1. You are viewing our forum as a guest. For full access please Register. WindowsBBS.com is completely free, paid for by advertisers and donations.

Solved Trojan.Bankpatch.C!inf

Discussion in 'Malware and Virus Removal Archive' started by imandy, 2009/08/26.

  1. 2009/09/03
    imandy

    imandy Inactive Thread Starter

    Joined:
    2008/08/18
    Messages:
    48
    Likes Received:
    0
    that's was all there was in the notepad. unless i copied only half without knowing. i deleted the notepad already too.
     
  2. 2009/09/03
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    You should see Combofix.txt in C:\drive.
    Copy the content, and post it back.
    The log file should have EOF mark at the end.
     

  3. to hide this advert.

  4. 2009/09/03
    imandy

    imandy Inactive Thread Starter

    Joined:
    2008/08/18
    Messages:
    48
    Likes Received:
    0
    thanks. i dont know why i only copied half of it. sorry.

    ComboFix 09-09-01.04 - Mandy 09/03/2009 21:16.7.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1006.419 [GMT -4:00]
    Running from: c:\documents and settings\Mandy\Desktop\s45r34tws.exe
    AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
    FW: COMODO Firewall Pro *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\Downloaded Program Files\webinst.dll
    c:\windows\Installer\711cd22.msp
    c:\windows\Installer\f3284.msp

    c:\windows\system32\grpconv.exe . . . is missing!!

    c:\windows\system32\proquota.exe . . . is missing!!

    .
    ((((((((((((((((((((((((( Files Created from 2009-08-04 to 2009-09-04 )))))))))))))))))))))))))))))))
    .

