
Virus - Google search results lead to wrong links; pop up windows



 
 
Old 06-13-2010, 01:02 PM   #1
Registered Member
 
Join Date: Jul 2009
Posts: 26
OS: Windows XP



Hi,

so far what I have noticed with my system is that when I am doing a Google search and click a link in the results, I get directed to other pages. Often I get pop-up windows in places where I shouldn't.

This isn't actually the first time I have had this virus... My computer recently tanked on me and so I used an old boot disk I had to bring it back. Anyways, I think this virus was likely on that boot disk.

Any help would be fantastic.

Cheers.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Nathan Smith at 1357.52 on 13/06/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.894.506 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\PROGRA~1\HPQ\SHARED\HPQTOA~1.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Nathan Smith.NATHAN\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q106&bd=presario&pf=laptop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q106&bd=presario&pf=laptop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q106&bd=presario&pf=laptop
uInternet Settings,ProxyOverride = *.local
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [fuqhdciayl] c:\documents and settings\nathan smith.nathan\local settings\application data\uxyjvvs\fvaammm.exe
uRun: [rslhudiav] c:\documents and settings\nathan smith.nathan\local settings\application data\mwackolbe\mqefiew.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [RecGuard] c:\windows\sminst\RecGuard.exe
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_06\bin\jusched.exe
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [fuqhdciayl] c:\documents and settings\nathan smith.nathan\local settings\application data\uxyjvvs\fvaammm.exe
mRun: [rslhudiav] c:\documents and settings\nathan smith.nathan\local settings\application data\mwackolbe\mqefiew.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ciscos~1.lnk - c:\program files\cisco systems\vpn client\vpngui.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\freewe~1.lnk - c:\program files\coffeecup software\coffeecup free ftp\ThirtyDayTimer.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\photol~1.lnk - c:\program files\casio\photo loader\Plauto.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\npjpi150_06.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll

============= SERVICES / DRIVERS ===============

R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2004-12-15 200192]

=============== Created Last 30 ================

2010-05-23 21:39:29 34 ----a-w- c:\windows\system32\BD7220.DAT
2010-05-23 21:38:07 53248 ----a-w- c:\windows\system32\drivers\BrSerIf.sys
2010-05-23 21:38:07 37888 ----a-w- c:\windows\system32\BrUSi04b.dll
2010-05-23 21:38:07 15295 ----a-w- c:\windows\system32\drivers\BrScnUsb.sys
2010-05-23 21:38:07 120832 ----a-w- c:\windows\system32\BrWia04b.dll
2010-05-23 21:38:07 11904 ----a-w- c:\windows\system32\drivers\BrUsbSer.sys
2010-05-23 21:32:54 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2010-05-23 21:32:54 25856 ----a-w- c:\windows\system32\dllcache\usbprint.sys
2010-05-23 21:32:49 31616 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2010-05-23 21:32:49 31616 ----a-w- c:\windows\system32\dllcache\usbccgp.sys
2010-05-18 02:41:31 0 d-----w- c:\docume~1\nathan~1.nat\applic~1\Facebook
2010-05-15 19:41:53 17920 ----a-w- c:\windows\system32\mdimon.dll
2010-05-15 17:28:34 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-05-15 17:28:34 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-05-15 17:26:46 0 d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-05-15 16:43:25 26496 ----a-w- c:\windows\system32\dllcache\usbstor.sys

==================== Find3M ====================

2010-05-12 06:23:31 1673 --sha-r- c:\windows\system32\drivers\103C_HP_NTBK_Presario V2000 (ET944UA#ABL)_YN_0Pres_QCNF620044K_E410214DB2_46_I3093_SQuanta_V47.0E_BF.25_T060403_WXH2_L409_M895_J100_7AMD_8Turion 64 Technology ML-34_91.79_#060425_N10EC8139_(ET944UA#ABL)_XMOBILE.MRK
2010-05-12 02:07:34 90112 ----a-w- c:\windows\DUMP6978.tmp
2010-05-12 01:49:47 94208 ----a-w- c:\windows\DUMP6968.tmp
2010-04-08 17:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 17:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe
2006-10-02 23:49:42 22 --sha-w- c:\windows\sminst\HPCD.sys

============= FINISH: 13:07:51.94 ===============
Attached Files
File Type: zip ark.zip (3.6 KB, 3 views)

__________________
nathansmith_6 is offline  
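Added example (not from the thread and not part of the DDS tool): a small Python triage of the "Pseudo HJT Report" autostart lines above, applying the two checks a helper makes by eye on this log: an autostart executable living under the user's profile data directories, and the same value name registered under both the HKCU (uRun) and HKLM (mRun) Run keys. The sample lines are copied from the DDS log in the first post; the two heuristics and the name `triage` are this example's own assumptions.

```python
"""Triage of the autostart ("Pseudo HJT Report") section of a DDS log.

DDS abbreviates the Run keys: uRun is the current user's (HKCU) Run key,
mRun is the machine-wide (HKLM) Run key. The two checks below are this
example's own assumptions, modelled on what a helper looks for by eye;
they are not rules built into DDS.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple

# Sample input: lines copied from the DDS log in the first post of the thread.
DDS_LINES = r"""
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [fuqhdciayl] c:\documents and settings\nathan smith.nathan\local settings\application data\uxyjvvs\fvaammm.exe
uRun: [rslhudiav] c:\documents and settings\nathan smith.nathan\local settings\application data\mwackolbe\mqefiew.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_06\bin\jusched.exe
mRun: [fuqhdciayl] c:\documents and settings\nathan smith.nathan\local settings\application data\uxyjvvs\fvaammm.exe
mRun: [rslhudiav] c:\documents and settings\nathan smith.nathan\local settings\application data\mwackolbe\mqefiew.exe
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
"""

RUN_LINE = re.compile(r"^(?P<hive>uRun|mRun): \[(?P<label>[^\]]*)\] (?P<value>.*)$")
QUOTED_PATH = re.compile(r'^"(?P<path>[^"]+)"(?P<args>.*)$')
BARE_PATH = re.compile(r"^(?P<path>.*?\.(?:exe|scr|com|bat|cmd|dll))(?P<args>.*)$", re.I)

# Profile directories where a normally installed program would not place an
# autostart binary; user-dropped malware (as in this log) commonly lives here.
# Heuristic assumption of this example, not a DDS rule.
PROFILE_ROOT = "c:\\documents and settings\\"
PROFILE_DATA_DIRS = (r"\local settings\application data", r"\application data", r"\local settings\temp")


class RunEntry(NamedTuple):
    hive: str   # "uRun" (HKCU) or "mRun" (HKLM)
    label: str  # registry value name as shown in brackets
    path: str   # executable path with quotes removed, lowercased
    args: str


class Finding(NamedTuple):
    label: str
    path: str
    hives: Tuple[str, ...]
    reasons: Tuple[str, ...]


def parse_run_entries(log_text: str) -> List[RunEntry]:
    """Pull uRun/mRun entries out of a DDS log; other line types are ignored."""
    entries: List[RunEntry] = []
    for raw in log_text.splitlines():
        m = RUN_LINE.match(raw.strip())
        if not m:
            continue
        value = m.group("value").strip()
        pm = QUOTED_PATH.match(value) or BARE_PATH.match(value)
        path, args = (pm.group("path"), pm.group("args")) if pm else (value, "")
        entries.append(RunEntry(m.group("hive"), m.group("label"), path.lower(), args.strip()))
    return entries


def under_profile_data_dir(path: str) -> bool:
    return path.startswith(PROFILE_ROOT) and any(d in path for d in PROFILE_DATA_DIRS)


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per (label, path) that trips at least one check, sorted by label."""
    seen: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for e in parse_run_entries(log_text):
        seen[(e.label, e.path)].add(e.hive)

    findings: List[Finding] = []
    for (label, path), hives in seen.items():
        reasons = []
        if under_profile_data_dir(path):
            reasons.append("USER_PROFILE_EXE")  # binary launched from the user's data folders
        if {"uRun", "mRun"} <= hives:
            reasons.append("DUP_HKCU_HKLM")     # same value in both Run keys: redundant persistence
        if reasons:
            findings.append(Finding(label, path, tuple(sorted(hives)), tuple(reasons)))
    return sorted(findings, key=lambda f: f.label.lower())


if __name__ == "__main__":
    for f in triage(DDS_LINES):
        print(f"{f.label}: {', '.join(f.reasons)} ({'/'.join(f.hives)})\n    {f.path}")
```

Run against the sample, only the two randomly named entries are reported, each with both reasons; the vendor entries under Program Files are left alone.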
Old 06-13-2010, 11:31 PM   #2
TSF Team, Emeritus
 
 
Join Date: Apr 2009
Location: CGK
Posts: 1,352
OS: XP



Hello nathansmith_6 and welcome to TSF,

Please subscribe to this thread to get immediate notification of replies (if you haven't already) as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

-------------------------

I am sorry to tell you that one or more of the identified infections is a backdoor trojan / rootkit.

This type of infection allows hackers to remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation. Please refer to Microsoft's Online Safety article for tips on creating a strong password.

Do not change passwords or do any transactions from the infected computer until it has been cleaned.

--------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper at this forum.

-------------------------------

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

=========================

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/comb...o-use-combofix

**Note: It is important that it is saved directly to your desktop**

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. If you are unsure of how to do it, please read here.

Please include the C:\ComboFix.txt in your next reply for further review. But make sure you have re-enabled your anti virus and anti malware programs before you reply.

__________________
vpw_pearl is offline  
Old 06-14-2010, 05:34 PM   #3
Registered Member
 
Join Date: Jul 2009
Posts: 26
OS: Windows XP



ComboFix 10-06-14.02 - Nathan Smith 14/06/2010 20:21:03.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.894.656 [GMT -4:00]
Running from: c:\documents and settings\Nathan Smith.NATHAN\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\nathan smith.nathan\local settings\application data\mwackolbe\mqefiew.exe
c:\documents and settings\Nathan Smith.NATHAN\Local Settings\Application Data\syssvc.exe
c:\documents and settings\nathan smith.nathan\local settings\application data\uxyjvvs\fvaammm.exe

Infected copy of c:\windows\system32\drivers\rasacd.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-05-15 to 2010-06-15 )))))))))))))))))))))))))))))))
.

2010-05-23 21:39 . 2010-05-23 21:39 34 ----a-w- c:\windows\system32\BD7220.DAT
2010-05-23 21:38 . 2006-01-18 18:17 11904 ----a-w- c:\windows\system32\drivers\BrUsbSer.sys
2010-05-23 21:38 . 2006-01-18 13:44 53248 ----a-w- c:\windows\system32\drivers\BrSerIf.sys
2010-05-23 21:38 . 2004-11-02 12:19 120832 ----a-w- c:\windows\system32\BrWia04b.dll
2010-05-23 21:38 . 2004-10-15 03:50 15295 ----a-w- c:\windows\system32\drivers\BrScnUsb.sys
2010-05-23 21:38 . 2004-09-21 04:11 37888 ----a-w- c:\windows\system32\BrUSi04b.dll
2010-05-23 21:32 . 2004-08-04 03:01 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2010-05-23 21:32 . 2004-08-04 03:01 25856 ----a-w- c:\windows\system32\dllcache\usbprint.sys
2010-05-23 21:32 . 2004-08-04 03:08 31616 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2010-05-23 21:32 . 2004-08-04 03:08 31616 ----a-w- c:\windows\system32\dllcache\usbccgp.sys
2010-05-21 14:58 . 2010-05-21 14:58 -------- d-----w- c:\documents and settings\Nathan Smith.NATHAN\Local Settings\Application Data\Adobe
2010-05-21 14:58 . 2010-05-21 14:58 -------- d-----w- c:\documents and settings\Nathan Smith.NATHAN\Application Data\AdobeUM
2010-05-18 02:41 . 2010-05-18 02:41 50354 ----a-w- c:\documents and settings\Nathan Smith.NATHAN\Application Data\Facebook\uninstall.exe
2010-05-18 02:41 . 2010-05-18 02:41 -------- d-----w- c:\documents and settings\Nathan Smith.NATHAN\Application Data\Facebook

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-14 23:34 . 2010-06-13 20:05 -------- d-----w- c:\documents and settings\Nathan Smith.NATHAN\Application Data\uTorrent
2010-06-12 17:14 . 2010-06-12 17:14 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-06-12 13:24 . 2010-05-13 00:03 -------- d-----w- c:\documents and settings\Nathan Smith.NATHAN\Application Data\vlc
2010-06-05 13:22 . 2010-05-15 16:45 -------- d-----w- c:\documents and settings\Nathan Smith.NATHAN\Application Data\DivX
2010-05-16 13:18 . 2010-05-12 06:22 64184 ----a-w- c:\documents and settings\Nathan Smith.NATHAN\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-15 21:02 . 2007-01-29 18:34 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-05-15 19:46 . 2010-05-15 19:46 -------- d-----w- c:\documents and settings\Nathan Smith.NATHAN\Application Data\Sonic
2010-05-15 19:46 . 2010-05-15 19:46 -------- d-----w- c:\documents and settings\Nathan Smith.NATHAN\Application Data\Leadertech
2010-05-15 17:30 . 2010-05-15 17:28 -------- d-----w- c:\documents and settings\Nathan Smith.NATHAN\Application Data\Apple Computer
2010-05-15 17:28 . 2010-05-15 17:26 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-05-15 17:28 . 2009-09-22 12:13 -------- d-----w- c:\program files\iTunes
2010-05-15 17:25 . 2006-09-19 02:07 -------- d-----w- c:\program files\QuickTime
2010-05-15 17:24 . 2009-09-22 12:09 -------- d-----w- c:\program files\Apple Software Update
2010-05-15 17:23 . 2009-09-22 12:12 -------- d-----w- c:\program files\Bonjour
2010-05-15 17:15 . 2006-04-26 01:02 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-05-15 17:15 . 2006-04-26 01:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-05-15 17:13 . 2006-04-26 01:02 -------- d-----w- c:\program files\Symantec
2010-05-15 17:05 . 2006-04-26 00:23 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-15 17:05 . 2006-04-26 00:28 -------- d-----w- c:\program files\HPQ
2010-05-15 17:03 . 2004-08-07 13:10 83191 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-05-15 16:58 . 2006-04-26 00:57 -------- d-----w- c:\program files\HP
2010-05-13 00:04 . 2006-09-02 17:24 -------- d-----w- c:\program files\Winamp
2010-05-13 00:03 . 2010-05-13 00:03 -------- d-----w- c:\program files\Winamp Detect
2010-05-13 00:00 . 2010-05-13 00:00 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-05-13 00:00 . 2006-09-15 14:43 -------- d-----w- c:\program files\DivX
2010-05-13 00:00 . 2010-05-12 23:58 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2010-05-13 00:00 . 2010-05-13 00:00 56766 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-05-13 00:00 . 2010-05-13 00:00 53600 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Update\Uninstaller.exe
2010-05-13 00:00 . 2010-05-13 00:00 57054 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSDesktopComponents\Uninstaller.exe
2010-05-13 00:00 . 2010-05-13 00:00 54166 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSAVCDecoder\Uninstaller.exe
2010-05-12 06:25 . 2010-05-12 06:22 142 ----a-w- c:\documents and settings\Nathan Smith.NATHAN\Local Settings\Application Data\fusioncache.dat
2010-05-12 06:23 . 2010-05-12 06:23 1673 --sha-r- c:\windows\system32\drivers\103C_HP_NTBK_Presario V2000 (ET944UA#ABL)_YN_0Pres_QCNF620044K_E410214DB2_46_I3093_SQuanta_V47.0E_BF.25_T060403_WXH2_L409_M895_J100_7AMD_8Turion 64 Technology ML-34_91.79_#060425_N10EC8139_(ET944UA#ABL)_XMOBILE.MRK
2010-05-12 05:24 . 2006-04-26 00:47 -------- d-----w- c:\program files\Sonic
2010-05-12 05:21 . 2006-04-26 00:45 -------- d-----w- c:\program files\MSN Encarta Plus
2010-05-12 05:20 . 2006-04-26 01:13 -------- d-----w- c:\program files\Microsoft Office Trial Wizard
2010-05-12 05:20 . 2006-04-26 00:44 -------- d-----w- c:\program files\Microsoft Money 2006
2010-05-12 05:18 . 2006-04-26 01:10 -------- d-----w- c:\program files\Google
2010-05-12 05:18 . 2006-04-26 00:48 -------- d-----w- c:\program files\Common Files\TiVo Shared
2010-05-12 05:17 . 2006-04-26 00:47 -------- d-----w- c:\program files\Common Files\SureThing Shared
2010-05-12 05:17 . 2006-04-26 00:46 -------- d-----w- c:\program files\Common Files\Sonic Shared
2010-05-12 05:17 . 2006-04-26 01:17 -------- d-----w- c:\program files\Common Files\LightScribe
2010-05-12 05:16 . 2006-04-26 01:32 -------- d-----w- c:\program files\Common Files\Java
2010-05-12 05:16 . 2006-04-26 00:23 -------- d-----w- c:\program files\Common Files\InstallShield
2010-05-12 05:13 . 2006-04-26 00:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic
2010-05-12 05:13 . 2006-04-26 00:50 -------- d-----w- c:\documents and settings\All Users\Application Data\hpqwmi
2010-05-12 02:07 . 2006-09-02 12:19 90112 ----a-w- c:\windows\DUMP6978.tmp
2010-05-12 01:49 . 2006-09-02 12:19 94208 ----a-w- c:\windows\DUMP6968.tmp
2010-04-28 19:45 . 2010-04-28 19:45 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-04-20 16:13 . 2010-04-20 16:13 242696 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-04-20 16:11 . 2010-04-20 16:11 1689952 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-04-08 17:20 . 2010-04-08 17:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 17:20 . 2010-04-08 17:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2006-10-02 23:49 . 2006-10-02 23:49 22 --sha-w- c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-07-14 344064]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 102492]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 692316]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-11-16 503808]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-02-17 233534]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-04-12 1135912]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2005-8-16 577597]
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2009-10-14 1385400]
Free WebSite Tools.lnk - c:\program files\CoffeeCup Software\CoffeeCup Free FTP\ThirtyDayTimer.exe [2007-11-21 372224]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-9-24 73728]
Photo Loader supervisory.lnk - c:\program files\CASIO\Photo Loader\Plauto.exe [2006-12-25 229376]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2007-2-24 389120]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [15/12/2004 11:18 AM 200192]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q106&bd=presario&pf=laptop
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-fuqhdciayl - c:\documents and settings\nathan smith.nathan\local settings\application data\uxyjvvs\fvaammm.exe
HKCU-Run-rslhudiav - c:\documents and settings\nathan smith.nathan\local settings\application data\mwackolbe\mqefiew.exe
HKLM-Run-fuqhdciayl - c:\documents and settings\nathan smith.nathan\local settings\application data\uxyjvvs\fvaammm.exe
HKLM-Run-rslhudiav - c:\documents and settings\nathan smith.nathan\local settings\application data\mwackolbe\mqefiew.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-14 20:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe???????????????|?????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x84401EC5]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7534fc3
\Driver\ACPI -> ACPI.sys @ 0xf73a7cb8
\Driver\atapi -> atapi.sys @ 0xf73417b4
IoDeviceObjectType -> SecurityProcedure -> ntkrnlpa.exe @ 0x805780c2
\Device\Harddisk0\DR0 -> SecurityProcedure -> ntkrnlpa.exe @ 0x805780c2
NDIS: Broadcom 802.11b/g WLAN -> SendCompleteHandler -> NDIS.sys @ 0xf724eba0
PacketIndicateHandler -> NDIS.sys @ 0xf725bb21
SendHandler -> NDIS.sys @ 0xf723987b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(696)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-06-14 20:30:42
ComboFix-quarantined-files.txt 2010-06-15 00:30
ComboFix2.txt 2009-11-12 14:02
ComboFix3.txt 2009-11-10 03:09
ComboFix4.txt 2009-07-05 22:42
ComboFix5.txt 2010-06-14 23:35

Pre-Run: 8,202,534,912 bytes free
Post-Run: 8,284,250,112 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 24D4EB56E8137011DDC05BA34066DE2C
Attached Files
File Type: txt log.txt (13.8 KB, 2 views)
__________________
nathansmith_6 is offline  
Old 06-14-2010, 07:55 PM   #4
TSF Team, Emeritus
 
 
Join Date: Apr 2009
Location: CGK
Posts: 1,352
OS: XP



Hi nathansmith_6,

Please reboot your machine before you do the following instruction:

-------------------------------------

Please download mbr.exe from here to your desktop.

Open NOTEPAD and copy/paste the text in the quotebox below into it:

Quote:
@echo off
rem run Gmer's mbr.exe with the -t switch from the folder this batch file is in
mbr.exe -t
rem open the log the tool wrote (mbr.log) in the default text viewer
start mbr.log
rem delete this batch file once it has run
del %0
Save this as peek.bat. Choose "Save as type - All Files".
It should look like this:

Place peek.bat next to mbr.exe & then double click to run it. A log file will open.

Post back to tell me what it says, along with an update of your system behaviour.

------------------------------------------
__________________
vpw_pearl is offline  
Old 06-15-2010, 04:40 AM   #5
Registered Member
 
Join Date: Jul 2009
Posts: 26
OS: Windows XP



Hi,

I am still getting the redirects when I do a search on Google and click results... Being redirected to advertising pages.

This is what I got when I ran the .bat file:


Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x843FFEC5]<<
kernel: MBR read successfully
user & kernel MBR OK
__________________
nathansmith_6 is offline  
Old 06-15-2010, 09:57 AM   #6
TSF Team, Emeritus
 
 
Join Date: Apr 2009
Location: CGK
Posts: 1,352
OS: XP



Hi nathansmith_6,

It seems that your other disk controller is still being hijacked. We need to pin down which one it is. Hopefully, the following tool will be able to show us... meanwhile, please refrain from using the infected machine for any internet activity for the time being, if possible, other than following the instructions you receive here.


----------------------------

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

-----------------------------

You must first verify that you can logon to the Windows Recovery Console.
To do so, you must have the Recovery Console installed or use the Windows XP installation cd.
(In your case, you already have Recovery Console installed, just make sure you read and understand how to boot into the Microsoft Recovery Console, as it is needed in the following instruction)

How to install and use the Windows XP Recovery Console


Next, please download maxlook, saving the file to your desktop.
Double click maxlook.exe to run it. Note - you must run it only once!
As instructed when the tool runs, restart the computer and logon to the Recovery Console.
Execute the following bolded command at the x:\windows> prompt <--- the red x represents your operating system drive letter, usually C:

batch look.bat




You will see 1 file copied many times then return to the x:\windows> prompt.
Type Exit to restart your computer then logon in normal mode.

Please run maxlook.exe again now. Note - you must run it only once!
It will produce looklog.txt on the desktop and open it.
Please post the results in your next reply.

================

NEXT

Click Start > Run, type Notepad and copy/paste the following code:
Code:
@echo off
rem list everything in ComboFix's quarantine folder, hidden files included, into lookit.txt
dir /a "c:\qoobox">lookit.txt
rem open the listing with the default .txt handler (Notepad)
lookit.txt
rem delete this batch file once it has run
del %0
Save as filename look.bat to your desktop, choose to save as type "All Files". Click OK.
It should look like this:

Double click on " look.bat " and copy/paste the log that pops up into your next reply, as well.

==================


Quick check with you:

Your currently installed Service Pack is outdated. This issue was also raised by the Helper helping you last year, that you had to update your service pack as the latest version (Service Pack 3) had been released, in order to avoid re-infections / any security vulnerabilities. Is there a special reason why you didn't do so?
__________________
vpw_pearl is offline  
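Added example (not from the thread and not part of Gmer's tool): a Python parser for the two mbr.exe outputs posted above (the one inside the ComboFix log in post #3 and the one from peek.bat in post #5), separating the two facts the helper reads from them: the ">>UNKNOWN [addr]<<" element in the "called modules" chain, which is what points at a hooked disk driver, and "user & kernel MBR OK", which only says the boot sector matched. The log text is copied from the posts; the function names and the comparison rule are this example's own assumptions.

```python
"""Parse and compare two runs of Gmer's mbr.exe (Stealth MBR rootkit detector).

The "called modules" line lists the drivers in the disk I/O path the tool
walked when reading the MBR. A ">>UNKNOWN [addr]<<" element means control
passed through code that belongs to no named module. "user & kernel MBR OK"
only says the boot sector read via both paths matched, so the two facts are
reported separately and the UNKNOWN element is what is tracked across runs.
"""
import re
from typing import List, NamedTuple, Optional

# Sample input: the two mbr.exe logs posted in this thread.
MBR_LOG_BEFORE = """\
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x84401EC5]<<
kernel: MBR read successfully
user & kernel MBR OK
"""

MBR_LOG_AFTER = """\
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x843FFEC5]<<
kernel: MBR read successfully
user & kernel MBR OK
"""

UNKNOWN_MODULE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")


class MbrReport(NamedTuple):
    modules: List[str]           # named modules in the call chain, in order
    unknown_addr: Optional[str]  # address of the unnamed code, if any
    mbr_ok: bool                 # "user & kernel MBR OK" present


def parse_mbr_log(text: str) -> MbrReport:
    modules: List[str] = []
    unknown: Optional[str] = None
    mbr_ok = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("called modules:"):
            chain = line.split(":", 1)[1]
            m = UNKNOWN_MODULE.search(chain)
            if m:
                unknown = m.group(1)
                chain = chain[:m.start()]  # keep only the named modules before the marker
            modules = chain.split()
        elif line == "user & kernel MBR OK":
            mbr_ok = True
    return MbrReport(modules, unknown, mbr_ok)


def unknown_persists(before: str, after: str) -> bool:
    """True when an unnamed module is still in the disk I/O path in the later run.

    Only presence is compared: a kernel address is not stable across reboots, so
    a changed address on its own says nothing about whether the hook is gone.
    """
    return (parse_mbr_log(before).unknown_addr is not None
            and parse_mbr_log(after).unknown_addr is not None)


if __name__ == "__main__":
    for name, log in (("before", MBR_LOG_BEFORE), ("after", MBR_LOG_AFTER)):
        r = parse_mbr_log(log)
        print(f"{name}: modules={r.modules} unknown={r.unknown_addr} mbr_ok={r.mbr_ok}")
    print("unknown module still present:", unknown_persists(MBR_LOG_BEFORE, MBR_LOG_AFTER))
```

Both runs report the MBR as OK, yet both still show an unnamed module in the disk I/O path, which is the reading the helper gives in post #6.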
Old 06-15-2010, 05:02 PM   #7
Registered Member
 
Join Date: Jul 2009
Posts: 26
OS: Windows XP



Hi,
I had upgraded my SP, but then I had a recurring fatal memory dump, so I reinstalled from my boot disk. I think that may have brought me back to my old service pack - along with bringing back this virus. Only speculation though, as I don't know much about computer programs.

Maxlook results:
Run from C:\Documents and Settings\Nathan Smith.NATHAN\Desktop\maxlook.exe on 15/06/2010 at 19:57:12.89

No infected file found

Rogue configuration file = C:\WINDOWS\system32\config\system.sav


Look.bat results
Volume in drive C has no label.
Volume Serial Number is 7553-FE1B

Directory of c:\qoobox

14/06/2010 08:30 PM <DIR> .
14/06/2010 08:30 PM <DIR> ..
14/06/2010 08:30 PM 2,941 Add-Remove Programs.txt
12/11/2009 09:51 AM <DIR> BackEnv
03/07/2009 07:17 PM 1,009 CFScript_used_2009-07-03_20.28.50.txt
05/07/2009 05:31 PM 267 CFScript_used_2009-07-05_19.35.17.txt
11/11/2009 05:42 PM 1,138 CFScript_used_2009-11-12_09.53.03.txt
14/06/2010 08:30 PM 7,122 ComboFix-quarantined-files.txt
12/11/2009 10:02 AM 15,052 ComboFix2.txt
09/11/2009 11:09 PM 27,826 ComboFix3.txt
05/07/2009 06:42 PM 15,291 ComboFix4.txt
14/06/2010 07:35 PM 14,177 ComboFix5.txt
08/11/2009 01:08 PM <DIR> Quarantine
02/07/2009 08:03 PM 921,075 SnapShot@2009-07-02_23.59.54.dat
14/06/2010 08:29 PM 1,028,959 SnapShot@2010-06-15_00.28.46.dat
09/11/2009 11:08 PM 924,797 SnapShot_2009-11-10_03.04.08.dat
12 File(s) 2,959,654 bytes
4 Dir(s) 8,249,012,224 bytes free
Attached Files
File Type: txt lookit.txt (1.2 KB, 3 views)
File Type: txt looklog.txt (201 Bytes, 2 views)
__________________
nathansmith_6 is offline  
Old 06-15-2010, 08:12 PM   #8
TSF Team, Emeritus
 
 
Join Date: Apr 2009
Location: CGK
Posts: 1,352
OS: XP



Hi nathansmith_6,

Click Start > Run, type or copy/paste the following into the run box:

maxlook -sig

Follow the prompts (the tool may need an active internet connection to download some extra files), and post the log produced, C:\looklog.txt


--------------------------

Quote:
I had upgraded my SP, but then I had a recurring fatal memory dump, so I reinstalled from my boot disk. I think that may have brought me back to my old service pack - along with bringing back this virus.
For some reason, you could always try to restore your machine to an earlier point when you think it's not infected, if your machine were still able to boot normally. And if you did a clean reinstall on your machine, the infections (if any) should have been gone.

-------------------

Quote:
14/06/2010 07:35 PM 14,177 ComboFix5.txt
Did you do any edit or rename of the latest ComboFix log on your machine?
Old 06-16-2010, 03:54 AM   #9
Registered Member
 
Join Date: Jul 2009
Posts: 26
OS: Windows XP



Hi,

I didn't edit or rename any of the latest ComboFix files on my machine. I do not think it was a clean reinstall - I used a boot disk that I created.

Latest looklog file:
Code:
Run from C:\Documents and Settings\Nathan Smith.NATHAN\Desktop\maxlook.exe on 16/06/2010 at  6:40:54.29

--------- maxlook unsigned files ---------

c:\windows\maxdriver\bcbthub.sys:
	Verified:	Unsigned
	File date:	12:15 PM 15/11/2002
	Publisher:	Broadcom Corporation
	Description:	USB Driver for Bluetooth Adapter
	Product:	USB Driver for Broadcom Blutonium Bluetooth Adapter
	Version:	3.3.0.0
	File version:	3.3.0.0
c:\windows\maxdriver\btaudio.sys:
	Verified:	Unsigned
	File date:	11:43 AM 16/08/2005
	Publisher:	Broadcom Corporation.
	Description:	Bluetooth Audio Device
	Product:	Bluetooth Software 4.0.1.2601
	Version:	4.0.1.2601
	File version:	4.0.1.2601
c:\windows\maxdriver\btkrnl.sys:
	Verified:	Unsigned
	File date:	2:40 PM 16/08/2005
	Publisher:	Broadcom Corporation.
	Description:	Bluetooth Bus Enumerator
	Product:	Bluetooth Software 4.0.1.2601
	Version:	4.0.1.2601
	File version:	4.0.1.2601
c:\windows\maxdriver\btport.sys:
	Verified:	Unsigned
	File date:	11:38 AM 16/08/2005
	Publisher:	Broadcom Corporation.
	Description:	Bluetooth BTPORT Driver for Windows 2000
	Product:	Bluetooth Software 4.0.1.2601
	Version:	4.0.1.2601
	File version:	4.0.1.2601
c:\windows\maxdriver\btwdndis.sys:
	Verified:	Unsigned
	File date:	11:35 AM 16/08/2005
	Publisher:	Broadcom Corporation.
	Description:	Bluetooth LAN Access Server Driver
	Product:	Bluetooth Software 4.0.1.2601
	Version:	4.0.1.2601
	File version:	4.0.1.2601
c:\windows\maxdriver\btwusb.sys:
	Verified:	Unsigned
	File date:	4:22 AM 18/08/2005
	Publisher:	Broadcom Corporation.
	Description:	Driver for Bluetooth USB Devices
	Product:	Bluetooth Software 4.0.1.2601
	Version:	4.0.1.2601
	File version:	4.0.1.2601
c:\windows\maxdriver\rasacd.sys:
	Verified:	Unsigned
	File date:	4:00 AM 04/08/2004
	Publisher:	n/a
	Description:	n/a
	Product:	n/a
	Version:	n/a
	File version:	n/a

--------- system32\drivers unsigned files ---------

c:\windows\system32\drivers\bcbthub.sys:
	Verified:	Unsigned
	File date:	12:15 PM 15/11/2002
	Publisher:	Broadcom Corporation
	Description:	USB Driver for Bluetooth Adapter
	Product:	USB Driver for Broadcom Blutonium Bluetooth Adapter
	Version:	3.3.0.0
	File version:	3.3.0.0
c:\windows\system32\drivers\btaudio.sys:
	Verified:	Unsigned
	File date:	11:43 AM 16/08/2005
	Publisher:	Broadcom Corporation.
	Description:	Bluetooth Audio Device
	Product:	Bluetooth Software 4.0.1.2601
	Version:	4.0.1.2601
	File version:	4.0.1.2601
c:\windows\system32\drivers\btkrnl.sys:
	Verified:	Unsigned
	File date:	2:40 PM 16/08/2005
	Publisher:	Broadcom Corporation.
	Description:	Bluetooth Bus Enumerator
	Product:	Bluetooth Software 4.0.1.2601
	Version:	4.0.1.2601
	File version:	4.0.1.2601
c:\windows\system32\drivers\btport.sys:
	Verified:	Unsigned
	File date:	11:38 AM 16/08/2005
	Publisher:	Broadcom Corporation.
	Description:	Bluetooth BTPORT Driver for Windows 2000
	Product:	Bluetooth Software 4.0.1.2601
	Version:	4.0.1.2601
	File version:	4.0.1.2601
c:\windows\system32\drivers\btwdndis.sys:
	Verified:	Unsigned
	File date:	11:35 AM 16/08/2005
	Publisher:	Broadcom Corporation.
	Description:	Bluetooth LAN Access Server Driver
	Product:	Bluetooth Software 4.0.1.2601
	Version:	4.0.1.2601
	File version:	4.0.1.2601
c:\windows\system32\drivers\btwusb.sys:
	Verified:	Unsigned
	File date:	4:22 AM 18/08/2005
	Publisher:	Broadcom Corporation.
	Description:	Driver for Bluetooth USB Devices
	Product:	Bluetooth Software 4.0.1.2601
	Version:	4.0.1.2601
	File version:	4.0.1.2601


Rogue configuration file = C:\WINDOWS\system32\config\system.sav
Attached Files
File Type: txt looklog2.txt (3.6 KB, 3 views)
Old 06-16-2010, 09:47 AM   #10
TSF Team, Emeritus
 
 
Join Date: Apr 2009
Location: CGK
Posts: 1,352
OS: XP



Hi nathansmith_6,


Please go to: VirusTotal
  • On the page you'll find a "Browse" button.
  • Next to the browse button you'll see a box to enter text.
  • Please copy/paste the following in BOLD:

    c:\windows\maxdriver\rasacd.sys

  • Then click the "Send File" button just below.
  • This will scan the file. Please be patient.
  • If the file has been analyzed before, click the Reanalyse file now button.
  • Wait until the file is analyzed.
  • Once scanned, copy and paste the result link (from the address bar) in your next reply.
  • Please repeat the above instruction (process) for the following file:

    c:\windows\system32\drivers\rasacd.sys

--------------------

Also, please do this:

Go Start > Run and copy/paste the following single-line command into the Run box and click OK:

cmd /c PEV -l "%systemdrive%\rasacd.*" >Log.txt&Log.txt&del Log.txt

A Notepad file will open. Post the contents of Log.txt in your next reply.
Old 06-16-2010, 05:58 PM   #11
Registered Member
 
Join Date: Jul 2009
Posts: 26
OS: Windows XP



I am still having the same issues (links that redirect, pop ups) and now sometimes my mouse moves on my desktop but I cannot click anything with the mouse - start menu, desktop folders, etc. I cannot click.

http://www.virustotal.com/analisis/1...707-1276736136
http://www.virustotal.com/analisis/9...692-1276735086



----a-w- 5,083 2004-08-04 13:00:00 C:\I386\RASACD.SY_
----a-w- 8,832 2004-08-04 08:00:00 C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\rasacd.sys.vir
----a-w- 8,832 2004-08-04 08:00:00 C:\WINDOWS\maxdriver\rasacd.sys
----a-w- 8,832 2004-08-04 08:00:00 C:\WINDOWS\system32\drivers\rasacd.sys

Entries: 4 (4)
Directories: 0 Files: 4
Bytes: 31,579 Blocks: 64
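The PEV listing in the post above is the security-relevant detail of this thread: every expanded copy of rasacd.sys reports the same 8,832-byte size and the same 2004-08-04 08:00:00 timestamp, including the copy ComboFix had already quarantined as infected, so a metadata-only listing cannot tell the clean copies from the patched one; only the file content (a hash, or the signature check that maxlook runs via sigcheck) can. The following Python script is an added example written for this page, not code from the thread or from the ComboFix/PEV tools. It parses the listing format shown above, groups copies that share size and timestamp, then builds a constructed temporary tree (synthetic bytes, not a real driver) in which one copy has been patched in place with size and mtime preserved, and shows that a stat comparison passes while a SHA-256 comparison against a reference copy catches it. The function names, the directory layout and the patch offset are illustrative assumptions.

```python
"""Added example: why an in-place driver patch that keeps size and mtime
defeats metadata checks, and how a content hash catches it.
Not code from the thread; the tree it builds is synthetic."""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Listing copied from the PEV -l output posted in the thread.
PEV_LISTING = """\
----a-w- 5,083 2004-08-04 13:00:00 C:\\I386\\RASACD.SY_
----a-w- 8,832 2004-08-04 08:00:00 C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system32\\drivers\\rasacd.sys.vir
----a-w- 8,832 2004-08-04 08:00:00 C:\\WINDOWS\\maxdriver\\rasacd.sys
----a-w- 8,832 2004-08-04 08:00:00 C:\\WINDOWS\\system32\\drivers\\rasacd.sys
"""

# attrs, size with thousands separators, "YYYY-MM-DD HH:MM:SS", path
PEV_LINE = re.compile(
    r"^(?P<attrs>\S+)\s+(?P<size>[\d,]+)\s+(?P<date>\S+ \S+)\s+(?P<path>.+)$")


def parse_pev_listing(text):
    """Parse PEV -l style lines into dicts; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = PEV_LINE.match(line.strip())
        if m:
            entries.append({"attrs": m["attrs"],
                            "size": int(m["size"].replace(",", "")),
                            "mtime": m["date"],
                            "path": m["path"]})
    return entries


def group_by_metadata(entries):
    """Group paths whose (size, mtime) are identical: the copies a
    metadata-only listing cannot tell apart."""
    groups = {}
    for e in entries:
        groups.setdefault((e["size"], e["mtime"]), []).append(e["path"])
    return groups


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def metadata_matches(a, b):
    """The check a size/timestamp listing effectively performs."""
    sa, sb = os.stat(a), os.stat(b)
    return sa.st_size == sb.st_size and int(sa.st_mtime) == int(sb.st_mtime)


def find_tampered_copies(reference, candidates):
    """Return every candidate whose content differs from the reference,
    regardless of what its size and mtime say."""
    ref_hash = sha256_file(reference)
    return [p for p in candidates if sha256_file(p) != ref_hash]


def build_demo_tree():
    """Construct a temp tree mimicking the thread: two clean copies and one
    copy patched in place, all with identical size and mtime. Synthetic bytes."""
    root = Path(tempfile.mkdtemp(prefix="rasacd_demo_"))
    clean = b"MZ" + b"\x00" * 8828 + b"\x90\x90"      # 8,832 bytes, as listed
    patched = bytearray(clean)
    patched[0x1000:0x1004] = b"\xe8\xde\xad\xbe"       # hypothetical 4-byte patch
    paths = {name: root / name / "rasacd.sys"
             for name in ("dllcache", "maxdriver", "drivers")}
    for p in paths.values():
        p.parent.mkdir(parents=True, exist_ok=True)
    paths["dllcache"].write_bytes(clean)
    paths["maxdriver"].write_bytes(clean)
    paths["drivers"].write_bytes(bytes(patched))
    ts = 1091606400                                    # 2004-08-04 08:00:00 UTC
    for p in paths.values():
        os.utime(p, (ts, ts))                          # restore the original mtime
    return paths


if __name__ == "__main__":
    for key, paths in group_by_metadata(parse_pev_listing(PEV_LISTING)).items():
        print("size/mtime", key, "->", len(paths), "copies")
    tree = build_demo_tree()
    ref = tree["dllcache"]
    print("stat says drivers copy matches:", metadata_matches(ref, tree["drivers"]))
    print("hash says tampered:", find_tampered_copies(ref, [tree["maxdriver"], tree["drivers"]]))
```

Two caveats a practitioner should keep in mind. The reference must itself be trusted: another on-disk copy (dllcache, maxdriver) can be patched as well, so compare against a hash obtained from known-good installation media, and note that the C:\I386\RASACD.SY_ copy in the listing is cab-compressed (5,083 bytes) and has to be expanded before it can serve as a reference. And a kernel-mode rootkit that intercepts reads of the file it patched can hand clean bytes back to a scanner on the live system, which is why this comparison is most trustworthy when run from a clean boot environment.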
Old 06-17-2010, 06:53 AM   #12
TSF Team, Emeritus
 
 
Join Date: Apr 2009
Location: CGK
Posts: 1,352
OS: XP



Hi nathansmith_6,


Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. If you are unsure of how to do it, please read here.

3. Open notepad and copy/paste the text in the quotebox below into it:
Quote:
TDL::
C:\WINDOWS\system32\DRIVERS\rasacd.sys
Save this as CFScript.txt, in the same location as ComboFix.exe





Referring to the picture above, drag CFScript into ComboFix.exe

Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply. But make sure you have re-enabled your anti virus and anti malware programs before you reply.
Old 06-17-2010, 05:08 PM   #13
Registered Member
 
Join Date: Jul 2009
Posts: 26
OS: Windows XP



Log file attached. Google search results are actually bringing the correct links now.


ComboFix 10-06-14.02 - Nathan Smith 17/06/2010 19:50:40.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.894.654 [GMT -4:00]
Running from: c:\documents and settings\Nathan Smith.NATHAN\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Nathan Smith.NATHAN\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\cooper.mine
c:\windows\system32\h7t.wt
c:\windows\system32\hgtd.ruy
c:\windows\system32\nmklo.dll

Infected copy of c:\windows\system32\DRIVERS\rasacd.sys was found and disinfected
Restored copy from - Kitty had a snack :p
Infected copy of c:\windows\system32\DRIVERS\rasacd.sys was found and disinfected
Restored copy from - Kitty ate it :p
Infected copy of c:\windows\system32\drivers\rasacd.sys was found and disinfected
Restored copy from - Kitty had a snack :p
Infected copy of c:\windows\system32\DRIVERS\rasacd.sys was found and disinfected
Restored copy from - Kitty had a snack :p
Infected copy of c:\windows\system32\DRIVERS\rasacd.sys was found and disinfected
Restored copy from - Kitty ate it :p
Infected copy of c:\windows\system32\drivers\rasacd.sys was found and disinfected
Restored copy from - Kitty had a snack :p
Infected copy of c:\windows\system32\DRIVERS\rasacd.sys was found and disinfected
Restored copy from - Kitty had a snack :p
Infected copy of c:\windows\system32\DRIVERS\rasacd.sys was found and disinfected
Restored copy from - Kitty ate it :p
Infected copy of c:\windows\system32\drivers\rasacd.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-05-17 to 2010-06-17 )))))))))))))))))))))))))))))))
.

2010-06-16 10:40 . 2010-06-07 20:16 220024 ----a-w- c:\windows\sigcheck.exe
2010-06-15 23:52 . 2010-06-15 23:57 -------- d-----w- c:\windows\maxdriver
2010-06-15 17:18 . 2010-06-17 23:55 577024 ----a-w- c:\windows\system32\dllcache\user32.dll
2010-06-13 20:05 . 2010-06-14 23:34 -------- d-----w- c:\documents and settings\Nathan Smith.NATHAN\Application Data\uTorrent
2010-06-12 17:14 . 2010-06-12 17:14 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-06-12 17:14 . 2010-06-12 17:14 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-06-12 14:37 . 2010-06-12 14:37 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-06-07 16:09 . 2010-06-15 00:28 -------- d-----w- c:\documents and settings\Nathan Smith.NATHAN\Local Settings\Application Data\mwackolbe
2010-06-07 16:09 . 2010-06-15 00:28 -------- d-----w- c:\documents and settings\Nathan Smith.NATHAN\Local Settings\Application Data\uxyjvvs
2010-05-23 21:39 . 2010-05-23 21:39 34 ----a-w- c:\windows\system32\BD7220.DAT
2010-05-23 21:38 . 2006-01-18 18:17 11904 ----a-w- c:\windows\system32\drivers\BrUsbSer.sys
2010-05-23 21:38 . 2006-01-18 13:44 53248 ----a-w- c:\windows\system32\drivers\BrSerIf.sys
2010-05-23 21:38 . 2004-11-02 12:19 120832 ----a-w- c:\windows\system32\BrWia04b.dll
2010-05-23 21:38 . 2004-10-15 03:50 15295 ----a-w- c:\windows\system32\drivers\BrScnUsb.sys
2010-05-23 21:38 . 2004-09-21 04:11 37888 ----a-w- c:\windows\system32\BrUSi04b.dll
2010-05-23 21:32 . 2004-08-04 03:01 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2010-05-23 21:32 . 2004-08-04 03:01 25856 ----a-w- c:\windows\system32\dllcache\usbprint.sys
2010-05-23 21:32 . 2004-08-04 03:08 31616 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2010-05-23 21:32 . 2004-08-04 03:08 31616 ----a-w- c:\windows\system32\dllcache\usbccgp.sys
2010-05-21 14:58 . 2010-05-21 14:58 -------- d-----w- c:\documents and settings\Nathan Smith.NATHAN\Local Settings\Application Data\Adobe
2010-05-21 14:58 . 2010-05-21 14:58 -------- d-----w- c:\documents and settings\Nathan Smith.NATHAN\Application Data\AdobeUM

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-17 23:55 . 2004-08-04 08:00 577024 ----a-w- c:\windows\system32\user32.dll
2010-06-12 13:24 . 2010-05-13 00:03 -------- d-----w- c:\documents and settings\Nathan Smith.NATHAN\Application Data\vlc
2010-06-05 13:22 . 2010-05-15 16:45 -------- d-----w- c:\documents and settings\Nathan Smith.NATHAN\Application Data\DivX
2010-05-18 02:41 . 2010-05-18 02:41 50354 ----a-w- c:\documents and settings\Nathan Smith.NATHAN\Application Data\Facebook\uninstall.exe
2010-05-18 02:41 . 2010-05-18 02:41 -------- d-----w- c:\documents and settings\Nathan Smith.NATHAN\Application Data\Facebook
2010-05-16 13:18 . 2010-05-12 06:22 64184 ----a-w- c:\documents and settings\Nathan Smith.NATHAN\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-15 21:02 . 2007-01-29 18:34 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-05-15 19:46 . 2010-05-15 19:46 -------- d-----w- c:\documents and settings\Nathan Smith.NATHAN\Application Data\Sonic
2010-05-15 19:46 . 2010-05-15 19:46 -------- d-----w- c:\documents and settings\Nathan Smith.NATHAN\Application Data\Leadertech
2010-05-15 17:30 . 2010-05-15 17:28 -------- d-----w- c:\documents and settings\Nathan Smith.NATHAN\Application Data\Apple Computer
2010-05-15 17:28 . 2010-05-15 17:26 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-05-15 17:28 . 2009-09-22 12:13 -------- d-----w- c:\program files\iTunes
2010-05-15 17:25 . 2006-09-19 02:07 -------- d-----w- c:\program files\QuickTime
2010-05-15 17:24 . 2009-09-22 12:09 -------- d-----w- c:\program files\Apple Software Update
2010-05-15 17:23 . 2009-09-22 12:12 -------- d-----w- c:\program files\Bonjour
2010-05-15 17:15 . 2006-04-26 01:02 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-05-15 17:15 . 2006-04-26 01:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-05-15 17:13 . 2006-04-26 01:02 -------- d-----w- c:\program files\Symantec
2010-05-15 17:05 . 2006-04-26 00:23 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-15 17:05 . 2006-04-26 00:28 -------- d-----w- c:\program files\HPQ
2010-05-15 17:03 . 2004-08-07 13:10 83191 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-05-15 16:58 . 2006-04-26 00:57 -------- d-----w- c:\program files\HP
2010-05-13 00:04 . 2006-09-02 17:24 -------- d-----w- c:\program files\Winamp
2010-05-13 00:03 . 2010-05-13 00:03 -------- d-----w- c:\program files\Winamp Detect
2010-05-13 00:00 . 2010-05-13 00:00 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-05-13 00:00 . 2006-09-15 14:43 -------- d-----w- c:\program files\DivX
2010-05-13 00:00 . 2010-05-12 23:58 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2010-05-13 00:00 . 2010-05-13 00:00 56766 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-05-13 00:00 . 2010-05-13 00:00 53600 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Update\Uninstaller.exe
2010-05-13 00:00 . 2010-05-13 00:00 57054 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSDesktopComponents\Uninstaller.exe
2010-05-13 00:00 . 2010-05-13 00:00 54166 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSAVCDecoder\Uninstaller.exe
2010-05-12 06:25 . 2010-05-12 06:22 142 ----a-w- c:\documents and settings\Nathan Smith.NATHAN\Local Settings\Application Data\fusioncache.dat
2010-05-12 06:23 . 2010-05-12 06:23 1673 --sha-r- c:\windows\system32\drivers\103C_HP_NTBK_Presario V2000 (ET944UA#ABL)_YN_0Pres_QCNF620044K_E410214DB2_46_I3093_SQuanta_V47.0E_BF.25_T060403_WXH2_L409_M895_J100_7AMD_8Turion 64 Technology ML-34_91.79_#060425_N10EC8139_(ET944UA#ABL)_XMOBILE.MRK
2010-05-12 05:24 . 2006-04-26 00:47 -------- d-----w- c:\program files\Sonic
2010-05-12 05:21 . 2006-04-26 00:45 -------- d-----w- c:\program files\MSN Encarta Plus
2010-05-12 05:20 . 2006-04-26 01:13 -------- d-----w- c:\program files\Microsoft Office Trial Wizard
2010-05-12 05:20 . 2006-04-26 00:44 -------- d-----w- c:\program files\Microsoft Money 2006
2010-05-12 05:18 . 2006-04-26 01:10 -------- d-----w- c:\program files\Google
2010-05-12 05:18 . 2006-04-26 00:48 -------- d-----w- c:\program files\Common Files\TiVo Shared
2010-05-12 05:17 . 2006-04-26 00:47 -------- d-----w- c:\program files\Common Files\SureThing Shared
2010-05-12 05:17 . 2006-04-26 00:46 -------- d-----w- c:\program files\Common Files\Sonic Shared
2010-05-12 05:17 . 2006-04-26 01:17 -------- d-----w- c:\program files\Common Files\LightScribe
2010-05-12 05:16 . 2006-04-26 01:32 -------- d-----w- c:\program files\Common Files\Java
2010-05-12 05:16 . 2006-04-26 00:23 -------- d-----w- c:\program files\Common Files\InstallShield
2010-05-12 05:13 . 2006-04-26 00:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic
2010-05-12 05:13 . 2006-04-26 00:50 -------- d-----w- c:\documents and settings\All Users\Application Data\hpqwmi
2010-05-12 02:07 . 2006-09-02 12:19 90112 ----a-w- c:\windows\DUMP6978.tmp
2010-05-12 01:49 . 2006-09-02 12:19 94208 ----a-w- c:\windows\DUMP6968.tmp
2010-04-28 19:45 . 2010-04-28 19:45 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-04-20 16:13 . 2010-04-20 16:13 242696 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-04-20 16:11 . 2010-04-20 16:11 1689952 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-04-08 17:20 . 2010-04-08 17:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 17:20 . 2010-04-08 17:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2006-10-02 23:49 . 2006-10-02 23:49 22 --sha-w- c:\windows\SMINST\HPCD.sys
.
Infected c:\windows\system32\user32.dll hex repaired


((((((((((((((((((((((((((((( SnapShot@2010-06-15_00.28.46 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-12 06:02 . 2010-06-15 00:20 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2010-05-12 06:02 . 2010-06-12 14:24 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2010-05-12 06:02 . 2010-06-15 00:20 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2010-05-12 06:02 . 2010-06-12 14:24 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-06-15 04:36 . 2010-06-15 00:20 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2010-05-12 06:02 . 2010-06-12 14:24 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2004-08-04 08:00 . 2004-08-04 08:00 12032 c:\windows\maxdriver\ws2ifsl.sys
+ 2004-08-11 08:45 . 2005-01-28 20:44 18944 c:\windows\maxdriver\wpdusb.sys
+ 2006-04-25 23:18 . 2004-08-04 06:15 82944 c:\windows\maxdriver\wdmaud.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 34560 c:\windows\maxdriver\wanarp.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 52352 c:\windows\maxdriver\volsnap.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 79744 c:\windows\maxdriver\videoprt.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 20992 c:\windows\maxdriver\vga.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 58112 c:\windows\maxdriver\vdmindvd.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 20480 c:\windows\maxdriver\usbuhci.sys
+ 2010-05-15 16:43 . 2004-08-04 03:08 26496 c:\windows\maxdriver\USBSTOR.SYS
+ 2010-05-23 21:32 . 2004-08-04 03:01 25856 c:\windows\maxdriver\usbprint.sys
+ 2006-04-25 23:17 . 2004-08-04 06:08 17024 c:\windows\maxdriver\usbohci.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 16000 c:\windows\maxdriver\usbintel.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 57600 c:\windows\maxdriver\usbhub.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 26624 c:\windows\maxdriver\usbehci.sys
+ 2010-05-23 21:32 . 2004-08-04 03:08 31616 c:\windows\maxdriver\usbccgp.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 23936 c:\windows\maxdriver\usbcamd2.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 23808 c:\windows\maxdriver\usbcamd.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 12672 c:\windows\maxdriver\usb8023.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 66176 c:\windows\maxdriver\udfs.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 12416 c:\windows\maxdriver\tunmp.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 21376 c:\windows\maxdriver\tsbvcap.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 51712 c:\windows\maxdriver\tosdvd.sys
+ 2004-08-04 03:01 . 2004-08-04 03:01 40840 c:\windows\maxdriver\termdd.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 21896 c:\windows\maxdriver\tdtcp.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 12040 c:\windows\maxdriver\tdpipe.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 18560 c:\windows\maxdriver\tdi.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 14976 c:\windows\maxdriver\tape.sys
+ 2006-04-25 23:18 . 2004-08-04 06:15 60800 c:\windows\maxdriver\sysaudio.sys
+ 2006-04-25 23:18 . 2001-08-17 21:00 54272 c:\windows\maxdriver\swmidi.sys
+ 2004-08-04 08:00 . 2004-08-04 06:08 48640 c:\windows\maxdriver\stream.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 73472 c:\windows\maxdriver\sr.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 25472 c:\windows\maxdriver\sonydcam.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 14592 c:\windows\maxdriver\smclib.sys
+ 2006-04-26 00:21 . 2001-08-17 19:10 35913 c:\windows\maxdriver\smcirda.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 11392 c:\windows\maxdriver\sfloppy.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 10240 c:\windows\maxdriver\sffp_sd.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 11136 c:\windows\maxdriver\sffdisk.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 64896 c:\windows\maxdriver\serial.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 15488 c:\windows\maxdriver\serenum.sys
+ 2010-06-15 23:57 . 2002-09-18 10:38 82944 c:\windows\maxdriver\sed.exe
+ 2004-08-04 08:00 . 2004-08-04 08:00 27440 c:\windows\maxdriver\secdrv.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 67584 c:\windows\maxdriver\sdbus.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 96256 c:\windows\maxdriver\scsiport.sys
+ 2005-03-03 19:10 . 2005-03-03 19:10 74496 c:\windows\maxdriver\Rtlnicxp.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 30080 c:\windows\maxdriver\rndismp.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 12032 c:\windows\maxdriver\riodrv.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 12032 c:\windows\maxdriver\rio8drv.sys
+ 2006-04-25 23:17 . 2004-08-04 05:59 57472 c:\windows\maxdriver\redbook.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 34432 c:\windows\maxdriver\rawwan.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 16512 c:\windows\maxdriver\raspti.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 48384 c:\windows\maxdriver\raspptp.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 41472 c:\windows\maxdriver\raspppoe.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 51328 c:\windows\maxdriver\rasl2tp.sys
+ 2001-08-17 08:51 . 2001-08-17 08:51 19584 c:\windows\maxdriver\rasirda.sys
+ 2005-04-25 09:03 . 2009-04-28 20:20 44944 c:\windows\maxdriver\pxhelp20.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 17792 c:\windows\maxdriver\ptilink.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 69120 c:\windows\maxdriver\psched.sys
+ 2004-08-04 08:00 . 2004-08-27 21:42 35456 c:\windows\maxdriver\processr.sys
+ 2004-08-04 00:59 . 2004-08-04 00:59 25088 c:\windows\maxdriver\pciidex.sys
+ 2004-08-04 01:07 . 2004-08-04 01:07 68224 c:\windows\maxdriver\pci.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 18688 c:\windows\maxdriver\partmgr.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 80128 c:\windows\maxdriver\parport.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 42496 c:\windows\maxdriver\p3.sys
+ 2004-08-04 08:00 . 2004-09-27 22:19 61056 c:\windows\maxdriver\ohci1394.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 55936 c:\windows\maxdriver\nwlnkspx.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 63232 c:\windows\maxdriver\nwlnknb.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 88448 c:\windows\maxdriver\nwlnkipx.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 32512 c:\windows\maxdriver\nwlnkfwd.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 12416 c:\windows\maxdriver\nwlnkflt.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 30848 c:\windows\maxdriver\npfs.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 40320 c:\windows\maxdriver\nmnt.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 12032 c:\windows\maxdriver\nikedrv.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 61824 c:\windows\maxdriver\nic1394.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 34560 c:\windows\maxdriver\netbios.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 38016 c:\windows\maxdriver\ndproxy.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 91776 c:\windows\maxdriver\ndiswan.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 12928 c:\windows\maxdriver\ndisuio.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 15488 c:\windows\maxdriver\mssmbios.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 35072 c:\windows\maxdriver\msgpc.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 19072 c:\windows\maxdriver\msfs.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 42240 c:\windows\maxdriver\mountmgr.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 23040 c:\windows\maxdriver\mouclass.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 30080 c:\windows\maxdriver\modem.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 63744 c:\windows\maxdriver\mf.sys
+ 2004-03-17 11:04 . 2004-03-17 11:04 13059 c:\windows\maxdriver\mdmxsdk.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 92032 c:\windows\maxdriver\ksecdd.sys
+ 2004-08-04 08:00 . 2004-08-04 02:58 24576 c:\windows\maxdriver\kbdclass.sys
+ 2001-08-17 15:58 . 2001-08-17 15:58 35840 c:\windows\maxdriver\isapnp.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 11264 c:\windows\maxdriver\irenum.sys
+ 2004-08-03 18:00 . 2004-08-03 18:00 87424 c:\windows\maxdriver\irda.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 74752 c:\windows\maxdriver\ipsec.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 20992 c:\windows\maxdriver\ipinip.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 32896 c:\windows\maxdriver\ipfltdrv.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 29056 c:\windows\maxdriver\ip6fw.sys
+ 2006-04-26 00:37 . 2004-08-27 21:42 36096 c:\windows\maxdriver\intelppm.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 41856 c:\windows\maxdriver\imapi.sys
+ 2004-08-04 08:00 . 2004-08-04 03:14 52736 c:\windows\maxdriver\i8042prt.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 24960 c:\windows\maxdriver\hidparse.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 36224 c:\windows\maxdriver\hidclass.sys
+ 2010-05-15 17:28 . 2009-05-18 17:17 26600 c:\windows\maxdriver\GEARAspiWDM.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 12160 c:\windows\maxdriver\fsvga.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 20480 c:\windows\maxdriver\flpydisk.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 34944 c:\windows\maxdriver\fips.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 27392 c:\windows\maxdriver\fdc.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 71040 c:\windows\maxdriver\dxg.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 10496 c:\windows\maxdriver\dxapi.sys
+ 2006-04-25 23:17 . 2004-08-04 06:08 60288 c:\windows\maxdriver\drmk.sys
+ 2006-04-25 23:18 . 2004-08-04 06:07 52864 c:\windows\maxdriver\DMusic.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 14208 c:\windows\maxdriver\diskdump.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 36352 c:\windows\maxdriver\disk.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 36480 c:\windows\maxdriver\crusoe.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 11776 c:\windows\maxdriver\cpqdap01.sys
+ 2004-08-03 18:07 . 2004-08-03 18:07 14080 c:\windows\maxdriver\CmBatt.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 49664 c:\windows\maxdriver\classpnp.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 49536 c:\windows\maxdriver\cdrom.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 63744 c:\windows\maxdriver\cdfs.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 18688 c:\windows\maxdriver\cdaudio.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 13952 c:\windows\maxdriver\cbidf2k.sys
+ 2005-02-18 15:41 . 2005-02-18 15:41 38016 c:\windows\maxdriver\camc6aud.sys
+ 2005-08-18 08:22 . 2005-08-18 08:22 56648 c:\windows\maxdriver\btwusb.sys
+ 2005-08-16 15:38 . 2005-08-16 15:38 30363 c:\windows\maxdriver\btport.sys
+ 2010-05-23 21:38 . 2006-01-18 18:17 11904 c:\windows\maxdriver\BrUsbSer.sys
+ 2010-05-23 21:38 . 2006-01-18 13:44 53248 c:\windows\maxdriver\BrSerIf.sys
+ 2010-05-23 21:38 . 2004-10-15 03:50 15295 c:\windows\maxdriver\BrScnUsb.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 71552 c:\windows\maxdriver\bridge.sys
+ 2001-08-17 08:57 . 2001-08-17 08:57 14080 c:\windows\maxdriver\battc.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 55936 c:\windows\maxdriver\atmlane.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 31360 c:\windows\maxdriver\atmepvc.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 59904 c:\windows\maxdriver\atmarpc.sys
+ 2004-08-04 00:59 . 2004-08-04 00:59 95360 c:\windows\maxdriver\atapi.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 14336 c:\windows\maxdriver\asyncmac.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 60800 c:\windows\maxdriver\arp1394.sys
+ 2006-04-26 00:26 . 2005-03-09 22:53 36352 c:\windows\maxdriver\AmdK8.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 37376 c:\windows\maxdriver\amdk7.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 36992 c:\windows\maxdriver\amdk6.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 11648 c:\windows\maxdriver\acpiec.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 53248 c:\windows\maxdriver\1394bus.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 8832 c:\windows\system32\dllcache\rasacd.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 4352 c:\windows\maxdriver\wmilib.sys
+ 2004-08-03 18:07 . 2004-08-03 18:07 8832 c:\windows\maxdriver\wmiacpi.sys
+ 2004-08-04 00:59 . 2004-08-04 00:59 5376 c:\windows\maxdriver\viaide.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 4736 c:\windows\maxdriver\usbd.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 4352 c:\windows\maxdriver\swenum.sys
+ 2006-04-25 23:18 . 2004-08-04 06:07 6400 c:\windows\maxdriver\splitter.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 5888 c:\windows\maxdriver\rootmdm.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 4224 c:\windows\maxdriver\rdpcdd.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 8832 c:\windows\maxdriver\rasacd.sys
+ 2001-08-17 15:51 . 2001-08-17 15:51 3328 c:\windows\maxdriver\pciide.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 6784 c:\windows\maxdriver\parvdm.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 3456 c:\windows\maxdriver\oprghdlr.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 2944 c:\windows\maxdriver\null.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 9600 c:\windows\maxdriver\ndistapi.sys
+ 2006-04-25 23:18 . 2004-08-04 05:58 4992 c:\windows\maxdriver\MSPQM.sys
+ 2006-04-25 23:18 . 2004-08-04 05:58 5376 c:\windows\maxdriver\MSPCLOCK.sys
+ 2006-04-25 23:18 . 2004-08-04 05:58 7552 c:\windows\maxdriver\MSKSSRV.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 4224 c:\windows\maxdriver\mnmdd.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 7680 c:\windows\maxdriver\mcd.sys
+ 2004-08-04 00:59 . 2004-08-04 00:59 5504 c:\windows\maxdriver\intelide.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 7936 c:\windows\maxdriver\fs_rec.sys
+ 2001-08-17 08:46 . 2001-08-17 08:46 6400 c:\windows\maxdriver\enum1394.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 3328 c:\windows\maxdriver\dxgthk.sys
+ 2006-04-25 23:18 . 2004-08-04 06:07 2944 c:\windows\maxdriver\drmkaud.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 5888 c:\windows\maxdriver\dmload.sys
+ 2001-08-17 08:58 . 2001-08-17 08:58 9344 c:\windows\maxdriver\compbatt.sys
+ 2010-05-13 00:02 . 2009-04-28 20:20 9200 c:\windows\maxdriver\cdralw2k.sys
+ 2010-05-13 00:02 . 2009-04-28 20:20 9072 c:\windows\maxdriver\cdr4_xp.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 4224 c:\windows\maxdriver\beep.sys
+ 2001-08-17 08:59 . 2001-08-17 08:59 3072 c:\windows\maxdriver\audstub.sys
+ 2001-08-17 15:51 . 2001-08-17 15:51 5248 c:\windows\maxdriver\aliide.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 142976 c:\windows\maxdriver\usbport.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 209408 c:\windows\maxdriver\update.sys
+ 2005-09-20 07:30 . 2005-09-20 07:30 162432 c:\windows\maxdriver\tifm21.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 223616 c:\windows\maxdriver\tcpip6.sys
+ 2004-08-04 08:00 . 2006-01-13 02:28 359808 c:\windows\maxdriver\tcpip.sys
+ 2006-04-26 00:49 . 2005-02-02 11:58 191456 c:\windows\maxdriver\SynTP.sys
+ 2004-08-04 08:00 . 2005-05-10 00:17 332544 c:\windows\maxdriver\srv.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 200064 c:\windows\maxdriver\RMCast.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 139400 c:\windows\maxdriver\rdpwd.sys
+ 2004-08-04 01:01 . 2004-08-04 01:01 196864 c:\windows\maxdriver\rdpdr.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 176512 c:\windows\maxdriver\rdbss.sys
+ 2006-04-25 23:17 . 2005-03-22 03:43 145920 c:\windows\maxdriver\portcls.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 119936 c:\windows\maxdriver\pcmcia.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 574592 c:\windows\maxdriver\ntfs.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 162816 c:\windows\maxdriver\netbt.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 182912 c:\windows\maxdriver\ndis.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 107904 c:\windows\maxdriver\mup.sys
+ 2004-08-04 08:00 . 2005-01-19 04:26 451584 c:\windows\maxdriver\mrxsmb.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 181248 c:\windows\maxdriver\mrxdav.sys
+ 2004-08-04 08:00 . 2004-08-04 06:15 140928 c:\windows\maxdriver\ks.sys
+ 2006-04-25 23:18 . 2004-08-04 06:07 171776 c:\windows\maxdriver\kmixer.sys
+ 2004-08-04 08:00 . 2004-09-29 22:28 134912 c:\windows\maxdriver\ipnat.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 263040 c:\windows\maxdriver\http.sys
+ 2004-12-15 15:18 . 2004-12-15 15:18 200192 c:\windows\maxdriver\HSFHWATI.sys
+ 2004-12-15 15:18 . 2004-12-15 15:18 703232 c:\windows\maxdriver\HSF_CNXT.sys
+ 2005-01-08 00:07 . 2005-01-08 00:07 145920 c:\windows\maxdriver\Hdaudio.sys
+ 2005-01-08 00:07 . 2005-01-08 00:07 138752 c:\windows\maxdriver\Hdaudbus.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 125056 c:\windows\maxdriver\ftdisk.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 124800 c:\windows\maxdriver\fltMgr.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 143360 c:\windows\maxdriver\fastfat.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 153344 c:\windows\maxdriver\dmio.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 799744 c:\windows\maxdriver\dmboot.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 262528 c:\windows\maxdriver\cinemst2.sys
+ 2005-02-18 15:42 . 2005-02-18 15:42 349696 c:\windows\maxdriver\camc6hal.sys
+ 2005-08-16 15:35 . 2005-08-16 15:35 148040 c:\windows\maxdriver\btwdndis.sys
+ 2005-08-16 15:43 . 2005-08-16 15:43 401280 c:\windows\maxdriver\btaudio.sys
+ 2005-11-28 09:35 . 2005-11-28 09:35 424320 c:\windows\maxdriver\BCMWL5.SYS
+ 2002-11-15 16:15 . 2002-11-15 16:15 148794 c:\windows\maxdriver\bcbthub.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 352256 c:\windows\maxdriver\atmuni.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 138496 c:\windows\maxdriver\afd.sys
+ 2006-04-25 23:18 . 2004-08-04 05:39 142464 c:\windows\maxdriver\aec.sys
+ 2004-08-04 08:00 . 2004-08-04 08:00 187776 c:\windows\maxdriver\acpi.sys
+ 2010-06-15 23:57 . 2009-12-12 01:48 1041920 c:\windows\maxdriver\pevFind.exe
+ 2004-12-15 15:18 . 2004-12-15 15:18 1038208 c:\windows\maxdriver\HSF_DP.sys
+ 2005-08-16 18:40 . 2005-08-16 18:40 1341466 c:\windows\maxdriver\btkrnl.sys
+ 2005-07-14 13:37 . 2005-07-14 13:37 1269760 c:\windows\maxdriver\ati2mtag.sys
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-07-14 344064]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 102492]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 692316]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-11-16 503808]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-02-17 233534]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-04-12 1135912]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2005-8-16 577597]
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2009-10-14 1385400]
Free WebSite Tools.lnk - c:\program files\CoffeeCup Software\CoffeeCup Free FTP\ThirtyDayTimer.exe [2007-11-21 372224]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-9-24 73728]
Photo Loader supervisory.lnk - c:\program files\CASIO\Photo Loader\Plauto.exe [2006-12-25 229376]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2007-2-24 389120]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [15/12/2004 11:18 AM 200192]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q106&bd=presario&pf=laptop
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-17 19:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe???????????????|?????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(696)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\wscntfy.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\progra~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\HPQ\SHARED\HPQTOA~1.EXE
.
**************************************************************************
.
Completion time: 2010-06-17 20:02:44 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-18 00:02
ComboFix2.txt 2010-06-15 00:30
ComboFix3.txt 2009-11-12 14:02
ComboFix4.txt 2009-11-10 03:09
ComboFix5.txt 2010-06-17 23:16

Pre-Run: 8,225,722,368 bytes free
Post-Run: 8,233,668,608 bytes free

- - End Of File - - E4A2E99128B8FD009FA47F086A4167FC
Attached Files
File Type: txt log combofix.txt (34.7 KB, 6 views)
__________________
nathansmith_6 is offline  
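The ComboFix snapshot diff in the log above is easier to read when triaged mechanically. The following is an added Python example, not part of this thread or of ComboFix, that parses "+" lines in that layout (assuming the first timestamp is creation time and the second is last-modified, which is an assumption about the format) and flags the entries an analyst would look at twice: files created after a cutoff date, files whose modified time predates their creation time (copied in rather than written in place), and non-.sys files sitting in a driver folder. The sample input is constructed from three lines of the log.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: three '+' lines in the ComboFix snapshot layout seen in
# the log above, plus the trailer lines the parser must ignore.
SAMPLE = """\
+ 2004-08-04 08:00 . 2004-08-04 08:00 6784 c:\\windows\\maxdriver\\parvdm.sys
+ 2010-05-13 00:02 . 2009-04-28 20:20 9200 c:\\windows\\maxdriver\\cdralw2k.sys
+ 2010-06-15 23:57 . 2009-12-12 01:48 1041920 c:\\windows\\maxdriver\\pevFind.exe
.
-- Snapshot reset to current date --
"""

# "+ <stamp1> . <stamp2> <size> <path>"; stamp1 is taken as creation time and
# stamp2 as last-modified time (an assumption about the ComboFix layout).
ENTRY_RE = re.compile(
    r"^\+\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+\.\s+"
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(\d+)\s+(\S.*?)\s*$"
)
STAMP = "%Y-%m-%d %H:%M"


def parse_snapshot(text):
    """Return one dict per '+' entry; other lines (., headers) are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        created, modified, size, path = m.groups()
        entries.append({
            "created": datetime.strptime(created, STAMP),
            "modified": datetime.strptime(modified, STAMP),
            "size": int(size),
            "path": path,
        })
    return entries


def files_per_folder(entries):
    """Count entries by parent folder, so a folder that suddenly holds dozens
    of copied drivers (maxdriver in the log above) stands out at a glance."""
    return dict(Counter(e["path"].rsplit("\\", 1)[0].lower() for e in entries))


def triage(text, since="2010-01-01"):
    """Map path -> list of reasons an analyst would look twice at the entry."""
    cutoff = datetime.strptime(since, "%Y-%m-%d")
    flagged = {}
    for e in parse_snapshot(text):
        reasons = []
        if e["created"] >= cutoff:
            reasons.append("created-after-" + since)
        if e["modified"] < e["created"]:
            # mtime older than ctime: the file was copied here, not written here
            reasons.append("copied-in")
        if not e["path"].lower().endswith(".sys"):
            reasons.append("non-driver-extension")
        if reasons:
            flagged[e["path"]] = reasons
    return flagged


if __name__ == "__main__":
    print(files_per_folder(parse_snapshot(SAMPLE)))
    for path, why in triage(SAMPLE).items():
        print(path, "->", ", ".join(why))
```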
Old 06-18-2010, 12:31 AM   #14
TSF Team, Emeritus
 
vpw_pearl's Avatar
 
Join Date: Apr 2009
Location: CGK
Posts: 1,352
OS: XP



Hi nathansmith_6,

Quote:
Google search results actually bringing the correct links now.
Good job!


Now more work to do....

----------------------------------------------------

Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

----------------------------------------------------

Please go to: Jotti Scan
  • On the page you'll find a "Browse" button.
  • Next to the browse button you'll see a box to enter text.
  • Please copy/paste the following in BOLD:

    C:\WINDOWS\system32\config\system.sav

  • Then click the "Submit File" button just below.
  • This will scan the file. Please be patient.
  • If the file has been analyzed before, click the Reanalyse file now button.
  • Wait until the file is analyzed.
  • Once scanned, copy and paste the link result (from the address bar) in your next reply.

-----------------------------------


I do not see the presence of uTorrent installed any more on your machine. You may have uninstalled the program before starting the topic here. If so, the leftover folder should be fine to delete, along with some malicious folders:


Click Start > Run, type Notepad and copy/paste the following code:
Code:
@echo off
rem Remove the leftover uTorrent folder and the two suspicious folders;
rem any folder that survives the delete is written to a log for review.
if exist "%temp%\log.txt" del "%temp%\log.txt"

for %%g in (

"c:\documents and settings\Nathan Smith.NATHAN\Application Data\uTorrent"
"c:\documents and settings\Nathan Smith.NATHAN\Local Settings\Application Data\mwackolbe"
"c:\documents and settings\Nathan Smith.NATHAN\Local Settings\Application Data\uxyjvvs"

) do (
rd /s/q %%g
rem append (>>) so every surviving folder is logged, not only the last one
if exist %%g echo.%%~g>>"%temp%\log.txt"
)

if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted successfully !!

pause
del %0
Save as filename fix.bat to your desktop, choose to save as type "All Files". Click OK.
It should look like this:

Double click on " fix.bat " and let me know what it says in your next reply.

-------------------------------------------------------

NEXT

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 20 and save it to your desktop.
  • Scroll down to where it says JDK 6 Update 20 (JDK or JRE)
  • Click the Download JRE button to the right
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6u20 with JavaFX 1 License Agreement". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
        Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

-------------------------------

NEXT

No AntiVirus Onboard
I see no evidence of an AntiVirus program on your system. This must be resolved. Here are a few very good free Antivirus products which are available: Select one of these, or another of your choice. Download, install, update definitions, and run a full system scan.

**Note**
If the AntiVirus finds any infected files, please hit the disinfect button when the option pops up at the end of the scan or even in the middle of the scan process.
For Avira it should be Repair All button, for avast! it should be Move to Chest button, while for AVG it should be Move to Quarantine button.



Do not install more than one antivirus program because they will conflict with each other. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

-----------------------------------

NEXT

Please download Malwarebytes' Anti-Malware.
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
    ( Should you encounter any problems while downloading the updates, manually download them from here, and just double-click on mbam-rules.exe to install).
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See the Note below)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy/Paste the entire report in your next reply.

** Note **

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

=========================

CHECKLIST:
- Jotti scan result
- Fix.bat result
- Your AntiVirus scan result
- MBAM log.
- Update of your system behaviour

(No need to attach the logs unless specifically requested to do so. Thanks )
__________________
vpw_pearl is offline  
Old 06-18-2010, 05:22 PM   #15
Registered Member
 
Join Date: Jul 2009
Posts: 26
OS: Windows XP



Hi, there was no system.sav file on my system for Jotti Scan to scan.

Fix.bat opened up, did something, said something like success or complete, etc., then deleted itself and closed.

System seems to be behaving decently... no pop ups, etc.

MBAM Log is below:


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4213

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

18/06/2010 8:19:27 PM
mbam-log-2010-06-18 (20-19-27).txt

Scan type: Quick scan
Objects scanned: 133092
Time elapsed: 22 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
__________________
nathansmith_6 is offline  
Old 06-18-2010, 09:19 PM   #16
TSF Team, Emeritus
 
vpw_pearl's Avatar
 
Join Date: Apr 2009
Location: CGK
Posts: 1,352
OS: XP



Hi nathansmith_6,


Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions, and to help you perform them in the sequence listed below.



Click Start > Run, type or copy/paste the following into the run box:

maxlook -cleanup

A command prompt window will pop open, please wait until it prompts you 'to press any key to continue' to close the window.

Let me know how it goes in your next reply.

--------------------


Click Start > Run, type Notepad and copy/paste the following code:
Code:
@echo off
rem List the registry hive folder so the contents (system.sav etc.) can be reviewed
if exist log.txt del log.txt
dir "c:\windows\system32\config">log.txt
rem opening log.txt launches the program associated with .txt files (Notepad)
log.txt
del %0
Save as filename look.bat to your desktop, choose to save as type "All Files". Click OK.
It should look like this:

Double click on " look.bat " and copy/paste the log that pops up into your next reply.

-------------------------


Have you updated your JAVA and installed an antivirus yet? If not, please refer back to my earlier post above and perform the instructions.
It's high time your machine had some real-time protection onboard, otherwise it will be like an open invitation for (re)infection.

I'd like to see the report of your antivirus scan result before continuing with the next step.

--------------------------

For review, please run DDS scan again and post the fresh logs provided in your next reply, as well.


=================

CHECKLIST:
- maxlook cleanup
- look.bat log (log.txt)
- Antivirus scan result
- DDS logs
__________________
vpw_pearl is offline  
Old 06-19-2010, 09:04 AM   #17
Registered Member
 
Join Date: Jul 2009
Posts: 26
OS: Windows XP



Java updated, AVG installed for anti-virus. I don't think that AVG generated a log file of its scan...

The computer seems to be running pretty well at this point. Awesome - Thanks so much!

Maxlook cleanup worked - nothing to report on that.

Here is the look.bat log file requested:

Volume in drive C has no label.
Volume Serial Number is 7553-FE1B

Directory of c:\windows\system32\config

17/06/2010 07:48 PM <DIR> .
17/06/2010 07:48 PM <DIR> ..
18/06/2010 07:32 PM 524,288 AppEvent.Evt
18/06/2010 07:46 PM 524,288 default
17/06/2010 07:48 PM 524,288 default.bak
07/08/2004 01:45 AM 94,208 default.sav
18/06/2010 07:32 PM 24,576 SAM
17/06/2010 07:48 PM 262,144 SAM.bak
18/06/2010 07:32 PM 524,288 SecEvent.Evt
18/06/2010 07:32 PM 45,056 SECURITY
17/06/2010 07:48 PM 262,144 SECURITY.bak
18/06/2010 07:46 PM 24,903,680 software
17/06/2010 07:48 PM 24,903,680 software.bak
07/08/2004 01:45 AM 634,880 software.sav
18/06/2010 07:32 PM 524,288 SysEvent.Evt
19/06/2010 08:15 AM 4,456,448 system
17/06/2010 07:48 PM 4,456,448 system.bak
17/06/2010 08:02 PM <DIR> systemprofile
07/08/2004 01:45 AM 262,144 userdiff
16 File(s) 62,926,848 bytes
3 Dir(s) 1,850,163,200 bytes free
__________________
nathansmith_6 is offline  
Old 06-19-2010, 06:54 PM   #18
TSF Team, Emeritus
 
vpw_pearl's Avatar
 
Join Date: Apr 2009
Location: CGK
Posts: 1,352
OS: XP



Hi nathansmith_6,


Did AVG find any threat?


-----------------------

Next is the most time consuming portion, but well worth the peace of mind. :)

Please run this online scan to help look for remnants. This scan can take quite a while, but it's very thorough.

Kaspersky Online Scan
Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

Note for Internet Explorer 8 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

----------------------

Quote:
please run DDS scan again and post the fresh logs provided in your next reply, as well.
You missed this part in my earlier post.
__________________
vpw_pearl is offline  
Old 06-23-2010, 10:35 PM   #19
TSF Team, Emeritus
 
vpw_pearl's Avatar
 
Join Date: Apr 2009
Location: CGK
Posts: 1,352
OS: XP



Are you still with me, nathansmith_6? Is everything okay?

I generally unsubscribe from threads after 5 days of inactivity. If I don't receive any reply within 24 hours of this post, this topic will be closed.
__________________
vpw_pearl is offline  
Old 06-25-2010, 03:25 AM   #20
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
amateur's Avatar
 
Join Date: Jun 2006
Location: here & there and everywhere
Posts: 14,780
OS: XP Win7 Ubuntu 10.10



Due to lack of response, this topic will now be closed. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here:

http://www.techsupportforum.com/secu...oval-help.html

__________________

amateur is offline  
Copyright 2001 - 2014, Tech Support Forum