[SweetTech]

Hi!

Please run this utility:


Running ComboFix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon.
They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

• Double click on ComboFix.exe & follow the prompts.
• Accept the disclaimer and allow to update if it asks
  
  
• When finished, it shall produce a log for you.
• Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please make sure you include the ComboFix log in your next reply as well as describe how your computer is running now

[Advertisements]

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-10-27 13:55:11
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1.GIB\LOCALS~1\Temp\kxtdrpoc.sys


---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000272111972
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\000272111972 (not active ControlSet)

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\administrator.GIBRALTARDESIGN\Cookies\CFEF35I4.txt 920 bytes
File C:\Documents and Settings\administrator.GIBRALTARDESIGN\Cookies\MS3QAJ2U.txt 0 bytes
File C:\Documents and Settings\administrator.GIBRALTARDESIGN\Cookies\NRF6LNW3.txt 0 bytes
File C:\Documents and Settings\administrator.GIBRALTARDESIGN\Local Settings\Temporary Internet Files\Content.IE5\F04ZM3PL\GetAdDirector_BannerCreative[1].htm 3785 bytes

---- EOF - GMER 1.0.15 ----

[Matasovsky]

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-10-27 13:55:11
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1.GIB\LOCALS~1\Temp\kxtdrpoc.sys


---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000272111972
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\000272111972 (not active ControlSet)

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\administrator.GIBRALTARDESIGN\Cookies\CFEF35I4.txt 920 bytes
File C:\Documents and Settings\administrator.GIBRALTARDESIGN\Cookies\MS3QAJ2U.txt 0 bytes
File C:\Documents and Settings\administrator.GIBRALTARDESIGN\Cookies\NRF6LNW3.txt 0 bytes
File C:\Documents and Settings\administrator.GIBRALTARDESIGN\Local Settings\Temporary Internet Files\Content.IE5\F04ZM3PL\GetAdDirector_BannerCreative[1].htm 3785 bytes

---- EOF - GMER 1.0.15 ----

[SweetTech]

Hi!

It looks like you posted a GMER log. Do you happen to have the ComboFix log for me to review?

[Matasovsky]