    2009-09-02 22:59 . 2009-09-02 23:22 -------- d-----w- c:\program files\Wolfienetsetup
    2009-09-01 02:12 . 2009-09-01 02:27 -------- d-----w- c:\documents and settings\Mandy\DoctorWeb
    2009-08-31 00:40 . 2009-08-31 00:40 3942047 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
    2009-08-30 21:40 . 2009-08-30 21:49 117760 ----a-w- c:\documents and settings\Mandy\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2009-08-30 21:39 . 2009-08-30 21:39 -------- d-----w- c:\program files\SUPERAntiSpyware
    2009-08-30 21:37 . 2009-08-30 21:37 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2009-08-25 00:37 . 2009-08-25 00:37 152576 ----a-w- c:\documents and settings\Mandy\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
    2009-08-11 21:03 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
    2009-08-06 01:05 . 2009-08-06 01:05 -------- d-----w- c:\program files\iPod
    2009-08-06 01:04 . 2009-08-06 01:05 -------- d-----w- c:\program files\iTunes
    2009-08-06 00:10 . 2009-08-06 00:10 75040 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe
    2009-08-05 09:01 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-08-31 00:41 . 2008-08-18 18:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-08-30 21:39 . 2008-08-18 03:35 -------- d-----w- c:\documents and settings\Mandy\Application Data\SUPERAntiSpyware.com
    2009-08-28 14:41 . 2009-06-05 01:55 -------- d-----w- c:\program files\Maxis
    2009-08-26 18:28 . 2007-03-14 10:03 -------- d-----w- c:\documents and settings\Mandy\Application Data\Apple Computer
    2009-08-25 00:44 . 2006-05-04 10:33 -------- d-----w- c:\program files\Java
    2009-08-06 01:05 . 2007-11-24 16:04 -------- d-----w- c:\program files\Common Files\Apple
    2009-08-05 09:01 . 2004-08-10 17:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll
    2009-08-03 17:36 . 2008-08-18 18:03 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-08-03 17:36 . 2008-08-18 18:03 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-08-03 03:45 . 2006-08-29 00:54 -------- d-----w- c:\program files\Microsoft IntelliPoint
    2009-08-03 03:44 . 2006-08-29 02:35 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
    2009-07-25 09:23 . 2009-02-28 19:36 411368 ----a-w- c:\windows\system32\deploytk.dll
    2009-07-17 19:01 . 2004-08-10 17:50 58880 ----a-w- c:\windows\system32\atl.dll
    2009-07-14 22:42 . 2008-04-03 08:20 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2009-07-14 03:43 . 2004-08-10 17:51 286208 ----a-w- c:\windows\system32\wmpdxm.dll
    2009-07-13 23:11 . 2009-06-22 23:09 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
    2009-07-13 23:11 . 2009-06-22 23:08 1630560 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
    2009-07-13 23:11 . 2009-06-22 23:07 2353480 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
    2009-06-29 23:08 . 2009-06-22 23:09 314712 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
    2009-06-29 23:08 . 2009-06-22 23:09 169312 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
    2009-06-29 23:08 . 2009-06-22 23:08 348496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
    2009-06-29 23:08 . 2009-06-22 23:08 298336 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
    2009-06-29 23:08 . 2009-06-08 23:05 84832 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
    2009-06-29 23:08 . 2009-06-08 23:05 246128 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
    2009-06-29 23:08 . 2009-06-22 23:07 85352 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\AAWDriverTool.exe
    2009-06-29 23:08 . 2009-06-08 23:05 40288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
    2009-06-29 23:08 . 2009-06-22 23:07 664424 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
    2009-06-29 23:08 . 2009-06-22 23:07 563064 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
    2009-06-29 23:08 . 2009-06-22 23:07 566632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
    2009-06-29 23:07 . 2009-06-22 23:06 629072 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe
    2009-06-29 23:07 . 2009-06-22 23:06 520024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
    2009-06-29 23:07 . 2009-06-22 23:06 1029456 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
    2009-06-29 16:12 . 2004-08-10 17:51 827392 ----a-w- c:\windows\system32\wininet.dll
    2009-06-29 16:12 . 2004-08-10 17:51 78336 ----a-w- c:\windows\system32\ieencode.dll
    2009-06-29 16:12 . 2004-08-10 17:50 17408 ----a-w- c:\windows\system32\corpol.dll
    2009-06-25 08:25 . 2004-08-10 17:51 54272 ----a-w- c:\windows\system32\wdigest.dll
    2009-06-25 08:25 . 2004-08-10 17:51 56832 ----a-w- c:\windows\system32\secur32.dll
    2009-06-25 08:25 . 2004-08-10 17:51 147456 ----a-w- c:\windows\system32\schannel.dll
    2009-06-25 08:25 . 2004-08-10 17:51 136192 ----a-w- c:\windows\system32\msv1_0.dll
    2009-06-25 08:25 . 2004-08-10 17:51 730112 ----a-w- c:\windows\system32\lsasrv.dll
    2009-06-25 08:25 . 2004-08-10 17:51 301568 ----a-w- c:\windows\system32\kerberos.dll
    2009-06-24 11:18 . 2004-08-10 17:51 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
    2009-06-16 14:36 . 2004-08-10 17:51 119808 ----a-w- c:\windows\system32\t2embed.dll
    2009-06-16 14:36 . 2004-08-10 17:51 81920 ----a-w- c:\windows\system32\fontsub.dll
    2009-06-12 12:31 . 2004-08-10 17:51 76288 ----a-w- c:\windows\system32\telnet.exe
    2009-06-10 14:13 . 2004-08-10 17:50 84992 ----a-w- c:\windows\system32\avifil32.dll
    2009-06-10 13:19 . 2004-08-10 18:01 2066432 ----a-w- c:\windows\system32\mstscax.dll
    2009-06-10 06:14 . 2004-08-10 17:51 132096 ----a-w- c:\windows\system32\wkssvc.dll
    2009-06-08 23:05 . 2009-06-08 23:05 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
    2009-06-08 23:05 . 2009-04-14 19:16 15688 ----a-w- c:\windows\system32\lsdelete.exe
    2006-10-01 02:44 . 2006-07-31 01:50 88 --sh--r- c:\windows\system32\024D3846D7.sys
    2007-08-13 20:30 . 2006-09-21 20:45 56 -csh--r- c:\windows\system32\D746384D02.sys
    2007-08-13 20:31 . 2006-07-31 01:50 6372 -csha-w- c:\windows\system32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ISUSPM "= "c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 218032]
    "DellSupport "= "c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
    "Aim6 "= "c:\program files\AIM6\aim6.exe" [2009-05-19 49968]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh "= "c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 761947]
    "ISUSScheduler "= "c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
    "ISUSPM Startup "= "c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 218032]
    "IntelWireless "= "c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
    "IntelliPoint "= "c:\program files\Microsoft IntelliPoint\point32.exe" [2005-03-23 217088]
    "igfxtray "= "c:\windows\system32\igfxtray.exe" [2005-07-20 94208]
    "igfxpers "= "c:\windows\system32\igfxpers.exe" [2005-07-20 114688]
    "igfxhkcmd "= "c:\windows\system32\hkcmd.exe" [2005-07-20 77824]
    "HP Software Update "= "c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
    "dscactivate "= "c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
    "dla "= "c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
    "DellSupportCenter "= "c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
    "ccApp "= "c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-05-12 115560]
    "QuickTime Task "= "c:\program files\QuickTime Alternative\QTTask.exe" [2009-05-26 413696]
    "iTunesHelper "= "c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
    "SunJavaUpdateSched "= "c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-5-4 24576]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
    2004-09-07 21:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
    @= "Service "

