
paultomasi

Members
  • Posts: 9
Posts posted by paultomasi

  1. The Firefox issue is still intermittent; however, I'm exploring the possibility it could be due to corrupted files, corrupted disk space, the volume of instances of FF and tabs constantly open, and compatibility issues with FF plugins and ActiveX components.

    I have PM'd you the link as requested. Please comment wherever you see fit.

    Thank you.

    PS, speed and functionality were never an issue (save for the Firefox thing) so it's difficult to gauge any other effect at this early time.

  2. Dear Maniac

    I don't think we're going to find anything ugly on my computer and that scares me even more. It would be satisfying to know something malicious has been eradicated.

    The only two entries in RKILL are:

    * C:\WINDOWS\system32\Ati2evxx.exe (PID: 1080) [WD-HEUR]

    * C:\WINDOWS\system32\Ati2evxx.exe (PID: 1440) [WD-HEUR]

    ESET returned less than that!

    All very worrying to say it's rare I use either a firewall or a background antivirus program, even though I am very paranoid about viral infections. All I can assume is my surfing habits are probably 'safer' than the average surfer's (although your opinion might differ on this, having laid out personal details about my computer).

    Where do we go from here?

    ======================================================================

    ESETSmartInstaller@High as CAB hook log:

    OnlineScanner.ocx - registred OK

    # version=7

    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

    # OnlineScanner.ocx=1.0.0.6583

    # api_version=3.0.2

    # EOSSerial=bf55c15025c66845850b5bdce87ee19c

    # end=finished

    # remove_checked=true

    # archives_checked=false

    # unwanted_checked=true

    # unsafe_checked=false

    # antistealth_checked=true

    # utc_time=2012-08-20 03:44:54

    # local_time=2012-08-20 04:44:54 (+0000, GMT Daylight Time)

    # country="United Kingdom"

    # lang=1033

    # osver=5.1.2600 NT Service Pack 3

    # compatibility_mode=512 16777215 100 0 10982171 10982171 0 0

    # compatibility_mode=2817 16777215 100 100 20703494 48169843 0 0

    # compatibility_mode=5891 16776870 42 92 66797 13202675 0 0

    # compatibility_mode=8192 67108863 100 0 1847 1847 0 0

    # scanned=581939

    # found=10

    # cleaned=10

    # scan_time=5768

    C:\Documents and Settings\Paul\Local Settings\Temp\ICReinstall\cnet2_unhackme_zip.exe a variant of Win32/InstallCore.D application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\Documents and Settings\Paul\Local Settings\Temp\Temporary Directory 1 for pdf2txtocrcmd.zip\pdf2txtocrcmd\pdf2txtocr.exe a variant of Win32/Packed.BoxedApp.B application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\Documents and Settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\IDYBF26Z\landing[1].php HTML/ScrInject.B.Gen virus (deleted - quarantined) 00000000000000000000000000000000 C

    C:\Documents and Settings\Paul\My Documents\Downloads\MIDI FILES\cnet2_MidiPianoSuite_v172_zip.exe a variant of Win32/InstallCore.D application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\Documents and Settings\Paul\My Documents\Downloads\MIDI FILES\cnet2_MidiPiano_216_zip.exe a variant of Win32/InstallCore.D application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    D:\Documents and Settings\Paul\.clamwin\quarantine\testvirus.txt.infected Eicar test file (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    D:\Documents and Settings\Paul\.clamwin\quarantine\XvidSetup.exe.infected a variant of Win32/Adware.HotBar.H application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    D:\Documents and Settings\Paul\.clamwin\quarantine\XvidSetup.exe.infected.000.infected a variant of Win32/Adware.HotBar.H application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    D:\Documents and Settings\Paul\.clamwin\quarantine\XvidSetup.exe.infected.001.infected a variant of Win32/Adware.HotBar.H application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    D:\Documents and Settings\Paul\.clamwin\quarantine\XvidSetup.exe.infected.002.infected a variant of Win32/Adware.HotBar.H application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    # version=7

