTY7QO14.txt [ Cookie:system@click.search-fast-results.com/ads-clicktrack/click/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\O3AXOIP8.txt [ Cookie:system@histats.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\34DQN4SY.txt [ Cookie:system@clicks.thespecialsearch.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\A0IL5LFO.txt [ Cookie:system@mifind.net/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\WXS5AEVH.txt [ Cookie:system@static.getclicky.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\83J0T2C6.txt [ Cookie:system@tag.2bluemedia.hiro.tv/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\XSA9575A.txt [ Cookie:system@network.realmedia.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\HZ8GYJFE.txt [ Cookie:system@mediaservices-d.openxenterprise.com/ ]
accounts.youtube.com [ C:\DOCUMENTS AND SETTINGS\DIEN TRUONG\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.accounts.google.com [ C:\DOCUMENTS AND SETTINGS\DIEN TRUONG\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.accounts.google.com [ C:\DOCUMENTS AND SETTINGS\DIEN TRUONG\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.doubleclick.net [ C:\DOCUMENTS AND SETTINGS\DIEN TRUONG\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.apmebf.com [ C:\DOCUMENTS AND SETTINGS\DIEN TRUONG\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.mediaplex.com [ C:\DOCUMENTS AND SETTINGS\DIEN TRUONG\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.mediaplex.com [ C:\DOCUMENTS AND SETTINGS\DIEN TRUONG\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.invitemedia.com [ C:\DOCUMENTS AND SETTINGS\DIEN TRUONG\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.invitemedia.com [ C:\DOCUMENTS AND SETTINGS\DIEN TRUONG\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
ad.yieldmanager.com [ C:\DOCUMENTS AND SETTINGS\DIEN TRUONG\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.liveperson.net [ C:\DOCUMENTS AND SETTINGS\DIEN TRUONG\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
sales.liveperson.net [ C:\DOCUMENTS AND SETTINGS\DIEN TRUONG\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.liveperson.net [ C:\DOCUMENTS AND SETTINGS\DIEN TRUONG\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
ad.yieldmanager.com [ C:\DOCUMENTS AND SETTINGS\DIEN TRUONG\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
accounts.google.com [ C:\DOCUMENTS AND SETTINGS\DIEN TRUONG\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
cdn.tremormedia.com [ C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\HH7C2372 ]
core.insightexpressai.com [ C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\HH7C2372 ]
media.mtvnservices.com [ C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\HH7C2372 ]
media3.onsugar.com [ C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\HH7C2372 ]
media4.onsugar.com [ C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\HH7C2372 ]
objects.tremormedia.com [ C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\HH7C2372 ]
secure-us.imrworldwide.com [ C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\HH7C2372 ]
tag.2bluemedia.hiro.tv [ C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\HH7C2372 ]

Trojan.Agent/Gen-Koobface
C:\DOCUMENTS AND SETTINGS\DIEN TRUONG\DESKTOP\DOWNLOADS\REALPLAYER.EXE

Trojan.Agent/Gen-ClickDownload
C:\DOCUMENTS AND SETTINGS\DIEN TRUONG\DESKTOP\DOWNLOADS\UNDERWORLD_1,2,3_(2003-2009)_BDRIP_TRILOGY.EXE

DIENT42

Rookie Surfer
Rookie Surfer

Posts: 65
Joined: 2010-06-11
Operating System: XP

View user profile

Back to top Go down

Re: Malware Spyware (1 of 2 post)

Post by DIENT42 on Wed 25 Apr 2012, 12:42 am

hi Dave,

here's the mbam log file:

Malwarebytes Anti-Malware 1.61.0.1400
[You must be registered and logged in to see this link.]