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Mandy^Start Menu^Programs^Startup^Adobe Gamma.lnk]
    path=c:\documents and settings\Mandy\Start Menu\Programs\Startup\Adobe Gamma.lnk
    backup=c:\windows\pss\Adobe Gamma.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe "=
    "c:\\Program Files\\DC++\\DCPlusPlus.exe "=
    "c:\\Program Files\\AIM6\\aim6.exe "=
    "c:\\Program Files\\AIM6\\aolsoftware.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe "=
    "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE "=
    "c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe "=
    "c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe "=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "c:\\Program Files\\iTunes\\iTunes.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundEchoRequest "= 1 (0x1)

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [4/6/2009 7:04 PM 64160]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [8/5/2009 4:06 PM 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 4:06 PM 74480]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [4/7/2009 11:33 PM 24652]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/29/2009 10:25 PM 102448]
    S1 SABKUTIL;SABKUTIL;\??\c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys --> c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys [?]
    S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 1029456]
    S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [10/20/2008 11:28 AM 23888]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 4:06 PM 7408]
    S3 Smcinst;Symantec Auto-upgrade Agent;c:\program files\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe --> c:\program files\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe [?]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-08-31 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 23:08]

    2009-09-03 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
    .
    - - - - ORPHANS REMOVED - - - -

    SafeBoot-Symantec Antvirus


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://my.freeze.com/?AcquisitionID=2fa3db99-5388-42d6-8831-8462104dad83&s=&ipc=
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
    uInternet Settings,ProxyServer = http=localhost:7171
    uInternet Settings,ProxyOverride = *.local;<local>
    DPF: {C190FF32-96D0-445F-9F60-5CF288FD3D0F} - hxxps://register.resnet.stonybrook.edu/CAT/CNICAT.cab
    DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} - hxxp://pdc.resnet.stonybrook.edu/sav/webinst.cab
    FF - ProfilePath - c:\documents and settings\Mandy\Application Data\Mozilla\Firefox\Profiles\1f5usaed.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-veoh&p=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-veoh&p=
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
    FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin.dll
    FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin2.dll
    FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin3.dll
    FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin4.dll
    FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin5.dll
    FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin6.dll
    FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin7.dll
    FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
    FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
    FF - HiddenExtension: XUL Cache: {B6E0B4E9-2C14-4B46-BB88-124E22F7BC5A} - c:\documents and settings\Mandy\Local Settings\Application Data\{B6E0B4E9-2C14-4B46-BB88-124E22F7BC5A}
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
    FF - user.js: general.useragent.extra.zencast - .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-09-03 21:32
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(668)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    c:\windows\system32\WININET.dll
    c:\program files\Intel\Wireless\Bin\LgNotify.dll
    c:\windows\system32\igfxdev.dll
    .
    Completion time: 2009-09-04 21:42
    ComboFix-quarantined-files.txt 2009-09-04 01:42

    Pre-Run: 48,246,841,344 bytes free
    Post-Run: 48,253,374,464 bytes free

    240 --- E O F --- 2009-08-26 22:09
     
  5. 2009/09/03
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Combofix reports:

    I'm attaching both files (zipped). Unzip them, and paste both files into your c:\windows\system32 folder before you run Combofix script listed below.