    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

    # OnlineScanner.ocx=1.0.0.6583

    # api_version=3.0.2

    # EOSSerial=bf55c15025c66845850b5bdce87ee19c

    # end=finished

    # remove_checked=true

    # archives_checked=false

    # unwanted_checked=true

    # unsafe_checked=false

    # antistealth_checked=true

    # utc_time=2012-08-24 02:15:49

    # local_time=2012-08-24 03:15:49 (+0000, GMT Daylight Time)

    # country="United Kingdom"

    # lang=1033

    # osver=5.1.2600 NT Service Pack 3

    # compatibility_mode=512 16777215 100 0 11321735 11321735 0 0

    # compatibility_mode=2817 16777215 100 100 21043058 48509407 0 0

    # compatibility_mode=5891 16776869 42 92 0 13542239 0 0

    # compatibility_mode=8192 67108863 100 0 341411 341411 0 0

    # scanned=587075

    # found=0

    # cleaned=0

    # scan_time=6457

    ======================================================================

  3. Thank you. All seems good.

    On a down note, the Firefox problem has returned; however, I have shed new light on the problem of my downloaded .EXE files becoming corrupted. Even after undertaking the above diagnostic procedures, the problem still persists. I am unable to execute any (or so it seems) .EXE file that I download onto my primary hard drive. Windows returns a 'corrupted file' error message.

    However, I was able to download and execute the same files onto drive D: without any problems. Is this a symptom of malware or should I now focus my attention elsewhere?

    A CHKDSK of drive C: showed no discernible problems save for a few minor inconsistencies, which were rectified.

    As far as malware is concerned, is it safe to assume all is well now?

    Thank you.

  4. 2012-08-22 15:36:21 . 2012-08-22 15:36:21 596 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-UnHackMe Monitor.reg.dat

    2012-08-22 15:36:21 . 2012-08-22 15:36:21 630 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-Freecorder FLV Service.reg.dat

    2012-08-22 15:36:21 . 2012-08-22 15:36:21 674 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-DivX Download Manager.reg.dat

    2012-08-22 15:36:20 . 2012-08-22 15:36:20 534 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SafeBoot-WudfRd.reg.dat

    2012-08-22 15:36:20 . 2012-08-22 15:36:20 534 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SafeBoot-WudfPf.reg.dat

    2012-08-22 15:33:13 . 2012-08-22 15:33:13 8,063 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg

    2012-08-22 15:23:08 . 2012-08-22 15:23:08 51 ----a-w- C:\Qoobox\Quarantine\catchme.log

    2012-07-28 03:25:34 . 2012-07-28 03:25:34 24 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Paul\find.tmp.vir

    2012-07-28 03:25:31 . 2012-07-28 03:25:31 0 ----a-w- C:\Qoobox\Quarantine\C\DOCUME~1\Paul\%~dpn1.tmp.vir

    2012-07-28 03:25:28 . 2012-07-28 03:25:28 75 ----a-w- C:\Qoobox\Quarantine\C\DOCUME~1\Paul\%%~nf.tmp.vir

    2012-07-28 03:25:27 . 2012-07-28 03:25:27 3 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Paul\ftpscr.tmp.vir

    2012-07-27 18:17:26 . 2012-07-28 03:25:45 0 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Paul\output.tmp.vir

    2012-07-27 17:26:37 . 2012-07-27 17:30:00 27 ----a-w- C:\Qoobox\Quarantine\C\DOCUME~1\Paul\%%~a.tmp.vir

    2012-07-27 17:26:37 . 2012-07-28 03:25:09 4 ----a-w- C:\Qoobox\Quarantine\C\DOCUME~1\Paul\%%~fa.tmp.vir

    2012-07-27 16:23:45 . 2012-07-27 16:24:57 4 ----a-w- C:\Qoobox\Quarantine\C\DOCUME~1\Paul\%FILES~1.TMP.vir

    2012-04-17 16:22:12 . 2012-04-17 16:23:33 0 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Paul\file.tmp.vir

    2012-04-13 21:14:42 . 2012-04-13 21:14:42 0 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Paul\27674015\.tmp.vir

    2012-04-13 21:09:53 . 2012-04-13 21:20:10 93,670 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Paul\27674015\120415-1.txt.vir

    2012-04-13 20:59:27 . 2012-04-13 21:19:49 258 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Paul\27674015\27674015.bat.vir

    2012-03-30 17:39:39 . 2012-03-30 17:39:39 36 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Paul\textfile14.txt.tmp.vir

    2012-03-29 04:47:05 . 2012-03-29 04:47:05 193 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Paul\pipe-delimited-file.txt.tmp.vir

    2012-03-28 07:15:46 . 2012-03-28 07:15:58 66 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Paul\%~fa.tmp.vir

