
I have this infection of Trojan.ZbotR.Gen. No matter HOW many times (at least 5 as of now) that I scan and delete the threat with Malwarebytes, it ALWAYS re-appears after I reboot. Every single time. And it's only the registry value too, which means something is regenerating it, but even with a full scan, the only thing that is ever found is the registry value. The MBAM log that is posted is from a full scan I just recently did, but it was before I used Defogger. I restarted the computer before doing the other scans though, so as to provide logs with the infected file intact. Then I have posted the DDS log.

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6528

Windows 5.1.2600 Service Pack 3

Internet Explorer 6.0.2900.5512

5/7/2011 4:40:05 PM

mbam-log-2011-05-07 (16-40-05).txt

Scan type: Full scan (C:\|G:\|)

Objects scanned: 296250

Time elapsed: 3 hour(s), 12 minute(s), 28 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{51CD0364-77F4-5697-AC0D-FDC3663EB728} (Trojan.ZbotR.Gen) -> Value: {51CD0364-77F4-5697-AC0D-FDC3663EB728} -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

.

DDS (Ver_11-03-05.01) - NTFSx86

Run by Administrator at 16:59:03.04 on Sat 05/07/2011

Internet Explorer: 6.0.2900.5512

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1493 [GMT -5:00]

.

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe

C:\WINDOWS\Explorer.EXE

svchost.exe

svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe

C:\Program Files\LogMeIn Hamachi\hamachi-2.exe

C:\Program Files\Google\Update\1.3.21.53\GoogleCrashHandler.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Documents and Settings\Administrator\Application Data\Dropbox\bin\Dropbox.exe

C:\WINDOWS\system32\svchost.exe -k hpdevmgmt

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Documents and Settings\Administrator\Desktop\dds.scr

C:\Program Files\Common Files\Symantec Shared\COH\coh32.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uDefault_Search_URL = hxxp://www.google.com/ie

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mWinlogon: SfcDisable=-99 (0xffffff9d)

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [CTSysVol] c:\program files\creative\sb live! 24-bit\surround mixer\CTSysVol.exe /r

mRun: [updReg] c:\windows\UpdReg.EXE

mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [bCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [LogMeIn Hamachi Ui] "c:\program files\logmein hamachi\hamachi-2-ui.exe" --auto-start

dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N

StartupFolder: c:\documents and settings\administrator\start menu\programs\startup\CurseClientStartup.ccip

StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\administrator\application data\dropbox\bin\Dropbox.exe

StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\pdanet~1.lnk - c:\program files\pdanet for android\PdaNetPC.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe

uPolicies-explorer: NoResolveTrack = 1 (0x1)

uPolicies-explorer: NoSMMyPictures = 1 (0x1)

uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)

mPolicies-system: DisableCAD = 1 (0x1)

dPolicies-explorer: NoSMHelp = 1 (0x1)

dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)

dPolicies-explorer: NoResolveTrack = 1 (0x1)

dPolicies-explorer: NoSMMyPictures = 1 (0x1)

dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Trusted Zone: aol.com\free

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1262878713640

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: igfxcui - igfxsrvc.dll

Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll

.

============= SERVICES / DRIVERS ===============

.

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-7-8 108392]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-7-8 108392]

R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2007-10-9 38144]

R2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\logmein hamachi\hamachi-2.exe [2011-3-28 1242504]

R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2009-9-17 2477304]

R3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-7-14 23888]

R3 DroidCam;DroidCam Virtual Audio;c:\windows\system32\drivers\droidcam.sys [2011-4-25 21376]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-5-2 102448]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110506.021\NAVENG.SYS [2011-5-6 86136]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110506.021\NAVEX15.SYS [2011-5-6 1393144]

R3 pneteth;PdaNet Broadband;c:\windows\system32\drivers\pneteth.sys [2010-9-29 13312]

S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-4 135664]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-4-4 135664]

S3 MayPro;TigerGame SuperJoy Box Pro Filter Service;c:\windows\system32\drivers\Maypro.sys [2010-12-29 11904]

S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]

S3 RTL8187B;NETGEAR WG111v3 Wireless-G USB Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [2007-12-28 341504]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

.

=============== Created Last 30 ================

.

2011-05-03 02:03:38 5632 ----a-w- c:\windows\system32\ptpusb.dll

2011-05-03 02:03:37 159232 ----a-w- c:\windows\system32\ptpusd.dll

2011-05-01 23:25:38 -------- d-----w- c:\program files\VS Revo Group

2011-05-01 23:01:24 -------- d-----w- c:\program files\NT Registry Optimizer

2011-04-28 22:43:12 -------- d-----w- c:\program files\TeamViewer

2011-04-28 02:13:25 -------- d-----w- c:\docume~1\admini~1\applic~1\TeamViewer

2011-04-27 01:51:26 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\LogMeIn Hamachi

2011-04-27 01:50:25 -------- d-----w- c:\program files\LogMeIn Hamachi

2011-04-26 01:30:06 -------- d-----w- c:\docume~1\alluse~1\applic~1\Skype Extras

2011-04-26 01:13:27 21376 ----a-w- c:\windows\system32\drivers\droidcam.sys

2011-04-26 01:13:25 -------- d-----w- c:\program files\DroidCam

2011-04-26 00:58:10 -------- d-----r- c:\program files\Skype

2011-04-20 00:48:35 -------- d-----w- c:\program files\Android Notifier Desktop

2011-04-19 23:14:06 -------- d-----w- c:\program files\INVedit

2011-04-16 22:28:51 -------- d-----w- c:\docume~1\admini~1\applic~1\.minecraft

2011-04-13 10:52:57 512000 ------w- c:\windows\system32\dllcache\jscript.dll

2011-04-13 10:52:38 138496 ------w- c:\windows\system32\dllcache\afd.sys

2011-04-13 10:52:37 45568 ------w- c:\windows\system32\dllcache\dnsrslvr.dll

2011-04-13 10:52:37 361600 ------w- c:\windows\system32\dllcache\tcpip.sys

2011-04-13 10:52:37 245248 ------w- c:\windows\system32\dllcache\mswsock.dll

2011-04-13 10:52:37 149504 ------w- c:\windows\system32\dllcache\dnsapi.dll

.

==================== Find3M ====================

.

2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-03-04 06:45:07 434176 ----a-w- c:\windows\system32\vbscript.dll

2011-03-03 13:21:11 1857920 ------w- c:\windows\system32\win32k.sys

2011-02-17 13:51:57 81920 ----a-w- c:\windows\system32\ieencode.dll

2011-02-17 13:51:57 667136 ----a-w- c:\windows\system32\wininet.dll

2011-02-17 13:51:57 61952 ----a-w- c:\windows\system32\tdc.ocx

2011-02-17 12:37:38 369664 ----a-w- c:\windows\system32\html.iec

2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll

2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll

2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll

2011-02-09 00:03:56 974848 ----a-w- c:\windows\system32\mfc42u.dll

2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll

.

============= FINISH: 17:00:00.35 ===============
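The pattern described in the opening post, a Run value that comes back after every reboot, is usually a sign that the file it launches was never removed, only the registry pointer. The script below is an added example and is not part of the original thread or of any tool named in it: it parses an autorun dump in the "Reg Loading Points" layout ComboFix prints later in the thread and flags values that match this case, a GUID-named value whose target lives under the user's profile. The sample dump, the function names parse_run_dump and triage, and the [date size] stamps on the two HKCU lines are constructed for the example; the GUID and the Application Data\Guiqy\wyerd.exe path are the ones reported in the thread.

```python
import re
from typing import Dict, List

# Constructed sample in the "Reg Loading Points" layout ComboFix uses later in this
# thread. The GUID-named HKCU value is the one MBAM kept removing; here it is joined
# to the Application Data\Guiqy\wyerd.exe file that ComboFix deleted. That pairing
# and the [date size] stamps on the last two lines are constructed, not copied.
SAMPLE_RUN_DUMP = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-07-09 115560]
"nwiz"="nwiz.exe" [2007-12-05 1626112]
.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"{51CD0364-77F4-5697-AC0D-FDC3663EB728}"="c:\documents and settings\Administrator\Application Data\Guiqy\wyerd.exe" [2011-05-07 81920]
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>[^"]*)"(?:\s+\[(?P<meta>[^\]]*)\])?$')
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

# Directories a non-admin user can write to. Zbot-style droppers install under a
# random folder name here instead of under Program Files or Windows. Legitimate
# software (Dropbox in this thread) also lives here, so this signal alone means
# "review", while a GUID-named value pointing here is the strong combination.
USER_WRITABLE_MARKERS = ("\\application data\\", "\\local settings\\", "\\temp\\")


def parse_run_dump(text: str) -> List[Dict[str, str]]:
    """Turn a REGEDIT4-style autorun dump into a list of {key, name, data, meta}."""
    entries: List[Dict[str, str]] = []
    current_key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue  # ComboFix pads sections with lone dots and blank lines
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current_key:
            entries.append({
                "key": current_key,
                "name": value_match.group("name"),
                "data": value_match.group("data"),
                "meta": value_match.group("meta") or "",
            })
    return entries


def triage(entries: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Flag autorun values matching the persistence pattern seen in this thread."""
    findings: List[Dict[str, object]] = []
    for entry in entries:
        reasons: List[str] = []
        if GUID_RE.match(entry["name"]):
            reasons.append("guid-named value")
        data_lower = entry["data"].lower()
        if any(marker in data_lower for marker in USER_WRITABLE_MARKERS):
            reasons.append("runs from user-writable profile directory")
        if reasons:
            findings.append({**entry, "reasons": reasons})
    return findings


def report(findings: List[Dict[str, object]]) -> List[str]:
    """One human-readable line per finding: where it is, what it runs, and why."""
    return [
        f"{f['key']}\\{f['name']} -> {f['data']} ({'; '.join(f['reasons'])})"
        for f in findings
    ]


if __name__ == "__main__":
    for line in report(triage(parse_run_dump(SAMPLE_RUN_DUMP))):
        print(line)
```

Deleting only the flagged value, as the scanner in the thread did, leaves the target file free to re-create it; the file path in each finding is what needs to be checked and removed as well.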


Hi ILikeTrains

You're missing one of your DDS logs. I need the Attach.txt. You can copy and paste it in your next reply.

Sorry about that. Here it is:

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_11-03-05.01)

.

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume2

Install Date: 12/25/2009 11:47:05 PM

System Uptime: 5/7/2011 4:47:47 PM (1 hours ago)

.

Motherboard: Dell Computer Corp. | | 0G1548

Processor: Intel® Pentium® 4 CPU 2.20GHz | Microprocessor | 2193/400mhz

.

==== Disk Partitions =========================

.

A: is Removable

C: is FIXED (NTFS) - 38 GiB total, 15.94 GiB free.

D: is CDROM ()

E: is CDROM ()

G: is FIXED (NTFS) - 596 GiB total, 420.066 GiB free.

.

==== Disabled Device Manager Items =============

.

Class GUID: {4D36E968-E325-11CE-BFC1-08002BE10318}

Description: Intel® 82845G/GL/GE/PE/GV Graphics Controller

Device ID: PCI\VEN_8086&DEV_2562&SUBSYS_01601028&REV_01\3&172E68DD&0&10

Manufacturer: Intel Corporation

Name: Intel® 82845G/GL/GE/PE/GV Graphics Controller

PNP Device ID: PCI\VEN_8086&DEV_2562&SUBSYS_01601028&REV_01\3&172E68DD&0&10

Service: ialm

.

==== System Restore Points ===================

.

RP330: 4/29/2011 7:28:58 PM - System Checkpoint

RP331: 4/30/2011 8:29:27 PM - System Checkpoint

RP332: 5/1/2011 6:18:38 PM - IObit Uninstaller restore point

RP333: 5/1/2011 6:26:22 PM - Revo Uninstaller's restore point - Diablo II

RP334: 5/1/2011 6:29:05 PM - Revo Uninstaller's restore point - Advanced SystemCare 4

RP335: 5/1/2011 6:30:49 PM - Revo Uninstaller's restore point - HamsterFreeVideoConverter

RP336: 5/1/2011 6:31:48 PM - Revo Uninstaller's restore point - Hyper Shutdown 2.2

RP337: 5/4/2011 12:39:38 AM - System Checkpoint

RP338: 5/5/2011 1:05:33 AM - System Checkpoint

RP339: 5/6/2011 1:15:30 AM - System Checkpoint

RP340: 5/7/2011 1:57:42 AM - System Checkpoint

.

==== Installed Programs ======================

.

32 Bit HP CIO Components Installer

7-Zip 9.20

Adobe Flash Player 10 ActiveX

Adobe Flash Player 10 Plugin

Adobe Reader 8.2.6

Adobe Shockwave Player 11.5

AIO_Scan

Android Notifier Desktop

AppInventor Extras

Apple Application Support

Apple Software Update

CamStudio

CCleaner

CDDRV_Installer

Conexant D850 56K V.9x DFVc Modem

Creative System Information

Curse Client

Definition update for Microsoft Office 2010 (KB982726)

DJ_AIO_Software_min

Dropbox

Finale NotePad 2011

Game Booster

Google Chrome

Google Update Helper

Grand Theft Auto

HashCheck Shell Extension (x86-32)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows XP (KB2158563)

Hotfix for Windows XP (KB2443685)

Hotfix for Windows XP (KB915800-v4)

Hotfix for Windows XP (KB954550-v5)

Hotfix for Windows XP (KB961118)

Hotfix for Windows XP (KB979306)

Hotfix for Windows XP (KB981793)

HP Deskjet All-In-One Software 9.0

HP Photo and Imaging 2.0 - All-in-One

HP Photo and Imaging 2.0 - All-in-One Drivers

Intel® Extreme Graphics Driver

Java Auto Updater

Java 6 Update 24

K-Lite Codec Pack 5.6.1 (Basic)

KhalInstallWrapper

LiveUpdate 3.3 (Symantec Corporation)

Logitech SetPoint

LogMeIn Hamachi

Malwarebytes' Anti-Malware

Mayflash Wii Classic Controller Box

Megaman X5

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Security Update (KB2416447)

Microsoft .NET Framework 1.1 Security Update (KB979906)

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft .NET Framework 4 Client Profile

Microsoft Kernel-Mode Driver Framework Feature Pack 1.5

Microsoft Kernel-Mode Driver Framework Feature Pack 1.7

Microsoft Office Access MUI (English) 2010

Microsoft Office Access Setup Metadata MUI (English) 2010

Microsoft Office Excel MUI (English) 2010

Microsoft Office Groove MUI (English) 2010

Microsoft Office InfoPath MUI (English) 2010

Microsoft Office OneNote MUI (English) 2010

Microsoft Office Outlook MUI (English) 2010

Microsoft Office PowerPoint MUI (English) 2010

Microsoft Office Professional Plus 2010

Microsoft Office Proof (English) 2010

Microsoft Office Proof (French) 2010

Microsoft Office Proof (Spanish) 2010

Microsoft Office Proofing (English) 2010

Microsoft Office Publisher MUI (English) 2010

Microsoft Office Shared MUI (English) 2010

Microsoft Office Shared Setup Metadata MUI (English) 2010

Microsoft Office Word MUI (English) 2010

Microsoft Silverlight

Microsoft Software Update for Web Folders (English) 14

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2005 Redistributable - KB2467175

Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft WinUsb 1.0

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

MSXML 4.0 SP2 Parser and SDK

Nexon Game Manager

Notation Player 2.5.2

Notepad++

NTREGOPT 1.1j

NVIDIA Drivers

Pando Media Booster

PdaNet for Android 2.45

Picasa 3

QuickTime

Ralink Wireless LAN

Revo Uninstaller 1.92

Scan

ScreenPrint32 v3.5

SDFormatter

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)

Security Update for Microsoft Excel 2010 (KB2466146)

Security Update for Microsoft Office 2010 (KB2289078)

Security Update for Microsoft Office 2010 (KB2289161)

Security Update for Microsoft PowerPoint 2010 (KB2519975)

Security Update for Microsoft Publisher 2010 (KB2409055)

Security Update for Microsoft Word 2010 (KB2345000)

Security Update for Windows Media Player (KB2378111)

Security Update for Windows Media Player (KB975558)

Security Update for Windows Media Player (KB978695)

Security Update for Windows XP (KB2079403)

Security Update for Windows XP (KB2115168)

Security Update for Windows XP (KB2121546)

Security Update for Windows XP (KB2160329)

Security Update for Windows XP (KB2183461)

Security Update for Windows XP (KB2259922)

Security Update for Windows XP (KB2279986)

Security Update for Windows XP (KB2286198)

Security Update for Windows XP (KB2296011)

Security Update for Windows XP (KB2296199)

Security Update for Windows XP (KB2347290)

Security Update for Windows XP (KB2360131)

Security Update for Windows XP (KB2360937)

Security Update for Windows XP (KB2387149)

Security Update for Windows XP (KB2393802)

Security Update for Windows XP (KB2412687)

Security Update for Windows XP (KB2416400)

Security Update for Windows XP (KB2419632)

Security Update for Windows XP (KB2423089)

Security Update for Windows XP (KB2436673)

Security Update for Windows XP (KB2440591)

Security Update for Windows XP (KB2476687)

Security Update for Windows XP (KB2478960)

Security Update for Windows XP (KB2478971)

Security Update for Windows XP (KB2479628)

Security Update for Windows XP (KB2479943)

Security Update for Windows XP (KB2481109)

Security Update for Windows XP (KB2482017)

Security Update for Windows XP (KB2483185)

Security Update for Windows XP (KB2485376)

Security Update for Windows XP (KB2485663)

Security Update for Windows XP (KB2497640)

Security Update for Windows XP (KB2503658)

Security Update for Windows XP (KB2506212)

Security Update for Windows XP (KB2506223)

Security Update for Windows XP (KB2507618)

Security Update for Windows XP (KB2508272)

Security Update for Windows XP (KB2508429)

Security Update for Windows XP (KB2509553)

Security Update for Windows XP (KB2510581)

Security Update for Windows XP (KB2511455)

Security Update for Windows XP (KB2524375)

Security Update for Windows XP (KB971468)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975562)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB977165)

Security Update for Windows XP (KB977816)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978037)

Security Update for Windows XP (KB978251)

Security Update for Windows XP (KB978262)

Security Update for Windows XP (KB978338)

Security Update for Windows XP (KB978542)

Security Update for Windows XP (KB978601)

Security Update for Windows XP (KB978706)

Security Update for Windows XP (KB979309)

Security Update for Windows XP (KB979482)

Security Update for Windows XP (KB979559)

Security Update for Windows XP (KB979683)

Security Update for Windows XP (KB979687)

Security Update for Windows XP (KB980195)

Security Update for Windows XP (KB980218)

Security Update for Windows XP (KB980232)

Security Update for Windows XP (KB980436)

Security Update for Windows XP (KB981322)

Security Update for Windows XP (KB981349)

Security Update for Windows XP (KB981852)

Security Update for Windows XP (KB981957)

Security Update for Windows XP (KB982132)

Security Update for Windows XP (KB982214)

Security Update for Windows XP (KB982381)

Security Update for Windows XP (KB982665)

Security Update for Windows XP (KB982802)

Sid Meier's Civilization 4

Skype Toolbars

Skype


Looking over your log, it seems you don't have any evidence of anti-virus software.

Anti-virus software are programs that detect, clean and erase harmful virus files on a computer, web server or network. Unchecked virus files can unintentionally be forwarded to others, including trading partners, thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. It can alert the user if a virus is present and will clean, delete (or quarantine) infected files or directories. We'll download a free one in the post to come. For now please do the following:

  1. Download ComboFix from below:
    Combofix download
    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  3. Double click on combofix.exe & follow the prompts.
  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    The Windows Recovery Console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.
    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.
    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.
    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:
    The Recovery Console was successfully installed.
    Click on Yes, to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply.
    Note:
    Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.
    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.
    ---------------------------------------------------------------------------------------------


Okay, it finished. Here's the log it generated:

ComboFix 11-05-09.02 - Administrator 05/09/2011 19:11:36.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1551 [GMT -5:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Administrator\Application Data\Guiqy\wyerd.exe

c:\documents and settings\Administrator\WINDOWS

c:\windows\system32\AutoRun.inf

c:\windows\system32\Data

c:\windows\system32\msconfig.exe

.

.

((((((((((((((((((((((((( Files Created from 2011-04-10 to 2011-05-10 )))))))))))))))))))))))))))))))

.

.

2011-05-03 02:03 . 2001-08-18 09:36 5632 ----a-w- c:\windows\system32\ptpusb.dll

2011-05-03 02:03 . 2008-04-14 16:42 159232 ----a-w- c:\windows\system32\ptpusd.dll

2011-05-01 23:25 . 2011-05-01 23:25 -------- d-----w- c:\program files\VS Revo Group

2011-05-01 23:01 . 2011-05-01 23:01 -------- d-----w- c:\program files\NT Registry Optimizer

2011-04-28 22:43 . 2011-04-28 22:43 -------- d-----w- c:\program files\TeamViewer

2011-04-28 02:13 . 2011-04-28 22:44 -------- d-----w- c:\documents and settings\Administrator\Application Data\TeamViewer

2011-04-27 01:51 . 2011-05-10 00:16 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\LogMeIn Hamachi

2011-04-27 01:51 . 2011-05-09 22:35 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\LogMeIn Hamachi

2011-04-27 01:50 . 2011-04-27 01:50 -------- d-----w- c:\program files\LogMeIn Hamachi

2011-04-26 01:30 . 2011-04-26 01:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM

2011-04-26 01:30 . 2011-04-26 01:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype Extras

2011-04-26 01:19 . 2011-04-26 02:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype

2011-04-26 01:13 . 2011-04-26 01:13 21376 ----a-w- c:\windows\system32\drivers\droidcam.sys

2011-04-26 01:13 . 2011-04-26 01:13 -------- d-----w- c:\program files\DroidCam

2011-04-26 00:58 . 2011-04-26 00:58 -------- d-----w- c:\program files\Common Files\Skype

2011-04-26 00:58 . 2011-04-26 00:59 -------- d-----r- c:\program files\Skype

2011-04-26 00:57 . 2011-04-26 00:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype

2011-04-20 00:48 . 2011-04-20 00:48 -------- d-----w- c:\program files\Android Notifier Desktop

2011-04-19 23:14 . 2011-04-20 05:05 -------- d-----w- c:\program files\INVedit

2011-04-16 22:28 . 2011-05-10 00:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\.minecraft

2011-04-13 10:52 . 2011-03-04 06:45 512000 ------w- c:\windows\system32\dllcache\jscript.dll

2011-04-13 10:52 . 2008-10-16 14:43 138496 ------w- c:\windows\system32\dllcache\afd.sys

2011-04-13 10:52 . 2011-03-03 06:55 149504 ------w- c:\windows\system32\dllcache\dnsapi.dll

2011-04-13 10:52 . 2009-04-20 17:17 45568 ------w- c:\windows\system32\dllcache\dnsrslvr.dll

2011-04-13 10:52 . 2008-06-20 16:02 245248 ------w- c:\windows\system32\dllcache\mswsock.dll

2011-04-13 10:52 . 2008-06-20 11:51 361600 ------w- c:\windows\system32\dllcache\tcpip.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-03-07 05:33 . 2009-12-26 05:44 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-03-04 06:45 . 2009-12-14 04:31 434176 ----a-w- c:\windows\system32\vbscript.dll

2011-03-03 13:21 . 2010-12-15 09:13 1857920 ------w- c:\windows\system32\win32k.sys

2011-02-17 13:51 . 2009-12-14 04:31 667136 ----a-w- c:\windows\system32\wininet.dll

2011-02-17 13:51 . 2009-12-14 04:31 61952 ----a-w- c:\windows\system32\tdc.ocx

2011-02-17 13:51 . 2009-12-14 04:31 81920 ----a-w- c:\windows\system32\ieencode.dll

2011-02-17 13:18 . 2009-12-14 04:31 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-02-17 13:18 . 2009-12-14 04:31 357888 ----a-w- c:\windows\system32\drivers\srv.sys

2011-02-17 12:37 . 2009-12-14 04:31 369664 ----a-w- c:\windows\system32\html.iec

2011-02-17 12:32 . 2009-12-14 04:31 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2011-02-15 12:56 . 2008-04-14 02:39 290432 ----a-w- c:\windows\system32\atmfd.dll

2011-02-09 13:53 . 2008-04-14 02:42 270848 ----a-w- c:\windows\system32\sbe.dll

2011-02-09 13:53 . 2008-04-14 02:41 186880 ----a-w- c:\windows\system32\encdec.dll

.

.

------- Sigcheck -------

.

.

.

[-] 2002-11-27 00:03 . 36678803A8030EE9A771935CFC1848BD . 52224 . . [9.0.1.56] . . c:\windows\system32\mspmsnsv.dll

.

c:\windows\System32\wscntfy.exe ... is missing !!

c:\windows\System32\regsvc.dll ... is missing !!

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.13.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.13.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.13.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-07-09 115560]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]

"nwiz"="nwiz.exe" [2007-12-05 1626112]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]

"CTSysVol"="c:\program files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]

"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]

"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-01-22 40368]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]

"LogMeIn Hamachi Ui"="c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe" [2011-03-28 1910152]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"_nltide_3"="advpack.dll" [2008-04-14 99840]

.

c:\documents and settings\Administrator\Start Menu\Programs\Startup\

CurseClientStartup.ccip [2010-8-1 0]

Dropbox.lnk - c:\documents and settings\Administrator\Application Data\Dropbox\bin\Dropbox.exe [2010-2-26 21979992]

PdaNet Desktop.lnk - c:\program files\PdaNet for Android\PdaNetPC.exe [2010-12-8 473616]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-6 28672]

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2010-6-29 805392]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"DisableCAD"= 1 (0x1)

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoResolveTrack"= 1 (0x1)

"NoSMMyPictures"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

.

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSMHelp"= 1 (0x1)

"ForceClassicControlPanel"= 1 (0x1)

"NoResolveTrack"= 1 (0x1)

"NoSMMyPictures"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2008-05-02 07:42 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

.

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^OpenOffice.org 3.2.lnk]

path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk

backup=c:\windows\pss\OpenOffice.org 3.2.lnkStartup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ralink Wireless Utility.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Ralink Wireless Utility.lnk

backup=c:\windows\pss\Ralink Wireless Utility.lnkCommon Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]

2009-10-30 11:57 369200 ----a-w- c:\program files\DAEMON Tools Lite\DTLite.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ScreenPrint32]

2003-05-16 04:36 446464 ----a-w- c:\program files\ScreenPrint32 v3\ScreenPrint32.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=

"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=

"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=

"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=

"g:\\Games\\Civilization 4\\Civilization4.exe"=

"c:\\Documents and Settings\\Administrator\\Application Data\\Dropbox\\bin\\Dropbox.exe"=

"g:\\World of Warcraft\\Launcher.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=

"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=

"g:\\World of Warcraft\\World of Warcraft\\Launcher.exe"=

"g:\\World of Warcraft\\World of Warcraft\\Blizzard Downloader.exe"=

"c:\\Program Files\\Minecraft\\Minecraft.exe"=

"c:\\Program Files\\Java\\jre6\\launch4j-tmp\\android-notifier-desktop.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\DroidCam\\DroidCamApp.exe"=

"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer.exe"=

"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer_Service.exe"=

"c:\\Documents and Settings\\Administrator\\Local Settings\\Apps\\2.0\\5KA1E6PW.MDD\\1DMA9AG2.ERN\\curs..tion_eee711038731a406_0004.0000_efb506202a7c3b08\\CurseClient.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

.

R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [10/9/2007 4:13 PM 38144]

R2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [3/28/2011 3:41 PM 1242504]

R3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [7/14/2009 3:51 PM 23888]

R3 DroidCam;DroidCam Virtual Audio;c:\windows\system32\drivers\droidcam.sys [4/25/2011 8:13 PM 21376]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/2/2011 11:00 PM 102448]

R3 pneteth;PdaNet Broadband;c:\windows\system32\drivers\pneteth.sys [9/29/2010 9:15 PM 13312]

S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 3:16 PM 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/4/2010 11:04 PM 135664]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [4/4/2010 11:04 PM 135664]

S3 MayPro;TigerGame SuperJoy Box Pro Filter Service;c:\windows\system32\drivers\Maypro.sys [12/29/2010 8:35 PM 11904]

S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 11:37 PM 4640000]

S3 RTL8187B;NETGEAR WG111v3 Wireless-G USB Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [12/28/2007 6:02 PM 341504]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 3:16 PM 753504]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/27/2009 1:22 AM 691696]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - ERASERUTILDRV11110

*Deregistered* - EraserUtilDrv11110

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08

.

Contents of the 'Scheduled Tasks' folder

.

2011-05-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-05 04:04]

.

2011-05-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-05 04:04]

.

2011-05-02 c:\windows\Tasks\SmartDefrag.job

- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2010-12-21 00:08]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uDefault_Search_URL = hxxp://www.google.com/ie

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105

Trusted Zone: aol.com\free

.

- - - - ORPHANS REMOVED - - - -

.

HKCU-Run-{51CD0364-77F4-5697-AC0D-FDC3663EB728} - c:\documents and settings\Administrator\Application Data\Guiqy\wyerd.exe

SafeBoot-Symantec Antvirus

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-05-09 19:16

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(1504)

c:\program files\common files\logitech\bluetooth\LBTWlgn.dll

c:\program files\common files\logitech\bluetooth\LBTServ.dll

.

Completion time: 2011-05-09 19:19:37

ComboFix-quarantined-files.txt 2011-05-10 00:19

.

Pre-Run: 16,897,773,568 bytes free

Post-Run: 16,901,767,168 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /noexecute=optin

.

- - End Of File - - CCBB6A5EC00AE2A4CB5FCAC976044690

Run CFScript

  • Close any open browsers.
  • Open Notepad by clicking Start
  • Click Run
  • Type notepad into the box and press Enter
  • Notepad will open
  • Copy and paste everything from the Code box into Notepad:

KillAll::
MIA::
c:\windows\System32\wscntfy.exe
c:\windows\System32\regsvc.dll

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

My computer never restarted after using ComboFix the first time; should I do that first?

Sorry to interrupt.

Can you please zip the c:\qoobox folder and send me that zip? We should have removed this easily, and I would like to see why. You can send it in a PM or submit it in a new post in the malware submission forum.

Thanks!

Certainly, I'll PM you a Dropbox link.

Yes, restart ComboFix and post the log, please. By the way, thank you again for your help with that file.... :)

Wait, I'm still confused. I've only run ComboFix that first time you told me to, but my computer never restarted. Should I restart it before running the CFScript.txt?

Just helping out. It's not necessary to reboot. ComboFix won't reboot every time; it depends on what infections are present. It's OK to continue with the script and instructions.

Okay, thank you! I just want to make sure that all of my bases are covered, so to speak. I'll run the CFScript right now.

Alright, the script finished running, and it rebooted my computer. Here's the log:

ComboFix 11-05-09.02 - Administrator 05/09/2011 20:08:43.2.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1505 [GMT -5:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\System32\wscntfy.exe . . . is missing!!

.

c:\windows\System32\regsvc.dll . . . is missing!!

.

.

((((((((((((((((((((((((( Files Created from 2011-04-10 to 2011-05-10 )))))))))))))))))))))))))))))))

.

.

2011-05-10 01:15 . 2011-05-10 01:15 -------- d-----w- c:\windows\system32\xircom

2011-05-10 01:15 . 2011-05-10 01:15 -------- d-----w- c:\windows\system32\wbem\snmp

2011-05-10 01:15 . 2011-05-10 01:15 -------- d-----w- c:\windows\srchasst

2011-05-10 01:15 . 2011-05-10 01:15 -------- d-----w- c:\windows\msagent

2011-05-10 01:15 . 2011-05-10 01:15 -------- d-----w- c:\program files\microsoft frontpage

2011-05-03 02:03 . 2001-08-18 09:36 5632 ----a-w- c:\windows\system32\ptpusb.dll

2011-05-03 02:03 . 2008-04-14 16:42 159232 ----a-w- c:\windows\system32\ptpusd.dll

2011-05-01 23:25 . 2011-05-01 23:25 -------- d-----w- c:\program files\VS Revo Group

2011-05-01 23:01 . 2011-05-01 23:01 -------- d-----w- c:\program files\NT Registry Optimizer

2011-04-28 22:43 . 2011-04-28 22:43 -------- d-----w- c:\program files\TeamViewer

2011-04-28 02:13 . 2011-04-28 22:44 -------- d-----w- c:\documents and settings\Administrator\Application Data\TeamViewer

2011-04-27 01:51 . 2011-05-10 01:17 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\LogMeIn Hamachi

2011-04-27 01:51 . 2011-05-10 01:17 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\LogMeIn Hamachi

2011-04-27 01:50 . 2011-04-27 01:50 -------- d-----w- c:\program files\LogMeIn Hamachi

2011-04-26 01:30 . 2011-04-26 01:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM

2011-04-26 01:30 . 2011-04-26 01:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype Extras

2011-04-26 01:19 . 2011-04-26 02:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype

2011-04-26 01:13 . 2011-04-26 01:13 21376 ----a-w- c:\windows\system32\drivers\droidcam.sys

2011-04-26 01:13 . 2011-04-26 01:13 -------- d-----w- c:\program files\DroidCam

2011-04-26 00:58 . 2011-04-26 00:58 -------- d-----w- c:\program files\Common Files\Skype

2011-04-26 00:58 . 2011-04-26 00:59 -------- d-----r- c:\program files\Skype

2011-04-26 00:57 . 2011-04-26 00:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype

2011-04-20 00:48 . 2011-04-20 00:48 -------- d-----w- c:\program files\Android Notifier Desktop

2011-04-19 23:14 . 2011-04-20 05:05 -------- d-----w- c:\program files\INVedit

2011-04-16 22:28 . 2011-05-10 00:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\.minecraft

2011-04-13 10:52 . 2011-03-04 06:45 512000 ------w- c:\windows\system32\dllcache\jscript.dll

2011-04-13 10:52 . 2008-10-16 14:43 138496 ------w- c:\windows\system32\dllcache\afd.sys

2011-04-13 10:52 . 2011-03-03 06:55 149504 ------w- c:\windows\system32\dllcache\dnsapi.dll

2011-04-13 10:52 . 2009-04-20 17:17 45568 ------w- c:\windows\system32\dllcache\dnsrslvr.dll

2011-04-13 10:52 . 2008-06-20 16:02 245248 ------w- c:\windows\system32\dllcache\mswsock.dll

2011-04-13 10:52 . 2008-06-20 11:51 361600 ------w- c:\windows\system32\dllcache\tcpip.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-03-07 05:33 . 2009-12-26 05:44 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-03-04 06:45 . 2009-12-14 04:31 434176 ----a-w- c:\windows\system32\vbscript.dll

2011-03-03 13:21 . 2010-12-15 09:13 1857920 ------w- c:\windows\system32\win32k.sys

2011-02-17 13:51 . 2009-12-14 04:31 667136 ----a-w- c:\windows\system32\wininet.dll

2011-02-17 13:51 . 2009-12-14 04:31 61952 ----a-w- c:\windows\system32\tdc.ocx

2011-02-17 13:51 . 2009-12-14 04:31 81920 ----a-w- c:\windows\system32\ieencode.dll

2011-02-17 13:18 . 2009-12-14 04:31 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-02-17 13:18 . 2009-12-14 04:31 357888 ----a-w- c:\windows\system32\drivers\srv.sys

2011-02-17 12:37 . 2009-12-14 04:31 369664 ----a-w- c:\windows\system32\html.iec

2011-02-17 12:32 . 2009-12-14 04:31 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2011-02-15 12:56 . 2008-04-14 02:39 290432 ----a-w- c:\windows\system32\atmfd.dll

2011-02-09 13:53 . 2008-04-14 02:42 270848 ----a-w- c:\windows\system32\sbe.dll

2011-02-09 13:53 . 2008-04-14 02:41 186880 ----a-w- c:\windows\system32\encdec.dll

.

.

------- Sigcheck -------

.

.

.

[-] 2002-11-27 00:03 . 36678803A8030EE9A771935CFC1848BD . 52224 . . [9.0.1.56] . . c:\windows\system32\mspmsnsv.dll

.

c:\windows\System32\wscntfy.exe ... is missing !!

c:\windows\System32\regsvc.dll ... is missing !!

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.13.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.13.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.13.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-07-09 115560]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]

"nwiz"="nwiz.exe" [2007-12-05 1626112]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]

"CTSysVol"="c:\program files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]

"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]

"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-01-22 40368]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]

"LogMeIn Hamachi Ui"="c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe" [2011-03-28 1910152]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"_nltide_3"="advpack.dll" [2008-04-14 99840]

.

c:\documents and settings\Administrator\Start Menu\Programs\Startup\

CurseClientStartup.ccip [2010-8-1 0]

Dropbox.lnk - c:\documents and settings\Administrator\Application Data\Dropbox\bin\Dropbox.exe [2010-2-26 21979992]

PdaNet Desktop.lnk - c:\program files\PdaNet for Android\PdaNetPC.exe [2010-12-8 473616]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-6 28672]

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2010-6-29 805392]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"DisableCAD"= 1 (0x1)

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoResolveTrack"= 1 (0x1)

"NoSMMyPictures"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

.

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSMHelp"= 1 (0x1)

"ForceClassicControlPanel"= 1 (0x1)

"NoResolveTrack"= 1 (0x1)

"NoSMMyPictures"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2008-05-02 07:42 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

.

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^OpenOffice.org 3.2.lnk]

path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk

backup=c:\windows\pss\OpenOffice.org 3.2.lnkStartup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ralink Wireless Utility.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Ralink Wireless Utility.lnk

backup=c:\windows\pss\Ralink Wireless Utility.lnkCommon Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]

2009-10-30 11:57 369200 ----a-w- c:\program files\DAEMON Tools Lite\DTLite.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ScreenPrint32]

2003-05-16 04:36 446464 ----a-w- c:\program files\ScreenPrint32 v3\ScreenPrint32.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=

"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=

"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=

"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=

"g:\\Games\\Civilization 4\\Civilization4.exe"=

"c:\\Documents and Settings\\Administrator\\Application Data\\Dropbox\\bin\\Dropbox.exe"=

"g:\\World of Warcraft\\Launcher.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=

"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=

"g:\\World of Warcraft\\World of Warcraft\\Launcher.exe"=

"g:\\World of Warcraft\\World of Warcraft\\Blizzard Downloader.exe"=

"c:\\Program Files\\Minecraft\\Minecraft.exe"=

"c:\\Program Files\\Java\\jre6\\launch4j-tmp\\android-notifier-desktop.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\DroidCam\\DroidCamApp.exe"=

"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer.exe"=

"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer_Service.exe"=

"c:\\Documents and Settings\\Administrator\\Local Settings\\Apps\\2.0\\5KA1E6PW.MDD\\1DMA9AG2.ERN\\curs..tion_eee711038731a406_0004.0000_efb506202a7c3b08\\CurseClient.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

.

R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [10/9/2007 4:13 PM 38144]

R2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [3/28/2011 3:41 PM 1242504]

R3 DroidCam;DroidCam Virtual Audio;c:\windows\system32\drivers\droidcam.sys [4/25/2011 8:13 PM 21376]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/9/2011 3:00 AM 105592]

R3 pneteth;PdaNet Broadband;c:\windows\system32\drivers\pneteth.sys [9/29/2010 9:15 PM 13312]

S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 3:16 PM 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/4/2010 11:04 PM 135664]

S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [7/14/2009 3:51 PM 23888]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [4/4/2010 11:04 PM 135664]

S3 MayPro;TigerGame SuperJoy Box Pro Filter Service;c:\windows\system32\drivers\Maypro.sys [12/29/2010 8:35 PM 11904]

S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 11:37 PM 4640000]

S3 RTL8187B;NETGEAR WG111v3 Wireless-G USB Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [12/28/2007 6:02 PM 341504]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 3:16 PM 753504]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/27/2009 1:22 AM 691696]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - HELPSVC

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08

.

Contents of the 'Scheduled Tasks' folder

.

2011-05-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-05 04:04]

.

2011-05-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-05 04:04]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uDefault_Search_URL = hxxp://www.google.com/ie

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105

Trusted Zone: aol.com\free

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-05-09 20:19

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(1504)

c:\program files\common files\logitech\bluetooth\LBTWlgn.dll

c:\program files\common files\logitech\bluetooth\LBTServ.dll

.

- - - - - - - > 'explorer.exe'(2008)

c:\program files\Logitech\SetPoint\lgscroll.dll

c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.13.dll

c:\progra~1\WINDOW~2\wmpband.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe

c:\program files\Common Files\Symantec Shared\ccSvcHst.exe

c:\program files\Google\Update\1.3.21.53\GoogleCrashHandler.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\nvsvc32.exe

c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

c:\windows\system32\RUNDLL32.EXE

c:\windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe

c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe

c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

.

**************************************************************************

.

Completion time: 2011-05-09 20:25:21 - machine was rebooted

ComboFix-quarantined-files.txt 2011-05-10 01:25

ComboFix2.txt 2011-05-10 00:19

.

Pre-Run: 16,906,092,544 bytes free

Post-Run: 16,903,876,608 bytes free

.

- - End Of File - - 5AE458A1726375905CD377B93FF93C0B

I suppose the next logical step would be an MBAM scan? I'll wait for the OK.


Yes, we'll run Malwarebytes, but not now. Before I write the next script: do you still play World of Warcraft (WoW)? The reason I ask is that there's an open port, and if you don't play I'd like to close it.

Well, I personally don't play it, but yes the game is still played occasionally.


My son plays World of Warcraft sometimes. What a money machine Blizzard has. Okay, we are getting closer. Good job you did there!

  • Close any open browsers.
  • Open Notepad: click Start, click Run, type notepad into the box and press Enter.
  • Notepad will open.
  • Copy and paste everything from the code box into Notepad:

KILLALL::

Reglock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt onto the ComboFix.exe icon.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

Next

Update and run Malwarebytes

  • Launch Malwarebytes' Anti-Malware.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart (see Extra Note).
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

In your next reply, please include these log(s):

* Combofix.txt

* MBAM Log


ComboFix 11-05-09.02 - Administrator 05/09/2011 21:16:25.3.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1549 [GMT -5:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt

.

.

((((((((((((((((((((((((( Files Created from 2011-04-10 to 2011-05-10 )))))))))))))))))))))))))))))))

.

.

2011-05-10 01:15 . 2011-05-10 01:15 -------- d-----w- c:\windows\system32\xircom

2011-05-10 01:15 . 2011-05-10 01:15 -------- d-----w- c:\windows\system32\wbem\snmp

2011-05-10 01:15 . 2011-05-10 01:15 -------- d-----w- c:\windows\srchasst

2011-05-10 01:15 . 2011-05-10 01:15 -------- d-----w- c:\windows\msagent

2011-05-10 01:15 . 2011-05-10 01:15 -------- d-----w- c:\program files\microsoft frontpage

2011-05-03 02:03 . 2001-08-18 09:36 5632 ----a-w- c:\windows\system32\ptpusb.dll

2011-05-03 02:03 . 2008-04-14 16:42 159232 ----a-w- c:\windows\system32\ptpusd.dll

2011-05-01 23:25 . 2011-05-01 23:25 -------- d-----w- c:\program files\VS Revo Group

2011-05-01 23:01 . 2011-05-01 23:01 -------- d-----w- c:\program files\NT Registry Optimizer

2011-04-28 22:43 . 2011-04-28 22:43 -------- d-----w- c:\program files\TeamViewer

2011-04-28 02:13 . 2011-04-28 22:44 -------- d-----w- c:\documents and settings\Administrator\Application Data\TeamViewer

2011-04-27 01:51 . 2011-05-10 02:28 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\LogMeIn Hamachi

2011-04-27 01:51 . 2011-05-10 02:28 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\LogMeIn Hamachi

2011-04-27 01:50 . 2011-04-27 01:50 -------- d-----w- c:\program files\LogMeIn Hamachi

2011-04-26 01:30 . 2011-04-26 01:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM

2011-04-26 01:30 . 2011-04-26 01:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype Extras

2011-04-26 01:19 . 2011-04-26 02:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype

2011-04-26 01:13 . 2011-04-26 01:13 21376 ----a-w- c:\windows\system32\drivers\droidcam.sys

2011-04-26 01:13 . 2011-04-26 01:13 -------- d-----w- c:\program files\DroidCam

2011-04-26 00:58 . 2011-04-26 00:58 -------- d-----w- c:\program files\Common Files\Skype

2011-04-26 00:58 . 2011-04-26 00:59 -------- d-----r- c:\program files\Skype

2011-04-26 00:57 . 2011-04-26 00:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype

2011-04-20 00:48 . 2011-04-20 00:48 -------- d-----w- c:\program files\Android Notifier Desktop

2011-04-19 23:14 . 2011-04-20 05:05 -------- d-----w- c:\program files\INVedit

2011-04-16 22:28 . 2011-05-10 00:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\.minecraft

2011-04-13 10:52 . 2011-03-04 06:45 512000 ------w- c:\windows\system32\dllcache\jscript.dll

2011-04-13 10:52 . 2008-10-16 14:43 138496 ------w- c:\windows\system32\dllcache\afd.sys

2011-04-13 10:52 . 2011-03-03 06:55 149504 ------w- c:\windows\system32\dllcache\dnsapi.dll

2011-04-13 10:52 . 2009-04-20 17:17 45568 ------w- c:\windows\system32\dllcache\dnsrslvr.dll

2011-04-13 10:52 . 2008-06-20 16:02 245248 ------w- c:\windows\system32\dllcache\mswsock.dll

2011-04-13 10:52 . 2008-06-20 11:51 361600 ------w- c:\windows\system32\dllcache\tcpip.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-03-07 05:33 . 2009-12-26 05:44 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-03-04 06:45 . 2009-12-14 04:31 434176 ----a-w- c:\windows\system32\vbscript.dll

2011-03-03 13:21 . 2010-12-15 09:13 1857920 ------w- c:\windows\system32\win32k.sys

2011-02-17 13:51 . 2009-12-14 04:31 667136 ----a-w- c:\windows\system32\wininet.dll

2011-02-17 13:51 . 2009-12-14 04:31 61952 ----a-w- c:\windows\system32\tdc.ocx

2011-02-17 13:51 . 2009-12-14 04:31 81920 ----a-w- c:\windows\system32\ieencode.dll

2011-02-17 13:18 . 2009-12-14 04:31 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-02-17 13:18 . 2009-12-14 04:31 357888 ----a-w- c:\windows\system32\drivers\srv.sys

2011-02-17 12:37 . 2009-12-14 04:31 369664 ----a-w- c:\windows\system32\html.iec

2011-02-17 12:32 . 2009-12-14 04:31 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2011-02-15 12:56 . 2008-04-14 02:39 290432 ----a-w- c:\windows\system32\atmfd.dll

2011-02-09 13:53 . 2008-04-14 02:42 270848 ----a-w- c:\windows\system32\sbe.dll

2011-02-09 13:53 . 2008-04-14 02:41 186880 ----a-w- c:\windows\system32\encdec.dll

.

.

------- Sigcheck -------

.

.

.

[-] 2002-11-27 00:03 . 36678803A8030EE9A771935CFC1848BD . 52224 . . [9.0.1.56] . . c:\windows\system32\mspmsnsv.dll

.

c:\windows\System32\wscntfy.exe ... is missing !!

c:\windows\System32\regsvc.dll ... is missing !!

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.13.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.13.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.13.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-07-09 115560]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]

"nwiz"="nwiz.exe" [2007-12-05 1626112]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]

"CTSysVol"="c:\program files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]

"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]

"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-01-22 40368]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]

"LogMeIn Hamachi Ui"="c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe" [2011-03-28 1910152]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"_nltide_3"="advpack.dll" [2008-04-14 99840]

.

c:\documents and settings\Administrator\Start Menu\Programs\Startup\

CurseClientStartup.ccip [2010-8-1 0]

Dropbox.lnk - c:\documents and settings\Administrator\Application Data\Dropbox\bin\Dropbox.exe [2010-2-26 21979992]

PdaNet Desktop.lnk - c:\program files\PdaNet for Android\PdaNetPC.exe [2010-12-8 473616]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-6 28672]

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2010-6-29 805392]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"DisableCAD"= 1 (0x1)

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoResolveTrack"= 1 (0x1)

"NoSMMyPictures"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

.

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSMHelp"= 1 (0x1)

"ForceClassicControlPanel"= 1 (0x1)

"NoResolveTrack"= 1 (0x1)

"NoSMMyPictures"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2008-05-02 07:42 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

.

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^OpenOffice.org 3.2.lnk]

path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk

backup=c:\windows\pss\OpenOffice.org 3.2.lnkStartup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ralink Wireless Utility.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Ralink Wireless Utility.lnk

backup=c:\windows\pss\Ralink Wireless Utility.lnkCommon Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]

2009-10-30 11:57 369200 ----a-w- c:\program files\DAEMON Tools Lite\DTLite.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ScreenPrint32]

2003-05-16 04:36 446464 ----a-w- c:\program files\ScreenPrint32 v3\ScreenPrint32.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=

"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=

"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=

"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=

"g:\\Games\\Civilization 4\\Civilization4.exe"=

"c:\\Documents and Settings\\Administrator\\Application Data\\Dropbox\\bin\\Dropbox.exe"=

"g:\\World of Warcraft\\Launcher.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=

"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=

"g:\\World of Warcraft\\World of Warcraft\\Launcher.exe"=

"g:\\World of Warcraft\\World of Warcraft\\Blizzard Downloader.exe"=

"c:\\Program Files\\Minecraft\\Minecraft.exe"=

"c:\\Program Files\\Java\\jre6\\launch4j-tmp\\android-notifier-desktop.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\DroidCam\\DroidCamApp.exe"=

"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer.exe"=

"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer_Service.exe"=

"c:\\Documents and Settings\\Administrator\\Local Settings\\Apps\\2.0\\5KA1E6PW.MDD\\1DMA9AG2.ERN\\curs..tion_eee711038731a406_0004.0000_efb506202a7c3b08\\CurseClient.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

.

R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [10/9/2007 4:13 PM 38144]

R2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [3/28/2011 3:41 PM 1242504]

R3 DroidCam;DroidCam Virtual Audio;c:\windows\system32\drivers\droidcam.sys [4/25/2011 8:13 PM 21376]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/9/2011 3:00 AM 105592]

R3 pneteth;PdaNet Broadband;c:\windows\system32\drivers\pneteth.sys [9/29/2010 9:15 PM 13312]

S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 3:16 PM 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/4/2010 11:04 PM 135664]

S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [7/14/2009 3:51 PM 23888]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [4/4/2010 11:04 PM 135664]

S3 MayPro;TigerGame SuperJoy Box Pro Filter Service;c:\windows\system32\drivers\Maypro.sys [12/29/2010 8:35 PM 11904]

S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 11:37 PM 4640000]

S3 RTL8187B;NETGEAR WG111v3 Wireless-G USB Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [12/28/2007 6:02 PM 341504]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 3:16 PM 753504]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/27/2009 1:22 AM 691696]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08

.

Contents of the 'Scheduled Tasks' folder

.

2011-05-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-05 04:04]

.

2011-05-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-05 04:04]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uDefault_Search_URL = hxxp://www.google.com/ie

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105

Trusted Zone: aol.com\free

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-05-09 21:27

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(1504)

c:\program files\common files\logitech\bluetooth\LBTWlgn.dll

c:\program files\common files\logitech\bluetooth\LBTServ.dll

.

- - - - - - - > 'explorer.exe'(2176)

c:\program files\Logitech\SetPoint\lgscroll.dll

c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.13.dll

c:\progra~1\WINDOW~2\wmpband.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Symantec Shared\ccSvcHst.exe

c:\program files\Google\Update\1.3.21.53\GoogleCrashHandler.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\nvsvc32.exe

c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

c:\windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe

c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe

c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe

.

**************************************************************************

.

Completion time: 2011-05-09 21:35:17 - machine was rebooted

ComboFix-quarantined-files.txt 2011-05-10 02:35

ComboFix2.txt 2011-05-10 01:25

ComboFix3.txt 2011-05-10 00:19

.

Pre-Run: 16,905,871,360 bytes free

Post-Run: 16,897,150,976 bytes free

.

- - End Of File - - A16C58611D7521FD600714A855C5A760

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6542

Windows 5.1.2600 Service Pack 3

Internet Explorer 6.0.2900.5512

5/9/2011 9:42:21 PM

mbam-log-2011-05-09 (21-42-21).txt

Scan type: Quick scan

Objects scanned: 141063

Time elapsed: 4 minute(s), 14 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

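The two ComboFix logs above are read by eye in the thread: the first supplies the LOCKED REGISTRY KEYS that the Reglock:: script targets, the second the GloballyOpenPorts entry behind the World of Warcraft question, the two "... is missing !!" system files, the Security Center DisableMonitoring value and the autostart points. The script below is an added example, not part of the thread and not ComboFix's own code: it pulls those items out of a constructed log excerpt modelled on the posts above and rebuilds the Reglock:: block from the locked-keys list. The section headers and line shapes it matches are the ones visible in these logs; other ComboFix versions may print them differently. Two caveats a practitioner would apply when reading its output: the locked keys in this log belong to Adobe's Flash broker (their default values and LocalServer32 point at FlashUtil10l_ActiveX.exe), so unlocking them is harmless but is not a malware fix, and the DisableMonitoring=1 value sits under a SymantecAntiVirus subkey, which is what the installed AV writes for itself rather than a sign of tampering. The script reports; the judgement stays with the reader.

```python
"""Triage a ComboFix log: pull out the items a malware-removal helper acts on."""
import re

# Constructed excerpt modelled on the ComboFix logs posted in this thread.
# It is sample input for this example, not a complete log.
SAMPLE_LOG = r"""
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
------- Sigcheck -------
.
c:\windows\System32\wscntfy.exe ... is missing !!
c:\windows\System32\regsvc.dll ... is missing !!
.
((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-07-09 115560]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Administrator\Application Data\Dropbox\bin\Dropbox.exe [2010-2-26 21979992]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
.
"""

SECTION_RE = re.compile(r"^[-(]{3,}\s*(.+?)\s*[-)]{3,}$")   # ---- NAME ---- / (((( NAME ))))
KEY_RE = re.compile(r"^\[(HK[^\]]+)\]$")                    # [HKEY_...] / [HKLM\~\...]
DENIED_RE = re.compile(r"^@Denied: \(([^)]*)\) \((.+)\)$")  # @Denied: (A 2) (Everyone)
MISSING_RE = re.compile(r"^(.+?) \.\.\. is missing !!$")
LNK_RE = re.compile(r"^(.+?\.lnk) - (.+?)\s*\[[^\]]*\]$")   # Startup-folder shortcuts
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')
# Autostart targets living in a user profile's writable data folders.
USER_PROFILE_RE = re.compile(r"\\(application data|local settings)\\", re.IGNORECASE)


def _value(line):
    """Split a REGEDIT4-style "name"=data line; drop ComboFix's trailing [date size]."""
    m = VALUE_RE.match(line)
    if not m:
        return None
    name, data = m.groups()
    data = re.sub(r"\s*\[[^\]]*\]$", "", data).strip().strip('"')
    return name, data


def triage(log):
    """Return the findings from a ComboFix log that the thread above acts on."""
    found = {
        "locked_keys": [],           # every key listed under LOCKED REGISTRY KEYS
        "denied": [],                # (key, principal) for explicit deny ACEs
        "missing_files": [],
        "autoruns": [],              # (location, value name, target)
        "user_profile_autoruns": [], # autoruns whose target is under a user profile
        "open_ports": [],            # (value name, rule) from GloballyOpenPorts
        "monitoring_disabled": [],   # Security Center keys with DisableMonitoring=1
    }
    section, key = None, None
    for raw in log.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            section, key = m.group(1).lower(), None
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            if section == "locked registry keys":
                found["locked_keys"].append(key)
            continue
        m = DENIED_RE.match(line)
        if m and key:
            found["denied"].append((key, m.group(2)))
            continue
        m = MISSING_RE.match(line)
        if m:
            found["missing_files"].append(m.group(1))
            continue
        m = LNK_RE.match(line)
        if m:
            name, target = m.groups()
            found["autoruns"].append(("Startup folder", name, target))
            if USER_PROFILE_RE.search(target):
                found["user_profile_autoruns"].append((name, target))
            continue
        kv = _value(line)
        if not (kv and key):
            continue
        name, data = kv
        k = key.lower()
        if k.endswith("\\globallyopenports\\list"):
            found["open_ports"].append((name, data))
        elif k.endswith("\\run") or k.endswith("\\runonce"):
            found["autoruns"].append((key, name, data))
            if USER_PROFILE_RE.search(data):
                found["user_profile_autoruns"].append((name, data))
        elif "\\security center\\monitoring\\" in k and name == "DisableMonitoring":
            if data.startswith("dword:") and int(data[6:], 16) == 1:
                found["monitoring_disabled"].append(key)
    return found


def reglock_script(locked_keys):
    """Build the Reglock:: block of a CFScript from the locked-keys list."""
    return "Reglock::\n" + "".join(f"[{k}]\n" for k in locked_keys)


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for name, items in result.items():
        print(f"{name}: {items}")
    print(reglock_script(result["locked_keys"]))
```

Running it on a real log is `python triage.py < ComboFix.txt` with `SAMPLE_LOG` swapped for `sys.stdin.read()`; the Reglock:: output for the sample is exactly the block the helper posted, minus the three subkeys (Elevation, LocalServer32, TypeLib) that the sample excerpt omits.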

Looks much better! As for anti-virus software, I use the free Avira AntiVir. We'll talk about this, and about installing the recent service packs from Microsoft Windows to replace those missing files that show in your ComboFix log. For now, please do the following.

Please run this online scan to help look for remnants.

ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You may, however, need to disable your currently installed anti-virus; how to do so can be read here.

  • Please go here then click on: EOLS1.gif
  • Select the option YES, I accept the Terms of Use then click on: EOLS2.gif
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:

    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology

  • Now click on: EOLS3.gif
  • The virus signature database will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed, the online scan will begin automatically.
  • Do not touch either the mouse or keyboard during the scan, otherwise it may stall.
  • When completed, select Uninstall application on close if you so wish, but make sure you copy the logfile first!
  • Now click on: EOLS4.gif
  • Use Notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

Also, please let me know how things are running now and if you encountered any problems while you were following the instructions I posted.


Okay, I'll do that. Internet Explorer was being... odd when I was trying to do it, but it's probably because I never use it and it's outdated. It was just not loading for some reason, and trying to install the ActiveX thing told me that I had to refresh the page. I'm sure it's nothing; I'll download it with Chrome and post the results.