    =======================================================

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad .exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\system32\024D3846D7.sys
    c:\windows\system32\D746384D02.sys
    
    
    Folder::
    
    Driver::
    
    Registry::
    
    RegLockDel::
    
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [​IMG]


    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.
     

    Attached Files:

  6. 2009/09/04
    imandy

    imandy Inactive Thread Starter

    Joined:
    2008/08/18
    Messages:
    48
    Likes Received:
    0
    ComboFix 09-09-01.04 - Mandy 09/04/2009 16:21.8.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1006.550 [GMT -4:00]
    Running from: c:\documents and settings\Mandy\Desktop\s45r34tws.exe
    Command switches used :: c:\documents and settings\Mandy\Desktop\CFScript.txt
    AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
    FW: COMODO Firewall Pro *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
    * Created a new restore point

    FILE ::
    "c:\windows\system32\024D3846D7.sys "
    "c:\windows\system32\D746384D02.sys "
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\024D3846D7.sys
    c:\windows\system32\D746384D02.sys

    .
    ((((((((((((((((((((((((( Files Created from 2009-08-04 to 2009-09-04 )))))))))))))))))))))))))))))))
    .

    2009-09-04 20:06 . 2009-09-04 20:06 -------- d-----w- c:\windows\LastGood
    2009-09-04 20:06 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
    2009-09-04 20:06 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
    2009-09-04 20:06 . 2008-04-14 09:42 39424 ----a-w- c:\windows\system32\grpconv.exe
    2009-09-04 20:06 . 2008-04-14 09:42 39424 ----a-w- c:\windows\system32\dllcache\grpconv.exe
    2009-09-02 22:59 . 2009-09-02 23:22 -------- d-----w- c:\program files\Wolfienetsetup
    2009-09-01 02:12 . 2009-09-01 02:27 -------- d-----w- c:\documents and settings\Mandy\DoctorWeb
    2009-08-31 00:40 . 2009-08-31 00:40 3942047 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
    2009-08-30 21:40 . 2009-08-30 21:49 117760 ----a-w- c:\documents and settings\Mandy\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2009-08-30 21:39 . 2009-08-30 21:39 -------- d-----w- c:\program files\SUPERAntiSpyware
    2009-08-30 21:37 . 2009-08-30 21:37 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2009-08-25 00:37 . 2009-08-25 00:37 152576 ----a-w- c:\documents and settings\Mandy\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
    2009-08-11 21:03 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
    2009-08-06 01:05 . 2009-08-06 01:05 -------- d-----w- c:\program files\iPod
    2009-08-06 01:04 . 2009-08-06 01:05 -------- d-----w- c:\program files\iTunes
    2009-08-06 00:10 . 2009-08-06 00:10 75040 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-08-31 00:41 . 2008-08-18 18:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-08-30 21:39 . 2008-08-18 03:35 -------- d-----w- c:\documents and settings\Mandy\Application Data\SUPERAntiSpyware.com
    2009-08-28 14:41 . 2009-06-05 01:55 -------- d-----w- c:\program files\Maxis
    2009-08-26 18:28 . 2007-03-14 10:03 -------- d-----w- c:\documents and settings\Mandy\Application Data\Apple Computer
    2009-08-25 00:44 . 2006-05-04 10:33 -------- d-----w- c:\program files\Java
    2009-08-06 01:05 . 2007-11-24 16:04 -------- d-----w- c:\program files\Common Files\Apple
    2009-08-05 09:01 . 2004-08-10 17:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll
    2009-08-03 17:36 . 2008-08-18 18:03 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-08-03 17:36 . 2008-08-18 18:03 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-08-03 03:45 . 2006-08-29 00:54 -------- d-----w- c:\program files\Microsoft IntelliPoint
    2009-08-03 03:44 . 2006-08-29 02:35 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
    2009-07-25 09:23 . 2009-02-28 19:36 411368 ----a-w- c:\windows\system32\deploytk.dll
    2009-07-17 19:01 . 2004-08-10 17:50 58880 ----a-w- c:\windows\system32\atl.dll
    2009-07-14 22:42 . 2008-04-03 08:20 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2009-07-14 03:43 . 2004-08-10 17:51 286208 ----a-w- c:\windows\system32\wmpdxm.dll
    2009-07-13 23:11 . 2009-06-22 23:09 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
    2009-07-13 23:11 . 2009-06-22 23:08 1630560 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
    2009-07-13 23:11 . 2009-06-22 23:07 2353480 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
    2009-06-29 23:08 . 2009-06-22 23:09 314712 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
    2009-06-29 23:08 . 2009-06-22 23:09 169312 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