    2012-03-27 21:34:01 . 2012-03-27 21:34:01 58 ----a-w- C:\Qoobox\Quarantine\C\DOCUME~1\Paul\%fa.tmp.vir

    2012-03-26 22:31:42 . 2012-03-26 22:31:42 0 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Paul\tt..tmp.vir

    2012-03-23 07:43:11 . 2012-07-30 14:46:32 32,718 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Paul\exclude.tmp.vir

    2012-03-23 07:37:45 . 2012-03-23 07:37:45 0 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Paul\zzz.tmp.vir

    2012-03-11 14:59:41 . 2012-03-11 14:59:41 4,593 ----a-w- C:\Qoobox\Quarantine\C\ipconfig.txt.vir

    2012-03-07 19:22:49 . 2012-03-07 19:22:49 723 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Paul\real.txt.vir

    2012-03-03 03:02:15 . 2012-03-03 03:20:28 95 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Paul\sizes.tmp.vir

    2012-03-01 13:28:03 . 2012-03-01 13:28:03 26 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Paul\test.tmp.vir

    2012-01-25 01:21:28 . 2012-01-25 01:04:08 1,179,648 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Paul\sfk164.exe.vir

    2012-01-24 19:46:12 . 2012-01-24 21:12:27 19,435 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Paul\lotto.tmp.vir

    2012-01-24 19:09:23 . 2012-01-24 19:17:23 194,577 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Paul\lotto.csv-.tmp.vir

    2012-01-24 19:09:23 . 2012-01-24 19:17:23 193 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Paul\lotto2.csv.tmp.vir

    2012-01-17 04:00:16 . 2012-01-17 04:00:58 8 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Paul\1234.txt.vir

    2012-01-09 13:25:24 . 2012-01-10 19:54:29 1,062 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Paul\netview.tmp.vir

    2012-01-06 00:04:28 . 2012-01-06 00:25:04 48,159 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Paul\output3.tmp.vir

    2012-01-05 23:44:11 . 2012-01-05 23:57:16 78,077 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Paul\output2.tmp.vir

    2012-01-02 00:17:21 . 2012-01-07 02:37:00 912 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Paul\31.bat.vir

    2011-12-17 17:01:11 . 2011-11-13 13:18:44 3,492,658 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Paul\01.mp3.vir

    2011-09-16 10:34:48 . 2011-06-19 09:20:00 1,155,072 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Paul\sfk.exe.vir

    2011-06-07 12:23:17 . 2008-03-19 15:22:42 7 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\win.dll.vir

    2011-06-07 12:23:16 . 2006-10-12 18:52:54 180,224 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\ijl11.dll.vir

    2010-11-30 18:29:46 . 2010-11-30 18:29:46 8,192 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Paul\Favorites\Thumbs.db.vir

    2010-10-18 16:15:16 . 2008-04-14 04:42:18 294,912 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\dllcache\dlimport.exe.vir

    2010-09-17 17:08:13 . 2010-09-17 17:08:13 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\URTTemp\mscoree.dll.local.vir

    2010-09-17 17:08:13 . 2003-02-21 03:42:22 348,160 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\URTTemp\msvcr71.dll.vir

    2010-09-17 17:08:13 . 2003-02-20 18:06:24 155,648 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\URTTemp\mscoree.dll.vir

    2010-09-17 17:08:13 . 2003-02-20 18:09:18 77,824 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\URTTemp\mscorsn.dll.vir

    2010-09-17 17:08:13 . 2003-02-20 18:08:32 2,482,176 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\URTTemp\mscorwks.dll.vir

    2010-09-17 17:08:13 . 2003-02-20 18:06:20 282,624 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\URTTemp\fusion.dll.vir

    2003-02-21 04:16:08 . 2003-02-21 04:16:08 49,152 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\URTTemp\regtlib.exe.vir

    1998-05-24 23:00:00 . 1998-05-24 23:00:00 84,225 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system\VI30AUT.DLL.vir

  5. Before I continue, I would like to say that you, and people like yourself, are providing a wonderful service. What would be required for me to help provide the same service to others?

    Okay, I have a few concerns.

