
another _fake_windows_security_center

This is a discussion on another _fake_windows_security_center within the Inactive Malware Help Topics forums, part of the Tech Support Forum category.


 
 
Old 01-07-2012, 02:59 AM   #1
Registered Member
 
Join Date: Jan 2012
Posts: 17
OS: XP Pro SP3, PuppyLinux



another _fake_windows_security_center

1. visited the 'wrong' site without adequate protection
* using Firefox legacy 3.6.23
* NoScript addon was not installed
* Avast was recently uninstalled (thought there were conflicts)
2. quite foolish mistakes

the fake windows security center keeps repeating that an IP address is trying to access my computer
and that I have 25 infections
i close the window

i installed avast and it is blocked from starting

SpyBot Search and Destroy (previously active) found hupignon in svch.exe
during boot (wish i knew which variant of hupignon)

NEW INSTRUCTIONS post
read

i have a Windows Install disc

dds.txt per NEW INSTRUCTIONS

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Run by user at 0:31:50 on 2012-01-07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1277 [GMT -8:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
D:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
D:\WINDOWS\System32\WLTRYSVC.EXE
D:\WINDOWS\System32\bcmwltry.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\OEM02Mon.exe
D:\WINDOWS\system32\WLTRAY.exe
D:\Program Files\AVAST Software\Avast\avastUI.exe
D:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
D:\Program Files\DELL\DELL Webcam Manager\DellWMgr.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Launchy\Launchy.exe
D:\Program Files\TouchFreeze\TouchFreeze.exe
D:\Program Files\VS Revo Group\Revo Uninstaller\Revouninstaller.exe
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
D:\Documents and Settings\user\Application Data\Dropbox\bin\Dropbox.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\WINDOWS\system32\svchost.exe -k imgsvc
D:\WINDOWS\system32\calc.exe
D:\program files\internet explorer\IEXPLORE.EXE
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
D:\WINDOWS\system32\NOTEPAD.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://eeepc.asus.com/global
uInternet Settings,ProxyOverride = *.local
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - d:\program files\spybot - search & destroy\SDHelper.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - d:\program files\avast software\avast\aswWebRepIE.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - d:\program files\ask.com\GenericAskToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - d:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: FireShot: {6e6e744e-4d20-4ce3-9a7a-26dfffe22f68} -
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - d:\program files\ask.com\GenericAskToolbar.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - d:\program files\avast software\avast\aswWebRepIE.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: {3041D03E-FD4B-44E0-B742-2D9B88305F98} - No File
uRun: [DELL Webcam Manager] "d:\program files\dell\dell webcam manager\DellWMgr.exe" /s
uRun: [ctfmon.exe] d:\windows\system32\ctfmon.exe
uRun: [TouchFreeze] d:\program files\touchfreeze\TouchFreeze.exe
uRun: [Google Update] "d:\documents and settings\user\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Revo Uninstaller] "d:\program files\vs revo group\revo uninstaller\Revouninstaller.exe" -hunter
mRun: [Broadcom Wireless Manager UI] d:\windows\system32\WLTRAY.exe
mRun: [StartCCC] "d:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [OEM02Mon.exe] d:\windows\OEM02Mon.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [avast] "d:\program files\avast software\avast\avastUI.exe" /nogui
StartupFolder: d:\docume~1\user\startm~1\programs\startup\dropbox.lnk - d:\documents and settings\user\application data\dropbox\bin\Dropbox.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\launchy.lnk - d:\program files\launchy\Launchy.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - d:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - d:\program files\spybot - search & destroy\SDHelper.dll
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
TCP: DhcpNameServer = 64.68.244.250 64.68.248.10 64.68.252.10
TCP: Interfaces\{C7314B5E-E648-4220-B79B-7E9F7765932B} : DhcpNameServer = 64.68.244.250 64.68.248.10 64.68.252.10
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - d:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: !SASWinLogon - d:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;d:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;d:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
S2 avast! Antivirus;avast! Antivirus;d:\program files\avast software\avast\AvastSvc.exe [2011-12-29 44768]
S2 svohost.exe;svohost.exe;d:\windows\svchcst.exe [2011-12-18 644096]
S3 C88PvL;C88PvL;d:\program files\cpuid\pc wizard 2010\data\pcwizntl.exe -s --> d:\program files\cpuid\pc wizard 2010\data\pcwizntl.exe -s [?]
S3 cpuz134;cpuz134;\??\f:\1filesnotxubuntu\zforacersetup\pc-wizard_2010.1.961\pcwiz_x32.sys --> f:\1filesnotxubuntu\zforacersetup\pc-wizard_2010.1.961\pcwiz_x32.sys [?]
S3 FUG0Hf;FUG0Hf;d:\program files\cpuid\pc wizard 2010\data\pcwizntl.exe -s --> d:\program files\cpuid\pc wizard 2010\data\pcwizntl.exe -s [?]
S3 K3ipmu;K3ipmu;d:\program files\cpuid\pc wizard 2010\data\pcwizntl.exe -s --> d:\program files\cpuid\pc wizard 2010\data\pcwizntl.exe -s [?]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;d:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-5-23 15232]
S3 OPqR9F;OPqR9F;d:\program files\cpuid\pc wizard 2010\data\pcwizntl.exe -s --> d:\program files\cpuid\pc wizard 2010\data\pcwizntl.exe -s [?]
.
=============== File Associations ===============
.
.exe=
.
=============== Created Last 30 ================
.
2011-12-30 04:45:20 72 ----a-w- d:\windows\DelSvel.bat
2011-12-30 04:31:02 -------- d-----w- d:\windows\pss
2011-12-29 20:17:53 -------- d-----w- d:\documents and settings\user\application data\.clamwin
2011-12-29 20:17:49 -------- d-----w- d:\program files\ClamWin
2011-12-29 20:17:49 -------- d-----w- d:\documents and settings\all users\.clamwin
2011-12-29 12:32:34 435032 ----a-w- d:\windows\system32\drivers\aswSnx.sys
2011-12-29 12:31:57 41184 ----a-w- d:\windows\avastSS.scr
2011-12-29 12:09:33 402432 ----a-w- d:\documents and settings\user\local settings\application data\uqt.exe
2011-12-18 08:39:40 644096 ------w- d:\windows\system32\_svchcst.exe
2011-12-18 08:39:38 644096 --sh--w- d:\windows\svchcst.exe
2011-12-18 08:39:38 644096 ---h--r- D:\svchcst.exe
2011-12-11 04:22:25 -------- d-----w- d:\documents and settings\user\application data\Dropbox
.
==================== Find3M ====================
.
2007-10-11 05:43:58 644096 --sh--w- d:\windows\svchcst.exe
.
============= FINISH: 0:32:16.21 ===============

**********looking at the log i see a lot of software to remove*************
very sloppy housekeeping
( none of the A/V Malware removal is active)

THANKS in advance - - - advice is appreciated - - - pup
(this is done from puppy linux on a netbook)
Attached Files: attach.zip (5.7 KB)

__________________
puppylinux
Old 01-07-2012, 06:38 AM   #2
Security Team
Analyst
 
Join Date: Jun 2008
Location: Midwest, U.S.A.
Posts: 988
OS: Dual Boot Setup, Vista SP2 and XPSP3



Greetings puppylinux and Welcome to the Forums,

Please disable the active protection component of your antivirus and antispyware programs by following the directions that apply Here.
...of those, many people overlook the Windows Defender since, for most, there is no icon for it in the system tray. Scroll through those directives above and look for this application specifically, to make certain it is disabled.

Please download combofix from This Webpage...and read through the instructions there for running the tool.

***Important Note***
Please read through the guidance on that web page carefully and thoroughly...and install the Recovery Console. Using this tool without the Recovery Console installed is NOT RECOMMENDED.

If you have Windows Vista or Windows 7, you can skip the recovery console step...in Vista/7 it's in the System Recovery Options menu. The System Recovery Options menu is on the Windows Vista or Windows 7 installation disc. If Windows doesn't start correctly, you can use these tools to repair startup problems.


The Windows Recovery Console will allow you to boot into a special recovery (repair) mode that is not otherwise available. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It's a simple procedure that will only take a few moments.

Once installed, a blue screen prompt should appear that reads as follows:

The Recovery Console was successfully installed.

When you see that screen, please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a log file for you. Please post that log back here on your next reply. Thanks!

Note:
Do not mouseclick combofix's window while it's running....that may cause the scan to stall

__________________
Disabled Veteran, U.S.C.G. 1972 - 1978
Windows XP Performance and Maintenance
Windows Vista Performance and Maintenance

1972vet
Old 01-08-2012, 08:51 PM   #3
Registered Member
 
Join Date: Jan 2012
Posts: 17
OS: XP Pro SP3, PuppyLinux



@1972vet
much thanks - quick response here
I work offline when @ home - offgrid - mountain valley - no cell coverage - satellite net hook up is bs and expensive in $ and kilowatts
received your note last night @home
attempted MS recovery console install from XP install CD
CL recommended commands would only open the disc
tried everything that i could think of
Wonder What ??
much trepidation - ran ComboFix without the recovery console
i thought it would take much longer to scan . . . . . was prepared to let it run while i snoozed
also ran ComboFix online tonight . . . CF successfully installed the MS recovery console
The two large pop up screens that imitated Windows Control Center did not pop up while I was using the computer
previously they had quickly popped up after boot
the taskbar ICON continues with occasional small notifications
first log -> before recovery console install
2d log -> after install
****************************************************************************************************

ComboFix 12-01-04.02 - user 01/07/2012 23:54:05.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1283 [GMT -8:00]
Running from: d:\documents and settings\user\Desktop\ComboFix.exe
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\AutoRun.inf
D:\AutoRun.inf
d:\documents and settings\user\WINDOWS
D:\Install.exe
d:\windows\Downloaded Installations\BMP
d:\windows\Downloaded Installations\BMP\{44C774BE-1389-4E84-B5DE-54D9FB4A2253}\1033.MST
d:\windows\Downloaded Installations\BMP\{44C774BE-1389-4E84-B5DE-54D9FB4A2253}\BACS.msi
d:\windows\isRS-000.tmp
d:\windows\svchcst.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_svohost.exe
-------\Service_svohost.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-12-08 to 2012-01-08 )))))))))))))))))))))))))))))))
.
.
2012-01-08 07:18 . 2012-01-08 07:18 -------- d-----w- d:\documents and settings\user\Local Settings\Application Data\Help
2011-12-30 04:45 . 2011-12-30 05:26 72 ----a-w- d:\windows\DelSvel.bat
2011-12-29 20:17 . 2011-12-29 20:17 -------- d-----w- d:\documents and settings\user\Application Data\.clamwin
2011-12-29 20:17 . 2011-12-29 20:17 -------- d-----w- d:\program files\ClamWin
2011-12-29 20:17 . 2011-12-29 20:17 -------- d-----w- d:\documents and settings\All Users\.clamwin
2011-12-18 08:39 . 2007-10-11 05:43 644096 ------w- d:\windows\system32\_svchcst.exe
2011-12-18 08:39 . 2007-10-11 05:43 644096 ---h--r- D:\svchcst.exe
2011-12-11 04:22 . 2012-01-08 05:55 -------- d-----w- d:\documents and settings\user\Application Data\Dropbox
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-17 23:38 . 2011-08-17 23:38 142296 ----a-w- d:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2011-02-02 02:17 1487240 ----a-w- d:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "d:\program files\Ask.com\GenericAskToolbar.dll" [2011-02-02 1487240]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- d:\documents and settings\user\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- d:\documents and settings\user\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- d:\documents and settings\user\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- d:\documents and settings\user\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DELL Webcam Manager"="d:\program files\DELL\DELL Webcam Manager\DellWMgr.exe" [2007-06-07 118784]
"TouchFreeze"="d:\program files\TouchFreeze\TouchFreeze.exe" [2005-04-29 45056]
"Revo Uninstaller"="d:\program files\VS Revo Group\Revo Uninstaller\Revouninstaller.exe" [2011-04-14 3147344]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="d:\windows\system32\WLTRAY.exe" [2007-10-10 2183168]
"StartCCC"="d:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-30 61440]
"OEM02Mon.exe"="d:\windows\OEM02Mon.exe" [2007-05-10 36864]
"SigmatelSysTrayApp"="d:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
.
d:\documents and settings\user\Start Menu\Programs\Startup\
Dropbox.lnk - d:\documents and settings\user\Application Data\Dropbox\bin\Dropbox.exe [2011-12-5 24242056]
.
d:\documents and settings\All Users\Start Menu\Programs\Startup\
Launchy.lnk - d:\program files\Launchy\Launchy.exe [2010-7-15 380928]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- d:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"= d:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe
"c:\\WINDOWS\\system32\\sessmgr.exe"= d:\\WINDOWS\\system32\\sessmgr.exe
"d:\\Program Files\\tixati\\tixati.exe"=
"d:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"d:\\Documents and Settings\\user\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"113:TCP"= 113:TCP:library
"1337:TCP"= 1337:TCP:PowerFolder
.
R1 SASDIFSV;SASDIFSV;d:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 10:25 AM 12872]
R1 SASKUTIL;SASKUTIL;d:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 10:41 AM 67656]
S3 C88PvL;C88PvL;d:\program files\CPUID\PC Wizard 2010\Data\pcwizntl.exe -s --> d:\program files\CPUID\PC Wizard 2010\Data\pcwizntl.exe -s [?]
S3 cpuz134;cpuz134;\??\f:\1filesnotxubuntu\zforacersetup\pc-wizard_2010.1.961\pcwiz_x32.sys --> f:\1filesnotxubuntu\zforacersetup\pc-wizard_2010.1.961\pcwiz_x32.sys [?]
S3 FUG0Hf;FUG0Hf;d:\program files\CPUID\PC Wizard 2010\Data\pcwizntl.exe -s --> d:\program files\CPUID\PC Wizard 2010\Data\pcwizntl.exe -s [?]
S3 K3ipmu;K3ipmu;d:\program files\CPUID\PC Wizard 2010\Data\pcwizntl.exe -s --> d:\program files\CPUID\PC Wizard 2010\Data\pcwizntl.exe -s [?]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;d:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [5/23/2011 9:32 PM 15232]
S3 OPqR9F;OPqR9F;d:\program files\CPUID\PC Wizard 2010\Data\pcwizntl.exe -s --> d:\program files\CPUID\PC Wizard 2010\Data\pcwizntl.exe -s [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-30 d:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-606747145-1637723038-963894560-1001Core.job
- d:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-15 05:20]
.
2012-01-08 d:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-606747145-1637723038-963894560-1001UA.job
- d:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-15 05:20]
.
2012-01-08 d:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- d:\program files\Ask.com\UpdateTask.exe [2010-10-11 23:12]
.
2012-01-08 d:\windows\Tasks\User_Feed_Synchronization-{41FBD9B7-5D38-49B4-ADCB-D26E150C3F1F}.job
- d:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://eeepc.asus.com/global
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 64.68.244.250 64.68.248.10 64.68.252.10
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98} - (no file)
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
AddRemove-DoubleKiller - d:\docume~1\user\LOCALS~1\Temp\Temporary Directory 1 for doublekiller.zip\DoubleKiller.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2012-01-07 23:59
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(888)
d:\program files\SUPERAntiSpyware\SASWINLO.DLL
d:\windows\system32\Ati2evxx.dll
d:\windows\System32\BCMLogon.dll
.
- - - - - - - > 'explorer.exe'(3520)
d:\documents and settings\user\Application Data\Dropbox\bin\DropboxExt.14.dll
d:\windows\system32\ieframe.dll
d:\windows\system32\OneX.DLL
d:\windows\system32\eappprxy.dll
d:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
d:\windows\system32\Ati2evxx.exe
d:\windows\System32\WLTRYSVC.EXE
d:\windows\system32\Ati2evxx.exe
d:\windows\System32\bcmwltry.exe
d:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
d:\program files\Java\jre6\bin\jqs.exe
d:\windows\system32\wscntfy.exe
d:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
d:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
.
**************************************************************************
.
Completion time: 2012-01-08 00:02:00 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-08 08:01
.
Pre-Run: 3,960,647,680 bytes free
Post-Run: 5,043,109,888 bytes free
.
- - End Of File - - 71A2F9604961EB90C0B192F4E5C7DD84

**************************************************************************

ComboFix 12-01-07.03 - user 01/08/2012 15:23:56.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1446 [GMT -8:00]
Running from: d:\documents and settings\user\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-12-08 to 2012-01-08 )))))))))))))))))))))))))))))))
.
.
2012-01-08 07:18 . 2012-01-08 07:18 -------- d-----w- d:\documents and settings\user\Local Settings\Application Data\Help
2011-12-30 04:45 . 2011-12-30 05:26 72 ----a-w- d:\windows\DelSvel.bat
2011-12-29 20:17 . 2011-12-29 20:17 -------- d-----w- d:\documents and settings\user\Application Data\.clamwin
2011-12-29 20:17 . 2011-12-29 20:17 -------- d-----w- d:\program files\ClamWin
2011-12-29 20:17 . 2011-12-29 20:17 -------- d-----w- d:\documents and settings\All Users\.clamwin
2011-12-18 08:39 . 2007-10-11 05:43 644096 ------w- d:\windows\system32\_svchcst.exe
2011-12-18 08:39 . 2007-10-11 05:43 644096 ---h--r- D:\svchcst.exe
2011-12-11 04:22 . 2012-01-08 22:52 -------- d-----w- d:\documents and settings\user\Application Data\Dropbox
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-17 23:38 . 2011-08-17 23:38 142296 ----a-w- d:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-01-08_07.59.22 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-01-08 22:52 . 2012-01-08 22:52 16384 d:\windows\Temp\Perflib_Perfdata_674.dat
+ 2008-04-14 12:00 . 2012-01-08 22:56 84516 d:\windows\system32\perfc009.dat
- 2008-04-14 12:00 . 2012-01-08 05:59 84516 d:\windows\system32\perfc009.dat
+ 2008-04-14 12:00 . 2012-01-08 22:56 491196 d:\windows\system32\perfh009.dat
- 2008-04-14 12:00 . 2012-01-08 05:59 491196 d:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2011-02-02 02:17 1487240 ----a-w- d:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "d:\program files\Ask.com\GenericAskToolbar.dll" [2011-02-02 1487240]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- d:\documents and settings\user\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- d:\documents and settings\user\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- d:\documents and settings\user\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- d:\documents and settings\user\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DELL Webcam Manager"="d:\program files\DELL\DELL Webcam Manager\DellWMgr.exe" [2007-06-07 118784]
"TouchFreeze"="d:\program files\TouchFreeze\TouchFreeze.exe" [2005-04-29 45056]
"Revo Uninstaller"="d:\program files\VS Revo Group\Revo Uninstaller\Revouninstaller.exe" [2011-04-14 3147344]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="d:\windows\system32\WLTRAY.exe" [2007-10-10 2183168]
"StartCCC"="d:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-30 61440]
"OEM02Mon.exe"="d:\windows\OEM02Mon.exe" [2007-05-10 36864]
"SigmatelSysTrayApp"="d:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
.
d:\documents and settings\user\Start Menu\Programs\Startup\
Dropbox.lnk - d:\documents and settings\user\Application Data\Dropbox\bin\Dropbox.exe [2011-12-5 24242056]
.
d:\documents and settings\All Users\Start Menu\Programs\Startup\
Launchy.lnk - d:\program files\Launchy\Launchy.exe [2010-7-15 380928]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- d:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"= d:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe
"c:\\WINDOWS\\system32\\sessmgr.exe"= d:\\WINDOWS\\system32\\sessmgr.exe
"d:\\Program Files\\tixati\\tixati.exe"=
"d:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"d:\\Documents and Settings\\user\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"113:TCP"= 113:TCP:library
"1337:TCP"= 1337:TCP:PowerFolder
.
R1 SASDIFSV;SASDIFSV;d:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 10:25 AM 12872]
R1 SASKUTIL;SASKUTIL;d:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 10:41 AM 67656]
S3 C88PvL;C88PvL;d:\program files\CPUID\PC Wizard 2010\Data\pcwizntl.exe -s --> d:\program files\CPUID\PC Wizard 2010\Data\pcwizntl.exe -s [?]
S3 cpuz134;cpuz134;\??\f:\1filesnotxubuntu\zforacersetup\pc-wizard_2010.1.961\pcwiz_x32.sys --> f:\1filesnotxubuntu\zforacersetup\pc-wizard_2010.1.961\pcwiz_x32.sys [?]
S3 FUG0Hf;FUG0Hf;d:\program files\CPUID\PC Wizard 2010\Data\pcwizntl.exe -s --> d:\program files\CPUID\PC Wizard 2010\Data\pcwizntl.exe -s [?]
S3 K3ipmu;K3ipmu;d:\program files\CPUID\PC Wizard 2010\Data\pcwizntl.exe -s --> d:\program files\CPUID\PC Wizard 2010\Data\pcwizntl.exe -s [?]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;d:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [5/23/2011 9:32 PM 15232]
S3 OPqR9F;OPqR9F;d:\program files\CPUID\PC Wizard 2010\Data\pcwizntl.exe -s --> d:\program files\CPUID\PC Wizard 2010\Data\pcwizntl.exe -s [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-30 d:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-606747145-1637723038-963894560-1001Core.job
- d:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-15 05:20]
.
2012-01-08 d:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-606747145-1637723038-963894560-1001UA.job
- d:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-15 05:20]
.
2012-01-08 d:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- d:\program files\Ask.com\UpdateTask.exe [2010-10-11 23:12]
.
2012-01-08 d:\windows\Tasks\User_Feed_Synchronization-{41FBD9B7-5D38-49B4-ADCB-D26E150C3F1F}.job
- d:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://eeepc.asus.com/global
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 64.68.244.250 8.8.8.8
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2012-01-08 15:33
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(888)
d:\program files\SUPERAntiSpyware\SASWINLO.DLL
d:\windows\system32\Ati2evxx.dll
d:\windows\System32\BCMLogon.dll
.
- - - - - - - > 'explorer.exe'(780)
d:\documents and settings\user\Application Data\Dropbox\bin\DropboxExt.14.dll
d:\windows\system32\ieframe.dll
d:\windows\system32\OneX.DLL
d:\windows\system32\eappprxy.dll
d:\windows\system32\webcheck.dll
.
Completion time: 2012-01-08 15:35:45
ComboFix-quarantined-files.txt 2012-01-08 23:35
ComboFix2.txt 2012-01-08 08:02
.
Pre-Run: 5,035,446,272 bytes free
Post-Run: 5,023,281,152 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(3)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(3)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 0A20E81B3CF66E57357946A76BA9DB51

THANKS in advance . . . . . . . . . pup
?what would CF have updated?
__________________
puppylinux is offline  
Old 01-08-2012, 08:56 PM   #4
Registered Member
 
Join Date: Jan 2012
Posts: 17
OS: XP Pro SP3, PuppyLinux



Sorry about the lack of formatting in the post above. (It got blown when the missive was cut and pasted.) Thanks! pup
__________________
puppylinux is offline  
Old 01-09-2012, 06:17 AM   #5
Security Team
Analyst
 
Join Date: Jun 2008
Location: Midwest, U.S.A.
Posts: 988
OS: Dual Boot Setup, Vista SP2 and XPSP3



"...what would CF have updated?"
You didn't mention this...you just asked the question. Did cf request you to update?
__________________
Disabled Veteran, U.S.C.G. 1972 - 1978

Windows XP Performance and Maintenance
Windows Vista Performance and Maintenance

1972vet is offline  
Old 01-09-2012, 03:27 PM   #6
Registered Member
 
Join Date: Jan 2012
Posts: 17
OS: XP Pro SP3, PuppyLinux



Re: "...what would CF have updated?" Sorry... CF asked for permission to check for a newer CF version when I ran it online. I do not think that it found a newer version... Apologies for the fuzzy, unclear posting. I can only imagine that happens all too often. Thanks, pup
__________________
puppylinux is offline  
Old 01-09-2012, 03:41 PM   #7
Security Team
Analyst
 
Join Date: Jun 2008
Location: Midwest, U.S.A.
Posts: 988
OS: Dual Boot Setup, Vista SP2 and XPSP3



OK, combofix would have asked to update if it found the version you used was out of date.

Please try posting the log(s) again. I could try reconstructing what's there so I can make sense out of it, but it would take hours.
__________________
Disabled Veteran, U.S.C.G. 1972 - 1978

Windows XP Performance and Maintenance
Windows Vista Performance and Maintenance

1972vet is offline  
Old 01-09-2012, 04:14 PM   #8
Registered Member
 
Join Date: Jan 2012
Posts: 17
OS: XP Pro SP3, PuppyLinux



RE: "Please try posting the log(s) again. "
Reposting logs
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Run by user at 0:31:50 on 2012-01-07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1277 [GMT -8:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
D:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
D:\WINDOWS\System32\WLTRYSVC.EXE
D:\WINDOWS\System32\bcmwltry.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\OEM02Mon.exe
D:\WINDOWS\system32\WLTRAY.exe
D:\Program Files\AVAST Software\Avast\avastUI.exe
D:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
D:\Program Files\DELL\DELL Webcam Manager\DellWMgr.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Launchy\Launchy.exe
D:\Program Files\TouchFreeze\TouchFreeze.exe
D:\Program Files\VS Revo Group\Revo Uninstaller\Revouninstaller.exe
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
D:\Documents and Settings\user\Application Data\Dropbox\bin\Dropbox.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\WINDOWS\system32\svchost.exe -k imgsvc
D:\WINDOWS\system32\calc.exe
D:\program files\internet explorer\IEXPLORE.EXE
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
D:\WINDOWS\system32\NOTEPAD.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://eeepc.asus.com/global
uInternet Settings,ProxyOverride = *.local
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - d:\program files\spybot - search & destroy\SDHelper.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - d:\program files\avast software\avast\aswWebRepIE.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - d:\program files\ask.com\GenericAskToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - d:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: FireShot: {6e6e744e-4d20-4ce3-9a7a-26dfffe22f68} -
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - d:\program files\ask.com\GenericAskToolbar.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - d:\program files\avast software\avast\aswWebRepIE.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: {3041D03E-FD4B-44E0-B742-2D9B88305F98} - No File
uRun: [DELL Webcam Manager] "d:\program files\dell\dell webcam manager\DellWMgr.exe" /s
uRun: [ctfmon.exe] d:\windows\system32\ctfmon.exe
uRun: [TouchFreeze] d:\program files\touchfreeze\TouchFreeze.exe
uRun: [Google Update] "d:\documents and settings\user\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Revo Uninstaller] "d:\program files\vs revo group\revo uninstaller\Revouninstaller.exe" -hunter
mRun: [Broadcom Wireless Manager UI] d:\windows\system32\WLTRAY.exe
mRun: [StartCCC] "d:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [OEM02Mon.exe] d:\windows\OEM02Mon.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [avast] "d:\program files\avast software\avast\avastUI.exe" /nogui
StartupFolder: d:\docume~1\user\startm~1\programs\startup\dropbox.lnk - d:\documents and settings\user\application data\dropbox\bin\Dropbox.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\launchy.lnk - d:\program files\launchy\Launchy.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - d:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - d:\program files\spybot - search & destroy\SDHelper.dll
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
TCP: DhcpNameServer = 64.68.244.250 64.68.248.10 64.68.252.10
TCP: Interfaces\{C7314B5E-E648-4220-B79B-7E9F7765932B} : DhcpNameServer = 64.68.244.250 64.68.248.10 64.68.252.10
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - d:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: !SASWinLogon - d:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;d:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;d:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
S2 avast! Antivirus;avast! Antivirus;d:\program files\avast software\avast\AvastSvc.exe [2011-12-29 44768]
S2 svohost.exe;svohost.exe;d:\windows\svchcst.exe [2011-12-18 644096]
S3 C88PvL;C88PvL;d:\program files\cpuid\pc wizard 2010\data\pcwizntl.exe -s --> d:\program files\cpuid\pc wizard 2010\data\pcwizntl.exe -s [?]
S3 cpuz134;cpuz134;\??\f:\1filesnotxubuntu\zforacersetup\pc-wizard_2010.1.961\pcwiz_x32.sys --> f:\1filesnotxubuntu\zforacersetup\pc-wizard_2010.1.961\pcwiz_x32.sys [?]
S3 FUG0Hf;FUG0Hf;d:\program files\cpuid\pc wizard 2010\data\pcwizntl.exe -s --> d:\program files\cpuid\pc wizard 2010\data\pcwizntl.exe -s [?]
S3 K3ipmu;K3ipmu;d:\program files\cpuid\pc wizard 2010\data\pcwizntl.exe -s --> d:\program files\cpuid\pc wizard 2010\data\pcwizntl.exe -s [?]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;d:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-5-23 15232]
S3 OPqR9F;OPqR9F;d:\program files\cpuid\pc wizard 2010\data\pcwizntl.exe -s --> d:\program files\cpuid\pc wizard 2010\data\pcwizntl.exe -s [?]
.
=============== File Associations ===============
.
.exe=
.
=============== Created Last 30 ================
.
2011-12-30 04:45:20 72 ----a-w- d:\windows\DelSvel.bat
2011-12-30 04:31:02 -------- d-----w- d:\windows\pss
2011-12-29 20:17:53 -------- d-----w- d:\documents and settings\user\application data\.clamwin
2011-12-29 20:17:49 -------- d-----w- d:\program files\ClamWin
2011-12-29 20:17:49 -------- d-----w- d:\documents and settings\all users\.clamwin
2011-12-29 12:32:34 435032 ----a-w- d:\windows\system32\drivers\aswSnx.sys
2011-12-29 12:31:57 41184 ----a-w- d:\windows\avastSS.scr
2011-12-29 12:09:33 402432 ----a-w- d:\documents and settings\user\local settings\application data\uqt.exe
2011-12-18 08:39:40 644096 ------w- d:\windows\system32\_svchcst.exe
2011-12-18 08:39:38 644096 --sh--w- d:\windows\svchcst.exe
2011-12-18 08:39:38 644096 ---h--r- D:\svchcst.exe
2011-12-11 04:22:25 -------- d-----w- d:\documents and settings\user\application data\Dropbox
.
==================== Find3M ====================
.
2007-10-11 05:43:58 644096 --sh--w- d:\windows\svchcst.exe
.
============= FINISH: 0:32:16.21 ===============
_________________________________________________________________________

First CF log without recovery console - offline

ComboFix 12-01-04.02 - user 01/07/2012 23:54:05.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1283 [GMT -8:00]
Running from: d:\documents and settings\user\Desktop\ComboFix.exe
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\AutoRun.inf
D:\AutoRun.inf
d:\documents and settings\user\WINDOWS
D:\Install.exe
d:\windows\Downloaded Installations\BMP
d:\windows\Downloaded Installations\BMP\{44C774BE-1389-4E84-B5DE-54D9FB4A2253}\1033.MST
d:\windows\Downloaded Installations\BMP\{44C774BE-1389-4E84-B5DE-54D9FB4A2253}\BACS.msi
d:\windows\isRS-000.tmp
d:\windows\svchcst.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_svohost.exe
-------\Service_svohost.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-12-08 to 2012-01-08 )))))))))))))))))))))))))))))))
.
.
2012-01-08 07:18 . 2012-01-08 07:18 -------- d-----w- d:\documents and settings\user\Local Settings\Application Data\Help
2011-12-30 04:45 . 2011-12-30 05:26 72 ----a-w- d:\windows\DelSvel.bat
2011-12-29 20:17 . 2011-12-29 20:17 -------- d-----w- d:\documents and settings\user\Application Data\.clamwin
2011-12-29 20:17 . 2011-12-29 20:17 -------- d-----w- d:\program files\ClamWin
2011-12-29 20:17 . 2011-12-29 20:17 -------- d-----w- d:\documents and settings\All Users\.clamwin
2011-12-18 08:39 . 2007-10-11 05:43 644096 ------w- d:\windows\system32\_svchcst.exe
2011-12-18 08:39 . 2007-10-11 05:43 644096 ---h--r- D:\svchcst.exe
2011-12-11 04:22 . 2012-01-08 05:55 -------- d-----w- d:\documents and settings\user\Application Data\Dropbox
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-17 23:38 . 2011-08-17 23:38 142296 ----a-w- d:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2011-02-02 02:17 1487240 ----a-w- d:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "d:\program files\Ask.com\GenericAskToolbar.dll" [2011-02-02 1487240]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- d:\documents and settings\user\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- d:\documents and settings\user\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- d:\documents and settings\user\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- d:\documents and settings\user\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DELL Webcam Manager"="d:\program files\DELL\DELL Webcam Manager\DellWMgr.exe" [2007-06-07 118784]
"TouchFreeze"="d:\program files\TouchFreeze\TouchFreeze.exe" [2005-04-29 45056]
"Revo Uninstaller"="d:\program files\VS Revo Group\Revo Uninstaller\Revouninstaller.exe" [2011-04-14 3147344]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="d:\windows\system32\WLTRAY.exe" [2007-10-10 2183168]
"StartCCC"="d:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-30 61440]
"OEM02Mon.exe"="d:\windows\OEM02Mon.exe" [2007-05-10 36864]
"SigmatelSysTrayApp"="d:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
.
d:\documents and settings\user\Start Menu\Programs\Startup\
Dropbox.lnk - d:\documents and settings\user\Application Data\Dropbox\bin\Dropbox.exe [2011-12-5 24242056]
.
d:\documents and settings\All Users\Start Menu\Programs\Startup\
Launchy.lnk - d:\program files\Launchy\Launchy.exe [2010-7-15 380928]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- d:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"= d:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe
"c:\\WINDOWS\\system32\\sessmgr.exe"= d:\\WINDOWS\\system32\\sessmgr.exe
"d:\\Program Files\\tixati\\tixati.exe"=
"d:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"d:\\Documents and Settings\\user\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"113:TCP"= 113:TCP:library
"1337:TCP"= 1337:TCP:PowerFolder
.
R1 SASDIFSV;SASDIFSV;d:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 10:25 AM 12872]
R1 SASKUTIL;SASKUTIL;d:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 10:41 AM 67656]
S3 C88PvL;C88PvL;d:\program files\CPUID\PC Wizard 2010\Data\pcwizntl.exe -s --> d:\program files\CPUID\PC Wizard 2010\Data\pcwizntl.exe -s [?]
S3 cpuz134;cpuz134;\??\f:\1filesnotxubuntu\zforacersetup\pc-wizard_2010.1.961\pcwiz_x32.sys --> f:\1filesnotxubuntu\zforacersetup\pc-wizard_2010.1.961\pcwiz_x32.sys [?]
S3 FUG0Hf;FUG0Hf;d:\program files\CPUID\PC Wizard 2010\Data\pcwizntl.exe -s --> d:\program files\CPUID\PC Wizard 2010\Data\pcwizntl.exe -s [?]
S3 K3ipmu;K3ipmu;d:\program files\CPUID\PC Wizard 2010\Data\pcwizntl.exe -s --> d:\program files\CPUID\PC Wizard 2010\Data\pcwizntl.exe -s [?]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;d:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [5/23/2011 9:32 PM 15232]
S3 OPqR9F;OPqR9F;d:\program files\CPUID\PC Wizard 2010\Data\pcwizntl.exe -s --> d:\program files\CPUID\PC Wizard 2010\Data\pcwizntl.exe -s [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-30 d:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-606747145-1637723038-963894560-1001Core.job
- d:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-15 05:20]
.
2012-01-08 d:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-606747145-1637723038-963894560-1001UA.job
- d:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-15 05:20]
.
2012-01-08 d:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- d:\program files\Ask.com\UpdateTask.exe [2010-10-11 23:12]
.
2012-01-08 d:\windows\Tasks\User_Feed_Synchronization-{41FBD9B7-5D38-49B4-ADCB-D26E150C3F1F}.job
- d:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://eeepc.asus.com/global
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 64.68.244.250 64.68.248.10 64.68.252.10
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98} - (no file)
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
AddRemove-DoubleKiller - d:\docume~1\user\LOCALS~1\Temp\Temporary Directory 1 for doublekiller.zip\DoubleKiller.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2012-01-07 23:59
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(888)
d:\program files\SUPERAntiSpyware\SASWINLO.DLL
d:\windows\system32\Ati2evxx.dll
d:\windows\System32\BCMLogon.dll
.
- - - - - - - > 'explorer.exe'(3520)
d:\documents and settings\user\Application Data\Dropbox\bin\DropboxExt.14.dll
d:\windows\system32\ieframe.dll
d:\windows\system32\OneX.DLL
d:\windows\system32\eappprxy.dll
d:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
d:\windows\system32\Ati2evxx.exe
d:\windows\System32\WLTRYSVC.EXE
d:\windows\system32\Ati2evxx.exe
d:\windows\System32\bcmwltry.exe
d:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
d:\program files\Java\jre6\bin\jqs.exe
d:\windows\system32\wscntfy.exe
d:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
d:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
.
**************************************************************************
.
Completion time: 2012-01-08 00:02:00 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-08 08:01
.
Pre-Run: 3,960,647,680 bytes free
Post-Run: 5,043,109,888 bytes free
.
- - End Of File - - 71A2F9604961EB90C0B192F4E5C7DD84
_________________________________________________________________________

Second CF log ONLINE with recovery console installed

ComboFix 12-01-07.03 - user 01/08/2012 15:23:56.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1446 [GMT -8:00]
Running from: d:\documents and settings\user\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-12-08 to 2012-01-08 )))))))))))))))))))))))))))))))
.
.
2012-01-08 07:18 . 2012-01-08 07:18 -------- d-----w- d:\documents and settings\user\Local Settings\Application Data\Help
2011-12-30 04:45 . 2011-12-30 05:26 72 ----a-w- d:\windows\DelSvel.bat
2011-12-29 20:17 . 2011-12-29 20:17 -------- d-----w- d:\documents and settings\user\Application Data\.clamwin
2011-12-29 20:17 . 2011-12-29 20:17 -------- d-----w- d:\program files\ClamWin
2011-12-29 20:17 . 2011-12-29 20:17 -------- d-----w- d:\documents and settings\All Users\.clamwin
2011-12-18 08:39 . 2007-10-11 05:43 644096 ------w- d:\windows\system32\_svchcst.exe
2011-12-18 08:39 . 2007-10-11 05:43 644096 ---h--r- D:\svchcst.exe
2011-12-11 04:22 . 2012-01-08 22:52 -------- d-----w- d:\documents and settings\user\Application Data\Dropbox
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-17 23:38 . 2011-08-17 23:38 142296 ----a-w- d:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-01-08_07.59.22 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-01-08 22:52 . 2012-01-08 22:52 16384 d:\windows\Temp\Perflib_Perfdata_674.dat
+ 2008-04-14 12:00 . 2012-01-08 22:56 84516 d:\windows\system32\perfc009.dat
- 2008-04-14 12:00 . 2012-01-08 05:59 84516 d:\windows\system32\perfc009.dat
+ 2008-04-14 12:00 . 2012-01-08 22:56 491196 d:\windows\system32\perfh009.dat
- 2008-04-14 12:00 . 2012-01-08 05:59 491196 d:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2011-02-02 02:17 1487240 ----a-w- d:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "d:\program files\Ask.com\GenericAskToolbar.dll" [2011-02-02 1487240]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- d:\documents and settings\user\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- d:\documents and settings\user\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- d:\documents and settings\user\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- d:\documents and settings\user\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DELL Webcam Manager"="d:\program files\DELL\DELL Webcam Manager\DellWMgr.exe" [2007-06-07 118784]
"TouchFreeze"="d:\program files\TouchFreeze\TouchFreeze.exe" [2005-04-29 45056]
"Revo Uninstaller"="d:\program files\VS Revo Group\Revo Uninstaller\Revouninstaller.exe" [2011-04-14 3147344]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="d:\windows\system32\WLTRAY.exe" [2007-10-10 2183168]
"StartCCC"="d:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-30 61440]
"OEM02Mon.exe"="d:\windows\OEM02Mon.exe" [2007-05-10 36864]
"SigmatelSysTrayApp"="d:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
.
d:\documents and settings\user\Start Menu\Programs\Startup\
Dropbox.lnk - d:\documents and settings\user\Application Data\Dropbox\bin\Dropbox.exe [2011-12-5 24242056]
.
d:\documents and settings\All Users\Start Menu\Programs\Startup\
Launchy.lnk - d:\program files\Launchy\Launchy.exe [2010-7-15 380928]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- d:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"= d:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe
"c:\\WINDOWS\\system32\\sessmgr.exe"= d:\\WINDOWS\\system32\\sessmgr.exe
"d:\\Program Files\\tixati\\tixati.exe"=
"d:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"d:\\Documents and Settings\\user\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"113:TCP"= 113:TCP:library
"1337:TCP"= 1337:TCP:PowerFolder
.
R1 SASDIFSV;SASDIFSV;d:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 10:25 AM 12872]
R1 SASKUTIL;SASKUTIL;d:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 10:41 AM 67656]
S3 C88PvL;C88PvL;d:\program files\CPUID\PC Wizard 2010\Data\pcwizntl.exe -s --> d:\program files\CPUID\PC Wizard 2010\Data\pcwizntl.exe -s [?]
S3 cpuz134;cpuz134;\??\f:\1filesnotxubuntu\zforacersetup\pc-wizard_2010.1.961\pcwiz_x32.sys --> f:\1filesnotxubuntu\zforacersetup\pc-wizard_2010.1.961\pcwiz_x32.sys [?]
S3 FUG0Hf;FUG0Hf;d:\program files\CPUID\PC Wizard 2010\Data\pcwizntl.exe -s --> d:\program files\CPUID\PC Wizard 2010\Data\pcwizntl.exe -s [?]
S3 K3ipmu;K3ipmu;d:\program files\CPUID\PC Wizard 2010\Data\pcwizntl.exe -s --> d:\program files\CPUID\PC Wizard 2010\Data\pcwizntl.exe -s [?]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;d:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [5/23/2011 9:32 PM 15232]
S3 OPqR9F;OPqR9F;d:\program files\CPUID\PC Wizard 2010\Data\pcwizntl.exe -s --> d:\program files\CPUID\PC Wizard 2010\Data\pcwizntl.exe -s [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-30 d:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-606747145-1637723038-963894560-1001Core.job
- d:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-15 05:20]
.
2012-01-08 d:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-606747145-1637723038-963894560-1001UA.job
- d:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-15 05:20]
.
2012-01-08 d:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- d:\program files\Ask.com\UpdateTask.exe [2010-10-11 23:12]
.
2012-01-08 d:\windows\Tasks\User_Feed_Synchronization-{41FBD9B7-5D38-49B4-ADCB-D26E150C3F1F}.job
- d:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://eeepc.asus.com/global
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 64.68.244.250 8.8.8.8
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2012-01-08 15:33
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(888)
d:\program files\SUPERAntiSpyware\SASWINLO.DLL
d:\windows\system32\Ati2evxx.dll
d:\windows\System32\BCMLogon.dll
.
- - - - - - - > 'explorer.exe'(780)
d:\documents and settings\user\Application Data\Dropbox\bin\DropboxExt.14.dll
d:\windows\system32\ieframe.dll
d:\windows\system32\OneX.DLL
d:\windows\system32\eappprxy.dll
d:\windows\system32\webcheck.dll
.
Completion time: 2012-01-08 15:35:45
ComboFix-quarantined-files.txt 2012-01-08 23:35
ComboFix2.txt 2012-01-08 08:02
.
Pre-Run: 5,035,446,272 bytes free
Post-Run: 5,023,281,152 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(3)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(3)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 0A20E81B3CF66E57357946A76BA9DB51
_________________________________________________________________________

Thank you 1972vet

pup
__________________
puppylinux is offline  
Old 01-09-2012, 04:25 PM   #9
Registered Member
 
Join Date: Jan 2012
Posts: 17
OS: XP Pro SP3, PuppyLinux



The zipped log: attach.zip (5.7 KB), from the first post.
__________________
puppylinux is offline  
Old 01-09-2012, 05:37 PM   #10
Security Team
Analyst
 
Join Date: Jun 2008
Location: Midwest, U.S.A.
Posts: 988
OS: Dual Boot Setup, Vista SP2 and XPSP3



Please uninstall these:
Ad-aware
Clamwin
Fireshot and Ask toolbars
...and all instances of installed Java


We'll concern ourselves with the latest version of Java when the system is clean.

Next, please open a blank Notepad by clicking start-->run...Then, in the run box type Notepad.exe and click "OK".
Copy the below text in Bold and paste it into the blank Notepad. Save it as CFScript.txt...Change the "Save as type" to All Files and save it to your desktop. Now drag the text document over to your Combofix.exe

Combofix will run again automatically. Please post back the new log that will be generated. Thanks!
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall



KILLALL::

driver::
svohost.exe

dirlook::
d:\windows\pss

rootkit::
d:\windows\svchcst.exe
d:\windows\DelSvel.bat
d:\documents and settings\user\local settings\application data\uqt.exe
d:\windows\system32\_svchcst.exe
D:\svchcst.exe

dds::
TB: FireShot: {6e6e744e-4d20-4ce3-9a7a-26dfffe22f68} -
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} -
TB: {3041D03E-FD4B-44E0-B742-2D9B88305F98} -
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} -

folder::
d:\Program Files\tixati
__________________
Disabled Veteran, U.S.C.G. 1972 - 1978

Windows XP Performance and Maintenance
Windows Vista Performance and Maintenance

1972vet is offline  
Old 01-09-2012, 06:48 PM   #11
Registered Member
 
Join Date: Jan 2012
Posts: 17
OS: XP Pro SP3, PuppyLinux



Thanks 1972vet!

Combofix-3M log -

ComboFix 12-01-07.03 - user 01/09/2012 18:30:57.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1343 [GMT -8:00]
Running from: d:\documents and settings\user\Desktop\ComboFix.exe
Command switches used :: d:\documents and settings\user\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
d:\program files\tixati
d:\program files\tixati\errorreporter.exe
d:\program files\tixati\license.txt
d:\program files\tixati\tixati.exe
d:\program files\tixati\uninstall.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-12-10 to 2012-01-10 )))))))))))))))))))))))))))))))
.
.
2012-01-08 07:18 . 2012-01-08 07:18 -------- d-----w- d:\documents and settings\user\Local Settings\Application Data\Help
2011-12-11 04:22 . 2012-01-10 02:38 -------- d-----w- d:\documents and settings\user\Application Data\Dropbox
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-17 23:38 . 2011-08-17 23:38 142296 ----a-w- d:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of d:\windows\pss ----
.
2011-12-30 04:32 . 2010-06-04 06:10 211 ------w- d:\windows\pss\boot.ini.backup
2011-12-30 04:31 . 2010-06-04 06:17 477 ------w- d:\windows\pss\win.ini.backup
2011-12-30 04:31 . 2010-06-03 23:06 231 ------w- d:\windows\pss\system.ini.backup
.
.
((((((((((((((((((((((((((((( SnapShot@2012-01-08_07.59.22 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-14 12:00 . 2012-01-08 05:59 84516 d:\windows\system32\perfc009.dat
+ 2008-04-14 12:00 . 2012-01-10 02:02 84516 d:\windows\system32\perfc009.dat
+ 2008-04-14 12:00 . 2012-01-10 02:02 491196 d:\windows\system32\perfh009.dat
- 2008-04-14 12:00 . 2012-01-08 05:59 491196 d:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- d:\documents and settings\user\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- d:\documents and settings\user\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- d:\documents and settings\user\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- d:\documents and settings\user\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DELL Webcam Manager"="d:\program files\DELL\DELL Webcam Manager\DellWMgr.exe" [2007-06-07 118784]
"TouchFreeze"="d:\program files\TouchFreeze\TouchFreeze.exe" [2005-04-29 45056]
"Revo Uninstaller"="d:\program files\VS Revo Group\Revo Uninstaller\Revouninstaller.exe" [2011-04-14 3147344]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="d:\windows\system32\WLTRAY.exe" [2007-10-10 2183168]
"StartCCC"="d:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-30 61440]
"OEM02Mon.exe"="d:\windows\OEM02Mon.exe" [2007-05-10 36864]
"SigmatelSysTrayApp"="d:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
.
d:\documents and settings\user\Start Menu\Programs\Startup\
Dropbox.lnk - d:\documents and settings\user\Application Data\Dropbox\bin\Dropbox.exe [2011-12-5 24242056]
.
d:\documents and settings\All Users\Start Menu\Programs\Startup\
Launchy.lnk - d:\program files\Launchy\Launchy.exe [2010-7-15 380928]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- d:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"= d:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe
"c:\\WINDOWS\\system32\\sessmgr.exe"= d:\\WINDOWS\\system32\\sessmgr.exe
"d:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"d:\\Documents and Settings\\user\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"113:TCP"= 113:TCP:library
"1337:TCP"= 1337:TCP:PowerFolder
.
R1 SASDIFSV;SASDIFSV;d:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 10:25 AM 12872]
R1 SASKUTIL;SASKUTIL;d:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 10:41 AM 67656]
S3 C88PvL;C88PvL;d:\program files\CPUID\PC Wizard 2010\Data\pcwizntl.exe -s --> d:\program files\CPUID\PC Wizard 2010\Data\pcwizntl.exe -s [?]
S3 cpuz134;cpuz134;\??\f:\1filesnotxubuntu\zforacersetup\pc-wizard_2010.1.961\pcwiz_x32.sys --> f:\1filesnotxubuntu\zforacersetup\pc-wizard_2010.1.961\pcwiz_x32.sys [?]
S3 FUG0Hf;FUG0Hf;d:\program files\CPUID\PC Wizard 2010\Data\pcwizntl.exe -s --> d:\program files\CPUID\PC Wizard 2010\Data\pcwizntl.exe -s [?]
S3 K3ipmu;K3ipmu;d:\program files\CPUID\PC Wizard 2010\Data\pcwizntl.exe -s --> d:\program files\CPUID\PC Wizard 2010\Data\pcwizntl.exe -s [?]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;d:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [5/23/2011 9:32 PM 15232]
S3 OPqR9F;OPqR9F;d:\program files\CPUID\PC Wizard 2010\Data\pcwizntl.exe -s --> d:\program files\CPUID\PC Wizard 2010\Data\pcwizntl.exe -s [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-30 d:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-606747145-1637723038-963894560-1001Core.job
- d:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-15 05:20]
.
2012-01-10 d:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-606747145-1637723038-963894560-1001UA.job
- d:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-15 05:20]
.
2012-01-09 d:\windows\Tasks\User_Feed_Synchronization-{41FBD9B7-5D38-49B4-ADCB-D26E150C3F1F}.job
- d:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://eeepc.asus.com/global
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 64.68.244.250 8.8.8.8
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
AddRemove-tixati - d:\program files\tixati\uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2012-01-09 18:37
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(888)
d:\program files\SUPERAntiSpyware\SASWINLO.DLL
d:\windows\system32\Ati2evxx.dll
d:\windows\System32\BCMLogon.dll
.
- - - - - - - > 'explorer.exe'(2780)
d:\documents and settings\user\Application Data\Dropbox\bin\DropboxExt.14.dll
d:\windows\system32\ieframe.dll
d:\windows\system32\OneX.DLL
d:\windows\system32\eappprxy.dll
d:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
d:\windows\system32\Ati2evxx.exe
d:\windows\system32\Ati2evxx.exe
d:\windows\System32\WLTRYSVC.EXE
d:\windows\System32\bcmwltry.exe
d:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
d:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
d:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
d:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2012-01-09 18:39:28 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-10 02:39
ComboFix2.txt 2012-01-08 23:35
ComboFix3.txt 2012-01-08 08:02
.
Pre-Run: 4,956,110,848 bytes free
Post-Run: 4,936,118,272 bytes free
.
- - End Of File - - A341E041D54A44EB1BC9D6F4AE71291F

_______________________________________________________
excellent instructions and a nice, fast program

Thanks Again
pup
__________________
puppylinux is offline  
Old 01-10-2012, 12:51 AM   #12
Security Team
Analyst
 
Join Date: Jun 2008
Location: Midwest, U.S.A.
Posts: 988
OS: Dual Boot Setup, Vista SP2 and XPSP3



Did you remember to uninstall ad-aware? Please tell me, how is the system performing for you now?
1972vet is offline  
Old 01-10-2012, 08:23 PM   #13
Registered Member
 
Join Date: Jan 2012
Posts: 17
OS: XP Pro SP3, PuppyLinux



Re: another _fake_windows_security_center
"Did you remember to uninstall ad-aware? Please tell me, how is the system performing for you now?"

First Thank You Very Much!
I have been super careful about mal-transmission.
Using my netbook with puppylinux for all.
Will start using this laptop and report back.
The Windows Security Alerts had been eliminated and is now in the taskbar.
I had updates and notifications turned off -
was using Avast and Comodo Firewall among others.
I obviously pay the attention!
Everything seems 'normal'
?What next - reinstall Avast and Firewall?
__________________
puppylinux is offline  
Old 01-10-2012, 11:00 PM   #14
Registered Member
 
Join Date: Jan 2012
Posts: 17
OS: XP Pro SP3, PuppyLinux



Oops, "did you remember to uninstall ad-aware" went unanswered: I did remember to uninstall Ad-Aware. I will try to install Avast, as I do not want to surf naked; I only have the NoScript add-on for protection right now. (Thinking that I can always uninstall Avast later if important.) Thank You, pup
__________________
puppylinux is offline  
Old 01-10-2012, 11:50 PM   #15
Registered Member
 
Join Date: Jan 2012
Posts: 17
OS: XP Pro SP3, PuppyLinux



Ad-Aware NOW uninstalled----really
removed_tuesday01102012

2011-12-30 d:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-606747145-1637723038-963894560-1001Core.job
- d:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-15 05:20]
.
2012-01-08 d:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-606747145-1637723038-963894560-1001UA.job
- d:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-15 05:20]

What happens if I remove

2012-01-08 d:\windows\Tasks\User_Feed_Synchronization-{41FBD9B7-5D38-49B4-ADCB-D26E150C3F1F}.job
- d:\windows\system32\msfeedssync.exe [2009-03-08 11:31]

I missed Ad-Aware
(I have been too short on sleep and used Revo uninstaller which has listed all installed software in the past)
On rereading the logs and posts I saw:
S3 Lavasoft Kernexplorer;Lavasoft helper driver;d:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [5/23/2011 9:32 PM 15232]
NOW REMOVED
(I deleted the folder in d:\program files)

Sorry for the poor writing
I meant to say. "Obviously not paying enough attention." in the last post. geez

Will soon get a few hours sleep.

Anyway Thank You
pup
__________________
puppylinux is offline  
Old 01-11-2012, 02:14 PM   #16
Security Team
Analyst
 
Join Date: Jun 2008
Location: Midwest, U.S.A.
Posts: 988
OS: Dual Boot Setup, Vista SP2 and XPSP3



You can now delete DDS and its associated logs. Next, please click start-->run...then copy and paste the Bold text below into the run box and click "OK":

ComboFix /Uninstall

Performing this function will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again for you automatically.

I'd like to see you reinstall Avast now, run a manual update, then perform a complete system scan. Allow the software to quarantine whatever it complains of. Post back the results. Thanks!
1972vet is offline  
Old 01-13-2012, 01:25 AM   #19
Registered Member
 
Join Date: Jan 2012
Posts: 17
OS: XP Pro SP3, PuppyLinux



uninstall CF
run avast!
boot scan ran avast! - - w/o uninstalling CF
read the quarantined list
#!*&etc 'restored CF'
tried to uninstall (ComboFix /Uninstall)
pop up message Windows Cannot Find
found 5 ComboFix files - Windows Search Function
the CF .exe on the desktop
Combofix.txt @ D:\
3 .txt files @ D:\Qoobox


aswBoot.txt

01/12/2012 19:22
Scan of all local drives

File C:\System Volume Information\_restore{69F4D931-E3A7-4F7E-ADA3-AB8FD570592B}\RP278\A0074112.exe is infected by Win32:Hupigon-OMA [Trj], Moved to chest
File D:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\6.0\16\58d00b10-3e4115f1 is infected by Win32:MalOb-IS [Cryp], Moved to chest
File D:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\6.0\20\798374d4-512dfd17|>morale.class is infected by Java:CVE-2011-3544-M [Expl], Moved to chest
File D:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\6.0\28\5a9c60dc-7e7d032f|>apache\adidas.class is infected by Java:Agent-ACJ [Expl], Moved to chest
File D:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\6.0\28\5a9c60dc-7e7d032f|>apache\hoplan.class is infected by Java:Agent-AFG [Expl], Moved to chest
File D:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\6.0\28\5a9c60dc-7e7d032f|>apache\sdjire.class is infected by Java:Agent-ACI [Expl], Moved to chest
File D:\Documents and Settings\user\Desktop\1filesnotxubuntu\zforacersetup\NirSoft\nirsoftnetworkutils\sniffpass.zip|>SniffPass.exe is infected by Win32:PSWtool-X [PUP], Moved to chest
File D:\Documents and Settings\user\Desktop\1filesnotxubuntu\zforacersetup\NirSoft\nirsoftnetworkutils\sniffpass_setup.exe|>$INSTDIR\SniffPass.exe is infected by Win32:PSWtool-X [PUP], Moved to chest
File D:\Documents and Settings\user\Desktop\1filesnotxubuntu\zforacersetup\NirSoft\nirsoftnetworkutils\wirelessnetview.zip|>WirelessNetView.exe is infected by Win32:PSWtool-AP [PUP], Moved to chest
File D:\Documents and Settings\user\Desktop\1filesnotxubuntu\zforacersetup\NirSoft\nirsoftnetworkutils\wirelessnetview_setup.exe|>$INSTDIR\WirelessNetView.exe is infected by Win32:PSWtool-AP [PUP], Moved to chest
File D:\Documents and Settings\user\Desktop\ComboFix.exe|>$0\pev.3XE|>[PECompact] is infected by Win32:Rootkit-gen [Rtk], Moved to chest
File D:\Documents and Settings\user\My Documents\1-growing\1_b_alquacult\water-_-spirulina_-_tilapia\clarifiers\LibO_3.3.0_Win_x86_install_multi.exe|>$INSTDIR\libreoffice1.cab|>standard4.bau|>+BCEEHQQUBB8-\atevent.xml Error 42125 {ZIP archive is corrupted.}
File D:\Documents and Settings\user\My Documents\1-growing\1_b_alquacult\water-_-spirulina_-_tilapia\clarifiers\LibO_3.3.0_Win_x86_install_multi.exe|>$INSTDIR\libreoffice1.cab|>standard4.bau|>+BCEEFA-\atevent.xml Error 42125 {ZIP archive is corrupted.}
File D:\Documents and Settings\user\My Documents\1-growing\1_b_alquacult\water-_-spirulina_-_tilapia\clarifiers\LibO_3.3.0_Win_x86_install_multi.exe|>$INSTDIR\libreoffice1.cab|>template4.bau|>+BBcEEQ-1+BCE-\Pictures\2000001B00000CD200000CED63AA5866.svm Error 42125 {ZIP archive is corrupted.}
File D:\Documents and Settings\user\My Documents\1-growing\1_b_alquacult\water-_-spirulina_-_tilapia\clarifiers\LibO_3.3.0_Win_x86_install_multi.exe|>$INSTDIR\libreoffice1.cab|>template4.bau|>+BBcEEQQU-\Pictures\2000001B00000CD200000CED63AA5866.svm Error 42125 {ZIP archive is corrupted.}
File D:\Documents and Settings\user\My Documents\1-growing\water\the_well\SoftonicDownloader_for_atube-catcher.exe is infected by Win32:Softonic-E [PUP], Moved to chest
File D:\Documents and Settings\user\My Documents\hardware\2DELL-analysis\PCLOS-MAG-_-snips-_-howto\1shorts\3-install_software\file_mnage_utilities_SECURITY\Lupo_PenSuite_v6.76_Full.zip|>Lupo PenSuite v6.76 Full\Apps\Pidgin Plus\App\Pidgin\nss3.dll is infected by Win32:Malware-gen



did not upload the files to avast!
?should i have?
am goin home soup n sleep run down congested n flu ey for a few days
Thanks Again Vet - much appreciated
__________________
puppylinux is offline  
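The aswBoot.txt log above mixes three kinds of line: detections that avast! moved to the chest, one detection reported with no action, and "Error 42125" entries that are unreadable archive members rather than hits. A parser that separates them and buckets the hits by where they sit on disk, as an added example in Python that is not part of this thread and not an avast! feature: the line format is inferred from the log as posted, and the bucket names (restore-point copies under System Volume Information, cached applets under the Java deployment cache, PUP-classed tools, everything else) are my own grouping. The sample is a subset of the lines posted above.

```python
"""Parse an avast! boot-time scan log (aswBoot.txt) and bucket the hits.

Added example, not part of the thread and not an avast! feature. The line
format is inferred from the log posted above:
  File <path>[|><inner>...] is infected by <signature> [<class>], Moved to chest
  File <path>[|><inner>...] Error <code> {<message>}
"""
import re
from collections import Counter
from typing import Dict, List, Optional

DETECT = re.compile(
    r"^File (?P<path>.+?) is infected by (?P<sig>\S+)"
    r"(?: \[(?P<cat>[^\]]+)\])?(?:, (?P<action>.+))?$")
ERROR = re.compile(r"^File (?P<path>.+?) Error (?P<code>\d+) \{(?P<msg>[^}]*)\}$")


def parse_line(line: str) -> Optional[Dict]:
    """Turn one log line into a record, or None for headers and blanks."""
    line = line.strip()
    m = DETECT.match(line)
    if m:
        parts = m["path"].split("|>")          # "|>" marks archive nesting
        return {"kind": "detection", "outer": parts[0], "inner": parts[1:],
                "sig": m["sig"], "cat": m["cat"], "action": m["action"]}
    m = ERROR.match(line)
    if m:
        parts = m["path"].split("|>")
        return {"kind": "error", "outer": parts[0], "inner": parts[1:],
                "code": int(m["code"]), "msg": m["msg"]}
    return None


def parse_log(text: str) -> List[Dict]:
    """All records in a log, in order, with non-matching lines dropped."""
    return [r for r in map(parse_line, text.splitlines()) if r]


def bucket(rec: Dict) -> str:
    """Group a record by where on disk the hit lives."""
    if rec["kind"] == "error":
        return "scan-error"                     # unreadable archive, not a hit
    outer = rec["outer"].lower()
    if "\\system volume information\\" in outer:
        return "restore-point"                  # old copy kept by System Restore
    if "\\sun\\java\\deployment\\cache\\" in outer:
        return "java-cache"                     # applets cached by the Java plug-in
    if rec.get("cat") == "PUP":
        return "pup"
    return "other"


def summarize(records: List[Dict]) -> Dict:
    """Counts per bucket, exploit signatures, and hits avast! did not act on."""
    return {
        "counts": Counter(bucket(r) for r in records),
        "exploits": [r["sig"] for r in records
                     if r["kind"] == "detection" and r["cat"] == "Expl"],
        "unactioned": [r["outer"] for r in records
                       if r["kind"] == "detection" and not r["action"]],
    }


# A subset of the lines from the aswBoot.txt log posted above.
SAMPLE_LOG = r"""
01/12/2012 19:22
Scan of all local drives

File C:\System Volume Information\_restore{69F4D931-E3A7-4F7E-ADA3-AB8FD570592B}\RP278\A0074112.exe is infected by Win32:Hupigon-OMA [Trj], Moved to chest
File D:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\6.0\20\798374d4-512dfd17|>morale.class is infected by Java:CVE-2011-3544-M [Expl], Moved to chest
File D:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\6.0\28\5a9c60dc-7e7d032f|>apache\adidas.class is infected by Java:Agent-ACJ [Expl], Moved to chest
File D:\Documents and Settings\user\Desktop\1filesnotxubuntu\zforacersetup\NirSoft\nirsoftnetworkutils\sniffpass.zip|>SniffPass.exe is infected by Win32:PSWtool-X [PUP], Moved to chest
File D:\Documents and Settings\user\My Documents\1-growing\1_b_alquacult\water-_-spirulina_-_tilapia\clarifiers\LibO_3.3.0_Win_x86_install_multi.exe|>$INSTDIR\libreoffice1.cab|>standard4.bau|>+BCEEHQQUBB8-\atevent.xml Error 42125 {ZIP archive is corrupted.}
File D:\Documents and Settings\user\My Documents\hardware\2DELL-analysis\PCLOS-MAG-_-snips-_-howto\1shorts\3-install_software\file_mnage_utilities_SECURITY\Lupo_PenSuite_v6.76_Full.zip|>Lupo PenSuite v6.76 Full\Apps\Pidgin Plus\App\Pidgin\nss3.dll is infected by Win32:Malware-gen
"""

if __name__ == "__main__":
    summary = summarize(parse_log(SAMPLE_LOG))
    for name, n in sorted(summary["counts"].items()):
        print(f"{name:14} {n}")
    print("exploit signatures:", ", ".join(summary["exploits"]))
    print("not actioned:", summary["unactioned"])
```

The "exploits" list is the part worth reading first: the [Expl] hits live in the Java deployment cache, which is where the browser plug-in stores downloaded applets, and that is consistent with the earlier instruction to uninstall every Java version before the system is considered clean. The "unactioned" list catches the final line of the log, which reports a detection with no "Moved to chest" after it.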
Old 01-13-2012, 05:26 AM   #20
Security Team
Analyst
 
Join Date: Jun 2008
Location: Midwest, U.S.A.
Posts: 988
OS: Dual Boot Setup, Vista SP2 and XPSP3



No need to upload them, we know they're infected. Were you unable to uninstall combofix using the command?

1972vet is offline  
 