ComboFix 11-10-27.05 - Administrator 10/28/2011 13:00:50.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1021.506 [GMT -4:00]
Running from: c:\documents and settings\administrator.GIBRALTARDESIGN\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\dwagner\My Documents\prf2B.tmp
c:\documents and settings\dwagner\My Documents\prf6FD.tmp
c:\documents and settings\hheaddy\Application Data\inst.exe
c:\documents and settings\mmatasovsky\Application Data\desktop.ini
c:\documents and settings\mmatasovsky\Application Data\ntuser.dat
c:\documents and settings\mmatasovsky\Application Data\xssend2
c:\documents and settings\mmatasovsky\GoToAssistDownloadHelper.exe
c:\documents and settings\mmatasovsky\My Documents\DPE.DUS
c:\program files\messenger\msmsgsin.exe
c:\program files\msn\msncorefiles\copymar.exe
c:\program files\msn\msncorefiles\custdial.dll
c:\program files\msn\msncorefiles\logonmgr.dll
C:\Thumbs.db
c:\windows\ehome\medctrro.exe
c:\windows\ehome\snchk.exe
c:\windows\help\tours\htmltour\unlock_playing.htm
c:\windows\system32\d3d9caps.dat
c:\windows\system32\GroupPolicy\User\Scripts\scripts.ini
.
.
((((((((((((((((((((((((( Files Created from 2011-09-28 to 2011-10-28 )))))))))))))))))))))))))))))))
.
.
2011-10-28 13:07 . 2011-10-28 13:07 -------- d-----w- c:\windows\LastGood
2011-10-26 15:21 . 2011-10-26 15:21 -------- d-----w- C:\_OTL
2011-10-26 15:17 . 2011-10-26 15:20 -------- d-----w- c:\documents and settings\administrator.GIBRALTARDESIGN\Local Settings\Application Data\Adobe
2011-10-25 18:59 . 2011-10-25 18:59 -------- d-sh--w- c:\documents and settings\administrator.GIBRALTARDESIGN\PrivacIE
2011-10-25 18:59 . 2011-10-26 18:19 -------- d-----w- c:\documents and settings\administrator.GIBRALTARDESIGN\Local Settings\Application Data\Google
2011-10-18 15:57 . 2011-10-18 16:00 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp
2011-10-18 15:57 . 2011-10-18 16:01 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2011-10-18 15:51 . 2011-10-18 15:51 -------- d-----w- c:\program files\CCleaner
2011-10-13 18:18 . 2011-10-13 18:18 -------- d-----w- c:\program files\IIS Express
2011-10-11 20:28 . 2011-10-28 17:44 -------- d-----w- c:\documents and settings\mmatasovsky
2011-10-07 12:28 . 2011-10-07 12:28 -------- d-----w- c:\program files\UltraVNC
2011-10-05 13:29 . 2011-10-05 13:29 -------- d-----w- c:\documents and settings\dwagner\Application Data\Malwarebytes
2011-10-05 13:29 . 2011-10-05 13:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-10-05 13:29 . 2011-08-31 21:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-05 13:29 . 2011-10-05 13:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-04 21:46 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-10-04 21:46 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-09 09:12 . 2004-02-27 15:04 599040 ----a-w- c:\windows\system32\crypt32.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-09-28 77824]
"Track-It! Workstation Manager Service Monitor"="c:\windows\TIREMOTE\TIServiceMonitor.exe" [2008-08-13 165888]
"ShowWnd"="ShowWnd.exe" [2003-09-19 36864]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2006-06-23 7393280]
"NGTray"="c:\program files\Symantec\Ghost\ngtray.exe" [2007-11-15 206216]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2005-07-20 7090176]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-08-12 61952]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-09-11 115560]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2009-3-3 1537064]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2004-2-4 106560]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoNTSecurity"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1282138258-1106520001-315636210-1017\Scripts\Logoff\0\0]
"Script"=\\Gdiweb\cadutilities\Back Burner Batch Scripts\Netstart_BK_Server.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1282138258-1106520001-315636210-1017\Scripts\Logon\0\0]
"Script"=\\Gdiweb\cadutilities\Back Burner Batch Scripts\Netstop_BK_Server.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1282138258-1106520001-315636210-1018\Scripts\Logoff\0\0]
"Script"=\\Gdiweb\cadutilities\Back Burner Batch Scripts\Netstart_BK_Server.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1282138258-1106520001-315636210-1018\Scripts\Logon\0\0]
"Script"=\\Gdiweb\cadutilities\Back Burner Batch Scripts\Netstop_BK_Server.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1282138258-1106520001-315636210-1019\Scripts\Logoff\0\0]
"Script"=\\Gdiweb\cadutilities\Back Burner Batch Scripts\Netstart_BK_Server.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1282138258-1106520001-315636210-1019\Scripts\Logon\0\0]
"Script"=\\Gdiweb\cadutilities\Back Burner Batch Scripts\Netstop_BK_Server.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-368597260-1834286960-2103163636-1224\Scripts\Logoff\0\0]
"Script"=\\Gdicad\cadutilities\Back Burner Batch Scripts\Netstart_BK_Server.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-368597260-1834286960-2103163636-1224\Scripts\Logon\0\0]
"Script"=\\Gdicad\cadutilities\Back Burner Batch Scripts\Netstop_BK_Server.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-368597260-1834286960-2103163636-4111\Scripts\Logoff\0\0]
"Script"=\\Gdiweb\cadutilities\Back Burner Batch Scripts\Netstart_BK_Server.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-368597260-1834286960-2103163636-4111\Scripts\Logoff\1\0]
"Script"=\\Gdiweb\CadUtilities\Back Burner Batch Scripts\Netstart_BK_Server.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-368597260-1834286960-2103163636-4111\Scripts\Logon\0\0]
"Script"=\\Gdiweb\cadutilities\Back Burner Batch Scripts\Netstop_BK_Server.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-368597260-1834286960-2103163636-4111\Scripts\Logon\1\0]
"Script"=\\Gdiweb\CadUtilities\Back Burner Batch Scripts\Netstop_BK_Server.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-368597260-1834286960-2103163636-500\Scripts\Logoff\0\0]
"Script"=\\Gdiweb\cadutilities\Back Burner Batch Scripts\Netstart_BK_Server.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-368597260-1834286960-2103163636-500\Scripts\Logoff\1\0]
"Script"=\\Gdiweb\CadUtilities\Back Burner Batch Scripts\Netstart_BK_Server.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-368597260-1834286960-2103163636-500\Scripts\Logon\0\0]
"Script"=\\Gdiweb\cadutilities\Back Burner Batch Scripts\Netstop_BK_Server.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-368597260-1834286960-2103163636-500\Scripts\Logon\1\0]
"Script"=\\Gdiweb\CadUtilities\Back Burner Batch Scripts\Netstop_BK_Server.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-368597260-1834286960-2103163636-6620\Scripts\Logoff\0\0]
"Script"=\\Gdicad\cadutilities\Back Burner Batch Scripts\Netstart_BK_Server.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-368597260-1834286960-2103163636-6620\Scripts\Logon\0\0]
"Script"=\\Gdicad\cadutilities\Back Burner Batch Scripts\Netstop_BK_Server.bat
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NetALoader"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Symantec\\Ghost\\ngctw32.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
.
R2 NGCLIENT;Symantec Ghost Client Agent;c:\program files\Symantec\Ghost\ngctw32.exe [11/14/2007 8:49 PM 660872]
R2 RSMWebServer;RSMWebServer;c:\program files\N-able Technologies\NRM\RSMWinService.exe [10/12/2011 3:25 PM 19968]
R2 TIRmtSvc;Track-It! Workstation Manager;c:\windows\TIREMOTE\TIRemoteService.exe [4/30/2008 10:50 AM 213504]
R2 uvnc_service;uvnc_service;c:\program files\UltraVNC\winvnc.exe [10/7/2011 8:28 AM 1830856]
R2 Windows Agent Maintenance Service;Windows Agent Maintenance Service;c:\program files\N-able Technologies\Windows Agent\bin\AgentMaint.exe [8/18/2011 7:21 PM 28672]
R2 Windows Agent Service;Windows Agent Service;c:\program files\N-able Technologies\Windows Agent\bin\agent.exe [8/18/2011 7:21 PM 204800]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [7/28/2011 5:53 PM 105592]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 Smcinst;Symantec Auto-upgrade Agent;c:\program files\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe --> c:\program files\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe [?]
S3 winrdp_service;winrdp_service;c:\program files\N-able Technologies\NRM\UltraVNCServer\winrdp.exe [10/12/2011 3:25 PM 1642496]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/23/2001 8:00 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-08 c:\windows\Tasks\defrag.job
- c:\windows\system32\defrag.exe [2004-02-27 00:12]
.
2007-11-19 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2007-02-05 19:52]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
Trusted Zone: aol.com\free
TCP: DhcpNameServer = 10.10.10.11 10.10.10.4
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-SigmatelSysTrayApp - sttray.exe
SafeBoot-Symantec Antvirus
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-28 13:51
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"="a"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-368597260-1834286960-2103163636-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5f,ef,96,6a,d7,e6,4e,4f,a8,6c,b6,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5f,ef,96,6a,d7,e6,4e,4f,a8,6c,b6,\
.
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
Completion time: 2011-10-28 14:10:14
ComboFix-quarantined-files.txt 2011-10-28 18:09
.
Pre-Run: 10,493,296,640 bytes free
Post-Run: 11,338,915,840 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
.
- - End Of File - - E0D676E9F1FF1CC89D08CABD702F217B