    I do not know how ComboFix decides which files are risky; however, looking through ComboFix.txt, I note there are entries which may appear sinister to a casual observer. However, the following files in BLUE are in fact created by myself and are accounted for:

    =========================================================================

    ComboFix 12-08-22.01 - Paul 22/08/2012 16:25:10.1.6 - x86

    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3325.2629 [GMT 1:00]

    Running from: c:\documents and settings\Paul\Desktop\ComboFix.exe

    AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

    .

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    .

    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

    .

    .

    c:\documents and settings\All Users\Application Data\TEMP

    c:\documents and settings\Paul\%%~a.tmp

    c:\documents and settings\Paul\%%~fa.tmp

    c:\documents and settings\Paul\%%~nf.tmp

    c:\documents and settings\Paul\%~dpn1.tmp

    c:\documents and settings\Paul\%~fa.tmp

    c:\documents and settings\Paul\%fa.tmp

    c:\documents and settings\Paul\%files[name]%.tmp

    c:\documents and settings\Paul\01.mp3

    c:\documents and settings\Paul\1234.txt

    c:\documents and settings\Paul\27674015

    c:\documents and settings\Paul\27674015\.tmp

    c:\documents and settings\Paul\27674015\120415-1.txt

    c:\documents and settings\Paul\27674015\27674015.bat

    c:\documents and settings\Paul\31.bat

    c:\documents and settings\Paul\exclude.tmp

    c:\documents and settings\Paul\Favorites\Thumbs.db

    c:\documents and settings\Paul\file.tmp

    c:\documents and settings\Paul\find.tmp

    c:\documents and settings\Paul\ftpscr.tmp

    c:\documents and settings\Paul\lotto.csv-.tmp

    c:\documents and settings\Paul\lotto.tmp

    c:\documents and settings\Paul\lotto2.csv.tmp

    c:\documents and settings\Paul\netview.tmp

    c:\documents and settings\Paul\output.tmp

    c:\documents and settings\Paul\output2.tmp

    c:\documents and settings\Paul\output3.tmp

    c:\documents and settings\Paul\pipe-delimited-file.txt.tmp

    c:\documents and settings\Paul\real.txt

    c:\documents and settings\Paul\sfk.exe

    c:\documents and settings\Paul\sfk164.exe

    c:\documents and settings\Paul\sizes.tmp

    c:\documents and settings\Paul\test.tmp

    c:\documents and settings\Paul\textfile14.txt.tmp

    c:\documents and settings\Paul\tt..tmp

    c:\documents and settings\Paul\zzz.tmp

    C:\ipconfig.txt

    c:\windows\system\VI30AUT.DLL

    c:\windows\system32\Cache

    c:\windows\system32\dllcache\dlimport.exe

    c:\windows\system32\ijl11.dll

    c:\windows\system32\SystemFiles

    c:\windows\system32\URTTemp

    c:\windows\system32\URTTemp\fusion.dll

    c:\windows\system32\URTTemp\mscoree.dll

    c:\windows\system32\URTTemp\mscoree.dll.local

    c:\windows\system32\URTTemp\mscorsn.dll

    c:\windows\system32\URTTemp\mscorwks.dll

    c:\windows\system32\URTTemp\msvcr71.dll

    c:\windows\system32\URTTemp\regtlib.exe

    c:\windows\system32\win.dll

    .

    .

    ((((((((((((((((((((((((( Files Created from 2012-07-22 to 2012-08-22 )))))))))))))))))))))))))))))))

    .

    .

    2012-08-22 01:23 . 2012-08-22 01:23 -------- d-----w- c:\documents and settings\Paul\New Folder

    2012-08-22 00:30 . 2012-08-01 22:51 7023536 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B2A06E28-1B34-4495-9DF2-5F20743B0A9A}\mpengine.dll

    2012-08-21 01:42 . 2012-08-21 01:47 -------- d-----w- C:\tdskiller

    2012-08-21 00:31 . 2012-08-01 22:51 7023536 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

    2012-08-20 20:21 . 2012-08-20 20:21 -------- d-----w- C:\DriveKey

    2012-08-20 13:38 . 2012-08-20 13:38 -------- d-----w- c:\program files\ESET

    2012-08-20 11:49 . 2012-08-20 11:50 -------- d-----w- c:\program files\CamStudio 2.6b

    2012-08-20 11:49 . 2010-10-23 23:56 49664 ----a-w- c:\windows\system32\CamCodec.dll

    2012-08-17 10:53 . 2012-08-17 10:53 -------- d-----w- c:\program files\SDA

    2012-08-17 10:53 . 2012-08-17 10:53 -------- d-----w- c:\documents and settings\Paul\Local Settings\Application Data\Downloaded Installations

