
Infected Machine

  • 25-08-2009 10:15am
    #1
    Posts: 0


    Hi,

    I wonder if someone would be so kind to look at these logs.
    It's my brother's PC and the machine was infected badly.

    I used Malwarebytes and the instructions from the sticky, though it is still infected and it won't connect to any of the security sites or Microsoft for updates.

    Many thanks in advance.

    James


    Hijack this

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:04:34, on 25/08/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\brss01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\sySTEM32\SvchoSt.ExE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\WINDOWS\system32\VTTimer.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\O2\O2 Broadband USB Modem\O2 Broadband\O2 Broadband.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A71F39A5-3113-4E72-919B-DDB5BD2D4636}: NameServer = 62.40.32.33 62.40.32.34
    O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    O20 - AppInit_DLLs: cru629.dat
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

    --
    End of file - 4979 bytes


    Rooter

    Rooter.exe (v1.0.2) by Eric_71
    .
    SeDebugPrivilege granted successfully ...
    .
    Windows XP Home Edition (5.1.2600) Service Pack 3
    [32_bits] - x86 Family 15 Model 4 Stepping 1, GenuineIntel
    .
    [wscsvc] (Security Center) RUNNING (state:4)
    [SharedAccess] RUNNING (state:4)
    Windows Firewall -> Disabled !
    .
    Internet Explorer 6.0.2900.5512
    Mozilla Firefox 3.5.2 (en-GB)
    .
    C:\ [Fixed-NTFS] .. ( Total:149 Go - Free:141 Go )
    D:\ [CD_Rom]
    E:\ [CD_Rom]
    F:\ [Removable]
    .
    Scan : 10:06.36
    Path : C:\Documents and Settings\Mary Carroll\Desktop\Rooter.exe
    User : Mary Carroll ( Administrator -> YES )
    .
    \\ Processes
    .
    Locked [System Process] (0)
    ______ System (4)
    ______ \SystemRoot\System32\smss.exe (516)
    ______ \??\C:\WINDOWS\system32\csrss.exe (608)
    ______ \??\C:\WINDOWS\system32\winlogon.exe (632)
    ______ C:\WINDOWS\system32\services.exe (676)
    ______ C:\WINDOWS\system32\lsass.exe (688)
    ______ C:\WINDOWS\system32\svchost.exe (832)
    ______ C:\WINDOWS\system32\svchost.exe (912)
    ______ C:\Program Files\Windows Defender\MsMpEng.exe (948)
    ______ C:\WINDOWS\System32\svchost.exe (992)
    ______ C:\WINDOWS\system32\svchost.exe (1060)
    ______ C:\WINDOWS\system32\svchost.exe (1156)
    ______ C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (1216)
    ______ C:\Program Files\Alwil Software\Avast4\ashServ.exe (1304)
    ______ C:\WINDOWS\system32\brss01a.exe (1524)
    ______ C:\WINDOWS\system32\spoolsv.exe (1532)
    ______ C:\WINDOWS\sySTEM32\SvchoSt.ExE (1632)
    ______ C:\WINDOWS\system32\svchost.exe (1692)
    ______ C:\WINDOWS\system32\wdfmgr.exe (1720)
    ______ C:\WINDOWS\Explorer.EXE (400)
    ______ C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe (464)
    ______ C:\WINDOWS\system32\VTTimer.exe (472)
    ______ C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe (488)
    ______ C:\Program Files\Windows Defender\MSASCui.exe (496)
    ______ C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe (504)
    ______ C:\WINDOWS\system32\ctfmon.exe (356)
    ______ C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (536)
    ______ C:\Program Files\Messenger\msmsgs.exe (572)
    ______ C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (604)
    ______ C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (2184)
    ______ C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (2212)
    ______ C:\WINDOWS\System32\alg.exe (2512)
    ______ C:\Program Files\O2\O2 Broadband USB Modem\O2 Broadband\O2 Broadband.exe (3396)
    ______ C:\WINDOWS\system32\wuauclt.exe (3780)
    ______ C:\Program Files\Mozilla Firefox\firefox.exe (564)
    ______ C:\WINDOWS\system32\wscntfy.exe (3160)
    ______ C:\Documents and Settings\Mary Carroll\Desktop\Rooter.exe (904)
    .
    \\ Device\Harddisk0\
    .
    \Device\Harddisk0 [Sectors : 63 x 512 Bytes]
    .
    \Device\Harddisk0\Partition1 --[ MBR ]-- (Start_Offset:32256 | Length:160031015424)
    .
    \\ Scheduled Tasks
    .
    C:\WINDOWS\Tasks\desktop.ini
    C:\WINDOWS\Tasks\MP Scheduled Scan.job
    C:\WINDOWS\Tasks\SA.DAT
    .
    \\ Registry
    .
    .
    \\ Files & Folders
    .
    \\ Scan completed at 10:06.38
    .
    C:\Rooter$\Rooter_1.txt - (25/08/2009 | 10:06.38)


Comments

  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    Hi

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
    1. If you are using Firefox, make sure that your download settings are as follows:
      • Tools->Options->Main tab
      • Set to "Always ask me where to Save the files".
    2. During the download, rename Combofix to Combo-Fix as follows:
      (screenshots: CF_download_FF.gif, CF_download_rename.gif)
    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    7. Double click on combo-Fix.exe & follow the prompts.
    8. When finished, it will produce a report for you.
    9. Please post the "C:\Combo-Fix.txt" for further review.
    **Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


  • Posts: 0 [Deleted User]


    Thank you so much ASJ and sorry for the delay, just in the door.
    I have run that prog and the log details are as follows:

    ComboFix 09-08-24.06 - Mary Carroll 25/08/2009 19:29.2.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.478.129 [GMT 1:00]
    Running from: c:\documents and settings\Mary Carroll\Desktop\Combo-Fix.exe
    AV: avast! antivirus 4.8.1351 [VPS 090825-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    ---- Previous Run
    .
    c:\windows\010112010146120114.fx
    c:\windows\0101120101464949.fx
    c:\windows\0101120101464950.fx
    c:\windows\0101120101465449.fx
    c:\windows\0101120101465651.fx
    c:\windows\0101120101465653.fx
    c:\windows\4ff345dfbh521
    c:\windows\prxid93ps.dat
    c:\windows\th823567.dat

    c:\windows\system32\proquota.exe was missing
    Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    \Legacy_BROWSERCTL
    \Legacy_BROWSERCTLDRV
    \Service_browserctldrv
    \Service_SfX
    \Service_SfX


    ((((((((((((((((((((((((( Files Created from 2009-07-25 to 2009-08-25 )))))))))))))))))))))))))))))))
    .

    2009-08-25 18:21 . 2008-04-14 04:42 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
    2009-08-25 18:21 . 2008-04-14 04:42 50176 ----a-w- c:\windows\system32\proquota.exe
    2009-08-25 09:06 . 2009-08-25 09:06 d-----w- C:\Rooter$
    2009-08-25 08:56 . 2009-08-25 08:56 d-----w- C:\rsit
    2009-08-25 08:51 . 2009-08-25 08:51 d-----w- c:\program files\ERUNT
    2009-08-24 20:06 . 2009-08-25 08:56 d-----w- c:\program files\Trend Micro
    2009-08-24 18:23 . 2009-08-25 08:06 d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-08-24 18:23 . 2009-08-24 20:07 d-----w- c:\program files\Spybot - Search & Destroy
    2009-08-24 17:09 . 2009-08-17 16:04 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2009-08-24 17:09 . 2009-08-17 16:04 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2009-08-24 17:09 . 2009-08-17 16:03 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2009-08-24 17:09 . 2009-08-17 16:02 97480 ----a-w- c:\windows\system32\AvastSS.scr
    2009-08-24 17:09 . 2009-08-17 16:05 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2009-08-24 17:09 . 2009-08-17 16:05 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2009-08-24 17:09 . 2009-08-17 16:06 93392 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2009-08-24 17:09 . 2009-08-17 16:06 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2009-08-24 17:08 . 2009-08-17 16:10 1279456 ----a-w- c:\windows\system32\aswBoot.exe
    2009-08-24 17:08 . 2003-03-18 20:20 1060864 ----a-w- c:\windows\system32\MFC71.dll
    2009-08-24 17:08 . 2003-03-18 19:14 499712 ----a-w- c:\windows\system32\MSVCP71.dll
    2009-08-24 17:08 . 2003-02-21 03:42 348160 ----a-w- c:\windows\system32\MSVCR71.dll
    2009-08-24 17:08 . 2009-08-24 17:08 d-----w- c:\program files\Alwil Software
    2009-08-24 16:05 . 2009-08-24 16:05 d-----w- c:\program files\Windows Defender
    2009-08-24 16:00 . 2009-08-24 16:00 0 ----a-w- c:\windows\nsreg.dat
    2009-08-24 16:00 . 2009-08-24 16:00 d-----w- c:\documents and settings\Mary Carroll\Local Settings\Application Data\Mozilla
    2009-08-24 15:56 . 2009-08-24 15:57 d-----w- c:\program files\CCleaner
    2009-08-24 15:25 . 2009-08-24 15:25 d-----w- c:\documents and settings\Mary Carroll\Application Data\MSNInstaller
    2009-08-24 15:03 . 2008-04-14 04:41 25471 ------w- c:\windows\system32\drivers\atv04nt5.dll
    2009-08-24 14:56 . 2009-08-24 14:56 d-----w- c:\windows\EHome
    2009-08-24 14:36 . 2008-03-17 10:56 103168 ----a-w- c:\windows\system32\drivers\ewusbfake.sys
    2009-08-24 14:36 . 2008-03-17 10:03 101376 ----a-w- c:\windows\system32\drivers\ewusbmdm.sys
    2009-08-24 14:36 . 2008-03-16 13:47 872192 ----a-w- c:\windows\system32\drivers\mod7700.sys
    2009-08-24 14:36 . 2008-01-22 14:09 100992 ----a-w- c:\windows\system32\drivers\ewusbnet.sys
    2009-08-24 14:36 . 2007-08-09 03:13 24448 ----a-w- c:\windows\system32\drivers\ewdcsc.sys
    2009-08-24 14:35 . 2009-08-24 14:35 d-----w- c:\program files\O2
    2009-08-24 14:33 . 2009-08-24 15:22 117760 ----a-w- c:\documents and settings\Mary Carroll\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2009-08-24 14:33 . 2009-08-24 14:33 d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2009-08-24 14:33 . 2009-08-24 15:25 d-----w- c:\program files\SUPERAntiSpyware
    2009-08-24 14:33 . 2009-08-24 14:33 d-----w- c:\documents and settings\Mary Carroll\Application Data\SUPERAntiSpyware.com
    2009-08-24 09:22 . 2009-08-24 09:22 d-----w- c:\documents and settings\Mary Carroll\Application Data\Malwarebytes
    2009-08-24 09:22 . 2009-08-03 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-08-24 09:22 . 2009-08-24 09:22 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-08-24 09:22 . 2009-08-24 09:22 d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-08-24 09:22 . 2009-08-03 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-08-19 15:53 . 2009-08-19 15:53 38016 ----a-w- c:\windows\system32\drivers\DnsFilter.sys
    2009-08-19 15:53 . 2009-08-19 15:53 d-----w- c:\program files\DDnsFilter
    2009-08-12 00:42 . 2009-08-12 00:42 d-----w- c:\documents and settings\Mary Carroll\Local Settings\Application Data\Adobe
    2009-08-12 00:42 . 2009-08-12 00:42 d-----w- c:\documents and settings\Mary Carroll\Application Data\AdobeUM
    2009-08-10 23:45 . 2008-04-13 23:17 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
    2009-08-10 21:26 . 2009-08-10 21:26 d-----w- c:\documents and settings\CeliaxXx\Local Settings\Application Data\Identities
    2009-08-04 14:56 . 2009-08-04 14:56 d-----w- c:\windows\Sun
    2009-08-03 20:51 . 2009-08-03 20:51 d-----w- c:\documents and settings\CeliaxXx\Application Data\AdobeUM
    2009-08-03 20:51 . 2009-08-03 20:51 d-----w- c:\documents and settings\CeliaxXx\Local Settings\Application Data\Adobe
    2009-08-03 20:43 . 2009-08-03 20:43 d-----w- c:\program files\Common Files\Adobe
    2009-07-30 21:32 . 2009-07-30 21:32 d-s---w- c:\documents and settings\CeliaxXx\UserData
    2009-07-28 22:22 . 2009-08-20 09:29 d-----w- c:\documents and settings\CeliaxXx\Application Data\MSNInstaller
    2009-07-26 19:09 . 2009-07-26 19:10 d-----w- c:\documents and settings\Mary Carroll\Local Settings\Application Data\Google

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-08-24 16:04 . 2009-07-23 02:34 30304 ----a-w- c:\documents and settings\Mary Carroll\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-08-24 15:12 . 2009-07-23 00:43 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
    2009-08-17 22:03 . 2009-07-23 19:57 d-----w- c:\documents and settings\CeliaxXx\Application Data\BullGuard
    2009-07-25 09:20 . 2009-07-24 21:01 d-----w- c:\documents and settings\All Users\Application Data\NOS
    2009-07-25 09:20 . 2009-07-24 21:01 d-----w- c:\program files\NOS
    2009-07-24 21:02 . 2009-07-24 21:02 d-----w- c:\program files\Google
    2009-07-23 10:09 . 2009-07-23 10:09 d-----w- c:\documents and settings\Mary Carroll\Application Data\Template
    2009-07-23 03:29 . 2009-07-23 03:29 d-----w- c:\documents and settings\Mary Carroll\Application Data\CyberLink
    2009-07-23 03:29 . 2009-07-23 03:29 d-----w- c:\documents and settings\All Users\Application Data\CyberLink
    2009-07-23 02:34 . 2009-07-23 02:34 0 ----a-w- c:\documents and settings\Mary Carroll\Application Data\wklnhst.dat
    2009-07-23 02:15 . 2009-07-23 02:13 d-----w- c:\program files\Microsoft Works
    2009-07-23 02:11 . 2009-07-23 02:11 d--h--w- c:\program files\InstallShield Installation Information
    2009-07-23 02:11 . 2009-07-23 02:11 d-----w- c:\program files\CyberLink
    2009-07-23 02:11 . 2009-07-23 02:11 d-----w- c:\program files\Common Files\InstallShield
    2009-07-23 02:10 . 2009-07-23 02:07 d-----w- c:\program files\Common Files\Ahead
    2009-07-23 02:07 . 2009-07-23 02:07 d-----w- c:\program files\Nero
    2009-07-23 01:36 . 2009-07-23 01:36 9388 ----a-w- c:\windows\system32\drivers\iaStor.PNF
    2009-07-23 01:36 . 2009-07-23 01:36 7280 ----a-w- c:\windows\system32\drivers\viamraid.PNF
    2009-07-23 01:36 . 2009-07-23 01:36 6984 ----a-w- c:\windows\system32\drivers\SiSRaid.PNF
    2009-07-23 01:36 . 2009-07-23 01:36 63240 ----a-w- c:\windows\system32\drivers\Si3112r.PNF
    2009-07-23 01:36 . 2009-07-23 01:36 20152 ----a-w- c:\windows\system32\drivers\INFCACHE.1
    2009-07-23 01:36 . 2009-07-23 01:36 12432 ----a-w- c:\windows\system32\drivers\adpu320.PNF
    2009-07-23 01:36 . 2009-07-23 01:36 12204 ----a-w- c:\windows\system32\drivers\nvraid.PNF
    2009-07-23 01:36 . 2009-07-23 01:36 10828 ----a-w- c:\windows\system32\drivers\iaAHCI.PNF
    2009-07-23 01:19 . 2009-07-23 01:19 d-----w- c:\program files\CONEXANT
    2009-07-23 01:06 . 2009-07-23 01:06 2 ----a-w- C:\drvpnp.dat
    2009-07-23 01:04 . 2009-07-23 01:04 778 ----a-w- C:\tmpFile.dat
    2009-07-23 01:03 . 2009-07-23 01:03 698 ----a-w- C:\pnpID.dat
    2009-07-23 00:49 . 2009-07-23 00:49 d-----w- c:\program files\microsoft frontpage
    2009-07-23 00:48 . 2009-07-23 00:48 d-----w- c:\program files\Java
    2009-07-23 00:48 . 2009-07-23 00:48 d-----w- c:\program files\Common Files\Java
    2009-07-23 00:41 . 2009-07-23 00:41 21640 ----a-w- c:\windows\system32\emptyregdb.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-24 39408]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
    "ccleaner"="c:\program files\CCleaner\CCleaner.exe" [2009-07-27 1644784]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
    "NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
    "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-04-15 45056]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
    "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000]
    "VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2005-07-15 57344]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    c:\documents and settings\Mary Carroll\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "8085:TCP"= 8085:TCP:ddnsfilter

    R?2 ddnsfilter;ddnsfilter;c:\windows\sySTEM32\SvchoSt.ExE -k ddnsfilter [8/4/2004 1:00 PM 14336]
    R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [8/24/2009 6:09 PM 114768]
    R1 DnsFilter;DnsFilter;c:\windows\system32\drivers\DnsFilter.sys [8/19/2009 4:53 PM 38016]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/24/2009 6:09 PM 20560]
    R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    ddnsfilter REG_MULTI_SZ ddnsfilter
    .
    Contents of the 'Scheduled Tasks' folder

    2009-08-25 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
    .
    .
    Supplementary Scan
    .
    uStart Page = hxxp://www.google.com/
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    mDefault_Search_URL = hxxp://www.google.com/ie
    mStart Page = hxxp://www.google.com
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mSearchAssistant = hxxp://www.google.com/ie
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    FF - ProfilePath - c:\documents and settings\Mary Carroll\Application Data\Mozilla\Firefox\Profiles\wrop93cr.default\
    FF - prefs.js: network.proxy.type - 4
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-08-25 19:35
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    DLLs Loaded Under Running Processes

    - - - - - - - > 'explorer.exe'(2812)
    c:\windows\system32\Audiodev.dll
    c:\windows\system32\WMVCore.DLL
    c:\windows\system32\WMASF.DLL
    .
    Other Running Processes
    .
    c:\program files\Alwil Software\Avast4\aswUpdSv.exe
    c:\program files\Alwil Software\Avast4\ashServ.exe
    c:\windows\system32\brss01a.exe
    c:\windows\system32\wdfmgr.exe
    c:\program files\Alwil Software\Avast4\ashMaiSv.exe
    c:\program files\Alwil Software\Avast4\ashWebSv.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2009-08-25 19:38 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-08-25 18:37

    Pre-Run: 151,520,882,688 bytes free
    Post-Run: 151,495,680,000 bytes free

    268 --- E O F --- 2009-08-15 17:00
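    Reading the two logs above by hand is how the helpers in this thread work. As an added example (not from this thread, and not part of HijackThis, Rooter or ComboFix), the Python below runs a few of the same first-pass checks over lines copied from the HijackThis and ComboFix output posted here: a non-empty O20 AppInit_DLLs value, a core Windows binary spelled with irregular casing (the sySTEM32\SvchoSt.ExE entry), an svchost -k group that is not a stock XP group, a globally open firewall port, and EnableFirewall = 0. The core-binary set and the stock-group list are my assumptions, not something the logs state.

    ```python
    """Flag the log entries a malware-removal helper looks at first.

    Added example for this thread; not part of HijackThis, Rooter or ComboFix.
    """
    from __future__ import annotations
    import re
    from dataclasses import dataclass

    # Constructed sample: lines copied from the HijackThis and ComboFix logs posted above.
    SAMPLE_LINES = [
        r"C:\WINDOWS\System32\smss.exe",
        r"C:\WINDOWS\system32\svchost.exe",
        r"C:\WINDOWS\sySTEM32\SvchoSt.ExE",
        r"C:\WINDOWS\Explorer.EXE",
        r"O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe",
        r"O20 - AppInit_DLLs: cru629.dat",
        r'"EnableFirewall"= 0 (0x0)',
        r'"8085:TCP"= 8085:TCP:ddnsfilter',
        r"R?2 ddnsfilter;ddnsfilter;c:\windows\sySTEM32\SvchoSt.ExE -k ddnsfilter [8/4/2004 1:00 PM 14336]",
        r"R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]",
    ]

    # Core Windows binaries with a fixed spelling (assumption); vendor tools such as
    # MsMpEng.exe or ashDisp.exe legitimately use CamelCase, so they are not checked.
    CORE_BINARIES = {"svchost.exe", "explorer.exe", "lsass.exe", "services.exe", "winlogon.exe",
                     "csrss.exe", "smss.exe", "spoolsv.exe", "rundll32.exe", "ctfmon.exe"}
    # svchost groups that ship with XP (assumption: from memory; extend for your build).
    STOCK_SVCHOST_GROUPS = {"netsvcs", "localservice", "networkservice", "rpcss", "dcomlaunch",
                            "imgsvc", "termsvcs", "httpfilter"}

    # A drive-letter path ending in .exe/.dll/.sys; segments may contain spaces.
    PATH_RE = re.compile(r'[A-Za-z]:\\(?:[^\\\[\]";]*?\\)*[^\\\[\]";]*?\.(?:exe|dll|sys)(?![\w.])', re.I)
    SVCHOST_GROUP_RE = re.compile(r"svchost\.exe\s+-k\s+(\S+)", re.I)
    OPEN_PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(\S+)', re.I)
    FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"\s*=\s*0\b')


    @dataclass
    class Finding:
        rule: str
        detail: str
        line: str


    def regular_case(token: str) -> bool:
        """True for lower, UPPER or Capitalized spellings, the forms Windows tools normally emit."""
        letters = "".join(c for c in token if c.isalpha())
        if not letters:
            return True
        return letters in (letters.lower(), letters.upper(), letters[0].upper() + letters[1:].lower())


    def irregular_components(path: str) -> list[str]:
        """Path components containing a word with mixed casing, e.g. 'sySTEM32' or 'SvchoSt.ExE'."""
        bad = []
        for comp in path.split("\\"):
            words = re.split(r"[^A-Za-z0-9]+", comp)  # 'Program Files' -> two regular words
            if any(not regular_case(w) for w in words):
                bad.append(comp)
        return bad


    def review(lines) -> list[Finding]:
        """Run the checks over log lines and return what a reviewer should look at."""
        findings: list[Finding] = []
        for raw in lines:
            line = raw.strip()
            if line.lower().startswith("o20 - appinit_dlls:"):
                value = line.split(":", 1)[1].strip()
                if value:  # AppInit_DLLs is loaded into every user-mode process; normally empty
                    findings.append(Finding("appinit_dlls", f"'{value}' set; normally empty", line))
            if FIREWALL_OFF_RE.match(line):
                findings.append(Finding("firewall_disabled", "standard-profile firewall is off", line))
            m = OPEN_PORT_RE.match(line)
            if m:
                findings.append(Finding("open_port", f"{m[1]}/{m[2]} opened for '{m[3]}'", line))
            m = SVCHOST_GROUP_RE.search(line)
            if m and m[1].lower() not in STOCK_SVCHOST_GROUPS:
                findings.append(Finding("svchost_group",
                                        f"group '{m[1]}' is not a stock XP group; check its ServiceDll", line))
            for path in PATH_RE.findall(line):
                base = path.rsplit("\\", 1)[-1].lower()
                if base not in CORE_BINARIES:
                    continue
                if "\\windows\\" not in path.lower():
                    findings.append(Finding("core_binary_location", f"{base} outside the Windows directory", line))
                odd = irregular_components(path)
                if odd:
                    findings.append(Finding("odd_casing", f"{base} spelled as {odd}", line))
        return findings


    if __name__ == "__main__":
        for f in review(SAMPLE_LINES):
            print(f"[{f.rule}] {f.detail}\n    {f.line}")
    ```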


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    Hi

    Download TFC to your desktop
    • Open the file and close any other windows.
    • It will close all programs itself when run, make sure to let it run uninterrupted.
    • Click the Start button to begin the process. The program should not take long to finish its job.
    • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.




    Please download Malwarebytes' Anti-Malware from Here

    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy & Paste the entire report in your next reply.
    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.






    Go to Kaspersky website and perform an online antivirus scan.
    1. Read through the requirements and privacy statement and click on Accept button.
    2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    3. When the downloads have finished, click on Settings.
    4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
        Spyware, Adware, Dialers, and other potentially dangerous programs
        Archives
        Mail databases
    5. Click on My Computer under Scan.
    6. Once the scan is complete, it will display the results. Click on View Scan Report.
    7. You will see a list of infected items there. Click on Save Report As....
    8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.


    5. Posts: 0 [Deleted User]


      Hi ASJ, & thanks again for your time.

      I have done those steps, though this machine is really bad.

      I had no problem with the first step (temp cleaner), that went as planned.

      With Malwarebytes, I had this installed so I uninstalled it so I could follow your instructions through. It would not install any updates; the connectivity icon would appear and activity on my network also, though after a minute or so an error would appear.

      So obviously these definitions are not the newest, and I went ahead and did the scan and nothing appeared afterwards.

      It also would not connect to the Kaspersky website.

      Any ideas ASJ, and again thank you so much for your time and skills.


    6. Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


      hi

      Please save this file to your desktop. Double-click on it to run a scan. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.


    8. Posts: 0 [Deleted User]


      WARNING: Could not get backup privileges!
      Searching 'C:\Windows' ......


    9. Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


      hi

      Please save this file to your desktop. Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
      "%userprofile%\desktop\win32kdiag.exe" -f -r


    10. Posts: 0 [Deleted User]


      Log file is located at: C:\Documents and Settings\Mary Carroll\Desktop\Win32kDiag.txt

      Removing all found mount points.

      Attempting to reset file permissions.

      WARNING: Could not get backup privileges!

      Searching 'C:\WINDOWS'...





      Finished!


    11. Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


      hi

      Please save this file to your desktop. Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
      "%userprofile%\desktop\win32kdiag.exe" -f -r



      Download RootRepeal.zip or from here and unzip it to your Desktop.
      • Double click RootRepeal.exe to start the program
      • Click on the Report tab at the bottom of the program window
      • Click the Scan button
      • In the Select Scan dialog, check:

        • Drivers
        • Files
        • Processes
        • SSDT
        • Stealth Objects
        • Hidden Services
        • Click the OK button
        • In the next dialog, select all drives showing
        • Click OK to start the scan
        Note: The scan can take some time. DO NOT run any other programs while the scan is running
        • When the scan is complete, the Save Report button will become available
        • Click this and save the report to your Desktop as RootRepeal.txt
        If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.

        To attach a file, do the following:
        • Click Add Reply
        • Under the reply panel is the Attachments Panel
        • Browse for the attachment file you want to upload, then click the green Upload button
        • Once it has uploaded, click the Manage Current Attachments drop down box
        • Click on attach_add.png to insert the attachment into your post


      • Posts: 0 [Deleted User]


        Hi ASJ,

        I ran out of patience and as I type this I have DBAN doing its thing on it.

        I will re-install XP and put proper security measures in place, and inform him of some safe practices online.

        Ta again for your time.

        Regards

        James