Database version: v2012.04.04.08

Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking)
Internet Explorer 8.0.6001.18702
Dien Truong :: JABSOM-1652A6A4 [administrator]

4/24/2012 11:52:13 AM
mbam-log-2012-04-24 (11-52-13).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 278009
Time elapsed: 26 minute(s), 38 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 2
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|latle (Trojan.Agent.LTGen) -> Data: rundll32.exe "C:\DOCUME~1\DIENTR~1\LOCALS~1\Temp\latle.dll",LoadMemory -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|uimbj (Trojan.Agent.LTGen) -> Data: rundll32.exe "C:\DOCUME~1\DIENTR~1\LOCALS~1\Temp\uimbj.dll",EnumTvValueNext -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\Documents and Settings\Dien Truong\Local Settings\temp\ms0cfg32.exe (Exploit.Drop.CFG) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dien Truong\Local Settings\temp\latle.dll (Trojan.Agent.LTGen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dien Truong\Local Settings\temp\uimbj.dll (Trojan.Agent.LTGen) -> Quarantined and deleted successfully.

(end)

DIENT42

Rookie Surfer
Rookie Surfer

Posts: 65
Joined: 2010-06-11
Operating System: XP

View user profile

Back to top Go down

Re: Malware Spyware (1 of 2 post)

Post by Superdave on Wed 25 Apr 2012, 3:07 am

Re-running ComboFix to remove infections:


  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:

    KillAll::

    FCopy::
    C:\WINDOWS\system32\dllcache\spoolsv.exe | c:\windows\System32\spoolsv.exe
  • Save this as CFScript.txt, in the same location as ComboFix.exe



  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.

**************************************************
SysProt Antirootkit

Download
SysProt Antirootkit from the link below (you will find it at the bottom
of the page under attachments, or you can get it from one of the
mirrors).

[You must be registered and logged in to see this link.]

Unzip it into a folder on your desktop.

  • Double click Sysprot.exe to start the program.
  • Click on the Log tab.
  • In the Write to log box select the following items.

    • Process << Selected
    • Kernel Modules << Selected
    • SSDT << Selected
    • Kernel Hooks << Selected
    • IRP Hooks << NOT Selected
    • Ports << NOT Selected
    • Hidden Files << Selected

  • At the bottom of the page

    • Hidden Objects Only << Selected

  • Click on the Create Log button on the bottom right.
  • After a few seconds a new window should appear.
  • Select Scan Root Drive. Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished.
  • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.

Superdave
Tech Staff


Tech Staff

Posts: 3221
Joined: 2010-02-01
Operating System: XP Home SP3

View user profile

Back to top Go down

Re: Malware Spyware (1 of 2 post)