    2012-08-10 21:41 . 2012-08-10 21:41 -------- d-----w- c:\program files\Advanced Port Scanner

    2012-08-09 18:46 . 2012-08-10 02:07 -------- d-----w- C:\TOSHIBAL100

    2012-08-07 16:46 . 2012-08-07 16:46 -------- d-----w- C:\orig2

    2012-07-31 00:03 . 2012-07-31 00:03 855 ----a-w- c:\documents and settings\Paul\search100b.bat

    2012-07-30 14:46 . 2012-07-30 14:46 -------- d---a-w- C:\tttt

    2012-07-30 14:38 . 2012-07-30 14:41 125 ----a-w- c:\documents and settings\Paul\excludexcopy.bat

    2012-07-27 16:15 . 2012-07-30 13:45 901 ----a-w- c:\documents and settings\Paul\search100.bat

    2012-07-27 06:37 . 2012-07-27 06:43 120 ----a-w- c:\documents and settings\Paul\findenterprise.bat

    2012-07-27 06:37 . 2012-07-27 06:37 492 ----a-w- c:\documents and settings\Paul\find enterprise.bat

    2012-07-27 06:02 . 2012-07-27 06:20 433 ----a-w- c:\documents and settings\Paul\findfolder.bat

    2012-07-27 05:32 . 2012-07-27 05:38 207 ----a-w- c:\documents and settings\Paul\maklgmulttab.bat

    2012-07-26 22:55 . 2012-07-26 23:15 267 ----a-w- c:\documents and settings\Paul\findregitem.bat

    2012-07-26 22:24 . 2012-07-26 22:24 42441800 ----a-w- c:\documents and settings\Paul\EE reg-orig.reg

    .

    .

    .

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    2012-07-28 03:25 . 2012-01-14 11:27 740 ----a-w- c:\documents and settings\Paul\tt.vbs

    2012-07-28 03:25 . 2012-01-18 00:26 264 ----a-w- c:\documents and settings\Paul\refreshxls.vbs

    2012-07-23 01:08 . 2012-01-09 00:48 3135 ----a-w- c:\documents and settings\Paul\tstmenu2.bat

    2012-07-21 22:08 . 2012-07-20 20:40 1171 ----a-w- c:\documents and settings\Paul\progressxcopy.bat

    2012-07-20 03:47 . 2012-07-20 02:17 1316 ----a-w- c:\documents and settings\Paul\xcopyfiles.bat

    2012-07-20 02:48 . 2012-01-11 23:59 0 ----a-w- c:\documents and settings\Paul\TempWmicBatchFile.bat

    2012-07-18 08:34 . 2012-07-18 08:34 1327 ----a-w- c:\documents and settings\Paul\obda.bat

    2012-07-16 17:04 . 2012-07-16 17:04 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe

    2012-07-16 17:04 . 2011-08-09 07:45 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

    2012-07-15 15:19 . 2012-07-15 15:19 7936 ----a-w- c:\windows\system32\drivers\FNETURPX.SYS

    2012-07-06 13:58 . 2010-09-17 15:32 78336 ----a-w- c:\windows\system32\browser.dll

    2012-07-05 13:38 . 2012-07-05 13:13 519919451 ----a-w- C:\DeletedConduit.zip

    2012-07-04 14:05 . 2009-01-02 20:04 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys

    2012-07-03 13:40 . 2001-08-23 12:00 1866112 ----a-w- c:\windows\system32\win32k.sys

    2012-07-03 12:46 . 2011-02-04 18:01 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

    2012-07-02 17:49 . 2010-09-17 15:39 916992 ----a-w- c:\windows\system32\wininet.dll

    2012-07-02 17:49 . 2010-09-17 15:35 43520 ------w- c:\windows\system32\licmgr10.dll

    2012-07-02 17:49 . 2010-09-17 15:33 1469440 ------w- c:\windows\system32\inetcpl.cpl

    2012-07-02 12:05 . 2010-09-17 21:14 385024 ------w- c:\windows\system32\html.iec

    2012-06-06 19:59 . 2012-06-06 19:59 1070152 ----a-w- c:\windows\system32\MSCOMCTL.OCX

    2012-06-05 15:50 . 2010-10-18 16:17 1372672 ----a-w- c:\windows\system32\msxml6.dll