    2009-06-29 23:08 . 2009-06-22 23:08 348496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
    2009-06-29 23:08 . 2009-06-22 23:08 298336 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
    2009-06-29 23:08 . 2009-06-08 23:05 84832 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
    2009-06-29 23:08 . 2009-06-08 23:05 246128 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
    2009-06-29 23:08 . 2009-06-22 23:07 85352 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\AAWDriverTool.exe
    2009-06-29 23:08 . 2009-06-08 23:05 40288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
    2009-06-29 23:08 . 2009-06-22 23:07 664424 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
    2009-06-29 23:08 . 2009-06-22 23:07 563064 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
    2009-06-29 23:08 . 2009-06-22 23:07 566632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
    2009-06-29 23:07 . 2009-06-22 23:06 629072 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe
    2009-06-29 23:07 . 2009-06-22 23:06 520024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
    2009-06-29 23:07 . 2009-06-22 23:06 1029456 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
    2009-06-29 16:12 . 2004-08-10 17:51 827392 ------w- c:\windows\system32\wininet.dll
    2009-06-29 16:12 . 2004-08-10 17:51 78336 ----a-w- c:\windows\system32\ieencode.dll
    2009-06-29 16:12 . 2004-08-10 17:50 17408 ----a-w- c:\windows\system32\corpol.dll
    2009-06-25 08:25 . 2004-08-10 17:51 54272 ----a-w- c:\windows\system32\wdigest.dll
    2009-06-25 08:25 . 2004-08-10 17:51 56832 ----a-w- c:\windows\system32\secur32.dll
    2009-06-25 08:25 . 2004-08-10 17:51 147456 ----a-w- c:\windows\system32\schannel.dll
    2009-06-25 08:25 . 2004-08-10 17:51 136192 ----a-w- c:\windows\system32\msv1_0.dll
    2009-06-25 08:25 . 2004-08-10 17:51 730112 ----a-w- c:\windows\system32\lsasrv.dll
    2009-06-25 08:25 . 2004-08-10 17:51 301568 ----a-w- c:\windows\system32\kerberos.dll
    2009-06-24 11:18 . 2004-08-10 17:51 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
    2009-06-16 14:36 . 2004-08-10 17:51 119808 ----a-w- c:\windows\system32\t2embed.dll
    2009-06-16 14:36 . 2004-08-10 17:51 81920 ----a-w- c:\windows\system32\fontsub.dll
    2009-06-12 12:31 . 2004-08-10 17:51 76288 ----a-w- c:\windows\system32\telnet.exe
    2009-06-10 14:13 . 2004-08-10 17:50 84992 ----a-w- c:\windows\system32\avifil32.dll
    2009-06-10 13:19 . 2004-08-10 18:01 2066432 ----a-w- c:\windows\system32\mstscax.dll
    2009-06-10 06:14 . 2004-08-10 17:51 132096 ----a-w- c:\windows\system32\wkssvc.dll
    2009-06-08 23:05 . 2009-06-08 23:05 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
    2009-06-08 23:05 . 2009-04-14 19:16 15688 ----a-w- c:\windows\system32\lsdelete.exe
    2007-08-13 20:31 . 2006-07-31 01:50 6372 -csha-w- c:\windows\system32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((( SnapShot@2009-09-04_01.32.55 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-09-04 20:06 . 2007-10-31 02:32 50176 c:\windows\LastGood\system32\proquota.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ISUSPM "= "c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 218032]
    "DellSupport "= "c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
    "Aim6 "= "c:\program files\AIM6\aim6.exe" [2009-05-19 49968]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh "= "c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 761947]
    "ISUSScheduler "= "c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
    "ISUSPM Startup "= "c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 218032]
    "IntelWireless "= "c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
    "IntelliPoint "= "c:\program files\Microsoft IntelliPoint\point32.exe" [2005-03-23 217088]
    "igfxtray "= "c:\windows\system32\igfxtray.exe" [2005-07-20 94208]
    "igfxpers "= "c:\windows\system32\igfxpers.exe" [2005-07-20 114688]
    "igfxhkcmd "= "c:\windows\system32\hkcmd.exe" [2005-07-20 77824]
    "HP Software Update "= "c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
    "dscactivate "= "c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
    "dla "= "c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
    "DellSupportCenter "= "c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
    "ccApp "= "c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-05-12 115560]
    "QuickTime Task "= "c:\program files\QuickTime Alternative\QTTask.exe" [2009-05-26 413696]
    "iTunesHelper "= "c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
    "SunJavaUpdateSched "= "c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-5-4 24576]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
    2004-09-07 21:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
    @= "Service "