[SweetTech]

Hi!

Lets see what these scans find, and see where we stand then.

Malwarebytes' Anti-Malware

I see that you have Malwarebytes' Anti-Malware installed on your computer could you please do a scan using these settings:

• Open Malwarebytes' Anti-Malware
• Select the Update tab
• Click Check for Updates
• After the update have been completed, Select the Scanner tab.
• Select Perform quick scan, then click on Scan
• Leave the default options as it is and click on Start Scan
• When done, you will be prompted. Click OK, then click on Show Results
• Checked (ticked) all items and click on Remove Selected
• After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom most log is the latest

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



NEXT:



ESET Online Scanner
I'd like us to scan your machine with ESET Online Scan

Note: It is recommended to disable on-board anti-virus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.

• Hold down Control and click on the following link to open ESET OnlineScan in a new window.
  ESET OnlineScan
• Click the button.
• For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the icon on your desktop.
• Check
• Click the button.
• Accept any security warnings from your browser.
• Check
• Make sure that the option "Remove found threats" is Unchecked
• When the Computer scan settings display shows, click the Advanced option, the place a check next to the following (if it is not already checked):
  
  • Enable Anti-Stealth technology
• Push the Start button.
• ESET will then download updates for itself, install itself, and begin
  scanning your computer. Please be patient as this can take some time.
• When the scan completes, push
• Push , and save the file to your desktop using a unique name, such as
  ESETScan. Include the contents of this report in your next reply.
• Push the button.
• Push

NEXT:



Security Check
Download Security Check by screen317 from here or here.

• Save it to your Desktop.
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.

[Matasovsky]

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8051

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10/31/2011 4:04:02 PM
mbam-log-2011-10-31 (16-04-02).txt

Scan type: Quick scan
Objects scanned: 326258
Time elapsed: 15 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN\2600 (Trojan.Agent) -> Value: 2600 -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

[SweetTech]

[Matasovsky]

I've been getting an error message that is interupting the ESET Online Scanner. Message itself doesn't appear bogus, but is likely being caused by whatever is still roaming around on the workstation.

I'll document and post it next time it comes up.

Should I move on to Security Check? I'll wait for your reply and post the message I'm talking about if I don't hear from you first.

[SweetTech]

Nah, I'd like to see what this message is before we proceed with SecurityCheck.