    2012-06-05 15:50 . 2010-09-17 15:36 1172480 ----a-w- c:\windows\system32\msxml3.dll

    2012-06-04 16:35 . 2010-09-17 21:14 210968 ----a-w- c:\windows\system32\wuweb.dll

    2012-06-04 16:35 . 2009-08-06 19:23 222448 ----a-w- c:\windows\system32\muweb.dll

    2012-06-04 04:32 . 2001-08-23 12:00 152576 ----a-w- c:\windows\system32\schannel.dll

    2012-06-03 00:17 . 2012-07-18 08:08 56 ----a-w- c:\documents and settings\Paul\TEST1.COM

    2012-06-02 14:19 . 2010-11-24 21:08 22040 ----a-w- c:\windows\system32\wucltui.dll.mui

    2012-06-02 14:19 . 2010-11-24 21:08 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui

    2012-06-02 14:19 . 2010-09-17 21:14 329240 ----a-w- c:\windows\system32\wucltui.dll

    2012-06-02 14:19 . 2010-09-17 21:14 219160 ----a-w- c:\windows\system32\wuaucpl.cpl

    2012-06-02 14:19 . 2012-07-17 06:35 15384 ----a-w- c:\windows\system32\wuapi.dll.mui

    2012-06-02 14:19 . 2010-11-24 21:08 45080 ----a-w- c:\windows\system32\wups2.dll

    2012-06-02 14:19 . 2010-09-17 21:14 35864 ----a-w- c:\windows\system32\wups.dll

    2012-06-02 14:19 . 2010-09-17 15:39 53784 ----a-w- c:\windows\system32\wuauclt.exe

    2012-06-02 14:19 . 2010-09-17 15:32 97304 ----a-w- c:\windows\system32\cdm.dll

    2012-06-02 14:19 . 2010-11-24 21:08 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui

    2012-06-02 14:19 . 2010-09-17 21:14 577048 ----a-w- c:\windows\system32\wuapi.dll

    2012-06-02 14:19 . 2010-09-17 15:39 1933848 ----a-w- c:\windows\system32\wuaueng.dll

    2012-06-02 14:18 . 2011-11-29 14:14 275696 ----a-w- c:\windows\system32\mucltui.dll

    2012-06-02 14:18 . 2011-11-29 14:14 17136 ----a-w- c:\windows\system32\mucltui.dll.mui

    2012-05-31 13:22 . 2010-09-17 15:32 599040 ----a-w- c:\windows\system32\crypt32.dll

    2010-03-31 10:09 . 2010-03-31 10:09 10437264 ----a-w- c:\program files\mozilla firefox\plugins\PDFNetC.dll

    2010-04-08 12:36 . 2010-04-08 12:36 107760 ----a-w- c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll

    2012-07-18 20:39 . 2011-09-08 12:07 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

    2006-05-03 11:06 163328 --sha-r- c:\windows\system32\flvDX.dll

    2007-02-21 12:47 31232 --sha-r- c:\windows\system32\msfDX.dll

    2008-03-16 14:30 216064 --sha-r- c:\windows\system32\nbDX.dll

    2010-01-06 23:00 107520 --sha-r- c:\windows\system32\TAKDSDecoder.dll

    .

    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    .

    *Note* empty entries & legit default entries are not shown

    REGEDIT4

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]

    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2012-05-15 15504192]

    .

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

    "CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

    .

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

    @="Service"

    .

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

    @="Driver"

    .

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]

    @="Service"

    .

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]

    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk

    backup=c:\windows\pss\Windows Search.lnkCommon Startup

    .

    [HKLM\~\startupfolder\C:^Documents and Settings^Paul^Start Menu^Programs^Startup^SmartVision.lnk]

    path=c:\documents and settings\Paul\Start Menu\Programs\Startup\SmartVision.lnk

    backup=c:\windows\pss\SmartVision.lnkStartup

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]

    2007-06-21 15:43 148776 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ClamWin]

    2011-02-15 23:34 86016 ----a-w- c:\program files\ClamWin\bin\ClamTray.exe

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]

    2011-07-28 23:08 1259376 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo R340 Series]

    2006-12-26 04:00 177664 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\E_FATIAJE.EXE