Post by DIENT42 on Wed 25 Apr 2012, 5:46 am

Hi Dave,

heComboFix 12-04-22.02 - Dien Truong 04/24/2012 18:19:11.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3033.2424 [GMT -10:00]
Running from: c:\documents and settings\Dien Truong\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Dien Truong\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Dien Truong\Application Data\Muvuhi
c:\documents and settings\Dien Truong\Application Data\Muvuhi\umtee.exe
c:\documents and settings\Dien Truong\DataRefreshUI_5.0.0.8300.dll
.
.
--------------- FCopy ---------------
.
c:\windows\system32\dllcache\spoolsv.exe --> c:\windows\System32\spoolsv.exe
.
((((((((((((((((((((((((( Files Created from 2012-03-25 to 2012-04-25 )))))))))))))))))))))))))))))))
.
.
2012-04-25 04:19 . 2010-08-17 13:17 58880 -c--a-w- c:\windows\system32\dllcache\spoolsv.exe
2012-04-25 04:19 . 2010-08-17 13:17 58880 ----a-w- c:\windows\system32\spoolsv.exe
2012-04-25 03:59 . 2012-04-25 04:33 17920 ----a-w- c:\windows\system32\rpcnetp.dll
2012-04-25 03:59 . 2012-04-25 04:32 17920 ----a-w- c:\windows\system32\rpcnetp.exe
2012-04-24 20:27 . 2012-04-24 20:27 -------- d-----w- c:\documents and settings\Dien Truong\Local Settings\Application Data\Identities
2012-04-24 20:27 . 2012-04-24 21:18 -------- d-----w- c:\documents and settings\Dien Truong\Application Data\Noma
2012-04-24 20:27 . 2012-04-24 20:27 -------- d-----w- c:\documents and settings\Dien Truong\Application Data\Cacym
2012-04-21 01:20 . 2012-04-21 01:20 1984 ----a-w- c:\documents and settings\NetworkService\Local Settings\Application Data\d3d9caps.tmp
2012-04-11 19:58 . 2012-04-11 19:58 -------- d-----w- c:\program files\iPod
2012-04-11 19:58 . 2012-04-11 19:59 -------- d-----w- c:\program files\iTunes
2012-04-09 23:40 . 2012-04-14 02:47 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-04 05:53 . 2012-04-04 05:53 182160 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-25 04:35 . 2011-03-24 19:49 44544 ----a-w- c:\windows\system32\agremove.exe
2012-04-24 09:18 . 2011-12-09 02:38 74848 ----a-w- c:\windows\system32\MfeOtlkAddin.dll
2012-04-24 09:18 . 2009-04-30 06:07 22816 ----a-w- c:\windows\system32\MFEOtlk.dll
2012-04-14 02:47 . 2011-05-23 18:30 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-05 01:56 . 2011-02-21 20:31 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-18 16:40 . 2012-03-18 16:40 59888 ------w- c:\windows\system32\pxwma.dll
2012-03-18 10:32 . 2012-03-18 10:32 18944 ----a-r- c:\documents and settings\Dien Truong\Application Data\Microsoft\Installer\{8F018A9E-56DE-4A79-A5EF-25F413F1D538}\IconBB6A16301.exe
2012-03-01 11:01 . 2008-04-13 23:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01 . 2008-04-13 23:00 43520 ------w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01 . 2008-04-13 23:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10 . 2008-04-13 23:00 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10 . 2008-04-13 23:00 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17 . 2008-04-13 23:00 385024 ------w- c:\windows\system32\html.iec
2012-02-15 21:01 . 2011-05-15 05:47 4547944 ----a-w- c:\windows\system32\usbaaplrc.dll
2012-02-15 21:01 . 2011-05-15 05:47 43520 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2012-02-03 09:22 . 2008-04-13 23:00 1860096 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-04-25 04:32 . 2012-04-25 04:32 16384 c:\windows\temp\Perflib_Perfdata_794.dat
+ 2011-02-16 11:53 . 2012-04-25 03:31 1984 c:\windows\system32\d3d9caps.dat
- 2011-02-16 11:53 . 2012-04-23 16:05 1984 c:\windows\system32\d3d9caps.dat
+ 2011-06-06 22:55 . 2011-06-06 22:55 937920 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\adobearm.exe
+ 2012-04-25 00:44 . 2012-04-25 00:44 2295808 c:\windows\Installer\45e8fb.msi
+ 2012-04-04 11:17 . 2012-04-04 11:17 16613376 c:\windows\Installer\45e8fc.msp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\progra~1\Yahoo!\Companion\Installs\cpn0\yt.dll" [2011-12-09 1517368]
.
[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1]
[HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2012-01-04 6497592]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-03-07 3905920]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-10-24 2220032]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-03-17 729088]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-03-17 483420]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-12-19 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-12-19 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-12-19 150040]
"OdTray.exe"="c:\program files\Juniper Networks\Odyssey Access Client\OdTray.exe" [2009-01-19 959784]
"lxeamon.exe"="c:\program files\Lexmark S300-S400 Series\lxeamon.exe" [2009-04-27 766632]
"EzPrint"="c:\program files\Lexmark S300-S400 Series\ezprint.exe" [2009-04-27 139944]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-10-06 59240]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
"HFALoader"="c:\program files\Hamster Soft\Free ZIP Archiver\Hamster.Archiver.UI.exe" [2011-05-11 2925056]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-25 421888]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2011-05-20 161088]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2012-01-23 296056]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-05 462408]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-04-04 843712]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
VPN Client.lnk - c:\windows\Installer\{B0BF7057-6869-4E4B-920C-EA2A58DA07F0}\Icon3E5562ED7.ico [2011-2-22 6144]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OdysseyClient]