[Matasovsky]

ESET SCAN LOG
---------------

C:\_OTL\MovedFiles\10262011_112104\C_Documents and Settings\All Users\Application Data\DNQjcPtFlY.exe Win32/TrojanDownloader.Prodatect.BK trojan

[Matasovsky]

Checkup.txt
-------------
Results of screen317's Security Check version 0.99.24
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Security Center service is not running! This report may not be accurate!
ESET Online Scanner v3
Symantec Endpoint Protection
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
CCleaner
Java™ 6 Update 7
Out of date Java installed!
Adobe Flash Player ( 10.0.22.87) Flash Player Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent
Norton ccSvcHst.exe
``````````End of Log````````````

[Matasovsky]

Did find it interesting to have a Facebook log in window pop up in what appeared to be japanese, or korean,...

We have an internet software that is supposed to block that (SurfControl). Is it possible this was something taken out of the Registry back when we were asking about things there intentionally or not??

Or...it could be a symptom of the current issue.

[SweetTech]

Hi!

Thanks for posting those logs.

It's possible that something may have taken out that setting.

I think it maybe related to this file that was removed by ComboFix.

c:\windows\system32\GroupPolicy\User\Scripts\scripts.ini

I'm going to ask that you post a log file for me.

I would also like to see a list of files quarantined by ComboFix, so please do this:
Click Start > Run then copy/paste the following single-line command into the Run box and click OK:

C:\Qoobox\ComboFix-quarantined-files.txt

A text file should open. Post the contents of that file in your next reply.

[Matasovsky]

2011-10-28 18:04:48 . 2011-10-28 18:04:48 582 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SafeBoot-Symantec Antvirus.reg.dat
2011-10-28 18:00:51 . 2011-10-28 18:00:52 115 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-SigmatelSysTrayApp.reg.dat
2011-10-28 17:35:09 . 2011-10-28 17:35:09 14,667 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2011-10-27 18:06:30 . 2011-10-27 18:06:31 51 ----a-w- C:\Qoobox\Quarantine\catchme.log
2011-10-11 20:32:42 . 2011-03-01 15:34:53 29,996 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\mmatasovsky\Application Data\ntuser.dat.vir
2011-10-11 20:31:14 . 2010-05-10 15:31:23 103,720 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\mmatasovsky\GoToAssistDownloadHelper.exe.vir
2011-10-11 20:30:25 . 2005-10-06 20:33:42 191 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\mmatasovsky\My Documents\DPE.DUS.vir
2011-08-01 11:20:08 . 2011-04-23 13:17:23 1,255,556,096 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\dwagner\My Documents\prf6FD.tmp.vir
2011-05-27 12:42:30 . 2009-07-09 20:48:55 873,612,288 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\dwagner\My Documents\prf2B.tmp.vir
2009-03-04 20:23:54 . 2009-03-04 20:23:54 87,608 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\hheaddy\Application Data\inst.exe.vir
2008-05-08 17:16:48 . 2008-05-08 17:16:50 4,608 ----a-w- C:\Qoobox\Quarantine\C\Thumbs.db.vir
2007-01-22 11:24:38 . 2004-01-10 04:37:14 1,324 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\d3d9caps.dat.vir
2006-08-23 20:36:49 . 2008-01-04 22:07:42 422 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\GroupPolicy\User\Scripts\scripts.ini.vir
2004-02-27 14:09:41 . 2002-08-29 10:41:28 4,608 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\ehome\snchk.exe.vir
2004-02-27 14:09:26 . 2008-04-14 00:12:25 58,368 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\ehome\medctrro.exe.vir
2004-02-27 14:08:09 . 2002-08-29 10:41:26 69,663 -c--a-w- C:\Qoobox\Quarantine\C\Program Files\Messenger\msmsgsin.exe.vir
2004-02-27 14:07:27 . 2002-08-29 07:37:30 245,760 -c--a-w- C:\Qoobox\Quarantine\C\Program Files\MSN\MSNCoreFiles\logonmgr.dll.vir
2004-02-27 14:01:13 . 2002-08-29 07:37:22 24,576 -c--a-w- C:\Qoobox\Quarantine\C\Program Files\MSN\MSNCoreFiles\custdial.dll.vir
2004-02-27 14:01:12 . 2002-08-29 07:37:22 77,824 -c--a-w- C:\Qoobox\Quarantine\C\Program Files\MSN\MSNCoreFiles\copymar.exe.vir
2001-08-23 12:00:00 . 2004-07-17 18:40:53 9,050 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\Help\Tours\htmlTour\unlock_playing.htm.vir

[SweetTech]

Can you do me a favor and zip up the following file and attach it for me?

C:\Qoobox\Quarantine\C\WINDOWS\system32\GroupPolicy\User\Scripts\scripts.ini.vir