Posts posted by paultomasi
Dear Maniac
I don't think we're going to find anything ugly on my computer and that scares me even more. It would be satisfying to know something malicious has been eradicated.
The only two entries in RKILL are:
* C:\WINDOWS\system32\Ati2evxx.exe (PID: 1080) [WD-HEUR]
* C:\WINDOWS\system32\Ati2evxx.exe (PID: 1440) [WD-HEUR]
ESET returned less than that!
All very worrying, seeing as it's rare I use either a firewall or a background antivirus program, even though I am very paranoid about viral infections. All I can assume is my surfing habits are probably 'safer' than the average surfer's (although your opinion might differ on this, having laid out personal details about my computer).
Where do we go from here?
======================================================================
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=bf55c15025c66845850b5bdce87ee19c
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-08-20 03:44:54
# local_time=2012-08-20 04:44:54 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 10982171 10982171 0 0
# compatibility_mode=2817 16777215 100 100 20703494 48169843 0 0
# compatibility_mode=5891 16776870 42 92 66797 13202675 0 0
# compatibility_mode=8192 67108863 100 0 1847 1847 0 0
# scanned=581939
# found=10
# cleaned=10
# scan_time=5768
C:\Documents and Settings\Paul\Local Settings\Temp\ICReinstall\cnet2_unhackme_zip.exe a variant of Win32/InstallCore.D application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Paul\Local Settings\Temp\Temporary Directory 1 for pdf2txtocrcmd.zip\pdf2txtocrcmd\pdf2txtocr.exe a variant of Win32/Packed.BoxedApp.B application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\IDYBF26Z\landing[1].php HTML/ScrInject.B.Gen virus (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Paul\My Documents\Downloads\MIDI FILES\cnet2_MidiPianoSuite_v172_zip.exe a variant of Win32/InstallCore.D application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Paul\My Documents\Downloads\MIDI FILES\cnet2_MidiPiano_216_zip.exe a variant of Win32/InstallCore.D application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\Documents and Settings\Paul\.clamwin\quarantine\testvirus.txt.infected Eicar test file (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\Documents and Settings\Paul\.clamwin\quarantine\XvidSetup.exe.infected a variant of Win32/Adware.HotBar.H application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\Documents and Settings\Paul\.clamwin\quarantine\XvidSetup.exe.infected.000.infected a variant of Win32/Adware.HotBar.H application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\Documents and Settings\Paul\.clamwin\quarantine\XvidSetup.exe.infected.001.infected a variant of Win32/Adware.HotBar.H application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\Documents and Settings\Paul\.clamwin\quarantine\XvidSetup.exe.infected.002.infected a variant of Win32/Adware.HotBar.H application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=bf55c15025c66845850b5bdce87ee19c
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-08-24 02:15:49
# local_time=2012-08-24 03:15:49 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 11321735 11321735 0 0
# compatibility_mode=2817 16777215 100 100 21043058 48509407 0 0
# compatibility_mode=5891 16776869 42 92 0 13542239 0 0
# compatibility_mode=8192 67108863 100 0 341411 341411 0 0
# scanned=587075
# found=0
# cleaned=0
# scan_time=6457
======================================================================
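The scanner output above is easier to reason about once its two parts are separated: the `# key=value` header (which records both the counters and the options the scan ran with, such as `archives_checked=false`) and the per-detection lines. The following is an added example, not code from the forum, the poster or ESET: a small Python parser that cross-checks the header's `found`/`cleaned` counters against the detection lines actually listed, groups detections by ESET's classification word, and flags any whose action text does not say the object was deleted or quarantined. The embedded sample log is constructed from entries of the kind shown above, and the "remediated" rule (action mentions `deleted` or `quarantined`) is an assumption about the log wording, not an ESET specification.

```python
"""Triage helper for ESET Online Scanner log text (added example, not ESET's
or the forum's own code). Sample input below is constructed; the 'remediated'
rule is an assumption about how ESET words its actions."""
import re
from dataclasses import dataclass

# Header lines look like "# key=value"; some keys (compatibility_mode) repeat.
HEADER_RE = re.compile(r"^#\s*(?P<key>[A-Za-z0-9_.]+)=(?P<value>.*)$")

# Detection lines: <path> <threat name> <kind> (<action>) <32 hex chars> <flag>
# The path may contain spaces, so it is matched lazily up to the threat name,
# which ESET writes as Family/Variant (optionally "a variant of ...") or as
# the special "Eicar test" name.
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?) "
    r"(?P<name>(?:a variant of )?[A-Za-z0-9]+/[\w.]+|Eicar test) "
    r"(?P<kind>\w+) "
    r"\((?P<action>[^)]+)\) "
    r"(?P<hash>[0-9A-Fa-f]{32}) "
    r"(?P<flag>\S+)$"
)


@dataclass
class Detection:
    path: str
    name: str
    kind: str         # ESET's classification word: application, virus, file, ...
    action: str
    remediated: bool  # assumption: 'deleted' or 'quarantined' in the action text


def parse_eset_log(text):
    """Return (header, detections, unparsed). Header values are lists because
    some keys occur more than once."""
    header, detections, unparsed = {}, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            header.setdefault(m["key"], []).append(m["value"].strip())
            continue
        m = DETECTION_RE.match(line)
        if m:
            action = m["action"]
            detections.append(Detection(
                path=m["path"], name=m["name"], kind=m["kind"], action=action,
                remediated=("deleted" in action or "quarantined" in action)))
            continue
        unparsed.append(line)  # installer chatter etc.: surfaced, not dropped
    return header, detections, unparsed


def _first_int(header, key, default=0):
    return int(header[key][0]) if key in header else default


def summarize(text):
    """Cross-check the scanner's own counters against the entries it listed
    and surface settings that limit what the scan proves."""
    header, detections, unparsed = parse_eset_log(text)
    found, cleaned = _first_int(header, "found"), _first_int(header, "cleaned")
    by_kind = {}
    for d in detections:
        by_kind[d.kind] = by_kind.get(d.kind, 0) + 1
    return {
        "finished": header.get("end", [""])[0] == "finished",
        "found": found,
        "cleaned": cleaned,
        "detections": len(detections),
        "consistent": (found == len(detections)
                       and cleaned == sum(d.remediated for d in detections)),
        "by_kind": by_kind,
        "not_remediated": [d.path for d in detections if not d.remediated],
        # archives_checked=false means archive contents were never inspected
        "archives_scanned": header.get("archives_checked", ["false"])[0] == "true",
        "unparsed": unparsed,
    }


# Constructed sample modelled on the log above (three detections, not ten).
SAMPLE_LOG = r"""
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# end=finished
# archives_checked=false
# utc_time=2012-08-20 03:44:54
# scanned=581939
# found=3
# cleaned=3
C:\Documents and Settings\Paul\Local Settings\Temp\ICReinstall\cnet2_unhackme_zip.exe a variant of Win32/InstallCore.D application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\IDYBF26Z\landing[1].php HTML/ScrInject.B.Gen virus (deleted - quarantined) 00000000000000000000000000000000 C
D:\Documents and Settings\Paul\.clamwin\quarantine\testvirus.txt.infected Eicar test file (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
"""

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Two things the summary makes visible that the raw counters do not: whether the listed entries really account for the `found`/`cleaned` numbers (a mismatch usually means the log was truncated when pasted), and that a run with `archives_checked=false` says nothing about what sits inside zip files, which matters here because several of the detections were installers fetched as archives.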
-
Thank you. All seems good.
On a down note, the Firefox problem has returned; however, I have shed new light on the problem of my downloaded .EXE files becoming corrupted. Even after undertaking the above diagnostic procedures, the problem still persists. I am unable to execute any (or so it seems) .EXE file that I download onto my primary hard drive. Windows returns a 'corrupted file' error message.
However, I was able to download and execute the same files onto drive D: without any problems. Is this a symptom of malware or should I now focus my attention elsewhere?
A CHKDSK of drive C: showed no discernible problems save for a few minor inconsistencies which were rectified.
As far as malware is concerned, is it safe to assume all is well now?
Thank you.
-
2012-08-22 15:36:21 . 2012-08-22 15:36:21 596 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-UnHackMe Monitor.reg.dat
2012-08-22 15:36:21 . 2012-08-22 15:36:21 630 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-Freecorder FLV Service.reg.dat
2012-08-22 15:36:21 . 2012-08-22 15:36:21 674 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-DivX Download Manager.reg.dat
2012-08-22 15:36:20 . 2012-08-22 15:36:20 534 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SafeBoot-WudfRd.reg.dat
2012-08-22 15:36:20 . 2012-08-22 15:36:20 534 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SafeBoot-WudfPf.reg.dat
2012-08-22 15:33:13 . 2012-08-22 15:33:13 8,063 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2012-08-22 15:23:08 . 2012-08-22 15:23:08 51 ----a-w- C:\Qoobox\Quarantine\catchme.log
2012-07-28 03:25:34 . 2012-07-28 03:25:34 24 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Paul\find.tmp.vir
2012-07-28 03:25:31 . 2012-07-28 03:25:31 0 ----a-w- C:\Qoobox\Quarantine\C\DOCUME~1\Paul\%~dpn1.tmp.vir
2012-07-28 03:25:28 . 2012-07-28 03:25:28 75 ----a-w- C:\Qoobox\Quarantine\C\DOCUME~1\Paul\%%~nf.tmp.vir
2012-07-28 03:25:27 . 2012-07-28 03:25:27 3 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Paul\ftpscr.tmp.vir
2012-07-27 18:17:26 . 2012-07-28 03:25:45 0 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Paul\output.tmp.vir
2012-07-27 17:26:37 . 2012-07-27 17:30:00 27 ----a-w- C:\Qoobox\Quarantine\C\DOCUME~1\Paul\%%~a.tmp.vir
2012-07-27 17:26:37 . 2012-07-28 03:25:09 4 ----a-w- C:\Qoobox\Quarantine\C\DOCUME~1\Paul\%%~fa.tmp.vir
2012-07-27 16:23:45 . 2012-07-27 16:24:57 4 ----a-w- C:\Qoobox\Quarantine\C\DOCUME~1\Paul\%FILES~1.TMP.vir
2012-04-17 16:22:12 . 2012-04-17 16:23:33 0 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Paul\file.tmp.vir
2012-04-13 21:14:42 . 2012-04-13 21:14:42 0 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Paul\27674015\.tmp.vir
2012-04-13 21:09:53 . 2012-04-13 21:20:10 93,670 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Paul\27674015\120415-1.txt.vir
2012-04-13 20:59:27 . 2012-04-13 21:19:49 258 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Paul\27674015\27674015.bat.vir
2012-03-30 17:39:39 . 2012-03-30 17:39:39 36 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Paul\textfile14.txt.tmp.vir
2012-03-29 04:47:05 . 2012-03-29 04:47:05 193 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Paul\pipe-delimited-file.txt.tmp.vir
2012-03-28 07:15:46 . 2012-03-28 07:15:58 66 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Paul\%~fa.tmp.vir
2012-03-27 21:34:01 . 2012-03-27 21:34:01 58 ----a-w- C:\Qoobox\Quarantine\C\DOCUME~1\Paul\%fa.tmp.vir
2012-03-26 22:31:42 . 2012-03-26 22:31:42 0 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Paul\tt..tmp.vir
2012-03-23 07:43:11 . 2012-07-30 14:46:32 32,718 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Paul\exclude.tmp.vir
2012-03-23 07:37:45 . 2012-03-23 07:37:45 0 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Paul\zzz.tmp.vir
2012-03-11 14:59:41 . 2012-03-11 14:59:41 4,593 ----a-w- C:\Qoobox\Quarantine\C\ipconfig.txt.vir
2012-03-07 19:22:49 . 2012-03-07 19:22:49 723 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Paul\real.txt.vir
2012-03-03 03:02:15 . 2012-03-03 03:20:28 95 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Paul\sizes.tmp.vir
2012-03-01 13:28:03 . 2012-03-01 13:28:03 26 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Paul\test.tmp.vir
2012-01-25 01:21:28 . 2012-01-25 01:04:08 1,179,648 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Paul\sfk164.exe.vir
2012-01-24 19:46:12 . 2012-01-24 21:12:27 19,435 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Paul\lotto.tmp.vir
2012-01-24 19:09:23 . 2012-01-24 19:17:23 194,577 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Paul\lotto.csv-.tmp.vir
2012-01-24 19:09:23 . 2012-01-24 19:17:23 193 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Paul\lotto2.csv.tmp.vir
2012-01-17 04:00:16 . 2012-01-17 04:00:58 8 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Paul\1234.txt.vir
2012-01-09 13:25:24 . 2012-01-10 19:54:29 1,062 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Paul\netview.tmp.vir
2012-01-06 00:04:28 . 2012-01-06 00:25:04 48,159 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Paul\output3.tmp.vir
2012-01-05 23:44:11 . 2012-01-05 23:57:16 78,077 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Paul\output2.tmp.vir
2012-01-02 00:17:21 . 2012-01-07 02:37:00 912 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Paul\31.bat.vir
2011-12-17 17:01:11 . 2011-11-13 13:18:44 3,492,658 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Paul\01.mp3.vir
2011-09-16 10:34:48 . 2011-06-19 09:20:00 1,155,072 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Paul\sfk.exe.vir
2011-06-07 12:23:17 . 2008-03-19 15:22:42 7 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\win.dll.vir
2011-06-07 12:23:16 . 2006-10-12 18:52:54 180,224 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\ijl11.dll.vir
2010-11-30 18:29:46 . 2010-11-30 18:29:46 8,192 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Paul\Favorites\Thumbs.db.vir
2010-10-18 16:15:16 . 2008-04-14 04:42:18 294,912 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\dllcache\dlimport.exe.vir
2010-09-17 17:08:13 . 2010-09-17 17:08:13 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\URTTemp\mscoree.dll.local.vir
2010-09-17 17:08:13 . 2003-02-21 03:42:22 348,160 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\URTTemp\msvcr71.dll.vir
2010-09-17 17:08:13 . 2003-02-20 18:06:24 155,648 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\URTTemp\mscoree.dll.vir
2010-09-17 17:08:13 . 2003-02-20 18:09:18 77,824 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\URTTemp\mscorsn.dll.vir
2010-09-17 17:08:13 . 2003-02-20 18:08:32 2,482,176 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\URTTemp\mscorwks.dll.vir
2010-09-17 17:08:13 . 2003-02-20 18:06:20 282,624 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\URTTemp\fusion.dll.vir
2003-02-21 04:16:08 . 2003-02-21 04:16:08 49,152 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\URTTemp\regtlib.exe.vir
1998-05-24 23:00:00 . 1998-05-24 23:00:00 84,225 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system\VI30AUT.DLL.vir
-
Before I continue, I would like to say that you, and people like yourself, are providing a wonderful service. What would be required for me to help provide the same service to others?
Okay, I have a few concerns.
I do not know how ComboFix decides which files are risky; however, looking through ComboFix.txt, I note there are entries which may appear sinister to a casual observer. However, the following files in BLUE are in fact created by myself and are accounted for:
=========================================================================
ComboFix 12-08-22.01 - Paul 22/08/2012 16:25:10.1.6 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3325.2629 [GMT 1:00]
Running from: c:\documents and settings\Paul\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Paul\%%~a.tmp
c:\documents and settings\Paul\%%~fa.tmp
c:\documents and settings\Paul\%%~nf.tmp
c:\documents and settings\Paul\%~dpn1.tmp
c:\documents and settings\Paul\%~fa.tmp
c:\documents and settings\Paul\%fa.tmp
c:\documents and settings\Paul\%files[name]%.tmp
c:\documents and settings\Paul\01.mp3
c:\documents and settings\Paul\1234.txt
c:\documents and settings\Paul\27674015
c:\documents and settings\Paul\27674015\.tmp
c:\documents and settings\Paul\27674015\120415-1.txt
c:\documents and settings\Paul\27674015\27674015.bat
c:\documents and settings\Paul\31.bat
c:\documents and settings\Paul\exclude.tmp
c:\documents and settings\Paul\Favorites\Thumbs.db
c:\documents and settings\Paul\file.tmp
c:\documents and settings\Paul\find.tmp
c:\documents and settings\Paul\ftpscr.tmp
c:\documents and settings\Paul\lotto.csv-.tmp
c:\documents and settings\Paul\lotto.tmp
c:\documents and settings\Paul\lotto2.csv.tmp
c:\documents and settings\Paul\netview.tmp
c:\documents and settings\Paul\output.tmp
c:\documents and settings\Paul\output2.tmp
c:\documents and settings\Paul\output3.tmp
c:\documents and settings\Paul\pipe-delimited-file.txt.tmp
c:\documents and settings\Paul\real.txt
c:\documents and settings\Paul\sfk.exe
c:\documents and settings\Paul\sfk164.exe
c:\documents and settings\Paul\sizes.tmp
c:\documents and settings\Paul\test.tmp
c:\documents and settings\Paul\textfile14.txt.tmp
c:\documents and settings\Paul\tt..tmp
c:\documents and settings\Paul\zzz.tmp
C:\ipconfig.txt
c:\windows\system\VI30AUT.DLL
c:\windows\system32\Cache
c:\windows\system32\dllcache\dlimport.exe
c:\windows\system32\ijl11.dll
c:\windows\system32\SystemFiles
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\fusion.dll
c:\windows\system32\URTTemp\mscoree.dll
c:\windows\system32\URTTemp\mscoree.dll.local
c:\windows\system32\URTTemp\mscorsn.dll
c:\windows\system32\URTTemp\mscorwks.dll
c:\windows\system32\URTTemp\msvcr71.dll
c:\windows\system32\URTTemp\regtlib.exe
c:\windows\system32\win.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-07-22 to 2012-08-22 )))))))))))))))))))))))))))))))
.
.
2012-08-22 01:23 . 2012-08-22 01:23 -------- d-----w- c:\documents and settings\Paul\New Folder
2012-08-22 00:30 . 2012-08-01 22:51 7023536 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B2A06E28-1B34-4495-9DF2-5F20743B0A9A}\mpengine.dll
2012-08-21 01:42 . 2012-08-21 01:47 -------- d-----w- C:\tdskiller
2012-08-21 00:31 . 2012-08-01 22:51 7023536 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-08-20 20:21 . 2012-08-20 20:21 -------- d-----w- C:\DriveKey
2012-08-20 13:38 . 2012-08-20 13:38 -------- d-----w- c:\program files\ESET
2012-08-20 11:49 . 2012-08-20 11:50 -------- d-----w- c:\program files\CamStudio 2.6b
2012-08-20 11:49 . 2010-10-23 23:56 49664 ----a-w- c:\windows\system32\CamCodec.dll
2012-08-17 10:53 . 2012-08-17 10:53 -------- d-----w- c:\program files\SDA
2012-08-17 10:53 . 2012-08-17 10:53 -------- d-----w- c:\documents and settings\Paul\Local Settings\Application Data\Downloaded Installations
2012-08-10 21:41 . 2012-08-10 21:41 -------- d-----w- c:\program files\Advanced Port Scanner
2012-08-09 18:46 . 2012-08-10 02:07 -------- d-----w- C:\TOSHIBAL100
2012-08-07 16:46 . 2012-08-07 16:46 -------- d-----w- C:\orig2
2012-07-31 00:03 . 2012-07-31 00:03 855 ----a-w- c:\documents and settings\Paul\search100b.bat
2012-07-30 14:46 . 2012-07-30 14:46 -------- d---a-w- C:\tttt
2012-07-30 14:38 . 2012-07-30 14:41 125 ----a-w- c:\documents and settings\Paul\excludexcopy.bat
2012-07-27 16:15 . 2012-07-30 13:45 901 ----a-w- c:\documents and settings\Paul\search100.bat
2012-07-27 06:37 . 2012-07-27 06:43 120 ----a-w- c:\documents and settings\Paul\findenterprise.bat
2012-07-27 06:37 . 2012-07-27 06:37 492 ----a-w- c:\documents and settings\Paul\find enterprise.bat
2012-07-27 06:02 . 2012-07-27 06:20 433 ----a-w- c:\documents and settings\Paul\findfolder.bat
2012-07-27 05:32 . 2012-07-27 05:38 207 ----a-w- c:\documents and settings\Paul\maklgmulttab.bat
2012-07-26 22:55 . 2012-07-26 23:15 267 ----a-w- c:\documents and settings\Paul\findregitem.bat
2012-07-26 22:24 . 2012-07-26 22:24 42441800 ----a-w- c:\documents and settings\Paul\EE reg-orig.reg
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-28 03:25 . 2012-01-14 11:27 740 ----a-w- c:\documents and settings\Paul\tt.vbs
2012-07-28 03:25 . 2012-01-18 00:26 264 ----a-w- c:\documents and settings\Paul\refreshxls.vbs
2012-07-23 01:08 . 2012-01-09 00:48 3135 ----a-w- c:\documents and settings\Paul\tstmenu2.bat
2012-07-21 22:08 . 2012-07-20 20:40 1171 ----a-w- c:\documents and settings\Paul\progressxcopy.bat
2012-07-20 03:47 . 2012-07-20 02:17 1316 ----a-w- c:\documents and settings\Paul\xcopyfiles.bat
2012-07-20 02:48 . 2012-01-11 23:59 0 ----a-w- c:\documents and settings\Paul\TempWmicBatchFile.bat
2012-07-18 08:34 . 2012-07-18 08:34 1327 ----a-w- c:\documents and settings\Paul\obda.bat
2012-07-16 17:04 . 2012-07-16 17:04 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-16 17:04 . 2011-08-09 07:45 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-15 15:19 . 2012-07-15 15:19 7936 ----a-w- c:\windows\system32\drivers\FNETURPX.SYS
2012-07-06 13:58 . 2010-09-17 15:32 78336 ----a-w- c:\windows\system32\browser.dll
2012-07-05 13:38 . 2012-07-05 13:13 519919451 ----a-w- C:\DeletedConduit.zip
2012-07-04 14:05 . 2009-01-02 20:04 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-07-03 13:40 . 2001-08-23 12:00 1866112 ----a-w- c:\windows\system32\win32k.sys
2012-07-03 12:46 . 2011-02-04 18:01 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-02 17:49 . 2010-09-17 15:39 916992 ----a-w- c:\windows\system32\wininet.dll
2012-07-02 17:49 . 2010-09-17 15:35 43520 ------w- c:\windows\system32\licmgr10.dll
2012-07-02 17:49 . 2010-09-17 15:33 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-07-02 12:05 . 2010-09-17 21:14 385024 ------w- c:\windows\system32\html.iec
2012-06-06 19:59 . 2012-06-06 19:59 1070152 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2012-06-05 15:50 . 2010-10-18 16:17 1372672 ----a-w- c:\windows\system32\msxml6.dll
2012-06-05 15:50 . 2010-09-17 15:36 1172480 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 16:35 . 2010-09-17 21:14 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-04 16:35 . 2009-08-06 19:23 222448 ----a-w- c:\windows\system32\muweb.dll
2012-06-04 04:32 . 2001-08-23 12:00 152576 ----a-w- c:\windows\system32\schannel.dll
2012-06-03 00:17 . 2012-07-18 08:08 56 ----a-w- c:\documents and settings\Paul\TEST1.COM
2012-06-02 14:19 . 2010-11-24 21:08 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 14:19 . 2010-11-24 21:08 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 14:19 . 2010-09-17 21:14 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 14:19 . 2010-09-17 21:14 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 14:19 . 2012-07-17 06:35 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 14:19 . 2010-11-24 21:08 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 14:19 . 2010-09-17 21:14 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 14:19 . 2010-09-17 15:39 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 14:19 . 2010-09-17 15:32 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 14:19 . 2010-11-24 21:08 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 14:19 . 2010-09-17 21:14 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 14:19 . 2010-09-17 15:39 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 14:18 . 2011-11-29 14:14 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 14:18 . 2011-11-29 14:14 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-05-31 13:22 . 2010-09-17 15:32 599040 ----a-w- c:\windows\system32\crypt32.dll
2010-03-31 10:09 . 2010-03-31 10:09 10437264 ----a-w- c:\program files\mozilla firefox\plugins\PDFNetC.dll
2010-04-08 12:36 . 2010-04-08 12:36 107760 ----a-w- c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll
2012-07-18 20:39 . 2011-09-08 12:07 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2006-05-03 11:06 163328 --sha-r- c:\windows\system32\flvDX.dll
2007-02-21 12:47 31232 --sha-r- c:\windows\system32\msfDX.dll
2008-03-16 14:30 216064 --sha-r- c:\windows\system32\nbDX.dll
2010-01-06 23:00 107520 --sha-r- c:\windows\system32\TAKDSDecoder.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2012-05-15 15504192]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Paul^Start Menu^Programs^Startup^SmartVision.lnk]
path=c:\documents and settings\Paul\Start Menu\Programs\Startup\SmartVision.lnk
backup=c:\windows\pss\SmartVision.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-06-21 15:43 148776 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ClamWin]
2011-02-15 23:34 86016 ----a-w- c:\program files\ClamWin\bin\ClamTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2011-07-28 23:08 1259376 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo R340 Series]
2006-12-26 04:00 177664 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\E_FATIAJE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 04:42 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-06-11 08:44 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2012-05-15 09:40 108352 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-05-23 23:14 421888 ----a-w- c:\program files\QuickTime\qttask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RIMBBLaunchAgent.exe]
2011-09-01 17:47 90448 ----a-w- c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-10-29 14:49 249064 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"WSearch"=2 (0x2)
"wscsvc"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"NMIndexingService"=3 (0x3)
"idsvc"=3 (0x3)
"gusvc"=3 (0x3)
"gupdate"=2 (0x2)
"cisvc"=3 (0x3)
"Bonjour Service"=2 (0x2)
"gupdatem"=3 (0x3)
"FirebirdServerMAGIXInstance"=3 (0x3)
"Fabs"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\GIGABYTE\\@BIOS\\gwflash.exe"=
"c:\\Program Files\\Boxee\\BOXEE.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\eclipse\\eclipse.exe"=
"c:\\Program Files\\Adobe\\Adobe Dreamweaver CS3\\Dreamweaver.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\Program Files\\GameHouse Games Collection\\Wheel of Fortune\\Wheel of Fortune.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
.
R1 FNETURPX;FNETURPX;c:\windows\system32\drivers\FNETURPX.SYS [15/07/2012 4:19 pm 7936]
R1 nltdi;nltdi;c:\windows\system32\drivers\nltdi.sys [25/03/2010 9:49 am 82360]
R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [10/12/2011 3:51 pm 21992]
R2 Iprip;RIP Listener;c:\windows\System32\svchost.exe -k netsvcs [23/08/2001 1:00 pm 14336]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [04/02/2011 7:01 pm 655944]
R2 RtNdPt5x;Realtek NDIS Protocol Driver;c:\windows\system32\drivers\RtNdPt5x.sys [18/09/2010 8:48 am 22016]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [04/02/2011 7:01 pm 22344]
S2 Fabs;FABS - Helping agent for MAGIX media database;c:\program files\Common Files\MAGIX Services\Database\bin\FABS.exe /DisableUI --> c:\program files\Common Files\MAGIX Services\Database\bin\FABS.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [30/11/2010 12:42 am 136176]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [16/07/2012 6:08 pm 1691480]
S3 cg300;cg300VidCap;c:\windows\system32\drivers\cg300vc.sys [10/11/2010 2:59 am 13468]
S3 DrvAgent32;DrvAgent32;c:\windows\system32\drivers\DrvAgent32.sys [28/10/2011 1:04 am 23456]
S3 etdrv;etdrv;c:\windows\etdrv.sys [25/04/2011 9:03 pm 17488]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [30/11/2010 12:42 am 136176]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [26/04/2012 12:21 am 113120]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys --> c:\windows\system32\drivers\nvhda32.sys [?]
S3 PROCEXP151;PROCEXP151;\??\c:\windows\system32\Drivers\PROCEXP151.SYS --> c:\windows\system32\Drivers\PROCEXP151.SYS [?]
S3 RTLTEAMING;Realtek Intermediate Driver for Ethernet Extended Features;c:\windows\system32\drivers\RTLTEAMING.SYS [18/09/2010 8:48 am 29440]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [18/09/2010 8:48 am 17536]
S4 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\Common Files\MAGIX Services\Database\bin\fbserver.exe [07/08/2008 12:10 pm 3276800]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-29 23:42]
.
2012-08-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-29 23:42]
.
2012-08-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1214440339-1715567821-839522115-1003Core.job
- c:\documents and settings\Paul\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-07-21 07:24]
.
2012-08-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1214440339-1715567821-839522115-1003UA.job
- c:\documents and settings\Paul\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-07-21 07:24]
.
2012-08-22 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-03-26 16:03]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 194.168.4.100 194.168.8.100
FF - ProfilePath - c:\documents and settings\Paul\Application Data\Mozilla\Firefox\Profiles\fr9bboj4.default\
FF - prefs.js: browser.search.selectedEngine -
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 8118
FF - prefs.js: network.proxy.socks - 127.0.0.1
FF - prefs.js: network.proxy.socks_port - 9050
FF - prefs.js: network.proxy.ssl - 127.0.0.1
FF - prefs.js: network.proxy.ssl_port - 8118
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-WudfPf
SafeBoot-WudfRd
MSConfigStartUp-DivX Download Manager - c:\program files\DivX\DivX Plus Web Player\DDmService.exe
MSConfigStartUp-Freecorder FLV Service - c:\program files\Freecorder\FLVSrvc.exe
MSConfigStartUp-UnHackMe Monitor - c:\program files\UnHackMe\hackmon.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-08-22 16:35
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(856)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2012-08-22 16:37:13
ComboFix-quarantined-files.txt 2012-08-22 15:37
.
Pre-Run: 16,215,941,120 bytes free
Post-Run: 26,334,232,576 bytes free
.
- - End Of File - - D682DC4AA9B457209B465BBBDC1ED907
=========================================================================
I must recover 31.bat and tstmenu2.bat as these are programs I am developing. Ideally, I would like to recover all the files marked blue.
-
Thank you for your assistance.
Following your guidance above, I have attached the requested files.
Oh, I started Firefox and it started normally this time. Wow! It has been playing up for the past month or so. When I start it, it opens and closes immediately. Then I would need to start it again. However, on this occasion, after rebooting, it seems normal again - it stayed open first time. Could the above actions have anything to do with this? (Although I'm not sure it's not just a one-off, as I've only restarted Firefox this once so far.)
Paul Tomasi
-
Thank you. Didn't realise I had to post in a specific forum.
-
I am convinced my computer is infected with 'something'.
When I download '.EXE' files and attempt to install them I receive a message titled: 'Error' stating: 'The source file is corrupted'.
I did a scan of my system using Malwarebytes Anti-Malware 1.62.0.1300. My current database version is: v2012.08.21.04 so I attempted to update it.
A message titled: 'Updating Malwarebytes Anti-Malware' states: 'Downloading v2012.08.21.08' '6,718.50 KB [100%]' but then I receive another message stating the following:
An error has occurred. Please report this issue to our support team...
PROGRAM_ERROR_UPDATING (0, 0, Corrupt transfer)
I have Windows' standard firewall running. I do not have background anti-virus software.
My concern is, something in the background may be interfering with .EXE downloads or executions.
I have attached copies of DDS.TXT and ATTACH.TXT.
Thank you for any assistance you may offer.
-
Posted in Resolved Malware Removal Logs (thread: PROGRAM_ERROR_UPDATING (0, 0, Corrupt transfer))
The Firefox issue is still intermittent; however, I'm exploring the possibility it could be due to corrupted files, corrupted disk space, the volume of instances of FF and tabs constantly open, and compatibility issues with FF plugins and ActiveX components.
I have PM'd you the link as requested. Please comment wherever you see fit.
Thank you.
PS, speed and functionality were never an issue (save for the Firefox thing) so it's difficult to gauge any other effect at this early time.