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

    2008-04-14 04:42 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

    2007-06-11 08:44 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

    2012-05-15 09:40 108352 ----a-w- c:\windows\system32\nvmctray.dll

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

    2011-05-23 23:14 421888 ----a-w- c:\program files\QuickTime\qttask.exe

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RIMBBLaunchAgent.exe]

    2011-09-01 17:47 90448 ----a-w- c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

    2010-10-29 14:49 249064 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

    "wuauserv"=2 (0x2)

    "WSearch"=2 (0x2)

    "wscsvc"=2 (0x2)

    "ose"=3 (0x3)

    "odserv"=3 (0x3)

    "NMIndexingService"=3 (0x3)

    "idsvc"=3 (0x3)

    "gusvc"=3 (0x3)

    "gupdate"=2 (0x2)

    "cisvc"=3 (0x3)

    "Bonjour Service"=2 (0x2)

    "gupdatem"=3 (0x3)

    "FirebirdServerMAGIXInstance"=3 (0x3)

    "Fabs"=2 (0x2)

    .

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

    "%windir%\\system32\\sessmgr.exe"=

    "c:\\Program Files\\GIGABYTE\\@BIOS\\gwflash.exe"=

    "c:\\Program Files\\Boxee\\BOXEE.exe"=

    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    "c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=

    "c:\\WINDOWS\\system32\\ftp.exe"=

    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

    "c:\\eclipse\\eclipse.exe"=

    "c:\\Program Files\\Adobe\\Adobe Dreamweaver CS3\\Dreamweaver.exe"=

    "c:\\WINDOWS\\system32\\mmc.exe"=

    "c:\\WINDOWS\\system32\\mqsvc.exe"=

    "c:\\Program Files\\GameHouse Games Collection\\Wheel of Fortune\\Wheel of Fortune.exe"=

    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

    "c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=

    .

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

    "5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

    "3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping

    "3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

    .

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

    "AllowInboundEchoRequest"= 1 (0x1)

    .

    R1 FNETURPX;FNETURPX;c:\windows\system32\drivers\FNETURPX.SYS [15/07/2012 4:19 pm 7936]

    R1 nltdi;nltdi;c:\windows\system32\drivers\nltdi.sys [25/03/2010 9:49 am 82360]

    R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [10/12/2011 3:51 pm 21992]

    R2 Iprip;RIP Listener;c:\windows\System32\svchost.exe -k netsvcs [23/08/2001 1:00 pm 14336]

    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [04/02/2011 7:01 pm 655944]

    R2 RtNdPt5x;Realtek NDIS Protocol Driver;c:\windows\system32\drivers\RtNdPt5x.sys [18/09/2010 8:48 am 22016]

    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [04/02/2011 7:01 pm 22344]

    S2 Fabs;FABS - Helping agent for MAGIX media database;c:\program files\Common Files\MAGIX Services\Database\bin\FABS.exe /DisableUI --> c:\program files\Common Files\MAGIX Services\Database\bin\FABS.exe [?]

    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [30/11/2010 12:42 am 136176]

    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [16/07/2012 6:08 pm 1691480]

    S3 cg300;cg300VidCap;c:\windows\system32\drivers\cg300vc.sys [10/11/2010 2:59 am 13468]

    S3 DrvAgent32;DrvAgent32;c:\windows\system32\drivers\DrvAgent32.sys [28/10/2011 1:04 am 23456]

    S3 etdrv;etdrv;c:\windows\etdrv.sys [25/04/2011 9:03 pm 17488]

    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [30/11/2010 12:42 am 136176]

    S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [26/04/2012 12:21 am 113120]

    S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys --> c:\windows\system32\drivers\nvhda32.sys [?]

    S3 PROCEXP151;PROCEXP151;\??\c:\windows\system32\Drivers\PROCEXP151.SYS --> c:\windows\system32\Drivers\PROCEXP151.SYS [?]

    S3 RTLTEAMING;Realtek Intermediate Driver for Ethernet Extended Features;c:\windows\system32\drivers\RTLTEAMING.SYS [18/09/2010 8:48 am 29440]

    S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [18/09/2010 8:48 am 17536]

    S4 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\Common Files\MAGIX Services\Database\bin\fbserver.exe [07/08/2008 12:10 pm 3276800]

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

    p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

    .

    Contents of the 'Scheduled Tasks' folder

    .

    2012-08-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

    - c:\program files\Google\Update\GoogleUpdate.exe [2010-11-29 23:42]

    .

