Unknown malware/trojan?


fay-

Malwarebytes crashes when I run a scan (either quick or full) after around 50 min or so (time varies...). The file that it is scanning when it crashes also varies, so I'm not sure what is causing the problem. I tried running the program in safe mode, but that didn't work (it still crashes).

I have run checks with Avast, Spybot and Microsoft Security Essentials. All scans came out clean. Malwarebytes should be updated to the latest version already.

Any assistance in this matter will be much appreciated.

Here is the HJT log.

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 11:39:52 PM, on 04/09/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

c:\Program Files\Microsoft Security Essentials\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe

C:\Program Files\GridService\peer.exe

C:\Program Files\Microsoft Security Essentials\msseces.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Documents and Settings\KP\Desktop\HijackThis.exe

C:\Program Files\Mozilla Firefox\firefox.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: (no name) - {3C6301ED-0F78-4AF2-8150-D9C052361A8E} - (no file)

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe

O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [Acrobat Assistant 8.0] :"C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

O4 - HKLM\..\Run: [Adobe ARM] :"C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui

O4 - HKLM\..\Run: [Grid Service] "C:\Program Files\GridService\peer.exe" -n Grid

O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [DUTools] C:\Program Files\NamiRobot\DUTool.exe

O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\AxAutoMntSrv.exe" -automount

O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')

O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL

O9 - Extra button: ATLAS Translation - {B7707A72-4355-11D4-82BD-00000EBBEF8D} - C:\Program Files\ATLAS V11\Atlscript.html (file missing)

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab

O16 - DPF: {A22B8FD2-4CAA-4EFB-82F7-680CD656D9B0} (NowStarter Control) - http://www.gogobox.com.tw/neo.fld/GNowStarter.cab

O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: StarWind AE Service (StarWindServiceAE) - StarWind Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe (file missing)

O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--

End of file - 9627 bytes

Error Signature:

AppName: mbam.exe

AppVer: 1.46.0.1

ModName: mbam.dll

ModVer: 1.46.0.0

Offset: 0001fffe

Here is the technical information from the error:

<?xml version="1.0" encoding="UTF-16"?>

<DATABASE>

<EXE NAME="mbam.exe" FILTER="GRABMI_FILTER_PRIVACY">

<MATCHING_FILE NAME="mbam.dll" SIZE="350544" CHECKSUM="0xCBD2378B" BIN_FILE_VERSION="1.46.0.0" BIN_PRODUCT_VERSION="1.46.0.0" PRODUCT_VERSION="1.46.0.0000" FILE_DESCRIPTION="Malwarebytes' Anti-Malware" COMPANY_NAME="Malwarebytes Corporation" PRODUCT_NAME="Malwarebytes' Anti-Malware" FILE_VERSION="1.46.0.0000" ORIGINAL_FILENAME="mbam.dll" INTERNAL_NAME="mbam.dll" LEGAL_COPYRIGHT="

DrWatson Postmortem Debugger also crashes...

Error Signature

EventType: BEX

P1: drwtsn32.exe

P2: 5.1.2600.0

P3: 3b7d84a2

P4: dbghelp.dll

P5: 5.1.2600.5512

P6: 4802a0b2

P7: 0001295d

P8: c0000409

P9: 00000000

Technical information about error report

<?xml version="1.0" encoding="UTF-16"?>

<DATABASE>

<EXE NAME="SYSTEM INFO" FILTER="GRABMI_FILTER_SYSTEM">

<MATCHING_FILE NAME="advapi32.dll" SIZE="617472" CHECKSUM="0xA0887D0D" BIN_FILE_VERSION="5.1.2600.5755" BIN_PRODUCT_VERSION="5.1.2600.5755" PRODUCT_VERSION="5.1.2600.5755" FILE_DESCRIPTION="Advanced Windows 32 Base API" COMPANY_NAME="Microsoft Corporation" PRODUCT_NAME="Microsoft

Hi,

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Here is a guide on how to disable them:
    Click me
    If you can't disable them, then just continue on.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[image: RcAuto1.gif]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image: whatnext.png]

Click on Yes to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

ComboFix log. Thank you in advance for your assistance.

ComboFix 10-09-07.01 - KP 07/09/2010 21:11:16.1.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.932.81.1033.18.2038.1477 [GMT -4:00]

Running from: c:\documents and settings\KP\Desktop\ComboFix.exe

AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\recycler\k-1-3542-4232123213-7676767-8888886

c:\windows\system32\player.dll

.

((((((((((((((((((((((((( Files Created from 2010-08-08 to 2010-09-08 )))))))))))))))))))))))))))))))

.

2010-09-04 23:23 . 2010-09-04 23:23 -------- d-----w- c:\program files\Microsoft Security Essentials

2010-09-04 14:24 . 2010-09-04 14:24 -------- d-----w- c:\program files\Trend Micro

2010-09-04 13:18 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-09-04 13:18 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-09-04 13:18 . 2010-09-04 21:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-08-28 12:38 . 2010-09-05 01:38 -------- d-----w- c:\documents and settings\KP\Application Data\QuickScan

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-08 01:25 . 2010-09-08 01:25 117660 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2010_09_07_21_17_19_small.dmp.zip

2010-09-08 01:17 . 2010-09-08 01:20 5046272 ----a-w- c:\windows\Internet Logs\xDB12.tmp

2010-09-07 15:12 . 2010-06-29 22:37 38848 ----a-w- c:\windows\avastSS.scr

2010-09-07 15:11 . 2010-06-26 23:37 167592 ----a-w- c:\windows\system32\aswBoot.exe

2010-09-07 14:52 . 2010-06-26 23:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2010-09-07 14:52 . 2010-06-26 23:37 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys

2010-09-07 14:47 . 2010-06-26 23:37 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2010-09-07 14:47 . 2010-06-26 23:37 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2010-09-07 14:47 . 2010-06-26 23:37 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys

2010-09-07 14:47 . 2010-06-26 23:37 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2010-09-07 14:46 . 2010-06-26 23:37 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2010-09-05 17:11 . 2008-08-19 23:31 -------- d-----w- c:\documents and settings\KP\Application Data\uTorrent

2010-09-04 14:31 . 2008-01-28 01:28 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-09-04 03:10 . 2010-03-21 01:37 188152 ----a-w- c:\documents and settings\KP\Application Data\Mozilla\Firefox\Profiles\k4ieavln.default\FlashGot.exe

2010-08-30 23:44 . 2007-11-06 22:42 31224261 ----a-w- c:\windows\Internet Logs\tvDebug.Zip

2010-08-28 12:09 . 2010-06-16 00:43 -------- d-----w- c:\documents and settings\KP\Application Data\Abine

2010-08-25 20:25 . 2010-08-31 12:52 614544 ----a-w- c:\documents and settings\KP\Application Data\Mozilla\Firefox\Profiles\k4ieavln.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll

2010-08-25 20:25 . 2010-08-31 12:52 314816 ----a-w- c:\documents and settings\KP\Application Data\Mozilla\Firefox\Profiles\k4ieavln.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll

2010-08-14 02:32 . 2007-07-10 19:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-07-19 02:41 . 2007-07-10 21:24 900 --sha-w- c:\windows\system32\KGyGaAvL.sys

2010-06-30 12:31 . 2008-09-17 03:20 149504 ----a-w- c:\windows\system32\schannel.dll

2010-06-29 03:04 . 2007-07-10 17:10 691696 ----a-w- c:\windows\system32\drivers\sptd.sys

2010-06-26 02:39 . 2007-07-07 05:24 4212 ---ha-w- c:\windows\system32\zllictbl.dat

2010-06-24 12:10 . 2004-08-10 17:51 667136 ----a-w- c:\windows\system32\wininet.dll

2010-06-24 12:10 . 2004-08-10 17:51 81920 ----a-w- c:\windows\system32\ieencode.dll

2010-06-23 17:51 . 2008-12-05 15:54 1238528 ----a-w- c:\windows\system32\zpeng25.dll

2010-06-23 17:51 . 2007-07-07 05:22 103936 ----a-w- c:\windows\system32\zlcommdb.dll

2010-06-23 17:51 . 2007-07-07 05:22 69120 ----a-w- c:\windows\system32\zlcomm.dll

2010-06-23 13:44 . 2008-09-17 03:19 1851904 ----a-w- c:\windows\system32\win32k.sys

2010-06-21 15:27 . 2008-09-17 03:19 354304 ----a-w- c:\windows\system32\drivers\srv.sys

2010-06-17 14:03 . 2004-08-10 17:51 80384 ----a-w- c:\windows\system32\iccvid.dll

2010-06-14 14:31 . 2004-08-10 18:02 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe

2010-06-14 07:41 . 2004-08-10 17:51 1172480 ----a-w- c:\windows\system32\msxml3.dll

2006-05-03 09:06 . 2009-11-01 01:50 163328 --sh--r- c:\windows\system32\flvDX.dll

2007-02-21 10:47 . 2009-11-01 01:50 31232 --sh--r- c:\windows\system32\msfDX.dll

2008-03-16 12:30 . 2009-11-01 01:50 216064 --sh--r- c:\windows\system32\nbDX.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\AxAutoMntSrv.exe" [2009-11-15 33120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-22 1392640]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]

"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]

"Grid Service"="c:\program files\GridService\peer.exe" [2008-12-30 4993024]

"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-06-01 1093208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\GridService\\peer.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [26/06/2010 7:37 PM 165584]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [26/06/2010 7:37 PM 17744]

R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [31/01/2010 10:11 PM 27632]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [04/09/2010 9:18 AM 38224]

S3 s1018bus;Sony Ericsson Device 1018 driver (WDM);c:\windows\system32\drivers\s1018bus.sys [25/04/2009 3:18 PM 86824]

S3 s1018mdfl;Sony Ericsson Device 1018 USB WMC Modem Filter;c:\windows\system32\drivers\s1018mdfl.sys [25/04/2009 3:18 PM 15016]

S3 s1018mdm;Sony Ericsson Device 1018 USB WMC Modem Driver;c:\windows\system32\drivers\s1018mdm.sys [25/04/2009 3:18 PM 114728]

S3 s1018mgmt;Sony Ericsson Device 1018 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s1018mgmt.sys [25/04/2009 3:18 PM 106208]

S3 s1018nd5;Sony Ericsson Device 1018 USB Ethernet Emulation (NDIS);c:\windows\system32\drivers\s1018nd5.sys [25/04/2009 3:18 PM 26024]

S3 s1018obex;Sony Ericsson Device 1018 USB WMC OBEX Interface;c:\windows\system32\drivers\s1018obex.sys [25/04/2009 3:18 PM 104744]

S3 s1018unic;Sony Ericsson Device 1018 USB Ethernet Emulation (WDM);c:\windows\system32\drivers\s1018unic.sys [25/04/2009 3:18 PM 109864]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10/07/2007 1:10 PM 691696]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC}]

2008-06-18 20:04 8192 ----a-w- c:\program files\PixiePack Codec Pack\InstallerHelper.exe

.

Contents of the 'Scheduled Tasks' folder

2010-09-08 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 01:40]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

mStart Page = hxxp://www.dell.com

uInternet Settings,ProxyServer = 221.249.144.93:8080

uInternet Settings,ProxyOverride = <local>

IE: &U????????? - c:\program files\NamiRobot\Data\du.html

IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Download all by Net Transport - c:\program files\Xi\NetTransport 2\NTAddList.html

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000

DPF: {A22B8FD2-4CAA-4EFB-82F7-680CD656D9B0} - hxxp://www.gogobox.com.tw/neo.fld/GNowStarter.cab

FF - ProfilePath - c:\documents and settings\KP\Application Data\Mozilla\Firefox\Profiles\k4ieavln.default\

FF - prefs.js: network.proxy.type - 0

FF - component: c:\documents and settings\KP\Application Data\Mozilla\Firefox\Profiles\k4ieavln.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll

FF - plugin: c:\documents and settings\KP\Application Data\Facebook\npfbplugin_1_0_3.dll

FF - plugin: c:\documents and settings\KP\Application Data\Mozilla\Firefox\Profiles\k4ieavln.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npitunes.dll

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-DUTools - c:\program files\NamiRobot\DUTool.exe

HKLM-Run-ISUSPM Startup - c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

HKLM-Run-ISUSScheduler - c:\program files\Common Files\InstallShield\UpdateService\issch.exe

HKLM-Run-Acrobat Assistant 8.0 - :c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

HKLM-Run-Adobe ARM - :c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

Notify-NavLogon - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-09-07 21:24

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3167156323-3181252117-403219770-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*D*I*A*fg?\OpenWithList]

@Class="Shell"

[HKEY_USERS\S-1-5-21-3167156323-3181252117-403219770-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*r*a*r**0*0*0\OpenWithList]

@Class="Shell"

"a"="firefox.exe"

"MRUList"="a"

[HKEY_USERS\S-1-5-21-3167156323-3181252117-403219770-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*b!]

@Class="Shell"

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-3167156323-3181252117-403219770-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*b!\OpenWithList]

@Class="Shell"

"a"="firefox.exe"

"MRUList"="a"

[HKEY_USERS\S-1-5-21-3167156323-3181252117-403219770-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*^?]

@Class="Shell"

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-3167156323-3181252117-403219770-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*^?\OpenWithList]

@Class="Shell"

"a"="firefox.exe"

"MRUList"="a"

[HKEY_USERS\S-1-5-21-3167156323-3181252117-403219770-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*?EN?Oey*Y]

@Class="Shell"

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-3167156323-3181252117-403219770-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*?EN?Oey*Y\OpenWithList]

@Class="Shell"

"a"="firefox.exe"

"MRUList"="a"

[HKEY_USERS\S-1-5-21-3167156323-3181252117-403219770-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*:~??g~6T?*"?N???0?|??m*p*3*\OpenWithList]

@Class="Shell"

[HKEY_USERS\S-1-5-21-3167156323-3181252117-403219770-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*:~4fL?g~????T?g~??*?aSk]~{?v?a????o?a?]~

^?g~d?]~;S?g~6T????2~?m*p*3*\OpenWithList]

@Class="Shell"

[HKEY_USERS\S-1-5-21-3167156323-3181252117-403219770-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*:~4fL?g~????T?g~??*?a?]~{???T?????N

Link to post
Share on other sites

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3167156323-3181252117-403219770-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*D*I*A*fg?\OpenWithList]

@Class="Shell"

[HKEY_USERS\S-1-5-21-3167156323-3181252117-403219770-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*r*a*r**0*0*0\OpenWithList]

@Class="Shell"

"a"="firefox.exe"

"MRUList"="a"

[HKEY_USERS\S-1-5-21-3167156323-3181252117-403219770-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*b!]

@Class="Shell"

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-3167156323-3181252117-403219770-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*b!\OpenWithList]

@Class="Shell"

"a"="firefox.exe"

"MRUList"="a"

[HKEY_USERS\S-1-5-21-3167156323-3181252117-403219770-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*^?]

@Class="Shell"

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-3167156323-3181252117-403219770-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*^?\OpenWithList]

@Class="Shell"

"a"="firefox.exe"

"MRUList"="a"

[HKEY_USERS\S-1-5-21-3167156323-3181252117-403219770-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*?EN?Oey*Y]

@Class="Shell"

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-3167156323-3181252117-403219770-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*?EN?Oey*Y\OpenWithList]

@Class="Shell"

"a"="firefox.exe"

"MRUList"="a"

[HKEY_USERS\S-1-5-21-3167156323-3181252117-403219770-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*:~??g~6T?*"?N???0?|??m*p*3*\OpenWithList]

@Class="Shell"

[HKEY_USERS\S-1-5-21-3167156323-3181252117-403219770-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*:~4fL?g~????T?g~??*?aSk]~{?v?a????o?a?]~

^?g~d?]~;S?g~6T????2~?m*p*3*\OpenWithList]

@Class="Shell"

[HKEY_USERS\S-1-5-21-3167156323-3181252117-403219770-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*:~4fL?g~????T?g~??*?a?]~{???T?????N

Link to post
Share on other sites

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3167156323-3181252117-403219770-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*D*I*A*fg?\OpenWithList]

@Class="Shell"

[HKEY_USERS\S-1-5-21-3167156323-3181252117-403219770-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*r*a*r**0*0*0\OpenWithList]

@Class="Shell"

"a"="firefox.exe"

"MRUList"="a"

[HKEY_USERS\S-1-5-21-3167156323-3181252117-403219770-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*b!]

@Class="Shell"

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-3167156323-3181252117-403219770-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*b!\OpenWithList]

@Class="Shell"

"a"="firefox.exe"

"MRUList"="a"

[HKEY_USERS\S-1-5-21-3167156323-3181252117-403219770-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*^?]

@Class="Shell"

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-3167156323-3181252117-403219770-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*^?\OpenWithList]

@Class="Shell"

"a"="firefox.exe"

"MRUList"="a"

[HKEY_USERS\S-1-5-21-3167156323-3181252117-403219770-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*?EN?Oey*Y]

@Class="Shell"

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-3167156323-3181252117-403219770-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*?EN?Oey*Y\OpenWithList]

@Class="Shell"

"a"="firefox.exe"

"MRUList"="a"

[HKEY_USERS\S-1-5-21-3167156323-3181252117-403219770-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*:~??g~6T?*"?N???0?|??m*p*3*\OpenWithList]

@Class="Shell"

[HKEY_USERS\S-1-5-21-3167156323-3181252117-403219770-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*:~4fL?g~????T?g~??*?aSk]~{?v?a????o?a?]~

^?g~d?]~;S?g~6T????2~?m*p*3*\OpenWithList]

@Class="Shell"

[HKEY_USERS\S-1-5-21-3167156323-3181252117-403219770-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*:~4fL?g~????T?g~??*?a?]~{???T?????N


Hi,

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

DDS::
uInternet Settings,ProxyServer = 221.249.144.93:8080

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Hi,

Please do not attach your logs as it is harder for me to read them that way. Post them instead:

ComboFix 10-09-08.01 - KP 08/09/2010 23:24:13.3.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.932.81.1033.18.2038.1216 [GMT -4:00]

Running from: c:\documents and settings\KP\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\KP\Desktop\CFScript.txt

AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

.

((((((((((((((((((((((((( Files Created from 2010-08-09 to 2010-09-09 )))))))))))))))))))))))))))))))

.

2010-09-08 02:14 . 2010-09-08 02:14 -------- d-----w- C:\ubuntu

2010-09-04 23:23 . 2010-09-04 23:23 -------- d-----w- c:\program files\Microsoft Security Essentials

2010-09-04 13:18 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-09-04 13:18 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-09-04 13:18 . 2010-09-04 21:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-08-28 12:38 . 2010-09-05 01:38 -------- d-----w- c:\documents and settings\KP\Application Data\QuickScan

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-08 12:34 . 2010-03-21 01:37 188152 ----a-w- c:\documents and settings\KP\Application Data\Mozilla\Firefox\Profiles\k4ieavln.default\FlashGot.exe

2010-09-08 01:25 . 2010-09-08 01:25 117660 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2010_09_07_21_17_19_small.dmp.zip

2010-09-08 01:17 . 2010-09-08 01:20 5046272 ----a-w- c:\windows\Internet Logs\xDB12.tmp

2010-09-07 15:12 . 2010-06-29 22:37 38848 ----a-w- c:\windows\avastSS.scr

2010-09-07 15:11 . 2010-06-26 23:37 167592 ----a-w- c:\windows\system32\aswBoot.exe

2010-09-07 14:52 . 2010-06-26 23:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2010-09-07 14:52 . 2010-06-26 23:37 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys

2010-09-07 14:47 . 2010-06-26 23:37 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2010-09-07 14:47 . 2010-06-26 23:37 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2010-09-07 14:47 . 2010-06-26 23:37 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys

2010-09-07 14:47 . 2010-06-26 23:37 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2010-09-07 14:46 . 2010-06-26 23:37 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2010-09-05 17:11 . 2008-08-19 23:31 -------- d-----w- c:\documents and settings\KP\Application Data\uTorrent

2010-09-04 14:31 . 2008-01-28 01:28 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-08-30 23:44 . 2007-11-06 22:42 31224261 ----a-w- c:\windows\Internet Logs\tvDebug.Zip

2010-08-28 12:09 . 2010-06-16 00:43 -------- d-----w- c:\documents and settings\KP\Application Data\Abine

2010-08-14 02:32 . 2007-07-10 19:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-07-19 02:41 . 2007-07-10 21:24 900 --sha-w- c:\windows\system32\KGyGaAvL.sys

2010-06-30 12:31 . 2008-09-17 03:20 149504 ----a-w- c:\windows\system32\schannel.dll

2010-06-29 03:04 . 2007-07-10 17:10 691696 ----a-w- c:\windows\system32\drivers\sptd.sys

2010-06-26 02:39 . 2007-07-07 05:24 4212 ---ha-w- c:\windows\system32\zllictbl.dat

2010-06-24 12:10 . 2004-08-10 17:51 667136 ----a-w- c:\windows\system32\wininet.dll

2010-06-24 12:10 . 2004-08-10 17:51 81920 ----a-w- c:\windows\system32\ieencode.dll

2010-06-23 17:51 . 2008-12-05 15:54 1238528 ----a-w- c:\windows\system32\zpeng25.dll

2010-06-23 17:51 . 2007-07-07 05:22 103936 ----a-w- c:\windows\system32\zlcommdb.dll

2010-06-23 17:51 . 2007-07-07 05:22 69120 ----a-w- c:\windows\system32\zlcomm.dll

2010-06-23 13:44 . 2008-09-17 03:19 1851904 ----a-w- c:\windows\system32\win32k.sys

2010-06-21 15:27 . 2008-09-17 03:19 354304 ----a-w- c:\windows\system32\drivers\srv.sys

2010-06-17 14:03 . 2004-08-10 17:51 80384 ----a-w- c:\windows\system32\iccvid.dll

2010-06-14 14:31 . 2004-08-10 18:02 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe

2010-06-14 07:41 . 2004-08-10 17:51 1172480 ----a-w- c:\windows\system32\msxml3.dll

2006-05-03 09:06 . 2009-11-01 01:50 163328 --sh--r- c:\windows\system32\flvDX.dll

2007-02-21 10:47 . 2009-11-01 01:50 31232 --sh--r- c:\windows\system32\msfDX.dll

2008-03-16 12:30 . 2009-11-01 01:50 216064 --sh--r- c:\windows\system32\nbDX.dll

.

((((((((((((((((((((((((((((( SnapShot@2010-09-09_02.51.38 )))))))))))))))))))))))))))))))))))))))))

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-22 1392640]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]

"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]

"Grid Service"="c:\program files\GridService\peer.exe" [2008-12-30 4993024]

"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-06-01 1093208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\GridService\\peer.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [26/06/2010 7:37 PM 165584]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [26/06/2010 7:37 PM 17744]

R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [31/01/2010 10:11 PM 27632]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [04/09/2010 9:18 AM 38224]

S3 s1018bus;Sony Ericsson Device 1018 driver (WDM);c:\windows\system32\drivers\s1018bus.sys [25/04/2009 3:18 PM 86824]

S3 s1018mdfl;Sony Ericsson Device 1018 USB WMC Modem Filter;c:\windows\system32\drivers\s1018mdfl.sys [25/04/2009 3:18 PM 15016]

S3 s1018mdm;Sony Ericsson Device 1018 USB WMC Modem Driver;c:\windows\system32\drivers\s1018mdm.sys [25/04/2009 3:18 PM 114728]

S3 s1018mgmt;Sony Ericsson Device 1018 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s1018mgmt.sys [25/04/2009 3:18 PM 106208]

S3 s1018nd5;Sony Ericsson Device 1018 USB Ethernet Emulation (NDIS);c:\windows\system32\drivers\s1018nd5.sys [25/04/2009 3:18 PM 26024]

S3 s1018obex;Sony Ericsson Device 1018 USB WMC OBEX Interface;c:\windows\system32\drivers\s1018obex.sys [25/04/2009 3:18 PM 104744]

S3 s1018unic;Sony Ericsson Device 1018 USB Ethernet Emulation (WDM);c:\windows\system32\drivers\s1018unic.sys [25/04/2009 3:18 PM 109864]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10/07/2007 1:10 PM 691696]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC}]

2008-06-18 20:04 8192 ----a-w- c:\program files\PixiePack Codec Pack\InstallerHelper.exe

.

Contents of the 'Scheduled Tasks' folder

2010-09-09 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 01:40]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

mStart Page = hxxp://www.dell.com

uInternet Settings,ProxyOverride = <local>

IE: &U

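The CFScript above removes a single setting, the per-user IE proxy (`uInternet Settings,ProxyServer`) pointing at a public address, and the ComboFix log that follows shows the "Supplementary Scan" section where DDS-style logs record it. The script below is an added example, not code from this thread, ComboFix or DDS: it parses those `uInternet Settings,...` / `mInternet Settings,...` lines from a log and flags any ProxyServer entry that routes the browser through a host outside loopback, private or link-local ranges, which is the indicator the helper acted on here. The sample log fragment is constructed to mirror the lines posted in this thread; the function names and the `u` = HKCU / `m` = HKLM mapping are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample: mirrors the "Supplementary Scan" section of the ComboFix
# log posted in this thread. The ProxyServer value is the one the CFScript removes.
SAMPLE_LOG = """\
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://www.dell.com
uInternet Settings,ProxyServer = 221.249.144.93:8080
uInternet Settings,ProxyOverride = <local>
"""

# Assumed mapping: DDS/ComboFix prefix the key with "u" (per-user, HKCU)
# or "m" (machine-wide, HKLM).
HIVE = {"u": "HKCU", "m": "HKLM"}
LINE_RE = re.compile(r"^(?P<hive>[um])Internet Settings,(?P<name>\w+)\s*=\s*(?P<value>.*)$")


def parse_internet_settings(text):
    """Collect 'Internet Settings' entries from a log as {(hive, name): value}."""
    entries = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries[(HIVE[m.group("hive")], m.group("name"))] = m.group("value").strip()
    return entries


def split_proxy_value(value):
    """Yield (scheme, host, port) from 'host:port' or 'http=host:port;https=host:port'."""
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, sep, hostport = part.partition("=")
        if not sep:                      # no per-scheme prefix: applies to all
            scheme, hostport = "*", part
        host, sep, port = hostport.rpartition(":")
        if not sep:                      # no port given
            host, port = hostport, ""
        yield scheme, host, port


def is_local_host(host):
    """True for loopback, private (RFC 1918) or link-local addresses, or 'localhost'."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:                   # a hostname rather than a literal IP
        return host.lower() == "localhost"
    return ip.is_loopback or ip.is_private or ip.is_link_local


def assess_proxy(entries):
    """Flag ProxyServer values that send browser traffic to a public host."""
    findings = []
    for (hive, name), value in entries.items():
        if name != "ProxyServer":
            continue
        for scheme, host, port in split_proxy_value(value):
            if host and not is_local_host(host):
                findings.append({"hive": hive, "scheme": scheme, "host": host, "port": port})
    return findings


if __name__ == "__main__":
    for f in assess_proxy(parse_internet_settings(SAMPLE_LOG)):
        print(f"suspicious proxy in {f['hive']}: {f['scheme']} -> {f['host']}:{f['port']}")
```

A proxy set to a public address by something other than the user or the organisation's policy means every HTTP request (and, with `ProxyOverride = <local>`, everything except intranet names) is being relayed through that host, so the value is worth checking in any such log before the rest of the report; a corporate proxy on a private range is deliberately not flagged.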

Hi,

Download TFC to your desktop

  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Start Malwarebytes' Anti-Malware

  • Once the program has loaded, click the "Update" tab and click the "Check For updates" button.
  • Once the updates have been downloaded, click the "Scanner" tab, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I'd like us to scan your machine with ESET OnlineScan

  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the esetOnline.png button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

    1. Click on esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the esetSmartInstallDesktopIcon.png icon on your desktop.

    3. Check esetAcceptTerms.png
    4. Click the esetStart.png button.
    5. Accept any security warnings from your browser.
    6. Check esetScanArchives.png
    7. Push the Start button.
    8. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    9. When the scan completes, push esetListThreats.png
    10. Push esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    11. Push the esetBack.png button.
    12. Push esetFinish.png


  • 3 weeks later...

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
