Alureon Infection [Solved]


  • This topic is locked

#46
ZLynx

    Member

  • Topic Starter
  • Member
  • 38 posts
Well, I've got some bad news, I think.
After you first asked me to do the scan I tried running the program a couple of times in normal mode, and got a blue screen twice. So, yesterday morning I booted in safe mode and ran the scan there. Everything was going fine (12+ hours of scan time) and then, once it finished, I went to save the results, and BAM, blue screen.

So I don't have the results of the Dr. Web scan. Would you like me to run it again? As I recall there was one incurable file. I don't remember the name, however, but it was different from all the "releaseengineer" files.

Let me know. And also did you want me to run an OTL scan? You mentioned something about posting a new OTL log. I wasn't clear on that from the last sentence of your last post.
  • 0

#47
SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Hello,

Could you please attempt to run a new scan with Dr. Web? I'd like you to delete the copy you have and download a fresh version from one of the links previously provided. If at all possible, could you please write down any infections it finds on a piece of paper, making sure you note the file location as well as what it is being detected as?
  • 0

#48
ZLynx

    Member

  • Topic Starter
  • Member
  • 38 posts
Yup, I'll get that started right away; hopefully it's done by tomorrow morning before I head to work.
  • 0

#49
SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
:)
  • 0

#50
ZLynx

    Member

  • Topic Starter
  • Member
  • 38 posts
OK, well, it crashed again, but I took screenshots of the results before the crash. The file names are fairly long, lol.

#1. FileListe1.vbe C:\Documents and Settings\Stu\DoctorWeb\Quarantine Modification of vbs.generic.398 Moved
#2. FileListe0.vbe C:\Documents and Settings\Stu\DoctorWeb\Quarantine Modification of vbs.generic.398 Moved
#3. {A554CC7A-50BD-4D67-9366-E2612179D8F90.QBD C:\Documents and Settings\Stu\DoctorWeb\Quarantine Trojan.DownLoad1.58684 Moved
#4. {89AA56B6-BFBF-4959-80A4-A7DD9A51AEC30.QBD C:\Documents and Settings\Stu\DoctorWeb\Quarantine Trojan.DownLoad1.58684 Moved
#5. {2918FC7D-7001-478E-9AFC-D9ECE9FD13FA.QBD C:\Documents and Settings\Stu\DoctorWeb\Quarantine Trojan.DownLoad1.58684 Moved
#6. 11660962-5D2A-4010-9CE6-6222B462EE220.QBD C:\Documents and Settings\Stu\DoctorWeb\Quarantine Trojan.DownLoad1.58684 Moved

#5 was also found in C:\Documents and Settings\AllUsers\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\QBackup\{CE986011-C049-41B9-9294-EC2CF2C60D6}
  • 0

#51
ZLynx

    Member

  • Topic Starter
  • Member
  • 38 posts
Also, the first time I ran it, it found a backdoor virus named pci.sys.vir (Backdoor.Tidserv.I!inf) but it didn't pick it up again on the next scan.

Edited by ZLynx, 29 May 2010 - 11:13 AM.

  • 0

#52
SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Could you do me a favor and do a new scan with ComboFix? If it prompts you to update your version, please allow it to do so.
  • 0

#53
ZLynx

    Member

  • Topic Starter
  • Member
  • 38 posts
ComboFix 10-05-28.08 - Stu 05/29/2010 11:33:06.8.1 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1526.712 [GMT -6:00]
Running from: c:\users\Stu\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\releaseengineer\Application Data\64dlls.exe
c:\documents and settings\releaseengineer\Application Data\intel64.exe
c:\documents and settings\releaseengineer\Application Data\localsys64.exe
c:\documents and settings\releaseengineer\Application Data\ntos.exe
c:\documents and settings\releaseengineer\Application Data\oembios.exe
c:\documents and settings\releaseengineer\Application Data\sdra64.exe
c:\documents and settings\releaseengineer\Application Data\sdra73.exe
c:\documents and settings\releaseengineer\Application Data\swin32.exe
c:\documents and settings\releaseengineer\Application Data\twex.exe
c:\documents and settings\releaseengineer\Application Data\twext.exe
c:\documents and settings\releaseengineer\Application Data\wsnpoema.exe

.
((((((((((((((((((((((((( Files Created from 2010-04-28 to 2010-05-29 )))))))))))))))))))))))))))))))
.

2010-05-29 17:44 . 2010-05-29 17:44 -------- d-----w- c:\users\Stu\AppData\Local\temp
2010-05-29 17:44 . 2010-05-29 17:44 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-05-29 17:44 . 2010-05-29 17:44 -------- d-----w- c:\users\Guest\AppData\Local\temp
2010-05-29 17:44 . 2010-05-29 17:44 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-26 11:01 . 2010-04-23 14:13 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-23 22:05 . 2010-05-24 12:45 -------- d-----w- c:\users\Stu\DoctorWeb
2010-05-21 15:50 . 2010-05-29 17:33 -------- d-----w- c:\users\Stu\AppData\Local\CrashDumps
2010-05-18 18:53 . 2010-05-18 18:53 -------- d-----w- c:\users\Stu\Office Genuine Advantage
2010-05-18 17:17 . 2010-05-18 17:17 -------- d-----w- c:\users\Stu\AppData\Local\Yahoo!
2010-05-17 20:13 . 2010-05-17 20:13 -------- d-----w- c:\program files\Foxit Software
2010-05-16 20:25 . 2010-05-16 20:25 -------- d-----w- c:\program files\ESET
2010-05-16 19:28 . 2010-04-12 23:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-16 17:30 . 2010-05-16 17:30 -------- d-----w- C:\_OTL
2010-05-15 19:16 . 2010-05-15 19:16 -------- d-----w- c:\program files\ERUNT
2010-05-12 21:39 . 2010-05-15 19:08 -------- d-----w- c:\windows\system32\MpEngineStore
2010-05-12 09:59 . 2010-01-29 15:40 738816 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-10 20:01 . 2010-05-10 20:01 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help
2010-05-04 23:40 . 2010-05-06 16:36 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-04 18:59 . 2010-05-04 18:58 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-04 18:50 . 2010-05-04 18:51 -------- d-----w- c:\program files\Lavasoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-29 17:28 . 2009-08-11 05:03 -------- d-----w- c:\program files\Common Files\Akamai
2010-05-28 17:53 . 2009-08-11 05:03 -------- d-----w- c:\users\Stu\AppData\Roaming\Metacafe
2010-05-25 12:32 . 2009-02-24 05:40 6756 ----a-w- c:\users\Stu\AppData\Local\d3d9caps.dat
2010-05-17 20:11 . 2008-03-19 17:05 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-17 20:08 . 2008-01-23 03:35 -------- d-----w- c:\program files\Java
2010-05-16 19:28 . 2008-01-23 03:29 -------- d-----w- c:\program files\Common Files\Java
2010-05-16 18:57 . 2009-03-24 03:56 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-05-16 18:57 . 2009-03-24 03:56 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-05-16 18:57 . 2009-03-24 03:56 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-05-16 18:57 . 2009-03-24 03:56 -------- d-----w- c:\program files\Symantec
2010-05-16 07:18 . 2010-04-28 18:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-12 18:28 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-05-11 01:21 . 2007-12-29 05:17 140608 ----a-w- c:\users\Stu\AppData\Local\GDIPFONTCACHEV1.DAT
2010-05-10 19:45 . 2008-03-03 19:00 -------- d-----w- c:\program files\Microsoft Works
2010-05-04 19:29 . 2008-09-10 20:17 -------- d-----w- c:\program files\iWin Games
2010-04-30 16:20 . 2008-01-23 03:39 -------- d-----w- c:\users\Stu\AppData\Roaming\LimeWire
2010-04-29 21:39 . 2010-04-28 18:43 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 21:39 . 2010-04-28 18:43 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-28 18:43 . 2010-04-28 18:43 -------- d-----w- c:\users\Stu\AppData\Roaming\Malwarebytes
2010-04-27 00:48 . 2010-04-26 23:33 256 ----a-w- c:\windows\system32\pool.bin
2010-04-26 23:50 . 2010-04-26 23:50 -------- d-----w- c:\users\Stu\AppData\Roaming\Roxio
2010-04-26 23:33 . 2010-04-26 23:33 -------- d-----w- c:\users\Stu\AppData\Roaming\Research In Motion
2010-04-26 23:02 . 2010-04-26 23:00 -------- d-----w- c:\program files\Common Files\Roxio Shared
2010-04-26 23:02 . 2010-04-26 23:02 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2010-04-26 23:02 . 2010-04-26 23:01 -------- d-----w- c:\program files\Roxio
2010-04-26 23:01 . 2010-04-26 23:01 -------- d-----w- c:\program files\Common Files\Sonic Shared
2010-04-26 23:01 . 2007-08-02 09:53 -------- d-----w- c:\program files\Common Files\InstallShield
2010-04-26 22:42 . 2010-04-26 22:41 -------- d-----w- c:\program files\Common Files\Research In Motion
2010-04-26 22:41 . 2010-04-26 22:41 -------- d-----w- c:\program files\Research In Motion
2010-04-21 18:04 . 2010-04-21 18:04 -------- d-----w- c:\program files\NOS
2010-03-09 16:25 . 2010-04-23 16:50 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-09 15:42 . 2010-04-23 16:50 834048 ----a-w- c:\windows\system32\wininet.dll
2010-03-08 01:05 . 2010-03-08 01:05 64505 ----a-w- c:\users\Stu\AppData\Roaming\NeuLion\AdaptivePlugin\uninst.exe
2010-03-04 17:33 . 2010-04-23 16:50 430080 ----a-w- c:\windows\system32\vbscript.dll
2008-06-30 19:44 . 2008-08-31 08:42 324976 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\users\Stu\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-04-16 133104]
"SkinClock"="c:\program files\Atomic Alarm Clock\AtomicAlarmClock.exe" [2008-09-30 1739776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"RtHDVCpl"="RtHDVCpl.exe" [2007-07-06 4669440]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-05-09 865840]
"PCMService"="c:\program files\Acer\Acer Arcade\PCMService.exe" [2007-06-22 155648]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-04-25 457216]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2007-07-12 846344]
"Acer Assist Launcher"="c:\program files\Acer Assist\launcher.exe" [2007-02-02 1261568]
"Acer Product Registration"="c:\program files\Acer Registration\ACE1.exe" [2007-02-02 3383296]
"lxddmon.exe"="c:\program files\Lexmark 2500 Series\lxddmon.exe" [2007-05-04 291760]
"lxddamon"="c:\program files\Lexmark 2500 Series\lxddamon.exe" [2007-03-05 20480]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-05-04 312240]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-01-16 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-01-16 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-01-16 150552]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-01-07 1468296]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-01-22 198160]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2008-11-23 615696]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-11-10 236016]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]

c:\users\Stu\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):39,0a,fc,b0,44,39,ca,01

R0 ntcdrdrv;ntcdrdrv;c:\windows\system32\DRIVERS\ntcdrdrv.sys [x]
R2 AtomicAlarmClock;Atomic Alarm Clock Time;c:\program files\Atomic Alarm Clock\timeserv.exe [2008-09-29 415744]
R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\System32\Drivers\N360\0308000.029\SYMNDISV.SYS [x]
S0 OCDE;ZTekWare Original CD Emulator Service;c:\windows\System32\Drivers\OCDE.sys [2007-08-26 30480]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0402000.00C\SYMDS.SYS [2010-02-04 328752]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0402000.00C\SYMEFA.SYS [2010-04-22 173104]
S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\BASHDefs\20100429.001\BHDrvx86.sys [2010-04-29 537136]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0402000.00C\ccHPx86.sys [2010-02-26 501888]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\IPSDefs\20100520.001\IDSvix86.sys [2009-10-28 343088]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0402000.00C\Ironx86.SYS [2010-04-29 116784]
S1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\System32\Drivers\N360\0402000.00C\SYMTDIV.SYS [2010-05-06 339504]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2008-01-19 21504]
S2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe [2007-04-26 537520]
S2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\lxddserv.exe [2007-04-26 99248]
S2 N360;Norton 360;c:\program files\Norton 360\Engine\4.2.0.12\ccSvcHst.exe [2010-02-26 126392]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-05-27 102448]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
Akamai REG_MULTI_SZ Akamai
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-05-29 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-04-24 22:15]

2010-05-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2381161337-1183444262-2068861460-1000Core.job
- c:\users\Stu\AppData\Local\Google\Update\GoogleUpdate.exe [2009-04-16 06:02]

2010-05-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2381161337-1183444262-2068861460-1000UA.job
- c:\users\Stu\AppData\Local\Google\Update\GoogleUpdate.exe [2009-04-16 06:02]

2010-05-28 c:\windows\Tasks\User_Feed_Synchronization-{8CAA04C7-6A35-458B-8BD5-3FC5BD7F1DD3}.job
- c:\windows\system32\msfeedssync.exe [2008-08-20 07:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://en.us.acer.yahoo.com
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\users\Stu\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IMVU\Run IMVU.lnk
FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-29 11:44
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\4.2.0.12\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\4.2.0.12\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-05-29 11:51:24
ComboFix-quarantined-files.txt 2010-05-29 17:51
ComboFix2.txt 2010-05-23 19:02
ComboFix3.txt 2010-05-19 00:37
ComboFix4.txt 2010-05-18 02:20
ComboFix5.txt 2010-05-29 17:20

Pre-Run: 1,397,792,768 bytes free
Post-Run: 1,183,780,864 bytes free

- - End Of File - - B1B5A390DE402D2EFE0A70B9A35527F3
  • 0
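A triage script for the ComboFix log layout posted above, added here as an example (it is not part of the thread and not ComboFix's own code): it splits a constructed excerpt into ComboFix's "(((( Title ))))" sections and flags the UAC-off setting (EnableLUA = 0) that the Security Check log later confirms, Security Center monitoring being disabled, and executables removed from a user profile's Application Data folder. The sample excerpt, function names and finding labels are assumptions of this example.

```python
"""Triage helper for the ComboFix log layout seen in this thread.

Added example, not ComboFix's own code. It groups log lines by ComboFix
section header and reports three things a responder would want confirmed:
executables dropped under a profile's Application Data folder (from the
"Other Deletions" list), UAC switched off (EnableLUA = 0), and Security
Center monitoring disabled (both in "Reg Loading Points").
"""
import re
from dataclasses import dataclass

# Constructed excerpt that copies the layout of the log posted in this thread.
SAMPLE_LOG = r"""
ComboFix 10-05-28.08 - Stu 05/29/2010 11:33:06.8.1 - x86
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\releaseengineer\Application Data\ntos.exe
c:\documents and settings\releaseengineer\Application Data\sdra64.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):39,0a,fc,b0,44,39,ca,01
"""

SECTION_HEADER = re.compile(r"^\(+\s*(.+?)\s*\)+$")
REG_KEY = re.compile(r"^\[(.+)\]$")
REG_VALUE = re.compile(r'^"([^"]+)"\s*=\s*(.+)$')
# An executable anywhere below a profile's "Application Data" / "AppData" folder.
PROFILE_EXE = re.compile(
    r"^[a-z]:\\(?:documents and settings|users)\\([^\\]+)\\"
    r"(?:application data|appdata)\\.*\.(?:exe|dll|sys)$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    kind: str    # short label for the finding type (assumed naming)
    detail: str  # the log line or registry key that triggered it


def split_sections(text):
    """Group non-empty lines under the ComboFix section header above them."""
    sections = {"": []}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_HEADER.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif line and line != ".":
            sections[current].append(line)
    return sections


def dword_value(value):
    """Integer of a 'dword:XXXXXXXX' registry value, or None for other types."""
    if value.lower().startswith("dword:"):
        return int(value[6:], 16)
    return None


def triage(log_text):
    sections = split_sections(log_text)
    findings = []

    # 1. Anything ComboFix removed from a profile's Application Data folder.
    for line in sections.get("Other Deletions", []):
        if PROFILE_EXE.match(line):
            findings.append(Finding("profile-appdata-executable", line))

    # 2. Walk the REGEDIT4-style dump: remember the current key, inspect values.
    key = ""
    for line in sections.get("Reg Loading Points", []):
        key_match = REG_KEY.match(line)
        if key_match:
            key = key_match.group(1).lower()
            continue
        value_match = REG_VALUE.match(line)
        if not value_match:
            continue
        name, value = value_match.group(1), value_match.group(2).strip()
        if key.endswith(r"\policies\system") and name == "EnableLUA":
            # ComboFix prints this value as "0 (0x0)"; 0 means UAC is off.
            if value.split()[0] == "0":
                findings.append(Finding("uac-disabled", key))
        elif r"\security center\monitoring" in key and name == "DisableMonitoring":
            if dword_value(value) == 1:
                findings.append(Finding("security-center-monitoring-disabled", key))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding.kind:40} {finding.detail}")
```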

#54
SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Hello,

WINDOWS DEFENDER
  • Click Start > Programs > Windows Defender or launch from the system tray icon.
  • Click on Tools & Settings > Options.
  • Under Real-time protection options, uncheck the "Real-time protection" check box.
  • Click Save.
  • Go to Start > Control Panel > Security > Windows Defender; at the bottom of the Windows Defender page, under Administrator Options, uncheck "Use Windows Defender" and then Save.
  • (When we are done, you can re-enable Defender using the same steps but this time place a check next to "Turn on real-time protection" check box.)


ComboFix Script
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run, type Notepad, and click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

KillAll::
Suspect::[100]
C:\Qoobox\Quarantine\c\documents and settings\releaseengineer\Application Data\64dlls.exe.vir
C:\Qoobox\Quarantine\c\documents and settings\releaseengineer\Application Data\intel64.exe.vir
C:\Qoobox\Quarantine\c\documents and settings\releaseengineer\Application Data\localsys64.exe.vir
C:\Qoobox\Quarantine\c\documents and settings\releaseengineer\Application Data\ntos.exe.vir
C:\Qoobox\Quarantine\c\documents and settings\releaseengineer\Application Data\oembios.exe.vir
C:\Qoobox\Quarantine\c\documents and settings\releaseengineer\Application Data\sdra64.exe.vir
C:\Qoobox\Quarantine\c\documents and settings\releaseengineer\Application Data\sdra73.exe.vir
C:\Qoobox\Quarantine\c\documents and settings\releaseengineer\Application Data\swin32.exe.vir
C:\Qoobox\Quarantine\c\documents and settings\releaseengineer\Application Data\twex.exe.vir
C:\Qoobox\Quarantine\c\documents and settings\releaseengineer\Application Data\twext.exe.vir
C:\Qoobox\Quarantine\c\documents and settings\releaseengineer\Application Data\wsnpoema.exe.vir

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop. Save it as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT:



Security Check
Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Edited by SweetTech, 31 May 2010 - 08:54 AM.

  • 0

#55
SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Are you still with me?
  • 0

#56
ZLynx

    Member

  • Topic Starter
  • Member
  • 38 posts
Yes, I am; sorry about that.
Where does ComboFix store the logs it produces? I forgot to save it manually to my desktop, so I can't find it.
Here's the Security Check log.
Results of screen317's Security Check version 0.99.4
Windows Vista Service Pack 2 (UAC is disabled!)
Internet Explorer 7 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
ESET Online Scanner v3
Norton 360
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Ad-Aware
Malwarebytes' Anti-Malware
Java™ 6 Update 20
Java™ 6 Update 4
Java™ 6 Update 5
Out of date Java installed!
Adobe Flash Player 10.0.32.18
Chinese Simplified Fonts Support For Adobe Reader 9
Mozilla Firefox (3.6.3)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Norton ccSvcHst.exe
Ad-Aware AAWService.exe is disabled!
Ad-Aware AAWTray.exe is disabled!
Empowering Technology eSettings Service capuserv.exe
````````````````````````````````
DNS Vulnerability Check:


``````````End of Log````````````
  • 0

#57
SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Locating ComboFix Log
  • Right click on START on the left end of your Windows toolbar (lower left corner of your screen)
  • Click on Explore
  • Click on Local Disk (C:) in the left-hand window pane
  • Look for ComboFix.txt in the right-hand window pane and right click on it
  • Put your cursor (arrow) on Open With
  • Move your cursor to the new menu that opens and click on Choose Program...
  • Click on Notepad

When the file opens, copy/paste the text here.
  • 0

#58
ZLynx

    Member

  • Topic Starter
  • Member
  • 38 posts
Found it! :)

ComboFix 10-05-28.08 - Stu 06/02/2010 22:48:26.9.1 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1526.693 [GMT -6:00]
Running from: c:\users\Stu\Desktop\ComboFix.exe
Command switches used :: c:\users\Stu\Desktop\cfscript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\releaseengineer\Application Data\64dlls.exe
c:\documents and settings\releaseengineer\Application Data\intel64.exe
c:\documents and settings\releaseengineer\Application Data\localsys64.exe
c:\documents and settings\releaseengineer\Application Data\ntos.exe
c:\documents and settings\releaseengineer\Application Data\oembios.exe
c:\documents and settings\releaseengineer\Application Data\sdra64.exe
c:\documents and settings\releaseengineer\Application Data\sdra73.exe
c:\documents and settings\releaseengineer\Application Data\swin32.exe
c:\documents and settings\releaseengineer\Application Data\twex.exe
c:\documents and settings\releaseengineer\Application Data\twext.exe
c:\documents and settings\releaseengineer\Application Data\wsnpoema.exe

.
((((((((((((((((((((((((( Files Created from 2010-05-03 to 2010-06-03 )))))))))))))))))))))))))))))))
.

2010-06-03 05:03 . 2010-06-03 05:05 -------- d-----w- c:\users\Stu\AppData\Local\temp
2010-06-03 05:03 . 2010-06-03 05:03 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-06-03 05:03 . 2010-06-03 05:03 -------- d-----w- c:\users\Guest\AppData\Local\temp
2010-06-03 05:03 . 2010-06-03 05:03 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-06-03 04:33 . 2010-06-03 04:34 -------- d-----w- C:\32788R22FWJFW
2010-05-26 11:01 . 2010-04-23 14:13 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-23 22:05 . 2010-05-24 12:45 -------- d-----w- c:\users\Stu\DoctorWeb
2010-05-21 15:50 . 2010-05-29 17:33 -------- d-----w- c:\users\Stu\AppData\Local\CrashDumps
2010-05-18 18:53 . 2010-05-18 18:53 -------- d-----w- c:\users\Stu\Office Genuine Advantage
2010-05-18 17:17 . 2010-05-18 17:17 -------- d-----w- c:\users\Stu\AppData\Local\Yahoo!
2010-05-17 20:13 . 2010-05-17 20:13 -------- d-----w- c:\program files\Foxit Software
2010-05-16 20:25 . 2010-05-16 20:25 -------- d-----w- c:\program files\ESET
2010-05-16 19:28 . 2010-04-12 23:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-16 17:30 . 2010-05-16 17:30 -------- d-----w- C:\_OTL
2010-05-15 19:16 . 2010-05-15 19:16 -------- d-----w- c:\program files\ERUNT
2010-05-12 21:39 . 2010-05-15 19:08 -------- d-----w- c:\windows\system32\MpEngineStore
2010-05-12 09:59 . 2010-01-29 15:40 738816 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-10 20:01 . 2010-05-10 20:01 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help
2010-05-04 23:40 . 2010-05-06 16:36 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-04 18:59 . 2010-05-04 18:58 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-04 18:50 . 2010-05-04 18:51 -------- d-----w- c:\program files\Lavasoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-03 05:07 . 2009-08-11 05:03 -------- d-----w- c:\program files\Common Files\Akamai
2010-06-03 03:49 . 2007-08-02 09:23 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-28 17:53 . 2009-08-11 05:03 -------- d-----w- c:\users\Stu\AppData\Roaming\Metacafe
2010-05-25 12:32 . 2009-02-24 05:40 6756 ----a-w- c:\users\Stu\AppData\Local\d3d9caps.dat
2010-05-17 20:11 . 2008-03-19 17:05 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-17 20:08 . 2008-01-23 03:35 -------- d-----w- c:\program files\Java
2010-05-16 19:28 . 2008-01-23 03:29 -------- d-----w- c:\program files\Common Files\Java
2010-05-16 18:57 . 2009-03-24 03:56 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-05-16 18:57 . 2009-03-24 03:56 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-05-16 18:57 . 2009-03-24 03:56 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-05-16 18:57 . 2009-03-24 03:56 -------- d-----w- c:\program files\Symantec
2010-05-16 07:18 . 2010-04-28 18:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-12 18:28 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-05-11 01:21 . 2007-12-29 05:17 140608 ----a-w- c:\users\Stu\AppData\Local\GDIPFONTCACHEV1.DAT
2010-05-10 19:45 . 2008-03-03 19:00 -------- d-----w- c:\program files\Microsoft Works
2010-05-04 19:29 . 2008-09-10 20:17 -------- d-----w- c:\program files\iWin Games
2010-04-30 16:20 . 2008-01-23 03:39 -------- d-----w- c:\users\Stu\AppData\Roaming\LimeWire
2010-04-29 21:39 . 2010-04-28 18:43 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 21:39 . 2010-04-28 18:43 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-28 18:43 . 2010-04-28 18:43 -------- d-----w- c:\users\Stu\AppData\Roaming\Malwarebytes
2010-04-27 00:48 . 2010-04-26 23:33 256 ----a-w- c:\windows\system32\pool.bin
2010-04-26 23:50 . 2010-04-26 23:50 -------- d-----w- c:\users\Stu\AppData\Roaming\Roxio
2010-04-26 23:33 . 2010-04-26 23:33 -------- d-----w- c:\users\Stu\AppData\Roaming\Research In Motion
2010-04-26 23:02 . 2010-04-26 23:00 -------- d-----w- c:\program files\Common Files\Roxio Shared
2010-04-26 23:02 . 2010-04-26 23:02 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2010-04-26 23:02 . 2010-04-26 23:01 -------- d-----w- c:\program files\Roxio
2010-04-26 23:01 . 2010-04-26 23:01 -------- d-----w- c:\program files\Common Files\Sonic Shared
2010-04-26 23:01 . 2007-08-02 09:53 -------- d-----w- c:\program files\Common Files\InstallShield
2010-04-26 22:42 . 2010-04-26 22:41 -------- d-----w- c:\program files\Common Files\Research In Motion
2010-04-26 22:41 . 2010-04-26 22:41 -------- d-----w- c:\program files\Research In Motion
2010-04-21 18:04 . 2010-04-21 18:04 -------- d-----w- c:\program files\NOS
2010-03-09 16:25 . 2010-04-23 16:50 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-09 15:42 . 2010-04-23 16:50 834048 ----a-w- c:\windows\system32\wininet.dll
2010-03-08 01:05 . 2010-03-08 01:05 64505 ----a-w- c:\users\Stu\AppData\Roaming\NeuLion\AdaptivePlugin\uninst.exe
2008-06-30 19:44 . 2008-08-31 08:42 324976 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\users\Stu\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-04-16 133104]
"SkinClock"="c:\program files\Atomic Alarm Clock\AtomicAlarmClock.exe" [2008-09-30 1739776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"RtHDVCpl"="RtHDVCpl.exe" [2007-07-06 4669440]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-05-09 865840]
"PCMService"="c:\program files\Acer\Acer Arcade\PCMService.exe" [2007-06-22 155648]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-04-25 457216]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2007-07-12 846344]
"Acer Assist Launcher"="c:\program files\Acer Assist\launcher.exe" [2007-02-02 1261568]
"Acer Product Registration"="c:\program files\Acer Registration\ACE1.exe" [2007-02-02 3383296]
"lxddmon.exe"="c:\program files\Lexmark 2500 Series\lxddmon.exe" [2007-05-04 291760]
"lxddamon"="c:\program files\Lexmark 2500 Series\lxddamon.exe" [2007-03-05 20480]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-05-04 312240]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-01-16 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-01-16 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-01-16 150552]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-01-07 1468296]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-01-22 198160]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2008-11-23 615696]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-11-10 236016]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]

c:\users\Stu\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):39,0a,fc,b0,44,39,ca,01

R0 ntcdrdrv;ntcdrdrv;c:\windows\system32\DRIVERS\ntcdrdrv.sys [x]
R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\System32\Drivers\N360\0308000.029\SYMNDISV.SYS [x]
S0 OCDE;ZTekWare Original CD Emulator Service;c:\windows\System32\Drivers\OCDE.sys [2007-08-26 30480]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0402000.00C\SYMDS.SYS [2010-02-04 328752]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0402000.00C\SYMEFA.SYS [2010-04-22 173104]
S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\BASHDefs\20100429.001\BHDrvx86.sys [2010-04-29 537136]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0402000.00C\ccHPx86.sys [2010-02-26 501888]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\IPSDefs\20100528.003\IDSvix86.sys [2010-05-28 344112]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0402000.00C\Ironx86.SYS [2010-04-29 116784]
S1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\System32\Drivers\N360\0402000.00C\SYMTDIV.SYS [2010-05-06 339504]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2008-01-19 21504]
S2 AtomicAlarmClock;Atomic Alarm Clock Time;c:\program files\Atomic Alarm Clock\timeserv.exe [2008-09-29 415744]
S2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe [2007-04-26 537520]
S2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\lxddserv.exe [2007-04-26 99248]
S2 N360;Norton 360;c:\program files\Norton 360\Engine\4.2.0.12\ccSvcHst.exe [2010-02-26 126392]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-05-27 102448]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
Akamai REG_MULTI_SZ Akamai
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-06-03 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-04-24 22:15]

2010-06-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2381161337-1183444262-2068861460-1000Core.job
- c:\users\Stu\AppData\Local\Google\Update\GoogleUpdate.exe [2009-04-16 06:02]

2010-06-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2381161337-1183444262-2068861460-1000UA.job
- c:\users\Stu\AppData\Local\Google\Update\GoogleUpdate.exe [2009-04-16 06:02]

2010-06-02 c:\windows\Tasks\User_Feed_Synchronization-{8CAA04C7-6A35-458B-8BD5-3FC5BD7F1DD3}.job
- c:\windows\system32\msfeedssync.exe [2008-08-20 07:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://en.us.acer.yahoo.com
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\users\Stu\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IMVU\Run IMVU.lnk
FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-02 23:08
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\4.2.0.12\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\4.2.0.12\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(5600)
c:\windows\system32\MsnChatHook.dll
c:\windows\system32\ShowErrMsg.dll
c:\windows\system32\sysenv.dll
c:\windows\system32\BatchCrypto.dll
c:\windows\system32\CryptoAPI.dll
c:\windows\system32\keyManager.dll
c:\acer\Empowering Technology\EPOWER\SysHook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
c:\program files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
c:\acer\Empowering Technology\eDataSecurity\eDSService.exe
c:\acer\Empowering Technology\eLock\Service\eLockServ.exe
c:\acer\Empowering Technology\eNet\eNet Service.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\spool\DRIVERS\W32X86\3\lxddserv.exe
c:\acer\Mobility Center\MobilityService.exe
c:\nexon\Mabinogi\npkcmsvc.exe
c:\windows\system32\DllHost.exe
c:\windows\RtHDVCpl.exe
c:\program files\Launch Manager\LManager.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\igfxext.exe
c:\acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
c:\acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
c:\acer\Empowering Technology\eRecovery\ERAGENT.EXE
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
c:\acer\Empowering Technology\eRecovery\eRecoveryService.exe
c:\acer\Empowering Technology\eSettings\Service\capuserv.exe
c:\acer\Empowering Technology\ePower\ePowerSvc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\users\Stu\AppData\Local\Temp\RtkBtMnt.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2010-06-02 23:15:13 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-03 05:15
ComboFix2.txt 2010-05-29 17:51
ComboFix3.txt 2010-05-23 19:02
ComboFix4.txt 2010-05-19 00:37
ComboFix5.txt 2010-06-03 04:31

Pre-Run: 798,715,904 bytes free
Post-Run: 1,203,666,944 bytes free

- - End Of File - - 61FE91A04D25EB867D124381821C3594

#59
SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Download and run OTM

Download OTM by Old Timer and save it to your Desktop.
  • Double-click OTM.exe to run it.
  • Paste the following code under the Posted Image area. Do not include the word Code.
    :Files
    c:\documents and settings\releaseengineer\Application Data\64dlls.exe
    c:\documents and settings\releaseengineer\Application Data\intel64.exe
    c:\documents and settings\releaseengineer\Application Data\localsys64.exe
    c:\documents and settings\releaseengineer\Application Data\ntos.exe
    c:\documents and settings\releaseengineer\Application Data\oembios.exe
    c:\documents and settings\releaseengineer\Application Data\sdra64.exe
    c:\documents and settings\releaseengineer\Application Data\sdra73.exe
    c:\documents and settings\releaseengineer\Application Data\swin32.exe
    c:\documents and settings\releaseengineer\Application Data\twex.exe
    c:\documents and settings\releaseengineer\Application Data\twext.exe
    c:\documents and settings\releaseengineer\Application Data\wsnpoema.exe
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [start explorer]
    [Reboot]
  • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
  • Push the large Posted Image button.
  • OTM may ask to reboot the machine. Please do so if asked.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.

NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

#60
ZLynx

    Member

  • Topic Starter
  • Member
  • PipPip
  • 38 posts
OTM actually brings up the log on restart so I didn't have to find it.

All processes killed
========== FILES ==========
File/Folder c:\documents and settings\releaseengineer\Application Data\64dlls.exe not found.
File/Folder c:\documents and settings\releaseengineer\Application Data\intel64.exe not found.
File/Folder c:\documents and settings\releaseengineer\Application Data\localsys64.exe not found.
File/Folder c:\documents and settings\releaseengineer\Application Data\ntos.exe not found.
File/Folder c:\documents and settings\releaseengineer\Application Data\oembios.exe not found.
File/Folder c:\documents and settings\releaseengineer\Application Data\sdra64.exe not found.
File/Folder c:\documents and settings\releaseengineer\Application Data\sdra73.exe not found.
File/Folder c:\documents and settings\releaseengineer\Application Data\swin32.exe not found.
File/Folder c:\documents and settings\releaseengineer\Application Data\twex.exe not found.
File/Folder c:\documents and settings\releaseengineer\Application Data\twext.exe not found.
File/Folder c:\documents and settings\releaseengineer\Application Data\wsnpoema.exe not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes

User: Guest
->Temp folder emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

User: Stu
->Temp folder emptied: 40880064 bytes
->Java cache emptied: 12142718 bytes
->FireFox cache emptied: 86028203 bytes
->Google Chrome cache emptied: 16516215 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 264 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 673600 bytes
%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 149.00 mb


OTM by OldTimer - Version 3.1.12.2 log created on 06032010_145824

Files moved on Reboot...
File move failed. C:\Windows\temp\CLML_AGENT_LOG1.txt scheduled to be moved on reboot.
File C:\Windows\temp\sqlite_NYphbei0PNtS33g not found!

Registry entries deleted on Reboot...