2011-02-22 23:00 210216 ----a-w- c:\windows\system32\odyEvent.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RkHit.sys]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\WINDOWS\\system32\\lxeacoms.exe"=
"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=
"c:\\Documents and Settings\\Dien Truong\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\1ClickDownload\\1ClickDownload.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R0 odFips;odFips;c:\windows\system32\drivers\odFIPS.sys [1/19/2009 12:18 PM 9856]
R0 odFips2;odFips2;c:\windows\system32\drivers\odFIPS2.sys [1/19/2009 12:18 PM 282496]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 6:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 11:55 AM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 1:38 PM 116608]
R2 JuniperAccessService;Juniper Unified Network Service;c:\program files\Common Files\Juniper Networks\JUNS\dsAccessService.exe [11/4/2008 6:10 PM 87416]
R2 lxea_device;lxea_device;c:\windows\system32\lxeacoms.exe -service --> c:\windows\system32\lxeacoms.exe -service [?]
R2 lxeaCATSCustConnectService;lxeaCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxeaserv.exe [2/22/2011 9:57 PM 98984]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2/21/2011 10:31 AM 654408]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2/16/2011 10:34 PM 112512]
R3 EacService;Juniper TNC Endpoint Assessment;c:\program files\Common Files\Juniper Networks\TNC Client\jTnccService.exe [1/19/2009 12:48 PM 116008]
R3 jnprna;Juniper Network Agent Miniport;c:\windows\system32\drivers\jnprna.sys [1/10/2009 5:26 PM 390144]
R3 JnprVaMgr;Juniper Networks Virtual Adapter Manager Service;c:\windows\system32\drivers\jnprvamgr.sys [1/10/2009 5:26 PM 29312]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2/21/2011 10:31 AM 22344]
R3 O2MDGRDR;O2MDGRDR;c:\windows\system32\drivers\o2mdg.sys [2/16/2011 11:01 AM 51616]
R3 O2SDGRDR;O2SDGRDR;c:\windows\system32\drivers\o2sdg.sys [2/16/2011 11:01 AM 41760]
S0 cerc6;cerc6; [x]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/16/2011 3:50 PM 136176]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/9/2012 1:40 PM 253088]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/16/2011 3:50 PM 136176]
S3 jnprva;Juniper Networks Virtual Adapter Service;c:\windows\system32\drivers\jnprva.sys [1/10/2009 5:26 PM 11008]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [3/19/2012 7:23 PM 11520]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
jobserver_report
openvpnservice
w39n51
se58obex
sansaservice
mdmxsdk
asuskeyboardservice
acnusvc
pnmsrv
tfsncofs
WmVirHid
TClass2k
mrobeservice
ctprxy2k
Subsonic
{6080a529-897e-4629-a488-aba0c29b635e}
prism_a02
se45mgmt
swwd
SprintRcAppSvc
NETMDUSB
CA561
btwusb
bb-run
sbp2port
MaxtorFrontPanel1
mcredirector
adminserver
Mtlstrm
pca
hdthermal
penclass
AR5523
NWSIPX32
w810mdfl
Jukebox
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-25 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-09 02:47]
.
2012-04-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 03:57]
.
2012-04-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-17 01:50]
.
2012-04-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-17 01:50]
.
2012-04-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-583907252-1801674531-1003Core.job
- c:\documents and settings\Dien Truong\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-15 20:20]
.
2012-04-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-583907252-1801674531-1003UA.job
- c:\documents and settings\Dien Truong\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-15 20:20]
.
2012-04-25 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2025429265-583907252-1801674531-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-11-30 02:02]
.
2012-04-25 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2025429265-583907252-1801674531-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-11-30 02:02]
.
2012-04-25 c:\windows\Tasks\User_Feed_Synchronization-{4DE5AC23-CDF7-4645-B056-63B9CCB93328}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 14:31]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = ;*.local
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Syeqydageh - c:\documents and settings\Dien Truong\Application Data\Muvuhi\umtee.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2012-04-24 18:33
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1744)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\odyEvent.dll
.
- - - - - - - > 'lsass.exe'(1812)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(944)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\mslbui.dll
c:\program files\McAfee\Common Framework\McTrayLegacySupportPlugin.dll
c:\program files\McAfee\Common Framework\McTrayInterfaceLib.dll
c:\program files\McAfee\Common Framework\McAfeeWin32GUISupportDLL.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Juniper Networks\Odyssey Access Client\odClientService.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\idt\xpv10_6146v012\wdm\stacsv.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lxeacoms.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\DRIVERS\o2flash.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\McAfee\Common Framework\McTray.exe
.
**************************************************************************
.
Completion time: 2012-04-24 18:39:30 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-25 04:39
ComboFix2.txt 2012-04-24 02:35
.
Pre-Run: 195,672,973,312 bytes free
Post-Run: 195,781,255,168 bytes free
.
- - End Of File - - D4CE9166BD96DB22B6019C0D58B9D0AE
re's the combofix log:

