
Infected with Live Security Platinum



thanks in advance for the help

.

DDS (Ver_2011-08-26.01) - NTFSx86 MINIMAL

Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_33

Run by temp at 4:54:42 on 2012-08-03

Microsoft® Windows Vista™ Enterprise 6.0.6002.2.1252.1.1033.18.2039.1709 [GMT -4:00]

.

SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\Explorer.EXE

C:\Windows\helppane.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uInternet Settings,ProxyOverride = *.local

uURLSearchHooks: YTD Toolbar: {f3fee66e-e034-436a-86e4-9690573bee8a} - c:\program files\ytd toolbar\ie\6.2\ytdToolbarIE.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll

BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.3.3.2.dll

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: YTD Toolbar: {f3fee66e-e034-436a-86e4-9690573bee8a} - c:\program files\ytd toolbar\ie\6.2\ytdToolbarIE.dll

BHO: PricePeep: {fd6d90c0-e6ee-4bc6-b9f7-9ed319698007} - c:\program files\pricepeep\pricepeep.dll

TB: YTD Toolbar: {f3fee66e-e034-436a-86e4-9690573bee8a} - c:\program files\ytd toolbar\ie\6.2\ytdToolbarIE.dll

uRun: [sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun

uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet

uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"

uRun: [Google Update] "c:\users\temp\appdata\local\google\update\GoogleUpdate.exe" /c

uRun: [KanevaTray] "c:\program files\kaneva\star\3296\KanevaTray.exe" --autostart

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Module Loader] c:\program files\creative\shared files\module loader\DLLML.exe -StartUpRun

mRun: [VolPanel] "c:\program files\creative\sound blaster x-fi surround 5.1\volume panel\VolPanlu.exe" /r

mRun: [Creative SB Monitoring Utility] RunDll32 sbavmon.dll,SBAVMonitor

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [<NO NAME>]

mRun: [searchSettings] "c:\program files\common files\spigot\search settings\SearchSettings.exe"

StartupFolder: c:\users\temp\appdata\roaming\micros~1\windows\startm~1\programs\startup\imvu.lnk - c:\users\temp\appdata\roaming\imvuclient\IMVUQualityAgent.exe

mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm

IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm

IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm

IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.3.3.2.dll/206

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL

LSP: mswsock.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab

TCP: DhcpNameServer = 192.168.2.1

TCP: Interfaces\{B1CAFC66-03AB-42A3-BBF0-EE5479F742AC} : DhcpNameServer = 192.168.2.1

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\users\temp\appdata\roaming\mozilla\firefox\profiles\iep06hw9.default\

FF - prefs.js: browser.search.selectedEngine - Yahoo

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=937811&p=

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll

FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npkanevapatch.dll

FF - plugin: c:\users\temp\appdata\local\google\update\1.3.21.115\npGoogleUpdate3.dll

FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_233.dll

FF - plugin: c:\windows\system32\npdeployJava1.dll

FF - plugin: c:\windows\system32\npmproxy.dll

FF - plugin: c:\windows\system32\npOGPPlugin.dll

.

---- FIREFOX POLICIES ----

FF - user.js: extensions.autoDisableScopes - 14

.

============= SERVICES / DRIVERS ===============

.

S2 Application Updater;Application Updater;c:\program files\application updater\ApplicationUpdater.exe [2012-7-26 794560]

S2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]

S2 hpsrv;HP Service;c:\windows\system32\hpservice.exe [2010-2-26 26168]

S2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-11-13 92008]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2008-1-20 179712]

S3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2006-9-14 88192]

S3 ksaud;Creative USB Audio Driver;c:\windows\system32\drivers\ksaud.sys [2009-8-25 450944]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-8-2 40776]

S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-5-8 113120]

S3 SMSCIRDA;SMSC Infrared Device Driver;c:\windows\system32\drivers\smscirda.sys [2006-11-2 30720]

.

=============== Created Last 30 ================

.

2012-08-02 23:09:50 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2012-08-02 05:06:09 -------- d-----w- c:\programdata\036DFF6A000CE2FE004DA8BB2F3B6FDA

2012-07-31 16:51:29 -------- d-----w- c:\program files\YTD Toolbar

2012-07-31 16:51:29 -------- d-----w- c:\program files\common files\Spigot

2012-07-31 16:51:29 -------- d-----w- c:\program files\Application Updater

2012-07-27 02:27:39 650752 ----a-w- c:\windows\system32\xvidcore.dll

2012-07-27 02:27:39 240640 ----a-w- c:\windows\system32\xvidvfw.dll

2012-07-27 02:27:39 152064 ----a-w- c:\windows\system32\xvid.ax

2012-07-27 02:26:02 -------- d-----w- c:\programdata\BasicScan

2012-07-27 02:26:02 -------- d-----w- c:\program files\BasicScan

2012-07-27 02:26:00 -------- d-----w- c:\program files\PricePeep

2012-07-27 02:25:33 -------- d-----w- c:\users\temp\appdata\local\GigglingGamesSA

2012-07-27 01:10:46 -------- d-----w- c:\program files\1ClickDownload

2012-07-09 23:40:34 -------- d-sh--w- c:\windows\system32\%APPDATA%

.

==================== Find3M ====================

.

2012-07-09 23:28:01 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-07-09 23:28:01 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-07-03 17:46:44 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-06-28 14:36:19 444952 ----a-w- c:\windows\system32\wrap_oal.dll

2012-06-28 14:36:19 109080 ----a-w- c:\windows\system32\OpenAL32.dll

2012-06-13 06:00:08 476936 ----a-w- c:\windows\system32\npdeployJava1.dll

2012-06-13 06:00:08 472840 ----a-w- c:\windows\system32\deployJava1.dll

2012-06-02 22:12:32 2422272 ----a-w- c:\windows\system32\wucltux.dll

2012-06-02 22:12:13 88576 ----a-w- c:\windows\system32\wudriver.dll

2012-06-02 19:19:42 171904 ----a-w- c:\windows\system32\wuwebv.dll

2012-06-02 19:12:20 33792 ----a-w- c:\windows\system32\wuapp.exe

2012-05-17 22:45:37 1800192 ----a-w- c:\windows\system32\jscript9.dll

2012-05-17 22:35:47 1129472 ----a-w- c:\windows\system32\wininet.dll

2012-05-17 22:35:39 1427968 ----a-w- c:\windows\system32\inetcpl.cpl

2012-05-17 22:29:45 142848 ----a-w- c:\windows\system32\ieUnatt.exe

2012-05-17 22:24:45 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2012-05-15 19:51:08 2045440 ----a-w- c:\windows\system32\win32k.sys

.

============= FINISH: 4:56:21.73 ===============

attach.txt

dds.txt


Hello hausarian! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

  • If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
  • I recommend that you keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.

Step 1

Please uninstall the following applications:

µTorrent

BitComet 1.13

YTD Toolbar v6.2

Step 2

Please follow the instructions here:

http://forums.malwarebytes.org/index.php?showtopic=110630

Post the log file in your next reply.

In your next reply, post the following log files:

  • Malwarebytes' Anti-Malware log
  • a new fresh DDS log


.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_33

Run by temp at 8:38:41 on 2012-08-03

Microsoft® Windows Vista™ Enterprise 6.0.6002.2.1252.1.1033.18.2039.1327 [GMT -4:00]

.

SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Program Files\Creative\Shared Files\CTAudSvc.exe

C:\Windows\system32\svchost.exe -k GPSvcGroup

C:\Windows\system32\SLsvc.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\Hpservice.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\taskeng.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Windows\system32\svchost.exe -k bthsvcs

C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\CDBurnerXP\NMSAccessU.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\WUDFHost.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe

C:\Program Files\Creative\Sound Blaster X-Fi Surround 5.1\Volume Panel\VolPanlu.exe

C:\Windows\System32\rundll32.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe

C:\Program Files\Kaneva\Star\3296\kanevatray.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uInternet Settings,ProxyOverride = *.local

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: PricePeep: {fd6d90c0-e6ee-4bc6-b9f7-9ed319698007} - c:\program files\pricepeep\pricepeep.dll

uRun: [sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun

uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet

uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"

uRun: [Google Update] "c:\users\temp\appdata\local\google\update\GoogleUpdate.exe" /c

uRun: [KanevaTray] "c:\program files\kaneva\star\3296\KanevaTray.exe" --autostart

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Module Loader] c:\program files\creative\shared files\module loader\DLLML.exe -StartUpRun

mRun: [VolPanel] "c:\program files\creative\sound blaster x-fi surround 5.1\volume panel\VolPanlu.exe" /r

mRun: [Creative SB Monitoring Utility] RunDll32 sbavmon.dll,SBAVMonitor

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

StartupFolder: c:\users\temp\appdata\roaming\micros~1\windows\startm~1\programs\startup\imvu.lnk - c:\users\temp\appdata\roaming\imvuclient\IMVUQualityAgent.exe

mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL

LSP: mswsock.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab

TCP: DhcpNameServer = 192.168.2.1

TCP: Interfaces\{B1CAFC66-03AB-42A3-BBF0-EE5479F742AC} : DhcpNameServer = 192.168.2.1

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\users\temp\appdata\roaming\mozilla\firefox\profiles\iep06hw9.default\

FF - prefs.js: browser.search.selectedEngine - Yahoo

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=937811&p=

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll

FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npkanevapatch.dll

FF - plugin: c:\users\temp\appdata\local\google\update\1.3.21.115\npGoogleUpdate3.dll

FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_233.dll

FF - plugin: c:\windows\system32\npdeployJava1.dll

FF - plugin: c:\windows\system32\npmproxy.dll

FF - plugin: c:\windows\system32\npOGPPlugin.dll

.

---- FIREFOX POLICIES ----

FF - user.js: extensions.autoDisableScopes - 14

.

============= SERVICES / DRIVERS ===============

.

R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]

R2 hpsrv;HP Service;c:\windows\system32\hpservice.exe [2010-2-26 26168]

R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-11-13 92008]

R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2008-1-20 179712]

R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2006-9-14 88192]

R3 SMSCIRDA;SMSC Infrared Device Driver;c:\windows\system32\drivers\smscirda.sys [2006-11-2 30720]

S3 ksaud;Creative USB Audio Driver;c:\windows\system32\drivers\ksaud.sys [2009-8-25 450944]

S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-5-8 113120]

.

=============== Created Last 30 ================

.

2012-08-02 05:06:09 -------- d-----w- c:\programdata\036DFF6A000CE2FE004DA8BB2F3B6FDA

2012-07-27 02:27:39 650752 ----a-w- c:\windows\system32\xvidcore.dll

2012-07-27 02:27:39 240640 ----a-w- c:\windows\system32\xvidvfw.dll

2012-07-27 02:27:39 152064 ----a-w- c:\windows\system32\xvid.ax

2012-07-27 02:26:02 -------- d-----w- c:\programdata\BasicScan

2012-07-27 02:26:02 -------- d-----w- c:\program files\BasicScan

2012-07-27 02:26:00 -------- d-----w- c:\program files\PricePeep

2012-07-27 02:25:33 -------- d-----w- c:\users\temp\appdata\local\GigglingGamesSA

2012-07-27 01:10:46 -------- d-----w- c:\program files\1ClickDownload

2012-07-09 23:40:34 -------- d-sh--w- c:\windows\system32\%APPDATA%

.

==================== Find3M ====================

.

2012-07-09 23:28:01 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-07-09 23:28:01 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-07-03 17:46:44 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-06-28 14:36:19 444952 ----a-w- c:\windows\system32\wrap_oal.dll

2012-06-28 14:36:19 109080 ----a-w- c:\windows\system32\OpenAL32.dll

2012-06-13 06:00:08 476936 ----a-w- c:\windows\system32\npdeployJava1.dll

2012-06-13 06:00:08 472840 ----a-w- c:\windows\system32\deployJava1.dll

2012-06-02 22:12:32 2422272 ----a-w- c:\windows\system32\wucltux.dll

2012-06-02 22:12:13 88576 ----a-w- c:\windows\system32\wudriver.dll

2012-06-02 19:19:42 171904 ----a-w- c:\windows\system32\wuwebv.dll

2012-06-02 19:12:20 33792 ----a-w- c:\windows\system32\wuapp.exe

2012-05-17 22:45:37 1800192 ----a-w- c:\windows\system32\jscript9.dll

2012-05-17 22:35:47 1129472 ----a-w- c:\windows\system32\wininet.dll

2012-05-17 22:35:39 1427968 ----a-w- c:\windows\system32\inetcpl.cpl

2012-05-17 22:29:45 142848 ----a-w- c:\windows\system32\ieUnatt.exe

2012-05-17 22:24:45 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2012-05-15 19:51:08 2045440 ----a-w- c:\windows\system32\win32k.sys

.

============= FINISH: 8:39:25.57 ===============

Malwarebytes Anti-Malware 1.62.0.1300

www.malwarebytes.org

Database version: v2012.08.03.04

Windows Vista Service Pack 2 x86 NTFS

Internet Explorer 9.0.8112.16421

temp :: NC6400 [administrator]

8/3/2012 7:57:14 AM

mbam-log-2012-08-03 (07-57-14).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 180569

Time elapsed: 11 minute(s), 51 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 6

C:\Windows\assembly\GAC\Desktop.ini (Trojan.0access) -> Delete on reboot.

C:\Windows\Installer\{f354f5df-93dc-acb4-b5e6-06e14e6c28c7}\U\00000004.@ (Rootkit.Zaccess) -> Quarantined and deleted successfully.

C:\Windows\Installer\{f354f5df-93dc-acb4-b5e6-06e14e6c28c7}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.

C:\Windows\Installer\{f354f5df-93dc-acb4-b5e6-06e14e6c28c7}\U\000000cb.@ (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Windows\Installer\{f354f5df-93dc-acb4-b5e6-06e14e6c28c7}\U\80000000.@ (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Windows\Installer\{f354f5df-93dc-acb4-b5e6-06e14e6c28c7}\U\80000032.@ (Rootkit.0Access) -> Quarantined and deleted successfully.

(end)

Thanks Maniac.... followed directions as instructed... here are the new logs


BACKDOOR WARNING

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC, or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

Help: I Got Hacked. Now What Do I Do?

Help: I Got Hacked. Now What Do I Do? Part II

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

Download OTL to your Desktop

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Please tick the Scan All Users box. Next, click the Quick Scan button. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time and post them in your topic.


Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Please post the C:\ComboFix.txt in your next reply for further review.

Note: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.


ComboFix 12-08-05.02 - temp 08/05/2012 22:17:39.2.2 - x86

Microsoft® Windows Vista™ Enterprise 6.0.6002.2.1252.1.1033.18.2039.1263 [GMT -4:00]

Running from: c:\users\temp\Desktop\ComboFix.exe

SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Created a new restore point

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\program files\BasicScan

c:\program files\BasicScan\uninstall.exe

c:\programdata\BasicScan

c:\programdata\da6d155bca25c109f0ff158361c0a68e_c

c:\windows\$NtUninstallKB38198$

c:\windows\$NtUninstallKB38198$\4185158341

c:\windows\Installer\{f354f5df-93dc-acb4-b5e6-06e14e6c28c7}\@

c:\windows\Installer\{f354f5df-93dc-acb4-b5e6-06e14e6c28c7}\L\00000004.@

c:\windows\Installer\{f354f5df-93dc-acb4-b5e6-06e14e6c28c7}\L\1afb2d56

c:\windows\Installer\{f354f5df-93dc-acb4-b5e6-06e14e6c28c7}\L\201d3dde

c:\windows\Installer\{f354f5df-93dc-acb4-b5e6-06e14e6c28c7}\U\00000004.@

c:\windows\Installer\{f354f5df-93dc-acb4-b5e6-06e14e6c28c7}\U\00000008.@

c:\windows\Installer\{f354f5df-93dc-acb4-b5e6-06e14e6c28c7}\U\000000cb.@

c:\windows\Installer\{f354f5df-93dc-acb4-b5e6-06e14e6c28c7}\U\80000000.@

c:\windows\Installer\{f354f5df-93dc-acb4-b5e6-06e14e6c28c7}\U\80000032.@

c:\windows\system32\tmp3084.tmp

c:\windows\system32\tmp31BD.tmp

c:\windows\system32\tmpC284.tmp

c:\windows\system32\tmpC3BD.tmp

c:\windows\system32\URTTemp

c:\windows\system32\URTTemp\regtlib.exe

.

c:\windows\system32\services.exe . . . is infected!!

.

.

((((((((((((((((((((((((( Files Created from 2012-07-06 to 2012-08-06 )))))))))))))))))))))))))))))))

.

.

2012-08-06 02:28 . 2012-08-06 02:32 -------- d-----w- c:\users\temp\AppData\Local\temp

2012-08-06 02:28 . 2012-08-06 02:28 -------- d-----w- c:\users\Public\AppData\Local\temp

2012-08-06 02:28 . 2012-08-06 02:28 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-08-02 05:06 . 2012-08-03 11:51 -------- d-----w- c:\programdata\036DFF6A000CE2FE004DA8BB2F3B6FDA

2012-07-27 02:27 . 2011-03-21 13:58 152064 ----a-w- c:\windows\system32\xvid.ax

2012-07-27 02:27 . 2011-03-19 15:06 240640 ----a-w- c:\windows\system32\xvidvfw.dll

2012-07-27 02:27 . 2011-03-19 15:04 650752 ----a-w- c:\windows\system32\xvidcore.dll

2012-07-27 02:26 . 2012-07-27 02:26 -------- d-----w- c:\program files\PricePeep

2012-07-27 02:25 . 2012-07-29 22:58 -------- d-----w- c:\users\temp\AppData\Local\GigglingGamesSA

2012-07-27 01:10 . 2012-07-27 01:10 -------- d-----w- c:\program files\1ClickDownload

2012-07-09 23:40 . 2012-07-09 23:40 -------- d-sh--w- c:\windows\system32\%APPDATA%

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-07-09 23:28 . 2012-05-04 16:55 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-07-09 23:28 . 2011-05-29 15:23 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-07-03 17:46 . 2009-08-03 12:33 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-06-28 14:36 . 2009-08-25 18:03 444952 ----a-w- c:\windows\system32\wrap_oal.dll

2012-06-28 14:36 . 2009-08-25 18:03 109080 ----a-w- c:\windows\system32\OpenAL32.dll

2012-06-13 06:00 . 2012-06-13 06:00 476936 ----a-w- c:\windows\system32\npdeployJava1.dll

2012-06-13 06:00 . 2010-05-20 15:35 472840 ----a-w- c:\windows\system32\deployJava1.dll

2012-06-02 22:19 . 2012-06-27 15:21 45080 ----a-w- c:\windows\system32\wups2.dll

2012-06-02 22:19 . 2012-06-27 15:21 53784 ----a-w- c:\windows\system32\wuauclt.exe

2012-06-02 22:19 . 2012-06-27 15:20 35864 ----a-w- c:\windows\system32\wups.dll

2012-06-02 22:19 . 2012-06-27 15:20 577048 ----a-w- c:\windows\system32\wuapi.dll

2012-06-02 22:19 . 2012-06-27 15:21 1933848 ----a-w- c:\windows\system32\wuaueng.dll

2012-06-02 22:12 . 2012-06-27 15:21 2422272 ----a-w- c:\windows\system32\wucltux.dll

2012-06-02 22:12 . 2012-06-27 15:20 88576 ----a-w- c:\windows\system32\wudriver.dll

2012-06-02 19:19 . 2012-06-27 15:20 171904 ----a-w- c:\windows\system32\wuwebv.dll

2012-06-02 19:12 . 2012-06-27 15:20 33792 ----a-w- c:\windows\system32\wuapp.exe

2012-05-17 22:45 . 2012-06-15 07:02 1800192 ----a-w- c:\windows\system32\jscript9.dll

2012-05-17 22:35 . 2012-06-15 07:02 1129472 ----a-w- c:\windows\system32\wininet.dll

2012-05-17 22:35 . 2012-06-15 07:02 1427968 ----a-w- c:\windows\system32\inetcpl.cpl

2012-05-17 22:29 . 2012-06-15 07:02 142848 ----a-w- c:\windows\system32\ieUnatt.exe

2012-05-17 22:24 . 2012-06-15 07:02 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2012-05-15 19:51 . 2012-06-14 19:58 2045440 ----a-w- c:\windows\system32\win32k.sys

2012-06-19 15:03 . 2011-06-29 06:32 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

[7] 2009-04-11 . D4E6D91C1349B7BFB3599A6ADA56851B . 279552 . . [6.0.6000.16386] . . c:\windows\ERDNT\cache\services.exe

[-] 2009-04-11 . 8737764F4FD36D6808EE80578409C843 . 279552 . . [6.0.6000.16386] . . c:\windows\System32\services.exe

[7] 2009-04-11 . D4E6D91C1349B7BFB3599A6ADA56851B . 279552 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe

[7] 2008-01-21 . 2B336AB6286D6C81FA02CBAB914E3C6C . 279040 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD6D90C0-E6EE-4BC6-B9F7-9ED319698007}]

2012-07-10 00:10 483696 ----a-w- c:\program files\PricePeep\pricepeep.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]

"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]

"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-11-13 247144]

"KanevaTray"="c:\program files\Kaneva\Star\3296\KanevaTray.exe" [2012-07-05 378600]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"Module Loader"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2007-07-18 57344]

"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi Surround 5.1\Volume Panel\VolPanlu.exe" [2007-12-19 217192]

"Creative SB Monitoring Utility"="sbavmon.dll" [2007-06-28 93696]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-08 198160]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2012-07-03 973488]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]

.

c:\users\temp\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

IMVU.lnk - c:\users\temp\AppData\Roaming\IMVUClient\IMVUQualityAgent.exe [N/A]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux6"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc

bthsvcs REG_MULTI_SZ BthServ

LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

.

Contents of the 'Scheduled Tasks' folder

.

2012-08-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3114659253-1989471645-1613028585-1000Core.job

- c:\users\temp\AppData\Local\Google\Update\GoogleUpdate.exe [2009-07-09 00:54]

.

2012-08-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3114659253-1989471645-1613028585-1000UA.job

- c:\users\temp\AppData\Local\Google\Update\GoogleUpdate.exe [2009-07-09 00:54]

.

2010-12-16 c:\windows\Tasks\User_Feed_Synchronization-{14C62BA9-EC35-4695-9990-F41EFCBFD02A}.job

- c:\windows\system32\msfeedssync.exe [2012-04-08 07:10]

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = *.local

LSP: mswsock.dll

TCP: DhcpNameServer = 192.168.2.1

FF - ProfilePath - c:\users\temp\AppData\Roaming\Mozilla\Firefox\Profiles\iep06hw9.default\

FF - prefs.js: browser.search.selectedEngine - Yahoo

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=937811&p=

FF - user.js: extensions.autoDisableScopes - 14

.

- - - - ORPHANS REMOVED - - - -

.

AddRemove-Xvid Video Codec 1.3.1 - c:\program files\Xvid\uninstall.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-08-05 22:33

Windows 6.0.6002 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

"MSCurrentCountry"=dword:000000b5

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Creative\Shared Files\CTAudSvc.exe

c:\windows\system32\Hpservice.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\CDBurnerXP\NMSAccessU.exe

c:\program files\TomTom HOME 2\TomTomHOMEService.exe

c:\windows\System32\rundll32.exe

c:\program files\Windows Media Player\wmpnscfg.exe

c:\program files\Windows Media Player\wmpnetwk.exe

c:\program files\Yahoo!\Messenger\ymsgr_tray.exe

c:\windows\system32\SLUI.exe

.

**************************************************************************

.

Completion time: 2012-08-05 22:39:37 - machine was rebooted

ComboFix-quarantined-files.txt 2012-08-06 02:39

ComboFix2.txt 2011-12-14 01:06

ComboFix3.txt 2011-08-06 03:24

.

Pre-Run: 8,987,484,160 bytes free

Post-Run: 8,972,955,648 bytes free

.

- - End Of File - - C94AA7A2588CB6B1FF62A9E2BF836071


1. Close any open browsers.

2. Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

FCopy::
c:\windows\ERDNT\cache\services.exe | c:\windows\System32\services.exe

Folder::
c:\windows\Installer\{f354f5df-93dc-acb4-b5e6-06e14e6c28c7}

JavaClearCache::

Save this as CFScript.txt, in the same location as ComboFix.exe

[Image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Here is the new ComboFix log

ComboFix 12-08-05.02 - temp 08/06/2012 11:30:30.4.2 - x86 MINIMAL

Microsoft® Windows Vista™ Enterprise 6.0.6002.2.1252.1.1033.18.2039.1698 [GMT -4:00]

Running from: c:\users\temp\Desktop\hide.exe

Command switches used :: c:\users\temp\Desktop\CFScript.txt

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\assembly\GAC\Desktop.ini

c:\windows\Installer\{f354f5df-93dc-acb4-b5e6-06e14e6c28c7}

.

.

--------------- FCopy ---------------

.

c:\windows\ERDNT\cache\services.exe --> c:\windows\System32\services.exe

.

((((((((((((((((((((((((( Files Created from 2012-07-06 to 2012-08-06 )))))))))))))))))))))))))))))))

.

.

2012-08-06 15:37 . 2012-08-06 15:42 -------- d-----w- c:\users\temp\AppData\Local\temp

2012-08-06 15:37 . 2012-08-06 15:37 -------- d-----w- c:\users\Public\AppData\Local\temp

2012-08-06 15:37 . 2012-08-06 15:37 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-08-06 03:06 . 2012-08-06 15:29 -------- d-----w- C:\ComboFix

2012-08-02 05:06 . 2012-08-03 11:51 -------- d-----w- c:\programdata\036DFF6A000CE2FE004DA8BB2F3B6FDA

2012-07-27 02:27 . 2011-03-21 13:58 152064 ----a-w- c:\windows\system32\xvid.ax

2012-07-27 02:27 . 2011-03-19 15:06 240640 ----a-w- c:\windows\system32\xvidvfw.dll

2012-07-27 02:27 . 2011-03-19 15:04 650752 ----a-w- c:\windows\system32\xvidcore.dll

2012-07-27 02:26 . 2012-07-27 02:26 -------- d-----w- c:\program files\PricePeep

2012-07-27 02:25 . 2012-07-29 22:58 -------- d-----w- c:\users\temp\AppData\Local\GigglingGamesSA

2012-07-27 01:10 . 2012-07-27 01:10 -------- d-----w- c:\program files\1ClickDownload

2012-07-09 23:40 . 2012-07-09 23:40 -------- d-sh--w- c:\windows\system32\%APPDATA%

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-07-09 23:28 . 2012-05-04 16:55 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-07-09 23:28 . 2011-05-29 15:23 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-07-03 17:46 . 2009-08-03 12:33 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-06-28 14:36 . 2009-08-25 18:03 444952 ----a-w- c:\windows\system32\wrap_oal.dll

2012-06-28 14:36 . 2009-08-25 18:03 109080 ----a-w- c:\windows\system32\OpenAL32.dll

2012-06-13 06:00 . 2012-06-13 06:00 476936 ----a-w- c:\windows\system32\npdeployJava1.dll

2012-06-13 06:00 . 2010-05-20 15:35 472840 ----a-w- c:\windows\system32\deployJava1.dll

2012-06-02 22:19 . 2012-06-27 15:21 45080 ----a-w- c:\windows\system32\wups2.dll

2012-06-02 22:19 . 2012-06-27 15:21 53784 ----a-w- c:\windows\system32\wuauclt.exe

2012-06-02 22:19 . 2012-06-27 15:20 35864 ----a-w- c:\windows\system32\wups.dll

2012-06-02 22:19 . 2012-06-27 15:20 577048 ----a-w- c:\windows\system32\wuapi.dll

2012-06-02 22:19 . 2012-06-27 15:21 1933848 ----a-w- c:\windows\system32\wuaueng.dll

2012-06-02 22:12 . 2012-06-27 15:21 2422272 ----a-w- c:\windows\system32\wucltux.dll

2012-06-02 22:12 . 2012-06-27 15:20 88576 ----a-w- c:\windows\system32\wudriver.dll

2012-06-02 19:19 . 2012-06-27 15:20 171904 ----a-w- c:\windows\system32\wuwebv.dll

2012-06-02 19:12 . 2012-06-27 15:20 33792 ----a-w- c:\windows\system32\wuapp.exe

2012-05-17 22:45 . 2012-06-15 07:02 1800192 ----a-w- c:\windows\system32\jscript9.dll

2012-05-17 22:35 . 2012-06-15 07:02 1129472 ----a-w- c:\windows\system32\wininet.dll

2012-05-17 22:35 . 2012-06-15 07:02 1427968 ----a-w- c:\windows\system32\inetcpl.cpl

2012-05-17 22:29 . 2012-06-15 07:02 142848 ----a-w- c:\windows\system32\ieUnatt.exe

2012-05-17 22:24 . 2012-06-15 07:02 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2012-05-15 19:51 . 2012-06-14 19:58 2045440 ----a-w- c:\windows\system32\win32k.sys

2012-06-19 15:03 . 2011-06-29 06:32 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD6D90C0-E6EE-4BC6-B9F7-9ED319698007}]

2012-07-10 00:10 483696 ----a-w- c:\program files\PricePeep\pricepeep.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]

"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]

"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-11-13 247144]

"KanevaTray"="c:\program files\Kaneva\Star\3296\KanevaTray.exe" [2012-07-05 378600]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"Module Loader"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2007-07-18 57344]

"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi Surround 5.1\Volume Panel\VolPanlu.exe" [2007-12-19 217192]

"Creative SB Monitoring Utility"="sbavmon.dll" [2007-06-28 93696]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-08 198160]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2012-07-03 973488]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]

.

c:\users\temp\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

IMVU.lnk - c:\users\temp\AppData\Roaming\IMVUClient\IMVUQualityAgent.exe [N/A]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux6"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc

bthsvcs REG_MULTI_SZ BthServ

LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

.

Contents of the 'Scheduled Tasks' folder

.

2012-08-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3114659253-1989471645-1613028585-1000Core.job

- c:\users\temp\AppData\Local\Google\Update\GoogleUpdate.exe [2009-07-09 00:54]

.

2012-08-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3114659253-1989471645-1613028585-1000UA.job

- c:\users\temp\AppData\Local\Google\Update\GoogleUpdate.exe [2009-07-09 00:54]

.

2010-12-16 c:\windows\Tasks\User_Feed_Synchronization-{14C62BA9-EC35-4695-9990-F41EFCBFD02A}.job

- c:\windows\system32\msfeedssync.exe [2012-04-08 07:10]

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = *.local

TCP: DhcpNameServer = 192.168.2.1

FF - ProfilePath - c:\users\temp\AppData\Roaming\Mozilla\Firefox\Profiles\iep06hw9.default\

FF - prefs.js: browser.search.selectedEngine - Yahoo

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=937811&p=

FF - user.js: extensions.autoDisableScopes - 14

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-08-06 11:41

Windows 6.0.6002 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

"MSCurrentCountry"=dword:000000b5

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Creative\Shared Files\CTAudSvc.exe

c:\windows\system32\Hpservice.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\CDBurnerXP\NMSAccessU.exe

c:\program files\TomTom HOME 2\TomTomHOMEService.exe

c:\windows\System32\rundll32.exe

c:\program files\Windows Media Player\wmpnscfg.exe

c:\program files\Windows Media Player\wmpnetwk.exe

c:\\?\c:\windows\system32\wbem\WMIADAP.EXE

.

**************************************************************************

.

Completion time: 2012-08-06 11:46:48 - machine was rebooted

ComboFix-quarantined-files.txt 2012-08-06 15:46

ComboFix2.txt 2012-08-06 03:28

ComboFix3.txt 2012-08-06 02:39

ComboFix4.txt 2011-12-14 01:06

ComboFix5.txt 2012-08-06 15:29

.

Pre-Run: 10,868,568,064 bytes free

Post-Run: 8,698,904,576 bytes free

.

- - End Of File - - 6AA42AB3B76CC3E8D4D27703EF162506

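The two ComboFix logs above are read the same way every time: the Run values and Startup shortcuts under Reg Loading Points, the new objects under Files Created, and what changed between runs. The script below is an added example for this thread (not ComboFix code and not posted by anyone here) that parses those line shapes and applies assumed location heuristics: a bare filename in a Run value, an autostart target under AppData or ProgramData, a literal environment-variable name such as %APPDATA% on disk, a hidden+system object created under the Windows directory, and a 32-hex-digit directory name under ProgramData. A flag is a prompt to look closer, not a verdict. The sample input is constructed from lines in the logs posted here; the "after" log is a constructed variant with one entry removed, to show the between-run diff.

```python
"""Triage a ComboFix-style log: list autostarts and newly created objects,
flag the ones worth a closer look, and diff two runs. Added example for this
thread; the flagging rules are assumed location heuristics, not verdicts."""
import re

# Constructed sample: lines copied from the logs posted in this thread,
# trimmed to the sections this parser reads.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2012-07-06 to 2012-08-06 )))))))))))))))))))))))))))))))
2012-08-02 05:06 . 2012-08-03 11:51 -------- d-----w- c:\programdata\036DFF6A000CE2FE004DA8BB2F3B6FDA
2012-07-27 02:26 . 2012-07-27 02:26 -------- d-----w- c:\program files\PricePeep
2012-07-09 23:40 . 2012-07-09 23:40 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-07-03 17:46 . 2009-08-03 12:33 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"KanevaTray"="c:\program files\Kaneva\Star\3296\KanevaTray.exe" [2012-07-05 378600]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative SB Monitoring Utility"="sbavmon.dll" [2007-06-28 93696]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
c:\users\temp\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
IMVU.lnk - c:\users\temp\AppData\Roaming\IMVUClient\IMVUQualityAgent.exe [N/A]
"""

# Constructed follow-up: the same sample with the IMVU shortcut gone, standing in
# for a second run after cleanup (hypothetical, not a log from this thread).
SAMPLE_LOG_AFTER = "\n".join(
    line for line in SAMPLE_LOG.splitlines() if not line.startswith("IMVU.lnk"))

KEY_LINE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
RUN_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"(?:\s+\[[^\]]*\])?$')
LNK_LINE = re.compile(r"^(?P<name>\S+\.lnk) - (?P<path>.+?)(?:\s+\[[^\]]*\])?$")
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}"
    r"\s+(?:\d+|-+)\s+(?P<attrs>[a-z-]{8})\s+(?P<path>.+)$")
HEX_DIR = re.compile(r"\\[0-9a-f]{32}$")   # applied to a lower-cased path

def parse_log(text):
    """Return (autostarts, files): autostarts as {source, name, path},
    files as {created, attrs, path}, both in log order."""
    autostarts, files, key = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := KEY_LINE.match(line)):
            key = m.group(1)                      # registry key the next values belong to
        elif key and (m := RUN_LINE.match(line)):
            autostarts.append({"source": key, "name": m["name"], "path": m["path"]})
        elif (m := LNK_LINE.match(line)):
            autostarts.append({"source": "Startup folder", "name": m["name"], "path": m["path"]})
        elif (m := FILE_LINE.match(line)):
            files.append({"created": m["created"], "attrs": m["attrs"], "path": m["path"]})
    return autostarts, files

def autostart_reasons(path):
    """Assumed heuristics for a Run value or Startup shortcut target."""
    p, reasons = path.lower(), []
    if "\\" not in p:
        reasons.append("bare filename: resolved through the search path, check which copy wins")
    if "\\appdata\\" in p or "\\programdata\\" in p:
        reasons.append("autostart target sits in a user-writable profile location")
    return reasons

def file_reasons(path, attrs):
    """Assumed heuristics for a Files Created entry (attrs look like 'd-sh--w-')."""
    p, reasons = path.lower(), []
    if "%" in p:
        reasons.append("literal environment-variable name in an on-disk path")
    if "s" in attrs and "h" in attrs and p.startswith("c:\\windows\\"):
        reasons.append("hidden+system object created under the Windows directory")
    if "\\programdata\\" in p and HEX_DIR.search(p):
        reasons.append("random-looking 32-hex-digit directory name under ProgramData")
    return reasons

def triage(text):
    """Return [(path, reason), ...] for every entry that trips a heuristic."""
    autostarts, files = parse_log(text)
    findings = [(f["path"], why) for f in files for why in file_reasons(f["path"], f["attrs"])]
    findings += [(a["path"], why) for a in autostarts for why in autostart_reasons(a["path"])]
    return findings

def diff_autostarts(before, after):
    """(added, removed) autostart entries between two logs of the same machine."""
    old = {(a["name"], a["path"].lower()) for a in parse_log(before)[0]}
    new = {(a["name"], a["path"].lower()) for a in parse_log(after)[0]}
    return sorted(new - old), sorted(old - new)

if __name__ == "__main__":
    for path, why in triage(SAMPLE_LOG):
        print(f"{path}\n    -> {why}")
    added, removed = diff_autostarts(SAMPLE_LOG, SAMPLE_LOG_AFTER)
    print("added since previous run:", added)
    print("removed since previous run:", removed)
```

Run as-is it works on the embedded sample; to use it on a real run, read a saved ComboFix.txt into a string and pass it to triage() or diff_autostarts(). On this sample it flags the ProgramData hex-named directory, the %APPDATA% directory under system32 twice (literal variable name, hidden+system), the bare sbavmon.dll Run value, and the IMVU shortcut under AppData, while PricePeep under Program Files and the Java updater pass the location checks; the diff reports the IMVU entry as removed. Anything flagged still needs the usual confirmation (signature, hash, vendor) before it is treated as malicious.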

Please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan

  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

esets_scanner_update returned -1 esets_gle=53251

Here is the log file. I ran an initial scan that produced 5 objects that ESET said were cleaned. I closed the window as instructed, but the log doesn't appear to have kept the information. I ran another scan and found 0 objects.


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