    2012-08-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

    - c:\program files\Google\Update\GoogleUpdate.exe [2010-11-29 23:42]

    .

    2012-08-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1214440339-1715567821-839522115-1003Core.job

    - c:\documents and settings\Paul\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-07-21 07:24]

    .

    2012-08-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1214440339-1715567821-839522115-1003UA.job

    - c:\documents and settings\Paul\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-07-21 07:24]

    .

    2012-08-22 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job

    - c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-03-26 16:03]

    .

    .

    ------- Supplementary Scan -------

    .

    uStart Page = hxxp://www.google.co.uk/

    uInternet Settings,ProxyOverride = *.local

    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

    TCP: DhcpNameServer = 194.168.4.100 194.168.8.100

    FF - ProfilePath - c:\documents and settings\Paul\Application Data\Mozilla\Firefox\Profiles\fr9bboj4.default\

    FF - prefs.js: browser.search.selectedEngine -

    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/

    FF - prefs.js: network.proxy.http - 127.0.0.1

    FF - prefs.js: network.proxy.http_port - 8118

    FF - prefs.js: network.proxy.socks - 127.0.0.1

    FF - prefs.js: network.proxy.socks_port - 9050

    FF - prefs.js: network.proxy.ssl - 127.0.0.1

    FF - prefs.js: network.proxy.ssl_port - 8118

    FF - prefs.js: network.proxy.type - 0

    .

    - - - - ORPHANS REMOVED - - - -

    .

    SafeBoot-WudfPf

    SafeBoot-WudfRd

    MSConfigStartUp-DivX Download Manager - c:\program files\DivX\DivX Plus Web Player\DDmService.exe

    MSConfigStartUp-Freecorder FLV Service - c:\program files\Freecorder\FLVSrvc.exe

    MSConfigStartUp-UnHackMe Monitor - c:\program files\UnHackMe\hackmon.exe

    .

    .

    .

    **************************************************************************

    .

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

    Rootkit scan 2012-08-22 16:35

    Windows 5.1.2600 Service Pack 3 NTFS

    .

    scanning hidden processes ...

    .

    scanning hidden autostart entries ...

    .

    scanning hidden files ...

    .

    scan completed successfully

    hidden files: 0

    .

    **************************************************************************

    .

    --------------------- DLLs Loaded Under Running Processes ---------------------

    .

    - - - - - - - > 'winlogon.exe'(856)

    c:\windows\system32\Ati2evxx.dll

    .

    Completion time: 2012-08-22 16:37:13

    ComboFix-quarantined-files.txt 2012-08-22 15:37

    .

    Pre-Run: 16,215,941,120 bytes free

    Post-Run: 26,334,232,576 bytes free

    .

    - - End Of File - - D682DC4AA9B457209B465BBBDC1ED907

    =========================================================================

    I must recover 31.bat and tstmenu2.bat as these are programs I am developing. Ideally, I would like to recover all the files marked blue.

  6. Thank you for your assistance.

    Following your guidance above, I have attached the requested files.

    Oh, I started Firefox and it started normally this time. Wow! It has been playing up for the past month or so. When I start it, it opens and closes immediately. Then I would need to start it again. However, on this occasion, after rebooting, it seems normal again - it stayed open first time. Could the above actions have anything to do with this? (Although I'm not sure it's not just a one-off, as I've only restarted Firefox this once so far.)

    Paul Tomasi

    mbam.txt

    Rkill.txt

    dds.txt

    attach.txt

  7. I am convinced my computer is infected with 'something'.

    When I download '.EXE' files and attempt to install them I receive a message titled 'Error' stating: 'The source file is corrupted'.

    I did a scan of my system using Malwarebytes Anti-Malware 1.62.0.1300. My current database version is: v2012.08.21.04 so I attempted to update it.

    A message titled 'Updating Malwarebytes Anti-Malware' states: 'Downloading v2012.08.21.08' '6,718.50 KB [100%]' but then I receive another message stating the following:

    An error has occurred. Please report this issue to our support team...

    PROGRAM_ERROR_UPDATING (0, 0, Corrupt transfer)

    I have Windows' standard firewall running. I do not have background anti-virus software.

    My concern is that something in the background may be interfering with .EXE downloads or executions.

    I have attached copies of DDS.TXT and ATTACH.TXT.

    Thank you for any assistance you may offer.

    dds.txt

    attach.txt