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Mandy^Start Menu^Programs^Startup^Adobe Gamma.lnk]
    path=c:\documents and settings\Mandy\Start Menu\Programs\Startup\Adobe Gamma.lnk
    backup=c:\windows\pss\Adobe Gamma.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe "=
    "c:\\Program Files\\DC++\\DCPlusPlus.exe "=
    "c:\\Program Files\\AIM6\\aim6.exe "=
    "c:\\Program Files\\AIM6\\aolsoftware.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe "=
    "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE "=
    "c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe "=
    "c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe "=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "c:\\Program Files\\iTunes\\iTunes.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundEchoRequest "= 1 (0x1)

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [4/6/2009 7:04 PM 64160]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [8/5/2009 4:06 PM 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 4:06 PM 74480]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [4/7/2009 11:33 PM 24652]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/29/2009 10:25 PM 102448]
    S1 SABKUTIL;SABKUTIL;\??\c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys --> c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys [?]
    S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 1029456]
    S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [10/20/2008 11:28 AM 23888]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 4:06 PM 7408]
    S3 Smcinst;Symantec Auto-upgrade Agent;c:\program files\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe --> c:\program files\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe [?]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-08-31 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 23:08]

    2009-09-03 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://my.freeze.com/?AcquisitionID=2fa3db99-5388-42d6-8831-8462104dad83&s=&ipc=
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
    uInternet Settings,ProxyServer = http=localhost:7171
    uInternet Settings,ProxyOverride = *.local;<local>
    DPF: {C190FF32-96D0-445F-9F60-5CF288FD3D0F} - hxxps://register.resnet.stonybrook.edu/CAT/CNICAT.cab
    DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} - hxxp://pdc.resnet.stonybrook.edu/sav/webinst.cab
    FF - ProfilePath - c:\documents and settings\Mandy\Application Data\Mozilla\Firefox\Profiles\1f5usaed.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-veoh&p=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-veoh&p=
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
    FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin.dll
    FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin2.dll
    FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin3.dll
    FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin4.dll
    FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin5.dll
    FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin6.dll
    FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin7.dll
    FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
    FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
    FF - HiddenExtension: XUL Cache: {B6E0B4E9-2C14-4B46-BB88-124E22F7BC5A} - c:\documents and settings\Mandy\Local Settings\Application Data\{B6E0B4E9-2C14-4B46-BB88-124E22F7BC5A}
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
    FF - user.js: general.useragent.extra.zencast - .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-09-04 16:38
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(668)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    c:\windows\system32\WININET.dll
    c:\program files\Intel\Wireless\Bin\LgNotify.dll
    c:\windows\system32\igfxdev.dll
    .
    Completion time: 2009-09-04 16:48
    ComboFix-quarantined-files.txt 2009-09-04 20:48
    ComboFix2.txt 2009-09-04 01:43

