
Right click by mistake .. Rogue ...



Guest name cool

This problem still exists. I doubt that this Trojan is dangerous, as all protection programs (spyware, anti-virus, and so on) cannot detect this threat!

Malwarebytes' Anti-Malware 1.50

www.malwarebytes.org

Database version: 5358

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

12/20/2010 12:04:46 AM

mbam-log-2010-12-20 (00-04-46).txt

Scan type: Full scan (C:\|)

Objects scanned: 181498

Time elapsed: 37 minute(s), 0 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 1

Files Infected: 9

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

c:\program files\AV8 (Rogue.Antivirus8) -> Quarantined and deleted successfully.

Files Infected:

c:\documents and settings\BTC User\Desktop\FLVPro.exe (Adware.FLVPlayer) -> Quarantined and deleted successfully.

c:\documents and settings\BTC User\Desktop\FLVTube.exe (Adware.FlvTube) -> Quarantined and deleted successfully.

c:\documents and settings\BTC User\Desktop\inst.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\documents and settings\BTC User\Desktop\seq_2013_mrt8.exe (Rogue.Installer) -> Quarantined and deleted successfully.

c:\documents and settings\BTC User\Desktop\whitesmokewritergeo5002_en.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

c:\documents and settings\BTC User\Desktop\xvidsetup.exe (Adware.Hotbar) -> Quarantined and deleted successfully.

c:\documents and settings\BTC User\Desktop\cursormania.exe (PUP.FunWebProducts) -> Quarantined and deleted successfully.

c:\system volume information\_restore{e51f7c19-f95a-4352-9ed8-115939114f3c}\RP2\A0001136.exe (Trojan.GBFE) -> Quarantined and deleted successfully.

c:\program files\AV8\av8.exe.tmp1 (Rogue.Antivirus8) -> Quarantined and deleted successfully.


Guest name cool

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-11-27.01)

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 10/20/2010 7:35:23 PM

System Uptime: 12/20/2010 1:42:26 AM (5 hours ago)

Motherboard: Hewlett-Packard | | 30D5

Processor: Intel® Celeron® M CPU 440 @ 1.86GHz | U10 | 1862/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 33 GiB total, 25.654 GiB free.

D: is FIXED (NTFS) - 41 GiB total, 38.222 GiB free.

E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 12/17/2010 9:16:33 PM - System Checkpoint

RP2: 12/18/2010 9:23:57 PM - System Checkpoint

RP3: 12/20/2010 2:31:37 AM - System Checkpoint

==== Installed Programs ======================

???? ??? Windows Live

???? ??????? ?? Windows Live

???? ??????? Windows Live Upload Tool

???? Windows Live

????? ????? ?????? ??? Windows Live

Adobe Flash Player 10 ActiveX

ALTools Update

ALZip

Broadcom 802.11 Wireless LAN Adapter

Capture&Send

CCleaner

Conexant HD Audio

ESET Online Scanner v3

Final Uninstaller

HDAUDIO Soft Data Fax Modem with SmartCP

HijackThis 2.0.2

HiYo

HiYo

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows Media Format 11 SDK (KB929399)

Hotfix for Windows Media Player 11 (KB939683)

Hotfix for Windows XP (KB2158563)

Hotfix for Windows XP (KB2443685)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB954550-v5)

Hotfix for Windows XP (KB954708)

Hotfix for Windows XP (KB961118)

Hotfix for Windows XP (KB981793)

Hotspot Shield 1.56

HP Product Detection

iMesh

Intel® Graphics Media Accelerator Driver

Intel® PRO Network Connections Drivers

IrfanView (remove only)

Java Auto Updater

Java 6 Update 22

Junk Mail filter update

Kaspersky Internet Security 2011

Malwarebytes' Anti-Malware

Masterra PostSmile 7.0

Messenger Plus! Live

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft Application Error Reporting

Microsoft Choice Guard

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft SQL Server 2005 Compact Edition [ENU]

Microsoft User-Mode Driver Framework Feature Pack 1.0

Mozilla Firefox (3.6.12)

MSVCRT

RealNetworks - Microsoft Visual C++ 2008 Runtime

RealPlayer

RealUpgrade 1.1

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)

Security Update for Windows Internet Explorer 8 (KB2360131)

Security Update for Windows Internet Explorer 8 (KB2416400)

Security Update for Windows Internet Explorer 8 (KB971961)

Security Update for Windows Internet Explorer 8 (KB981332)

Security Update for Windows Internet Explorer 8 (KB982381)

Security Update for Windows Media Player (KB2378111)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player (KB975558)

Security Update for Windows Media Player (KB978695)

Security Update for Windows Media Player (KB979402)

Security Update for Windows Media Player 11 (KB954154)

Security Update for Windows XP (KB2079403)

Security Update for Windows XP (KB2115168)

Security Update for Windows XP (KB2121546)

Security Update for Windows XP (KB2229593)

Security Update for Windows XP (KB2259922)

Security Update for Windows XP (KB2279986)

Security Update for Windows XP (KB2286198)

Security Update for Windows XP (KB2296011)

Security Update for Windows XP (KB2296199)

Security Update for Windows XP (KB2347290)

Security Update for Windows XP (KB2360937)

Security Update for Windows XP (KB2387149)

Security Update for Windows XP (KB2423089)

Security Update for Windows XP (KB2436673)

Security Update for Windows XP (KB2440591)

Security Update for Windows XP (KB2443105)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958869)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB971468)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975561)

Security Update for Windows XP (KB975562)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB977816)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978037)

Security Update for Windows XP (KB978338)

Security Update for Windows XP (KB978542)

Security Update for Windows XP (KB978601)

Security Update for Windows XP (KB978706)

Security Update for Windows XP (KB979309)

Security Update for Windows XP (KB979482)

Security Update for Windows XP (KB979559)

Security Update for Windows XP (KB979683)

Security Update for Windows XP (KB979687)

Security Update for Windows XP (KB980195)

Security Update for Windows XP (KB980218)

Security Update for Windows XP (KB980232)

Security Update for Windows XP (KB980436)

Security Update for Windows XP (KB981322)

Security Update for Windows XP (KB981852)

Security Update for Windows XP (KB981957)

Security Update for Windows XP (KB981997)

Security Update for Windows XP (KB982132)

Security Update for Windows XP (KB982214)

Security Update for Windows XP (KB982381)

Security Update for Windows XP (KB982665)

Segoe UI

SUPERAntiSpyware

TuneUp Utilities 2011

TuneUp Utilities Language Pack (en-US)

UltraSnap PRO 3.0

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Windows Internet Explorer 8 (KB976662)

Update for Windows XP (KB2141007)

Update for Windows XP (KB2345886)

Update for Windows XP (KB2467659)

Update for Windows XP (KB951978)

Update for Windows XP (KB955759)

Update for Windows XP (KB961503)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB971737)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

WebFldrs XP

Windows Genuine Advantage Notifications (KB905474)

Windows Genuine Advantage Validation Tool (KB892130)

Windows Internet Explorer 8

Windows Live Communications Platform

Windows Live Essentials

Windows Live Messenger

Windows Live Writer

Windows Media Format 11 runtime

Windows Media Player 11

Windows XP Service Pack 3

==== Event Viewer Messages From Past Week ========

12/20/2010 12:07:25 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.

12/19/2010 8:29:05 PM, error: Dhcp [1002] - The IP address lease 192.168.1.64 for the Network Card with network address 001A73D3A0B4 has been denied by the DHCP server 192.168.1.254 (The DHCP Server sent a DHCPNACK message).

12/19/2010 3:37:33 AM, error: Service Control Manager [7006] - The ScRegSetValueExW call failed for Type with the following error: Access is denied.

12/18/2010 6:23:08 AM, error: Dhcp [1002] - The IP address lease 10.79.72.17 for the Network Card with network address 00FF14F7D2A9 has been denied by the DHCP server 10.72.71.254 (The DHCP Server sent a DHCPNACK message).

12/18/2010 10:35:41 AM, error: Dhcp [1002] - The IP address lease 10.72.64.40 for the Network Card with network address 00FF14F7D2A9 has been denied by the DHCP server 10.73.103.254 (The DHCP Server sent a DHCPNACK message).

12/18/2010 1:16:41 PM, error: Dhcp [1002] - The IP address lease 10.73.96.68 for the Network Card with network address 00FF14F7D2A9 has been denied by the DHCP server 10.68.71.254 (The DHCP Server sent a DHCPNACK message).

12/17/2010 4:30:37 PM, error: Service Control Manager [7000] - The SASDIFSV service failed to start due to the following error: Cannot create a file when that file already exists.

12/16/2010 1:13:16 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Kaspersky Anti-Virus Service service to connect.

12/16/2010 1:13:16 AM, error: Service Control Manager [7000] - The Kaspersky Anti-Virus Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

12/15/2010 6:11:03 AM, error: Dhcp [1002] - The IP address lease 10.79.120.6 for the Network Card with network address 00FF14F7D2A9 has been denied by the DHCP server 10.79.79.254 (The DHCP Server sent a DHCPNACK message).

12/15/2010 6:09:37 AM, error: Dhcp [1002] - The IP address lease 10.76.16.35 for the Network Card with network address 00FF14F7D2A9 has been denied by the DHCP server 10.79.127.254 (The DHCP Server sent a DHCPNACK message).

12/14/2010 9:33:01 AM, error: Dhcp [1002] - The IP address lease 10.41.0.72 for the Network Card with network address 00FF14F7D2A9 has been denied by the DHCP server 10.76.23.254 (The DHCP Server sent a DHCPNACK message).

12/14/2010 8:24:02 AM, error: Dhcp [1002] - The IP address lease 10.41.0.64 for the Network Card with network address 00FF14F7D2A9 has been denied by the DHCP server 10.41.7.254 (The DHCP Server sent a DHCPNACK message).

12/14/2010 8:05:06 AM, error: Dhcp [1002] - The IP address lease 10.74.96.7 for the Network Card with network address 00FF14F7D2A9 has been denied by the DHCP server 10.41.7.254 (The DHCP Server sent a DHCPNACK message).

12/14/2010 10:30:53 PM, error: Dhcp [1002] - The IP address lease 192.168.1.65 for the Network Card with network address 001A73D3A0B4 has been denied by the DHCP server 192.168.1.254 (The DHCP Server sent a DHCPNACK message).

12/13/2010 9:47:50 AM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC90.DebugCRT. Reference error message: The referenced assembly is not installed on your system. .

12/13/2010 9:47:50 AM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Real\RealPlayer\plugins\rmxrend.dll. Reference error message: The operation completed successfully. .

12/13/2010 9:47:50 AM, error: SideBySide [32] - Dependent Assembly Microsoft.VC90.DebugCRT could not be found and Last Error was The referenced assembly is not installed on your system.

12/13/2010 6:41:24 AM, error: Dhcp [1002] - The IP address lease 10.71.16.14 for the Network Card with network address 00FF14F7D2A9 has been denied by the DHCP server 10.74.119.254 (The DHCP Server sent a DHCPNACK message).

12/13/2010 10:41:43 AM, error: Dhcp [1002] - The IP address lease 10.74.112.4 for the Network Card with network address 00FF14F7D2A9 has been denied by the DHCP server 10.74.103.254 (The DHCP Server sent a DHCPNACK message).

==== End Of File ===========================

DDS (Ver_10-11-27.01) - NTFSx86

Run by BTC User at 6:20:35.15 on Mon 12/20/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.61 [GMT 3:00]

AV: Kaspersky Internet Security *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Hotspot Shield\bin\openvpnas.exe

C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe

C:\Program Files\Hotspot Shield\bin\hsswd.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\TuneUp Utilities 2011\TuneUpUtilitiesService32.exe

C:\Program Files\TuneUp Utilities 2011\TuneUpUtilitiesApp32.exe

C:\Program Files\Hotspot Shield\bin\openvpntray.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Program Files\Windows NT\Accessories\WORDPAD.EXE

C:\Documents and Settings\BTC User\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2011\avp.exe"

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

Notify: igfxcui - igfxdev.dll

Notify: klogon - c:\windows\system32\klogon.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\btcuse~1\applic~1\mozilla\firefox\profiles\3tmzhj1l.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=

FF - prefs.js: browser.search.selectedEngine - Hotspot Shield Private Search

FF - prefs.js: browser.startup.homepage - hxxp://search.hotspotshield.com/g/?c=h

FF - prefs.js: keyword.URL - hxxp://search.hotspotshield.com/g/results.php?c=s&q=

FF - prefs.js: network.proxy.type - 0

FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll

FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll

FF - component: c:\program files\mozilla firefox\extensions\afurladvisor@anchorfree.com\components\afurladvisor.dll

FF - component: c:\program files\mozilla firefox\extensions\kavantibanner@kaspersky.ru\components\abhelperxpcom.dll

FF - component: c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\kavlinkfilter.dll

FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll

FF - plugin: c:\documents and settings\btc user\application data\mozilla\plugins\np-mswmp.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Extension: Anti-Banner: KavAntiBanner@Kaspersky.ru - c:\program files\mozilla firefox\extensions\KavAntiBanner@Kaspersky.ru

FF - Extension: Kaspersky URL Advisor: linkfilter@kaspersky.ru - c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru

FF - Extension: afurladvisor: afurladvisor@anchorfree.com - c:\program files\mozilla firefox\extensions\afurladvisor@anchorfree.com

FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

FF - Extension: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\Ext

FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\docume~1\btcuse~1\applic~1\mozilla\firefox\profiles\3tmzhj1l.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}

============= SERVICES / DRIVERS ===============

R0 KL1;kl1;c:\windows\system32\drivers\kl1.sys [2010-6-9 132184]

R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys --> c:\windows\system32\drivers\pxscan.sys [?]

R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [2010-6-9 11352]

R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2010-12-7 475736]

R1 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys --> c:\windows\system32\drivers\pxrts.sys [?]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2010-11-9 54760]

R2 HssWd;Hotspot Shield Monitoring Service;c:\program files\hotspot shield\bin\hsswd.exe -product hss --> c:\program files\hotspot shield\bin\hsswd.exe -product HSS [?]

R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\tuneup utilities 2011\TuneUpUtilitiesService32.exe [2010-10-27 1483072]

R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2010-5-7 32856]

R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-11-2 19472]

R3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys --> c:\windows\system32\drivers\pxkbf.sys [?]

R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\tuneup utilities 2011\TuneUpUtilitiesDriver32.sys [2010-10-7 10064]

S2 AVP;Kaspersky Anti-Virus Service;c:\program files\kaspersky lab\kaspersky internet security 2011\avp.exe [2010-11-2 365336]

S2 CSIScanner;CSIScanner;"c:\program files\prevx\prevx.exe" /service --> c:\program files\prevx\prevx.exe [?]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-11-28 38224]

=============== Created Last 30 ================

2010-12-19 22:17:04 71880 ----a-w- c:\windows\system32\PxSecure.dll-216578

2010-12-19 21:15:12 -------- d-----w- C:\VundoFix Backups

2010-12-17 18:16:25 98816 ----a-w- c:\windows\sed.exe

2010-12-17 18:16:25 89088 ----a-w- c:\windows\MBR.exe

2010-12-17 18:16:25 256512 ----a-w- c:\windows\PEV.exe

2010-12-17 18:16:25 161792 ----a-w- c:\windows\SWREG.exe

2010-12-15 21:29:06 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys

2010-12-15 21:28:49 45568 -c----w- c:\windows\system32\dllcache\wab.exe

2010-12-11 07:54:53 -------- d-----w- c:\docume~1\alluse~1\applic~1\hssff

2010-12-10 08:55:44 11776 ----a-w- c:\program files\mozilla firefox\plugins\nprjplug.dll

2010-12-10 08:55:30 -------- d-----w- c:\program files\common files\xing shared

2010-12-10 08:55:15 151776 ----a-w- c:\program files\mozilla firefox\plugins\nppl3260.dll

2010-12-10 08:55:06 100352 ----a-w- c:\program files\mozilla firefox\plugins\nprpjplug.dll

2010-12-10 08:54:48 499712 ----a-w- c:\windows\system32\msvcp71.dll

2010-12-10 08:54:48 348160 ----a-w- c:\windows\system32\msvcr71.dll

2010-12-09 01:24:45 -------- d-----w- c:\program files\ESET

2010-12-07 05:32:59 506880 ----a-w- c:\program files\mozilla firefox\extensions\afurladvisor@anchorfree.com\components\afurladvisor.dll

2010-12-07 05:32:56 -------- d-----w- c:\program files\Hotspot Shield

2010-12-07 01:24:37 109240 ----a-w- c:\program files\mozilla firefox\extensions\kavantibanner@kaspersky.ru\components\abhelperxpcom.dll

2010-12-07 01:24:35 150200 ----a-w- c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\kavlinkfilter.dll

2010-12-07 01:24:14 97859 ----a-w- c:\windows\system32\drivers\klick.dat

2010-12-07 01:24:14 114243 ----a-w- c:\windows\system32\drivers\klin.dat

2010-12-07 01:22:34 -------- d-----w- c:\program files\Kaspersky Lab

2010-12-07 01:22:33 -------- d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab

2010-12-07 01:20:06 -------- d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files

2010-11-30 04:58:47 -------- d-----w- c:\docume~1\alluse~1\applic~1\Arovax

2010-11-30 04:53:23 -------- d-----w- C:\Hotspot Shield

2010-11-28 23:39:47 -------- d-----w- c:\program files\UltraSnapPRO

2010-11-28 00:10:50 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-11-28 00:10:47 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-11-28 00:10:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-11-26 03:52:09 -------- d-----w- c:\docume~1\btcuse~1\applic~1\GPass

2010-11-25 15:08:29 -------- d-----w- C:\CCProxy

2010-11-25 14:54:11 -------- d-----w- c:\docume~1\btcuse~1\applic~1\SmartHideIP

2010-11-25 14:54:11 -------- d-----w- c:\docume~1\alluse~1\applic~1\SmartHideIP

2010-11-24 02:22:21 809079 ----a-w- C:\FPsetup.exe

2010-11-24 00:38:36 -------- d-----w- c:\docume~1\btcuse~1\applic~1\SUPERAntiSpyware.com

2010-11-24 00:38:36 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com

2010-11-24 00:38:29 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-11-24 00:05:26 -------- d-sha-r- C:\cmdcons

2010-11-23 23:16:13 215920 ----a-w- c:\windows\system32\muweb.dll

2010-11-23 22:30:40 -------- d-----w- c:\program files\Trend Micro

2010-11-20 16:46:44 -------- d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro

2010-11-20 14:46:00 -------- d-----w- c:\program files\Absolutist_Games

==================== Find3M ====================

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll

2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll

2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec

2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-10-27 15:25:18 31552 ----a-w- c:\windows\system32\TURegOpt.exe

2010-10-27 15:21:08 29504 ----a-w- c:\windows\system32\uxtuneup.dll

2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys

2010-10-20 20:30:42 73728 ----a-w- c:\windows\system32\javacpl.cpl

2010-10-20 20:30:41 472808 ----a-w- c:\windows\system32\deployJava1.dll

2010-10-20 19:57:45 87328 ----a-w- c:\windows\system32\bcmwlcoi.dll

2010-10-05 17:27:04 228024 ----a-w- c:\windows\system32\klogon.dll

============= FINISH: 6:21:52.20 ===============


Guest name cool

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:26:59 AM, on 12/20/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Hotspot Shield\bin\openvpnas.exe

C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe

C:\Program Files\Hotspot Shield\bin\hsswd.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\TuneUp Utilities 2011\TuneUpUtilitiesService32.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\TuneUp Utilities 2011\TuneUpUtilitiesApp32.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Hotspot Shield\bin\openvpntray.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe"

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O23 - Service: Kaspersky Anti-Virus Service (AVP) - Kaspersky Lab ZAO - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe

O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe

O23 - Service: Hotspot Shield Routing Service (HssSrv) - AnchorFree Inc. - C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe

O23 - Service: Hotspot Shield Tray Service (HssTrayService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\HssTrayService.EXE

O23 - Service: Hotspot Shield Monitoring Service (HssWd) - Unknown owner - C:\Program Files\Hotspot Shield\bin\hsswd.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: TuneUp Utilities Service (TuneUp.UtilitiesSvc) - TuneUp Software - C:\Program Files\TuneUp Utilities 2011\TuneUpUtilitiesService32.exe

--

End of file - 2203 bytes


  • Staff

Hi,

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317


Guest name cool

Hi.

This application "Antivirus 8" was not detected by Malwarebytes' Anti-Malware in this setup. I ran the full scan a few days ago and could not remove it from the desktop. I think that there are infected registry entries, and files planted in the system.

And I will run ComboFix again. This is the report from a few days ago.

..

Malwarebytes' Anti-Malware 1.50

www.malwarebytes.org

Database version: 5363

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

12/21/2010 4:34:23 AM

mbam-log-2010-12-21 (04-34-23).txt

Scan type: Quick scan

Objects scanned: 131053

Time elapsed: 5 minute(s), 47 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 3

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\documents and settings\BTC User\Desktop\inst.exe (Rogue.SecurityTool) -> Quarantined and deleted successfully.

c:\documents and settings\BTC User\Desktop\xvidsetup.exe (Adware.Hotbar) -> Quarantined and deleted successfully.

c:\documents and settings\BTC User\local settings\temporary internet files\Content.IE5\5NR4UD3S\TFC[1].exe (Trojan.Dropper.PGen) -> Quarantined and deleted successfully.

......

ComboFix 10-12-16.05 - BTC User 12/17/2010 21:25:22.11.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.230 [GMT 3:00]

Running from: c:\documents and settings\BTC User\Desktop\ComboFix.exe

AV: Kaspersky Internet Security *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

FW: Kaspersky Internet Security *Disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\BTC User\Desktop\Improve Your PC.lnk

.

((((((((((((((((((((((((( Files Created from 2010-11-17 to 2010-12-17 )))))))))))))))))))))))))))))))

.

2010-12-15 21:29 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys

2010-12-15 21:28 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe

2010-12-11 07:54 . 2010-12-11 07:54 -------- d-----w- c:\documents and settings\All Users\Application Data\hssff

2010-12-10 08:55 . 2010-12-10 08:55 11776 ----a-w- c:\program files\Mozilla Firefox\plugins\nprjplug.dll

2010-12-10 08:55 . 2010-12-10 08:55 -------- d-----w- c:\program files\Common Files\xing shared

2010-12-10 08:55 . 2010-12-10 08:55 151776 ----a-w- c:\program files\Mozilla Firefox\plugins\nppl3260.dll

2010-12-10 08:55 . 2010-12-10 08:55 100352 ----a-w- c:\program files\Mozilla Firefox\plugins\nprpjplug.dll

2010-12-10 08:54 . 2010-12-10 08:54 499712 ----a-w- c:\windows\system32\msvcp71.dll

2010-12-10 08:54 . 2010-12-10 08:54 348160 ----a-w- c:\windows\system32\msvcr71.dll

2010-12-10 08:54 . 2010-12-10 08:55 -------- d-----w- c:\program files\Real

2010-12-09 01:24 . 2010-12-09 01:24 -------- d-----w- c:\program files\ESET

2010-12-07 05:32 . 2010-11-04 18:43 506880 ----a-w- c:\program files\Mozilla Firefox\extensions\afurladvisor@anchorfree.com\components\afurladvisor.dll

2010-12-07 05:32 . 2010-12-11 03:51 -------- d-----w- c:\program files\Hotspot Shield

2010-12-07 01:24 . 2010-10-05 17:26 109240 ----a-w- c:\program files\Mozilla Firefox\extensions\KavAntiBanner@Kaspersky.ru\components\abhelperxpcom.dll

2010-12-07 01:24 . 2010-10-05 17:27 150200 ----a-w- c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\kavlinkfilter.dll

2010-12-07 01:24 . 2010-12-09 12:16 97859 ----a-w- c:\windows\system32\drivers\klick.dat

2010-12-07 01:24 . 2010-12-09 12:16 114243 ----a-w- c:\windows\system32\drivers\klin.dat

2010-12-07 01:22 . 2010-12-07 01:22 -------- d-----w- c:\program files\Kaspersky Lab

2010-12-07 01:22 . 2010-12-17 18:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab

2010-12-07 01:20 . 2010-12-07 01:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files

2010-12-03 22:53 . 2010-12-03 22:53 -------- d-----w- c:\windows\system32\Macromed

2010-11-30 04:58 . 2010-11-30 04:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Arovax

2010-11-30 04:53 . 2010-12-07 05:33 -------- d-----w- C:\Hotspot Shield

2010-11-28 23:39 . 2010-11-28 23:39 -------- d-----w- c:\program files\UltraSnapPRO

2010-11-28 00:10 . 2010-11-29 14:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-11-28 00:10 . 2010-11-30 17:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-11-28 00:10 . 2010-11-29 14:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-11-26 03:52 . 2010-11-26 03:52 -------- d-----w- c:\documents and settings\BTC User\Application Data\GPass

2010-11-25 15:08 . 2010-12-03 05:26 -------- d-----w- C:\CCProxy

2010-11-25 14:54 . 2010-11-25 14:54 -------- d-----w- c:\documents and settings\BTC User\Application Data\SmartHideIP

2010-11-25 14:54 . 2010-11-25 14:54 -------- d-----w- c:\documents and settings\All Users\Application Data\SmartHideIP

2010-11-24 02:22 . 2010-11-24 02:22 809079 ----a-w- C:\FPsetup.exe

2010-11-24 00:38 . 2010-11-24 00:38 -------- d-----w- c:\documents and settings\BTC User\Application Data\SUPERAntiSpyware.com

2010-11-24 00:38 . 2010-11-24 00:38 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2010-11-24 00:38 . 2010-12-17 13:30 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-11-23 23:16 . 2009-08-06 16:23 215920 ----a-w- c:\windows\system32\muweb.dll

2010-11-23 22:30 . 2010-11-23 22:30 -------- d-----w- c:\program files\Trend Micro

2010-11-20 16:46 . 2010-11-20 16:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro

2010-11-20 14:46 . 2010-11-20 14:46 -------- d-----w- c:\program files\Absolutist_Games

2010-11-18 18:12 . 2010-11-18 18:12 81920 -c----w- c:\windows\system32\dllcache\isign32.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-11-18 18:12 . 2010-10-20 16:30 81920 ----a-w- c:\windows\system32\isign32.dll

2010-11-06 00:26 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-11-06 00:26 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-11-06 00:26 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-11-03 12:25 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec

2010-11-02 15:17 . 2004-08-04 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys

2010-10-28 13:13 . 2004-08-04 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-10-27 15:25 . 2010-10-31 20:13 31552 ----a-w- c:\windows\system32\TURegOpt.exe

2010-10-27 15:21 . 2010-10-31 20:13 29504 ----a-w- c:\windows\system32\uxtuneup.dll

2010-10-26 13:25 . 2004-08-04 12:00 1853312 ----a-w- c:\windows\system32\win32k.sys

2010-10-20 20:30 . 2010-10-20 20:30 73728 ----a-w- c:\windows\system32\javacpl.cpl

2010-10-20 20:30 . 2010-10-20 20:30 472808 ----a-w- c:\windows\system32\deployJava1.dll

2010-10-20 19:57 . 2010-10-20 19:57 87328 ----a-w- c:\windows\system32\bcmwlcoi.dll

2010-10-20 19:57 . 2010-10-20 19:57 1287552 ----a-w- c:\windows\system32\drivers\BCMWL5.SYS

2010-10-05 17:27 . 2010-10-05 17:27 228024 ----a-w- c:\windows\system32\klogon.dll

2010-09-22 19:19 . 2010-09-22 19:19 37376 ----a-w- c:\windows\system32\drivers\HssDrv.sys

2010-09-22 19:19 . 2010-09-22 19:19 32768 ----a-w- c:\windows\system32\drivers\taphss.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe" [2010-11-02 365336]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\iMesh Applications\\iMesh\\iMesh.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [6/9/2010 4:43 PM 11352]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 9:25 PM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 9:41 PM 67656]

R2 HssWd;Hotspot Shield Monitoring Service;c:\program files\Hotspot Shield\bin\hsswd.exe -product HSS --> c:\program files\Hotspot Shield\bin\hsswd.exe -product HSS [?]

R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2011\TuneUpUtilitiesService32.exe [10/27/2010 6:23 PM 1483072]

R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [5/7/2010 11:06 AM 32856]

R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [11/2/2009 7:27 PM 19472]

R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2011\TuneUpUtilitiesDriver32.sys [10/7/2010 1:34 PM 10064]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

UxTuneUp

.

Contents of the 'Scheduled Tasks' folder

2010-12-17 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1645522239-789336058-839522115-1003.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 08:33]

2010-12-12 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1645522239-789336058-839522115-1003.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 08:33]

2010-12-17 c:\windows\Tasks\User_Feed_Synchronization-{2A1730A9-1199-48E0-8274-67C170504ADD}.job

- c:\windows\system32\msfeedssync.exe [2009-03-08 01:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

FF - ProfilePath - c:\documents and settings\BTC User\Application Data\Mozilla\Firefox\Profiles\3tmzhj1l.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=

FF - prefs.js: browser.search.selectedEngine - Hotspot Shield Private Search

FF - prefs.js: browser.startup.homepage - hxxp://search.hotspotshield.com/g/?c=h

FF - prefs.js: keyword.URL - hxxp://search.hotspotshield.com/g/results.php?c=s&q=

FF - prefs.js: network.proxy.type - 0

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Anti-Banner: KavAntiBanner@Kaspersky.ru - c:\program files\Mozilla Firefox\extensions\KavAntiBanner@Kaspersky.ru

FF - Ext: Kaspersky URL Advisor: linkfilter@kaspersky.ru - c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru

FF - Ext: afurladvisor: afurladvisor@anchorfree.com - c:\program files\Mozilla Firefox\extensions\afurladvisor@anchorfree.com

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-12-17 21:34

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

Completion time: 2010-12-17 21:37:24

ComboFix-quarantined-files.txt 2010-12-17 18:37

ComboFix2.txt 2010-12-09 01:04

Pre-Run: 27,062,267,904 bytes free

Post-Run: 27,692,736,512 bytes free

- - End Of File - - 7B7CA4F25DCF76A40F1B0548A39D7DAB

.......................................

M' Anti-M Free use. XP SP 3

:::::::::::::::::::::::::::::::


Guest name cool

DDS (Ver_10-11-27.01) - NTFSx86

Run by BTC User at 5:44:49.54 on Tue 12/21/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.122 [GMT 3:00]

AV: Kaspersky Internet Security *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Hotspot Shield\bin\openvpnas.exe

C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe

C:\Program Files\Hotspot Shield\bin\hsswd.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\TuneUp Utilities 2011\TuneUpUtilitiesService32.exe

C:\Program Files\TuneUp Utilities 2011\TuneUpUtilitiesApp32.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Hotspot Shield\bin\openvpntray.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Documents and Settings\BTC User\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File

mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2011\avp.exe"

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

Notify: igfxcui - igfxdev.dll

Notify: klogon - c:\windows\system32\klogon.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\btcuse~1\applic~1\mozilla\firefox\profiles\3tmzhj1l.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=

FF - prefs.js: browser.search.selectedEngine - Hotspot Shield Private Search

FF - prefs.js: browser.startup.homepage - hxxp://search.hotspotshield.com/g/?c=h

FF - prefs.js: keyword.URL - hxxp://search.hotspotshield.com/g/results.php?c=s&q=

FF - prefs.js: network.proxy.type - 0

FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll

FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll

FF - component: c:\program files\mozilla firefox\extensions\afurladvisor@anchorfree.com\components\afurladvisor.dll

FF - component: c:\program files\mozilla firefox\extensions\kavantibanner@kaspersky.ru\components\abhelperxpcom.dll

FF - component: c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\kavlinkfilter.dll

FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll

FF - plugin: c:\documents and settings\btc user\application data\mozilla\plugins\np-mswmp.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Extension: Anti-Banner: KavAntiBanner@Kaspersky.ru - c:\program files\mozilla firefox\extensions\KavAntiBanner@Kaspersky.ru

FF - Extension: Kaspersky URL Advisor: linkfilter@kaspersky.ru - c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru

FF - Extension: afurladvisor: afurladvisor@anchorfree.com - c:\program files\mozilla firefox\extensions\afurladvisor@anchorfree.com

FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

FF - Extension: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\Ext

FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\docume~1\btcuse~1\applic~1\mozilla\firefox\profiles\3tmzhj1l.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}

============= SERVICES / DRIVERS ===============

R0 KL1;kl1;c:\windows\system32\drivers\kl1.sys [2010-6-9 132184]

R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [2010-6-9 11352]

R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2010-12-7 475736]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2010-11-9 54760]

R2 HssWd;Hotspot Shield Monitoring Service;c:\program files\hotspot shield\bin\hsswd.exe -product hss --> c:\program files\hotspot shield\bin\hsswd.exe -product HSS [?]

R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\tuneup utilities 2011\TuneUpUtilitiesService32.exe [2010-10-27 1483072]

R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2010-5-7 32856]

R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-11-2 19472]

R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\tuneup utilities 2011\TuneUpUtilitiesDriver32.sys [2010-10-7 10064]

S2 AVP;Kaspersky Anti-Virus Service;c:\program files\kaspersky lab\kaspersky internet security 2011\avp.exe [2010-11-2 365336]

=============== Created Last 30 ================

2010-12-21 02:01:24 -------- d-----w- C:\ComboFix

2010-12-19 21:15:12 -------- d-----w- C:\VundoFix Backups

2010-12-17 18:16:25 98816 ----a-w- c:\windows\sed.exe

2010-12-17 18:16:25 89088 ----a-w- c:\windows\MBR.exe

2010-12-17 18:16:25 256512 ----a-w- c:\windows\PEV.exe

2010-12-17 18:16:25 161792 ----a-w- c:\windows\SWREG.exe

2010-12-15 21:29:06 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys

2010-12-15 21:28:49 45568 -c----w- c:\windows\system32\dllcache\wab.exe

2010-12-11 07:54:53 -------- d-----w- c:\docume~1\alluse~1\applic~1\hssff

2010-12-10 08:55:44 11776 ----a-w- c:\program files\mozilla firefox\plugins\nprjplug.dll

2010-12-10 08:55:30 -------- d-----w- c:\program files\common files\xing shared

2010-12-10 08:55:15 151776 ----a-w- c:\program files\mozilla firefox\plugins\nppl3260.dll

2010-12-10 08:55:06 100352 ----a-w- c:\program files\mozilla firefox\plugins\nprpjplug.dll

2010-12-10 08:54:48 499712 ----a-w- c:\windows\system32\msvcp71.dll

2010-12-10 08:54:48 348160 ----a-w- c:\windows\system32\msvcr71.dll

2010-12-09 01:24:45 -------- d-----w- c:\program files\ESET

2010-12-07 05:32:59 506880 ----a-w- c:\program files\mozilla firefox\extensions\afurladvisor@anchorfree.com\components\afurladvisor.dll

2010-12-07 05:32:56 -------- d-----w- c:\program files\Hotspot Shield

2010-12-07 01:24:37 109240 ----a-w- c:\program files\mozilla firefox\extensions\kavantibanner@kaspersky.ru\components\abhelperxpcom.dll

2010-12-07 01:24:35 150200 ----a-w- c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\kavlinkfilter.dll

2010-12-07 01:24:14 97859 ----a-w- c:\windows\system32\drivers\klick.dat

2010-12-07 01:24:14 114243 ----a-w- c:\windows\system32\drivers\klin.dat

2010-12-07 01:22:34 -------- d-----w- c:\program files\Kaspersky Lab

2010-12-07 01:22:33 -------- d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab

2010-12-07 01:20:06 -------- d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files

2010-11-30 04:58:47 -------- d-----w- c:\docume~1\alluse~1\applic~1\Arovax

2010-11-30 04:53:23 -------- d-----w- C:\Hotspot Shield

2010-11-28 23:39:47 -------- d-----w- c:\program files\UltraSnapPRO

2010-11-28 00:10:50 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-11-28 00:10:47 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-11-28 00:10:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-11-26 03:52:09 -------- d-----w- c:\docume~1\btcuse~1\applic~1\GPass

2010-11-25 15:08:29 -------- d-----w- C:\CCProxy

2010-11-25 14:54:11 -------- d-----w- c:\docume~1\btcuse~1\applic~1\SmartHideIP

2010-11-25 14:54:11 -------- d-----w- c:\docume~1\alluse~1\applic~1\SmartHideIP

2010-11-24 02:22:21 809079 ----a-w- C:\FPsetup.exe

2010-11-24 00:38:36 -------- d-----w- c:\docume~1\btcuse~1\applic~1\SUPERAntiSpyware.com

2010-11-24 00:38:36 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com

2010-11-24 00:38:29 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-11-24 00:05:26 -------- d-sha-r- C:\cmdcons

2010-11-23 23:16:13 215920 ----a-w- c:\windows\system32\muweb.dll

2010-11-23 22:30:40 -------- d-----w- c:\program files\Trend Micro

==================== Find3M ====================

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll

2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll

2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec

2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-10-27 15:25:18 31552 ----a-w- c:\windows\system32\TURegOpt.exe

2010-10-27 15:21:08 29504 ----a-w- c:\windows\system32\uxtuneup.dll

2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys

2010-10-20 20:30:42 73728 ----a-w- c:\windows\system32\javacpl.cpl

2010-10-20 20:30:41 472808 ----a-w- c:\windows\system32\deployJava1.dll

2010-10-20 19:57:45 87328 ----a-w- c:\windows\system32\bcmwlcoi.dll

2010-10-05 17:27:04 228024 ----a-w- c:\windows\system32\klogon.dll

============= FINISH: 5:45:15.31 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-11-27.01)

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 10/20/2010 7:35:23 PM

System Uptime: 12/21/2010 4:35:50 AM (1 hours ago)

Motherboard: Hewlett-Packard | | 30D5

Processor: Intel


Guest name cool

New log:

ComboFix 10-12-20.01 - BTC User 12/21/2010 5:03.12.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.270 [GMT 3:00]

Running from: c:\documents and settings\BTC User\Desktop\ComboFix.exe

AV: Kaspersky Internet Security *Disabled/Outdated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

FW: Kaspersky Internet Security *Disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

* Created a new restore point

.

((((((((((((((((((((((((( Files Created from 2010-11-21 to 2010-12-21 )))))))))))))))))))))))))))))))

.

2010-12-19 21:15 . 2010-12-19 21:15 -------- d-----w- C:\VundoFix Backups

2010-12-15 21:29 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys

2010-12-15 21:28 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe

2010-12-11 07:54 . 2010-12-11 07:54 -------- d-----w- c:\documents and settings\All Users\Application Data\hssff

2010-12-10 08:55 . 2010-12-10 08:55 11776 ----a-w- c:\program files\Mozilla Firefox\plugins\nprjplug.dll

2010-12-10 08:55 . 2010-12-10 08:55 -------- d-----w- c:\program files\Common Files\xing shared

2010-12-10 08:55 . 2010-12-10 08:55 151776 ----a-w- c:\program files\Mozilla Firefox\plugins\nppl3260.dll

2010-12-10 08:55 . 2010-12-10 08:55 100352 ----a-w- c:\program files\Mozilla Firefox\plugins\nprpjplug.dll

2010-12-10 08:54 . 2010-12-10 08:54 499712 ----a-w- c:\windows\system32\msvcp71.dll

2010-12-10 08:54 . 2010-12-10 08:54 348160 ----a-w- c:\windows\system32\msvcr71.dll

2010-12-10 08:54 . 2010-12-10 08:55 -------- d-----w- c:\program files\Real

2010-12-09 01:24 . 2010-12-09 01:24 -------- d-----w- c:\program files\ESET

2010-12-07 05:32 . 2010-11-04 18:43 506880 ----a-w- c:\program files\Mozilla Firefox\extensions\afurladvisor@anchorfree.com\components\afurladvisor.dll

2010-12-07 05:32 . 2010-12-11 03:51 -------- d-----w- c:\program files\Hotspot Shield

2010-12-07 01:24 . 2010-10-05 17:26 109240 ----a-w- c:\program files\Mozilla Firefox\extensions\KavAntiBanner@Kaspersky.ru\components\abhelperxpcom.dll

2010-12-07 01:24 . 2010-10-05 17:27 150200 ----a-w- c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\kavlinkfilter.dll

2010-12-07 01:24 . 2010-12-09 12:16 97859 ----a-w- c:\windows\system32\drivers\klick.dat

2010-12-07 01:24 . 2010-12-09 12:16 114243 ----a-w- c:\windows\system32\drivers\klin.dat

2010-12-07 01:22 . 2010-12-07 01:22 -------- d-----w- c:\program files\Kaspersky Lab

2010-12-07 01:22 . 2010-12-21 01:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab

2010-12-07 01:20 . 2010-12-07 01:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files

2010-12-03 22:53 . 2010-12-03 22:53 -------- d-----w- c:\windows\system32\Macromed

2010-11-30 04:58 . 2010-11-30 04:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Arovax

2010-11-30 04:53 . 2010-12-07 05:33 -------- d-----w- C:\Hotspot Shield

2010-11-28 23:39 . 2010-11-28 23:39 -------- d-----w- c:\program files\UltraSnapPRO

2010-11-28 00:10 . 2010-11-29 14:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-11-28 00:10 . 2010-11-30 17:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-11-28 00:10 . 2010-11-29 14:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-11-26 03:52 . 2010-11-26 03:52 -------- d-----w- c:\documents and settings\BTC User\Application Data\GPass

2010-11-25 15:08 . 2010-12-03 05:26 -------- d-----w- C:\CCProxy

2010-11-25 14:54 . 2010-11-25 14:54 -------- d-----w- c:\documents and settings\BTC User\Application Data\SmartHideIP

2010-11-25 14:54 . 2010-11-25 14:54 -------- d-----w- c:\documents and settings\All Users\Application Data\SmartHideIP

2010-11-24 02:22 . 2010-11-24 02:22 809079 ----a-w- C:\FPsetup.exe

2010-11-24 00:38 . 2010-11-24 00:38 -------- d-----w- c:\documents and settings\BTC User\Application Data\SUPERAntiSpyware.com

2010-11-24 00:38 . 2010-11-24 00:38 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2010-11-24 00:38 . 2010-12-17 13:30 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-11-23 23:16 . 2009-08-06 16:23 215920 ----a-w- c:\windows\system32\muweb.dll

2010-11-23 22:30 . 2010-11-23 22:30 -------- d-----w- c:\program files\Trend Micro

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-11-18 18:12 . 2010-10-20 16:30 81920 ----a-w- c:\windows\system32\isign32.dll

2010-11-06 00:26 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-11-06 00:26 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-11-06 00:26 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-11-03 12:25 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec

2010-11-02 15:17 . 2004-08-04 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys

2010-10-28 13:13 . 2004-08-04 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-10-27 15:25 . 2010-10-31 20:13 31552 ----a-w- c:\windows\system32\TURegOpt.exe

2010-10-27 15:21 . 2010-10-31 20:13 29504 ----a-w- c:\windows\system32\uxtuneup.dll

2010-10-26 13:25 . 2004-08-04 12:00 1853312 ----a-w- c:\windows\system32\win32k.sys

2010-10-20 20:30 . 2010-10-20 20:30 73728 ----a-w- c:\windows\system32\javacpl.cpl

2010-10-20 20:30 . 2010-10-20 20:30 472808 ----a-w- c:\windows\system32\deployJava1.dll

2010-10-20 19:57 . 2010-10-20 19:57 87328 ----a-w- c:\windows\system32\bcmwlcoi.dll

2010-10-20 19:57 . 2010-10-20 19:57 1287552 ----a-w- c:\windows\system32\drivers\BCMWL5.SYS

2010-10-05 17:27 . 2010-10-05 17:27 228024 ----a-w- c:\windows\system32\klogon.dll

2010-09-22 19:19 . 2010-09-22 19:19 37376 ----a-w- c:\windows\system32\drivers\HssDrv.sys

2010-09-22 19:19 . 2010-09-22 19:19 32768 ----a-w- c:\windows\system32\drivers\taphss.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe" [2010-11-02 365336]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\iMesh Applications\\iMesh\\iMesh.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [6/9/2010 4:43 PM 11352]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 9:25 PM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 9:41 PM 67656]

R2 HssWd;Hotspot Shield Monitoring Service;c:\program files\Hotspot Shield\bin\hsswd.exe -product HSS --> c:\program files\Hotspot Shield\bin\hsswd.exe -product HSS [?]

R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2011\TuneUpUtilitiesService32.exe [10/27/2010 6:23 PM 1483072]

R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [5/7/2010 11:06 AM 32856]

R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [11/2/2009 7:27 PM 19472]

R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2011\TuneUpUtilitiesDriver32.sys [10/7/2010 1:34 PM 10064]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

UxTuneUp

.

Contents of the 'Scheduled Tasks' folder

2010-12-21 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1645522239-789336058-839522115-1003.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 08:33]

2010-12-12 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1645522239-789336058-839522115-1003.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 08:33]

2010-12-21 c:\windows\Tasks\User_Feed_Synchronization-{2A1730A9-1199-48E0-8274-67C170504ADD}.job

- c:\windows\system32\msfeedssync.exe [2009-03-08 01:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

FF - ProfilePath - c:\documents and settings\BTC User\Application Data\Mozilla\Firefox\Profiles\3tmzhj1l.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=

FF - prefs.js: browser.search.selectedEngine - Hotspot Shield Private Search

FF - prefs.js: browser.startup.homepage - hxxp://search.hotspotshield.com/g/?c=h

FF - prefs.js: keyword.URL - hxxp://search.hotspotshield.com/g/results.php?c=s&q=

FF - prefs.js: network.proxy.type - 0

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Anti-Banner: KavAntiBanner@Kaspersky.ru - c:\program files\Mozilla Firefox\extensions\KavAntiBanner@Kaspersky.ru

FF - Ext: Kaspersky URL Advisor: linkfilter@kaspersky.ru - c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru

FF - Ext: afurladvisor: afurladvisor@anchorfree.com - c:\program files\Mozilla Firefox\extensions\afurladvisor@anchorfree.com

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-12-21 05:11

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1384)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2010-12-21 05:13:08

ComboFix-quarantined-files.txt 2010-12-21 02:13

ComboFix2.txt 2010-12-17 18:37

ComboFix3.txt 2010-12-09 01:04

Pre-Run: 27,447,824,384 bytes free

Post-Run: 27,663,933,440 bytes free

- - End Of File - - 65A3FC092AFEDB94DB8656DEB09087F6

>>>>>>>

GMER 1.0.15.15530 - http://www.gmer.net

Rootkit scan 2010-12-20 04:55:09

Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST980811AS rev.3.BHE

Running: 5ns55ft8.exe; Driver: C:\DOCUME~1\BTCUSE~1\LOCALS~1\Temp\pweyaaod.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwAdjustPrivilegesToken [0xA9B165FA]

SSDT \SystemRoot\System32\drivers\pxrts.sys ZwAllocateVirtualMemory [0xA9B6AF60]

SSDT \SystemRoot\System32\drivers\pxrts.sys ZwAssignProcessToJobObject [0xA9B6AAF0]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwClose [0xA9B16EFE]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwConnectPort [0xA9B17D32]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateEvent [0xA9B1827C]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateFile [0xA9B171DA]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateKey [0xA9B1546A]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateMutant [0xA9B18162]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateNamedPipeFile [0xA9B161E8]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreatePort [0xA9B18036]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateSection [0xA9B16390]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateSemaphore [0xA9B1839C]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateThread [0xA9B16B86]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateWaitablePort [0xA9B180CC]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDebugActiveProcess [0xA9B19A84]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDeleteKey [0xA9B15A74]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDeleteValueKey [0xA9B15E28]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDeviceIoControlFile [0xA9B1765C]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDuplicateObject [0xA9B1AC90]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwEnumerateKey [0xA9B15F74]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwEnumerateValueKey [0xA9B1600C]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwFsControlFile [0xA9B1746A]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwLoadDriver [0xA9B19B76]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwLoadKey [0xA9B15446]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwLoadKey2 [0xA9B15458]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwMapViewOfSection [0xA9B1A2DE]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwNotifyChangeKey [0xA9B16138]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenEvent [0xA9B18312]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenFile [0xA9B16F80]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenKey [0xA9B1562A]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenMutant [0xA9B181F2]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenProcess [0xA9B16836]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenSection [0xA9B1A078]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenSemaphore [0xA9B18432]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenThread [0xA9B16728]

SSDT \SystemRoot\System32\drivers\pxrts.sys ZwProtectVirtualMemory [0xA9B6ABE0]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueryKey [0xA9B160A4]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueryMultipleValueKey [0xA9B15CDC]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQuerySection [0xA9B1A618]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueryValueKey [0xA9B15906]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueueApcThread [0xA9B19F0A]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwRenameKey [0xA9B15B96]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwReplaceKey [0xA9B14E80]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwReplyPort [0xA9B18796]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwReplyWaitReceivePort [0xA9B1865C]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwRequestWaitReplyPort [0xA9B1981E]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwRestoreKey [0xA9B151F8]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwResumeThread [0xA9B1AB32]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSaveKey [0xA9B14E18]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSecureConnectPort [0xA9B17A78]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetContextThread [0xA9B16DA2]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetInformationToken [0xA9B190BE]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetSecurityObject [0xA9B19D14]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetSystemInformation [0xA9B1A768]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetValueKey [0xA9B15780]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSuspendProcess [0xA9B1A85A]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSuspendThread [0xA9B1A994]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSystemDebugControl [0xA9B199A8]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwTerminateProcess [0xA9B169D2]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwTerminateThread [0xA9B16932]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwUnmapViewOfSection [0xA9B1A4BC]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwWriteVirtualMemory [0xA9B16ABC]

Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) FsRtlCheckLockForReadAccess

Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) IoIsOperationSynchronous

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!FsRtlCheckLockForReadAccess 804E9FA0 5 Bytes JMP A9B08FEC \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)

.text ntkrnlpa.exe!IoIsOperationSynchronous 804EE87E 5 Bytes JMP A9B093C8 \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)

.text ntkrnlpa.exe!ZwCallbackReturn + 2508 80501D40 12 Bytes [76, 9B, B1, A9, 46, 54, B1, ...] {JBE 0xffffffffffffff9d; MOV CL, 0xa9; INC ESI; PUSH ESP; MOV CL, 0xa9; POP EAX; PUSH ESP; MOV CL, 0xa9}

.text ntkrnlpa.exe!ZwCallbackReturn + 2684 80501EBC 16 Bytes [96, 5B, B1, A9, 80, 4E, B1, ...]

.text ntkrnlpa.exe!ZwCallbackReturn + 2778 80501FB0 12 Bytes [5A, A8, B1, A9, 94, A9, B1, ...] {POP EDX; TEST AL, 0xb1; TEST EAX, 0xa9b1a994; TEST AL, 0x99; MOV CL, 0xa9}

? pxscan.sys The system cannot find the file specified. !

? System32\drivers\pxkbf.sys The system cannot find the path specified. !

? System32\drivers\pxrts.sys The system cannot find the path specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[1272] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 02507B40 C:\WINDOWS\system32\PxSecure.dll

.text C:\WINDOWS\Explorer.EXE[1272] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 02507090 C:\WINDOWS\system32\PxSecure.dll

.text C:\WINDOWS\Explorer.EXE[1272] USER32.dll!SetWindowTextW 7E42960E 5 Bytes JMP 02507800 C:\WINDOWS\system32\PxSecure.dll

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\tcpip.sys[TDI.SYS!TdiRegisterDeviceObject] [F7F6FD50] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab ZAO)

IAT \SystemRoot\system32\DRIVERS\netbt.sys[TDI.SYS!TdiRegisterDeviceObject] [F7F6FD50] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab ZAO)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip kl1.sys (Kaspersky Unified Driver/Kaspersky Lab ZAO)

AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab ZAO)

AttachedDevice \Driver\Tcpip \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab ZAO)

AttachedDevice \Driver\Tcpip \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab ZAO)

---- Processes - GMER 1.0.15 ----

Library C:\WINDOWS\system32\PxSecure.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1272] 0x02500000

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 22: copy of MBR

Disk \Device\Harddisk0\DR0 sector 23: copy of MBR

---- EOF - GMER 1.0.15 ----

.......................................

M' Anti-M Free use. XP SP 3

:::::::::::::::::::::::::::::::

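The GMER output above is long, and almost every SSDT entry in it is attributed by GMER itself to Kaspersky (klif.sys, kl1.sys); the remaining hooks come from pxrts.sys and PxSecure.dll, which GMER lists without a vendor description, plus three driver files it could not open. What an analyst wants from such a log is exactly that split: hooks grouped by owning module, modules without a vendor label, files GMER could not find, inline hooks in user processes, and libraries reported as hidden. The script below is an added example (not GMER's code and not part of the thread) that produces that triage from the log text; it runs on a constructed sample built from a subset of the lines above. It decides nothing about malice, it only sorts the entries so the unattributed ones can be checked by hand.

```python
"""Triage a GMER rootkit-scan log: group SSDT hooks by the driver that owns
them and pull out what an analyst checks first (modules GMER gave no vendor
label, driver files it could not open, inline hooks in user processes, and
libraries it reports as hidden)."""
import ntpath
import re
from collections import defaultdict

# Constructed sample: a subset of the GMER 1.0.15 output posted in the thread.
SAMPLE_GMER = r"""
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwAdjustPrivilegesToken [0xA9B165FA]
SSDT \SystemRoot\System32\drivers\pxrts.sys ZwAllocateVirtualMemory [0xA9B6AF60]
SSDT \SystemRoot\System32\drivers\pxrts.sys ZwAssignProcessToJobObject [0xA9B6AAF0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwWriteVirtualMemory [0xA9B16ABC]
---- Kernel code sections - GMER 1.0.15 ----
? pxscan.sys The system cannot find the file specified. !
? System32\drivers\pxrts.sys The system cannot find the path specified. !
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\Explorer.EXE[1272] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 02507B40 C:\WINDOWS\system32\PxSecure.dll
---- Processes - GMER 1.0.15 ----
Library C:\WINDOWS\system32\PxSecure.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1272] 0x02500000
"""

# "SSDT <driver> (<description>) Zw... [0x...]"; the description is optional.
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<module>\S+)"
    r"(?:\s+\((?P<vendor>[^)]*)\))?"
    r"\s+(?P<func>Zw\w+)\s+\[0x(?P<addr>[0-9A-Fa-f]+)\]$"
)
# "? <driver> The system cannot find the file/path specified. !"
MISSING_RE = re.compile(
    r"^\?\s+(?P<path>\S+)\s+The system cannot find the (?:file|path) specified\. !$"
)
# ".text <process>[pid] <dll>!<func> <addr> N Bytes JMP <addr> <target module>"
USER_HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>\S+?)\[(?P<pid>\d+)\]\s+(?P<func>\S+!\w+)\s+"
    r"[0-9A-Fa-f]+\s+\d+ Bytes\s+JMP\s+[0-9A-Fa-f]+\s+(?P<target>\S.*?)\s*$"
)
# "Library <dll> (*** hidden *** ) @ <process> [pid] 0x<base>"
HIDDEN_LIB_RE = re.compile(
    r"^Library\s+(?P<lib>\S+)\s+\(\*\*\* hidden \*\*\* \)\s+@\s+"
    r"(?P<proc>.+?)\s+\[(?P<pid>\d+)\]\s+0x[0-9A-Fa-f]+$"
)


def triage_gmer(text):
    """Return a dict summarising the hooks and anomalies in a GMER log."""
    ssdt = defaultdict(lambda: {"vendor": None, "hooks": []})
    missing, user_hooks, hidden = [], [], []
    for line in text.splitlines():
        line = line.strip()
        if m := SSDT_RE.match(line):
            entry = ssdt[ntpath.basename(m["module"])]
            entry["hooks"].append(m["func"])
            if m["vendor"]:
                entry["vendor"] = m["vendor"]
        elif m := MISSING_RE.match(line):
            missing.append(ntpath.basename(m["path"]))
        elif m := USER_HOOK_RE.match(line):
            user_hooks.append((ntpath.basename(m["proc"]), int(m["pid"]),
                               m["func"], ntpath.basename(m["target"])))
        elif m := HIDDEN_LIB_RE.match(line):
            hidden.append((m["lib"], m["proc"], int(m["pid"])))
    return {
        "ssdt_by_module": dict(ssdt),
        # hooks whose owning driver GMER did not describe: check these by hand
        "unlabeled_modules": sorted(k for k, v in ssdt.items() if v["vendor"] is None),
        "missing_files": missing,
        "user_hooks": user_hooks,
        "hidden_libraries": hidden,
    }


if __name__ == "__main__":
    result = triage_gmer(SAMPLE_GMER)
    for module, info in result["ssdt_by_module"].items():
        print(f"{module}: {len(info['hooks'])} SSDT hooks, vendor={info['vendor']!r}")
    for key in ("unlabeled_modules", "missing_files", "user_hooks", "hidden_libraries"):
        print(f"{key}: {result[key]}")
```

Run it against a full GMER log saved from the tool; on the log above it attributes the SSDT hooks to klif.sys and pxrts.sys, reports pxrts.sys as the only module without a vendor label, and lists the PxSecure.dll inline hook and hidden-library entries in Explorer.EXE for manual review.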

  • Staff

Hi,

What symptoms do you still see of AV8?

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317


Guest name cool

Hi.

Gone, but there is another problem! When I scan drive D: and choose Select All to remove the infection, the system reboots. I was surprised by the return of the infection, in the same location as before.

....

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6419

# api_version=3.0.2

# EOSSerial=37d762855950f4459a9cfd09b5fcb0bd

# end=stopped

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2010-12-21 03:12:00

# local_time=2010-12-21 06:12:00 (+0300, Standard Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=512 16777215 100 0 2349680 2349680 0 0

# compatibility_mode=1280 16777195 100 0 380966 380966 0 0

# compatibility_mode=8192 67108863 100 0 208035 208035 0 0

# scanned=106

# found=0

# cleaned=0

# scan_time=10

esets_scanner_update returned -1 esets_gle=53251

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6419

# api_version=3.0.2

# EOSSerial=37d762855950f4459a9cfd09b5fcb0bd

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2010-12-21 04:24:08

# local_time=2010-12-21 07:24:08 (+0300, Standard Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=512 16777215 100 0 2349850 2349850 0 0

# compatibility_mode=1280 16777195 100 0 381136 381136 0 0

# compatibility_mode=8192 67108863 100 0 208205 208205 0 0

# scanned=50578

# found=14

# cleaned=14

# scan_time=4166

C:\Documents and Settings\BTC User\Desktop\HSS-1.56-install-anchorfree-76-conduit.exe a variant of Win32/HotSpotShield application (deleted - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\BTC User\Desktop\seq_2013-2_mrt8.exe a variant of Win32/Kryptik.IWM trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\BTC User\Desktop\SweetImSetup.exe a variant of Win32/SweetIM.A application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\BTC User\My Documents\LiveDownloaderSetup.exe probably a variant of Win32/SweetIM.A application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\BTC User\My Documents\GPass\SweetImSetup.exe a variant of Win32/SweetIM.A application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\BTC User\My Documents\??? ????????\Setup.exe a variant of Win32/Adware.HotBar.H application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Program Files\Hotspot Shield\bin\openvpnas.exe a variant of Win32/HotSpotShield application (cleaned by deleting (after the next restart) - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{E51F7C19-F95A-4352-9ED8-115939114F3C}\RP4\A0001320.exe a variant of Win32/HotSpotShield application (deleted - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{E51F7C19-F95A-4352-9ED8-115939114F3C}\RP4\A0001321.exe a variant of Win32/Kryptik.IWM trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{E51F7C19-F95A-4352-9ED8-115939114F3C}\RP4\A0001322.exe a variant of Win32/SweetIM.A application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{E51F7C19-F95A-4352-9ED8-115939114F3C}\RP4\A0001323.exe a variant of Win32/HotSpotShield application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

D:\Has been completed\3gp_converter_setup.exe a variant of Win32/SweetIM.A application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

D:\uhu\SweetImSetup.exe a variant of Win32/SweetIM.A application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

D:\uhu\Has been completed\3gp_converter_setup.exe a variant of Win32/SweetIM.A application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

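The ESET Online Scanner log above is two runs concatenated (one stopped, one finished), each with a '# key=value' header followed by one line per detection: path, detection name, the action taken in parentheses, a 32-hex-digit hash field and a flag. The script below is an added example (not ESET's code and not part of the thread) that parses that format and summarises it the way a responder reads it: hits per volume, live files separated from the copies under System Volume Information\_restore (System Restore snapshots, which scanners re-flag until the restore points are purged), and actions ESET deferred until the next restart. It runs on a constructed sample made from a subset of the lines above with a header adjusted to match that subset; the 'consistent' field checks that the parsed line count agrees with the header's found= value, so a truncated copy-paste of a log is caught.

```python
"""Summarise an ESET Online Scanner log.txt: parse the '# key=value' header
and each detection line, then group hits by volume, separate live files from
System Restore snapshot copies, and flag actions deferred until reboot."""
import re
from collections import Counter

# Constructed sample: header values chosen to match this subset of the
# detections posted in the thread (the real log lists 14).
SAMPLE_ESET = r"""
# version=7
# end=finished
# remove_checked=true
# scanned=50578
# found=6
# cleaned=6
# scan_time=4166
C:\Documents and Settings\BTC User\Desktop\seq_2013-2_mrt8.exe a variant of Win32/Kryptik.IWM trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\BTC User\My Documents\LiveDownloaderSetup.exe probably a variant of Win32/SweetIM.A application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Hotspot Shield\bin\openvpnas.exe a variant of Win32/HotSpotShield application (cleaned by deleting (after the next restart) - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{E51F7C19-F95A-4352-9ED8-115939114F3C}\RP4\A0001321.exe a variant of Win32/Kryptik.IWM trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\Has been completed\3gp_converter_setup.exe a variant of Win32/SweetIM.A application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\uhu\SweetImSetup.exe a variant of Win32/SweetIM.A application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
"""

HEADER_RE = re.compile(r"^#\s*(\w+)=(.*)$")
# path (drive letter, ends in an extension) / detection / (action, one level of
# nested parentheses allowed) / 32 hex digits / flag. Fields may be separated
# by tabs (as ESET writes them) or by spaces (as they appear pasted above).
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?\.[A-Za-z0-9]{1,4})\s+"
    r"(?P<detection>\S.+?)\s+"
    r"\((?P<action>[^()]*(?:\([^()]*\)[^()]*)*)\)\s+"
    r"(?P<hash>[0-9A-Fa-f]{32})\s+(?P<flag>\S+)$"
)
RESTORE_MARKER = "\\system volume information\\_restore"


def parse_eset_log(text):
    """Return (header dict, list of detection dicts). Later header values win,
    so a log holding several runs reports the last run's status."""
    header, hits = {}, []
    for line in text.splitlines():
        line = line.strip()
        if m := HEADER_RE.match(line):
            header[m[1]] = m[2]
        elif m := DETECTION_RE.match(line):
            path, action = m["path"], m["action"]
            hits.append({
                "path": path,
                "volume": path[0].upper(),
                "detection": m["detection"],
                "action": action,
                "restore_point": RESTORE_MARKER in path.lower(),
                "pending_restart": "after the next restart" in action,
                "removed": action.startswith(("deleted", "cleaned by deleting")),
                "is_trojan": m["detection"].endswith(" trojan"),
            })
    return header, hits


def summarize(text):
    """Responder's view of the log: counts, live vs. snapshot copies, deferred actions."""
    header, hits = parse_eset_log(text)
    found = int(header.get("found", 0))
    return {
        "end": header.get("end"),
        "found": found,
        "parsed": len(hits),
        "consistent": found == len(hits),
        "by_volume": Counter(h["volume"] for h in hits),
        "restore_point_copies": [h["path"] for h in hits if h["restore_point"]],
        "live_files": [h["path"] for h in hits if not h["restore_point"]],
        "pending_restart": [h["path"] for h in hits if h["pending_restart"]],
        "detections": Counter(h["detection"] for h in hits),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_ESET).items():
        print(f"{key}: {value}")
```

Point it at C:\Program Files\EsetOnlineScanner\log.txt instead of the sample to get the same breakdown for a real scan; the live_files list is the one to compare against the disk afterwards, since entries under System Volume Information cannot be browsed from Explorer and only go away when the restore points are cleared.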

Guest name cool

Hi,

These files inside it are software applications (setup files) that I collected and then sent to the malware lab as "Rogue", which were examined previously, and then dropped inside this folder, "Has been completed".

Can I delete them like this: right-click, then Delete? Or should I use Shift + Delete? :D:D:):lol:

Wait .....


Guest name cool

I mean, I ran a scan with Malwarebytes' Anti-Malware on drive D:. When Malwarebytes' Anti-Malware finished scanning the drive, I rebooted the system, and then the infection was removed and everything was cleaned up.

When I checked the drive again with Malwarebytes' Anti-Malware, it found the same infection that had just been removed.

This problem is somewhat strange. After removal, the infection comes back again! :)


Guest name cool

Really weird. I cannot find these paths:

D:\Has been completed\3gp_converter_setup.exe

D:\uhu\SweetImSetup.exe

D:\uhu\Has been completed\3gp_converter_setup.exe

I checked these, but I did not find the files. What are they?


  • Staff

Hi,

1. Uninstall Malwarebytes' Anti-Malware using Add or Remove programs in the Control Panel.

2. Restart your computer (very important).

3. Download and run this utility.

4. It will ask to restart your computer (please allow it to).

5. After the computer restarts, install the latest version from here.

Note: You will need to reactivate the program using the license you were sent via e-mail if you purchased it.


Guest name cool

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5414

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

12/29/2010 2:37:47 PM

mbam-log-2010-12-29 (14-37-47).txt

Scan type: Quick scan

Objects scanned: 145402

Time elapsed: 10 minute(s), 23 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 12

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\documents and settings\BTC User\Desktop\flvdirect.exe (Adware.FLVPlayer) -> Quarantined and deleted successfully.

c:\documents and settings\BTC User\Desktop\FLVTube.exe (Adware.FlvTube) -> Quarantined and deleted successfully.

c:\documents and settings\BTC User\Desktop\inst.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\documents and settings\BTC User\Desktop\securityav_2013_br8.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\documents and settings\BTC User\Desktop\seq_2013_mrt8.exe (Rogue.Installer) -> Quarantined and deleted successfully.

c:\documents and settings\BTC User\Desktop\whitesmokewritergeo5002_en.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

c:\documents and settings\BTC User\Desktop\xvidsetup.exe (Adware.Hotbar) -> Quarantined and deleted successfully.

c:\documents and settings\BTC User\Desktop\limewiresetup.exe (Adware.Hotbar) -> Quarantined and deleted successfully.

c:\retrogamer.exe (Adware.Iwon) -> Quarantined and deleted successfully.

c:\securityav_2013_br8.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\new-video-addon.48661.exe (Rootkit.Agent) -> Quarantined and deleted successfully.

c:\xvidsetup.exe (Adware.Hotbar) -> Quarantined and deleted successfully.


Guest name cool

What about "Antivirus 8"? I have this application on my desktop; it is what infected the computer, but it was not detected by Malwarebytes' Anti-Malware.


This topic is now closed to further replies.