DIENT42

Rookie Surfer
Rookie Surfer

Posts: 65
Joined: 2010-06-11
Operating System: XP

View user profile

Back to top Go down

Re: Malware Spyware (1 of 2 post)

Post by DIENT42 on Wed 25 Apr 2012, 6:33 am

hi Dave,


here's the sysprot log file:

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

No Hidden Processes found

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: Combo-Fix.sys
Service Name: ---
Module Base: BA128000
Module End: BA137000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_iastor.sys
Service Name: ---
Module Base: 9B22E000
Module End: 9B307000
Hidden: Yes

Module Name: \??\C:\ComboFix\catchme.sys
Service Name: catchme
Module Base: 9F0FD000
Module End: 9F105000
Hidden: Yes

Module Name: \??\C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
Service Name: ---
Module Base: 9D49F000
Module End: 9D4A1000
Hidden: Yes

******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwTerminateProcess
Address: 9B427640
Driver Base: 9B41D000
Driver End: 9B43F000
Driver Name: \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\Documents and Settings\Dien Truong\Application Data\Microsoft\Office\Recent\10Đi?uv?Cu?cS?ng[1].LNK
Status: Hidden

Object: C:\Documents and Settings\Dien Truong\Favorites\Báo Ph? N? Thŕnh Ph? Phunu - Tin Tu´c.url
Status: Hidden

Object: C:\Documents and Settings\Dien Truong\Favorites\NGU?I VI?T ONLINE Nhi?u ngu?i an th?c ph?m d?i gene mŕ không bi?t.url
Status: Hidden

Object: C:\Documents and Settings\Dien Truong\Favorites\Vietnamese Dictionary and Translation - T? di?n vŕ d?ch ti?ng Vi?t.url
Status: Hidden

Object: C:\Qoobox\BackEnv\AppData.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Cache.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Cookies.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Desktop.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Favorites.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\History.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\LocalAppData.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\LocalSettings.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Music.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\NetHood.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Personal.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Pictures.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\PrintHood.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Profiles.Folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Profiles.Folder.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Programs.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Recent.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\SendTo.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\SetPath.bat
Status: Access denied

Object: C:\Qoobox\BackEnv\StartMenu.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\StartUp.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\SysPath.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Templates.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\VikPev00
Status: Access denied


DIENT42

Rookie Surfer
Rookie Surfer

Posts: 65
Joined: 2010-06-11
Operating System: XP

View user profile

Back to top Go down

Page 1 of 2 1, 2  Next

View previous topic View next topic Back to top


Permissions in this forum:
You cannot reply to topics in this forum