    Pre-Run: 48,295,448,576 bytes free
    Post-Run: 48,234,713,088 bytes free

    247 --- E O F --- 2009-08-26 22:09




    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:03:34 PM, on 9/4/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16876)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Dell Support Center\bin\sprtcmd.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\Program Files\AIM6\aim6.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.freeze.com/?AcquisitionID=2fa3db99-5388-42d6-8831-8462104dad83&s=&ipc=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
    O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.9.0\IEViewBar.dll
    O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe "
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe "
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe "
    O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe "
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
    O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {C190FF32-96D0-445F-9F60-5CF288FD3D0F} (ActiveFormX Control) - https://register.resnet.stonybrook.edu/CAT/CNICAT.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - http://pdc.resnet.stonybrook.edu/sav/webinst.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: Symantec Auto-upgrade Agent (Smcinst) - Unknown owner - C:\Program Files\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe (file missing)
    O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
    O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
    O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    --
    End of file - 9661 bytes
     
  7. 2009/09/04
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Very good :)

    Uninstall Combofix:
    Go Start > Run
    Type in:
    combofix /u
    Note the space between the "combofix" and the "/u "
    Restart computer.

    ================================================================

    Go to Add\Remove and uninstall:
    - Java 2 Runtime Environment, SE v1.4.2_03
    - Java(TM) 6 Update 7

    ================================================================

    Unless you installed Viewpoint Manager knowledgeably...
    Go Start>Control Panel>Add\Remove (Programs and Features in Vista), and...
    Uninstall any of the following programs associated with Viewpoint:
    * Viewpoint Manager
    * Viewpoint Media Player
    * Viewpoint Toolbar
    This program does not do anything bad such as deliver ads or spy on you, but it is considered foistware ( "drive-by-install ") as it is installed without your consent through programs like AOl, AIM, Compuserve, etc.

    ==============================================================

    Print this post out, since you won't have an access to it, at some point.

    1. Open HijackThis.

    2. Close all windows, except for HijackThis.

    3. Put checkmarks next to the following HijackThis entries:

    - R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.freeze.com/?AcquisitionID=...4dad83&s=&ipc= (avoid sites like this one; more info: http://www.mywot.com/en/scorecard/my.freeze.com)
    - R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
    - R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
    - O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    - O4 - Global Startup: Digital Line Detect.lnk = ?


    4. You should also checkmark following entries (these are unnecessary startups; no actual programs will be removed):

    - O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    - O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    - O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    - O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    - O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe "
    - O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe "
    - O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
    - O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    - O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
    - O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
    - O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    - O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    - O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    - O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll



    5. Click on Fix checked button.

    6. Restart computer.

    7. Post new HijackThis log.
     
  8. 2009/09/05
    imandy

    imandy Inactive Thread Starter

    Joined:
    2008/08/18
    Messages:
    48
    Likes Received:
    0
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:22:10 PM, on 9/5/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16876)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
    C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
    O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe "
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe "
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\QTTask.exe" -atboottime
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {C190FF32-96D0-445F-9F60-5CF288FD3D0F} (ActiveFormX Control) - https://register.resnet.stonybrook.edu/CAT/CNICAT.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - http://pdc.resnet.stonybrook.edu/sav/webinst.cab
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: Symantec Auto-upgrade Agent (Smcinst) - Unknown owner - C:\Program Files\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe (file missing)
    O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
    O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
    O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    --
    End of file - 6881 bytes
     
  9. 2009/09/05
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Your computer is clean :)

    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.

    2. Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore ".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side
    4. Click on Continue on the "User Account Control" window that pops up
    5. Under the System Protection tab, find Available Disks
    6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C: ")
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK

    3. Restart computer.

    4. Turn System Restore on.

    5. Make sure, Windows Updates are current.

    [SIZE= "4"]6. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately![/SIZE]

    7. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    8. Run defrag at your convenience.

    9. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    10. Please, let me know, how is your computer doing.
     
  10. 2009/09/06
    imandy

    imandy Inactive Thread Starter

    Joined:
    2008/08/18
    Messages:
    48
    Likes Received:
    0
    thank you so much :)

    i changed all the passwords to the websites i can remember. im going to defrag my laptop now.

    thank you soo much again.
     
  11. 2009/09/07
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    You're very welcome :)
    Happy surfing :)
     

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.