mumbojumbo28

Possible virus, Websites blocked and a hijacked account

8 posts in this topic

So here's the story:

I was logged onto Steam when a friend messaged me through Steam's chat to watch a video. He also mentions to update Adobe Flash on the website if the video doesn't play. I click the link he sends and it opens a website which (I now know) really isn't Metacafe. The video doesn't play and it says to update Adobe Flash Player where the video should be. I click the download link and download an exe named adobeflashplayer.exe. I run it, thinking it would update my Flash, but nothing happens. Later, I notice that the exe has disappeared off my desktop where I had saved it. My Steam suddenly closes, but I turn off my computer because I had to leave. When I return and turn on my computer I am prompted multiple times at startup to run or cancel svchost or crssv from system32\etc and system32\drivers. I run them to get rid of it so I can continue using the computer. I reboot my computer to see if it would prompt me again. It does. Suspicious, I log onto my Steam account only to have it reject my password. I log onto my email only to see that the password and contact email for my Steam account were changed a few minutes after I had to leave. I immediately run Spybot but it catches nothing. I run Ad-Aware, which detects the previously mentioned crssv.exe. I delete it. I later run HijackThis and see crssv listed. I remove it and reboot my computer to see if I get the run prompt again. I don't.

 

Here's the problem:

At this point I want to make sure my computer is fully clean before retrieving my account. I ran Spybot, HijackThis and Ad-Aware as mentioned above. I later ran MBAM after reading the FAQs at the SWI forums and it caught 5 items. I deleted them and saved the logs. However, there is still one problem. Whenever I try to go to Steam's support page through a link or by typing it into my URL box, all my internet browsers are unable to connect to the page. I am also unable to connect to the general steampowered website if I type it directly into my URL box. Now I am unable to retrieve my account.

 

I am not quite sure what happened but I do know there are people who write programs in the underground Steam community to steal accounts. I am not quite sure but I think this is how the program works. The victim downloads and runs the executable. The executable goes into the registry and gets the login for the Steam account, which is sent to an FTP server. However, when I ran the program, my McAfee, which usually prompts me when a program wants to access the internet, did not do anything or detect anything.

 

So at this point I want to make sure everything is clean and I want to fix the problem with my internet browser so I can retrieve my account.

 

Here is my HijackThis log after running MBAM and after I had deleted crssv from it:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 6:37:04 PM, on 7/6/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\sttray.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe

C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\Program Files\McAfee\VirusScan\McShield.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Documents and Settings\Mumbo\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Mumbo\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\Documents and Settings\Mumbo\Desktop\HiJackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [sigmatelSysTrayApp] sttray.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Mumbo\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab

O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe

O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

O23 - Service: Google Update Service (gupdate1c9e89a222decd4) (gupdate1c9e89a222decd4) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe

O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

 

--

End of file - 8306 bytes

 

 

Here is my MBAM log, which caught 5 items:

 

Malwarebytes' Anti-Malware 1.38

Database version: 2382

Windows 5.1.2600 Service Pack 2

 

7/6/2009 6:27:27 PM

mbam-log-2009-07-06 (18-27-27).txt

 

Scan type: Full Scan (C:\|E:\|G:\|J:\|)

Objects scanned: 384996

Time elapsed: 4 hour(s), 51 minute(s), 35 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 3

Folders Infected: 0

Files Infected: 1

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

(No malicious items detected)

 

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{t5tbb77l-4678-0mkc-421q-14416031dyu6} (Password.Stealer) -> Quarantined and deleted successfully.

 

Registry Values Infected:

(No malicious items detected)

 

Registry Data Items Infected:

HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

 

Folders Infected:

(No malicious items detected)

 

Files Infected:

c:\documents and settings\Mumbo\local settings\temporary internet files\ijjistarter2.exe (Trojan.Agent) -> Quarantined and deleted successfully.

 

 

I would like to thank the volunteers at SWI for helping out people like me.

Time is of the essence since my account could get irreversibly VAC banned if someone cheats with it. And the malicious person can use my account to try to trick my friends. However, cleaning my computer is first priority.

 

 

EDIT 7/7 12:19 a.m.: I think my hosts file was altered to block Steam. I think this is the case since I can see advertisement banners that I haven't seen before. I will reinstall the hosts file and report the result tomorrow.

Edited by mumbojumbo28

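A way to test the hosts-file hypothesis in the EDIT above before reinstalling the file. This is an added example by the editor, not code from the thread or from any of the tools named in it. On Windows XP the file lives at %SystemRoot%\system32\drivers\etc\hosts. The contents below are constructed to resemble the situation described: the Security Check output further down lists the MVPS hosts file, which consists of thousands of 0.0.0.0 blocklist lines, so a check cannot simply flag every entry that is not localhost; instead it flags any entry at all for a domain the user needs to reach (the watchlist is an assumption), plus any name mapped to a real address rather than a sinkhole, and malformed lines.

```python
"""Audit a Windows hosts file for entries that hijack sites you need to reach.

Added example, not part of the original thread.  SAMPLE_HOSTS is constructed;
WATCHLIST is an assumption (the domains the poster could not reach).
"""
import ipaddress

# Domains the user must be able to reach.  Any mapping for these, or for a
# subdomain, is a hijack regardless of the address it points to.
WATCHLIST = ("steampowered.com", "steamcommunity.com", "valvesoftware.com")

# Addresses a blocklist such as the MVPS hosts file legitimately maps names to.
SINKHOLES = {"0.0.0.0", "127.0.0.1", "::1"}

LOCAL_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample: MVPS-style blocklist lines followed by the kind of
# entries a stealer might append to cut the victim off from account recovery.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# MVPS-style blocklist entries (constructed excerpt)
0.0.0.0 ads.example.org
0.0.0.0 banners.example.net
# entries a stealer might append (constructed)
127.0.0.1 support.steampowered.com
127.0.0.1 www.steampowered.com steampowered.com
0.0.0.0 steamcommunity.com
93.184.216.34 www.steampowered.com   # real address: a redirect, not just a block
198.51.100.7 www.example.com
this is not a hosts line
"""


def parse_hosts(text):
    """Yield (lineno, ip, hostname) per mapping; ip is None for malformed lines."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            yield lineno, None, line  # not a mapping, but worth a look
            continue
        for name in fields[1:]:  # one address may carry several names
            yield lineno, str(ip), name.lower().rstrip(".")


def on_watchlist(hostname):
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHLIST)


def audit_hosts(text):
    """Return (kind, lineno, name, ip) findings, most serious first."""
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if ip is None:
            findings.append(("malformed", lineno, name, None))
        elif on_watchlist(name):
            findings.append(("hijack", lineno, name, ip))
        elif ip not in SINKHOLES and name not in LOCAL_NAMES:
            # A real address for a name: traffic is being sent somewhere else.
            findings.append(("redirect", lineno, name, ip))
    order = {"hijack": 0, "redirect": 1, "malformed": 2}
    findings.sort(key=lambda f: (order[f[0]], f[1]))
    return findings


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        text = open(sys.argv[1], encoding="utf-8", errors="replace").read()
    else:
        text = SAMPLE_HOSTS
    for kind, lineno, name, ip in audit_hosts(text):
        print(f"{kind:9} line {lineno:3}: {name} -> {ip}")
```

Run it against a copy of the real file (`python hosts_audit.py hosts`). A hijack finding explains "unable to connect" to one site while everything else works; a redirect finding is worse, since the name now resolves to a host the attacker chose. Deleting the whole file to restore connectivity also throws away the blocklist, which matches the poster's observation of new advertisement banners.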

Hello Mumbo!

 

I'm afraid I have bad news.

 

Your logs reveal a password stealer.

 

I would counsel you to disconnect this PC from the Internet immediately, and only reconnect to download any tools that are required. If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

 

You will need to change your passwords, and all other sensitive information, but only once your system is deemed clean.

 

 

 

With that said, please do the following.

I highly recommend you remove Viewpoint.

 

This program does not do anything bad such as deliver ads or spy on you, but it is considered foistware as it is installed without your consent through programs like AOL, AIM, Compuserve, etc.

Foistware may open the door for malware and is sometimes installed without the user's knowledge or permission. Viewpoint is known to be intrusive and there is some possibility that it is now being used by its owners to track your habits.

 

If you choose to follow my recommendation then please go to Start -> Control Panel, double-click on Add or Remove Programs

Search the list, and uninstall the following programs (if present) by clicking the Remove or Change/Remove button.

 


  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
  • Viewpoint Toolbar

Then please find and delete these folders (if present):

c:\program files\Viewpoint

c:\documents and settings\All Users\Application Data\Viewpoint

 

 

 

Please download ATF Cleaner. Save it to your Desktop.

  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.

If you use Firefox browser, do this also:

  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:

  • Click Opera at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

 

 

 

Download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

 

 

 

Please update Malwarebytes' Anti-Malware to the newest version and run it again.

 

 

 

Please download ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

 

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

 

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

 

Please include the C:\ComboFix.txt, MBAM log and the contents of checkup.txt in your next reply for further review.

 

 

Best regards

 

e-tech

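e-tech's reading of the MBAM log, as a script. This is an added example by the editor, not code from the thread, from Malwarebytes or from SWI. It parses the detection lines in the format MBAM 1.x writes (SAMPLE_LOG repeats the detection lines posted above with the header trimmed) and attaches what a responder acts on: the Active Setup\Installed Components key is a per-user logon persistence location, and its component name is not even a well-formed GUID, which is what legitimate installers put there; the two Security Center values flipped from 0 to 1 mean the "antivirus off" and "firewall off" warnings were suppressed. The severity table is the editor's own reading of the detection names, not a Malwarebytes classification.

```python
"""Pull the detections out of a Malwarebytes' Anti-Malware 1.x log and triage them.

Added example by the editor, not code from the thread, Malwarebytes or SWI.
SAMPLE_LOG repeats the detection lines from the log posted in the thread;
SEVERITY is the editor's reading of the detection names.
"""
import re

# <location> (<ThreatName>) -> [Bad: (<x>) Good: (<y>) -> ]<action>
ITEM_RE = re.compile(
    r"^(?P<where>.+?) \((?P<threat>[^()]+)\) -> "
    r"(?:Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> )?"
    r"(?P<action>.+?)\.?$"
)
# Active Setup component keys are normally hex GUIDs, sometimes prefixed with '>'.
GUID_RE = re.compile(r"^>?\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)

SEVERITY = {
    "Password.Stealer": ("credential theft",
        "assume every password used on this PC is known to the attacker; change them from a clean machine"),
    "Disabled.SecurityCenter": ("defense evasion",
        "Security Center warnings were silenced; verify the AV and firewall are really running"),
    "Broken.OpenCommand": ("shell command hijack",
        "a file-type open command was altered; re-check the key after cleanup"),
    "Trojan.Agent": ("generic trojan",
        "downloader/dropper behaviour; look for what it wrote to disk and the registry"),
}

SAMPLE_LOG = r"""
Registry Keys Infected: 1
Registry Data Items Infected: 3
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{t5tbb77l-4678-0mkc-421q-14416031dyu6} (Password.Stealer) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\Mumbo\local settings\temporary internet files\ijjistarter2.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""


def parse_mbam_log(text):
    """Return one dict per detection line, tagged with the section it appeared under."""
    items, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("Infected:"):            # e.g. "Registry Data Items Infected:"
            section = line[: -len(" Infected:")]
            continue
        if not line or section is None or line.startswith("(No malicious"):
            continue  # summary counts, blank lines, empty sections
        m = ITEM_RE.match(line)
        if m:
            items.append({**m.groupdict(), "section": section})
    return items


def triage(items):
    """Attach a category, advice and structural red flags to each detection."""
    findings = []
    for it in items:
        kind, advice = SEVERITY.get(it["threat"], ("unclassified", "review manually"))
        notes = []
        if "\\Active Setup\\Installed Components\\" in it["where"]:
            component = it["where"].rsplit("\\", 1)[1]
            notes.append("Active Setup entry: its StubPath runs once per user at logon")
            if not GUID_RE.match(component):
                notes.append(f"component name {component} is not a well-formed GUID")
        if it["bad"] is not None:
            notes.append(f"value changed from {it['good']} to {it['bad']}")
        findings.append({"threat": it["threat"], "kind": kind, "section": it["section"],
                         "where": it["where"], "notes": notes, "advice": advice})
    return findings


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        text = open(sys.argv[1], encoding="utf-8", errors="replace").read()
    else:
        text = SAMPLE_LOG
    for f in triage(parse_mbam_log(text)):
        print(f"[{f['kind']}] {f['section']}: {f['where']}")
        for note in f["notes"]:
            print(f"    - {note}")
        print(f"    => {f['advice']}")
```

The GUID check is the detail worth keeping: `{t5tbb77l-4678-0mkc-421q-14416031dyu6}` contains letters that are not hex digits, so no installer generated it, and a key like that under Active Setup would stand out in a registry export even without a signature for the stealer itself.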

Thanks e-tech. I have removed Viewpoint and ran ATF Cleaner afterwards. I believe my MBAM is up to date with version 1.38. I also made sure my virus definitions were up to date before scanning.

Here is my security check log:

Results of screen317's Security Check version 0.98.4

Windows XP Service Pack 2

Out of date service pack!!

``````````````````````````````

Antivirus/Firewall Check:

``````````````````````````````

Windows Firewall Disabled!

McAfeeSecurityCenter

Antivirus up to date!

``````````````````````````````

Anti-malware/Other Utilities Check:

``````````````````````````````

Ad-Aware

MVPS Hosts File

Spybot - Search & Destroy

Malwarebytes' Anti-Malware

HijackThis 2.0.2

Java 6 Update 5

Out of date Java installed!

Adobe Flash Player 10

``````````````````````````````

Process Check:

objlist.exe by Laurent

``````````````````````````````

Ad-Aware AAWService.exe

Ad-Aware AAWTray.exe

Spybot SDHelper is disabled!

McAfee VirusScan McShield.exe

McAfee VIRUSS~1 mcsysmon.exe

``````````````````````````````

DNS Vulnerability Check:

``````````````````````````````

GREAT! (Very random)

 

Scan took 93579 seconds.

`````````End of Log```````````

 

 

Here is my ComboFix log:

ComboFix 09-07-08.02 - Mumbo 07/08/2009 13:32.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1542 [GMT -7:00]

Running from: c:\documents and settings\Mumbo\Desktop\ComboFix.exe

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\documents and settings\Mumbo\Application Data\inst.exe

c:\documents and settings\Mumbo\Local Settings\Temporary Internet Files\ijjistarter_verinfo.dat

c:\windows\Downloaded Program Files\ijjiPreNotify2.exe

c:\windows\Installer\90da4.msi

c:\windows\Installer\d94ccc.msi

c:\windows\system32\abedcafea8_z.dll

c:\windows\WINDOWS

c:\windows\WINDOWS\Installer\90da4.msi

H:\autorun.inf

 

.

((((((((((((((((((((((((( Files Created from 2009-06-08 to 2009-07-08 )))))))))))))))))))))))))))))))

.

 

2009-07-06 20:32 . 2009-07-06 20:32 -------- d-----w- c:\documents and settings\Mumbo\Application Data\Malwarebytes

2009-07-06 20:32 . 2009-06-17 18:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-07-06 20:32 . 2009-07-07 01:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-07-06 20:32 . 2009-07-06 20:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-07-06 20:32 . 2009-06-17 18:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-07-06 07:27 . 2009-07-06 07:12 15688 ----a-w- c:\windows\system32\lsdelete.exe

2009-07-06 07:12 . 2009-07-06 07:11 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys

2009-07-06 07:12 . 2009-07-06 07:12 314712 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe

2009-07-06 07:12 . 2009-07-06 07:12 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll

2009-07-06 07:12 . 2009-07-06 07:12 169312 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll

2009-07-06 07:12 . 2009-07-06 07:12 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe

2009-07-06 07:12 . 2009-07-06 07:12 348496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll

2009-07-06 07:12 . 2009-07-06 07:12 298336 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll

2009-07-06 07:12 . 2009-07-06 07:12 84832 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll

2009-07-06 07:11 . 2009-07-06 07:11 1630560 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll

2009-07-06 07:11 . 2009-07-06 07:11 246128 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll

2009-07-06 07:11 . 2009-07-06 07:11 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys

2009-07-06 07:11 . 2009-07-06 07:11 40288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll

2009-07-06 07:11 . 2009-07-06 07:11 85352 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\AAWDriverTool.exe

2009-07-06 07:11 . 2009-07-06 07:11 664424 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll

2009-07-06 07:11 . 2009-07-06 07:11 563064 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe

2009-07-06 07:11 . 2009-07-06 07:11 566632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe

2009-07-06 07:11 . 2009-07-06 07:11 2352968 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe

2009-07-06 07:11 . 2009-07-06 07:11 629072 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe

2009-07-06 07:11 . 2009-07-06 07:11 520024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe

2009-07-06 07:11 . 2009-07-06 07:11 1029456 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe

2009-07-06 07:04 . 2009-07-06 07:04 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}

2009-07-06 07:04 . 2009-03-12 08:17 2902048 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe

2009-07-06 07:03 . 2009-07-06 07:03 -------- d-----w- c:\program files\Lavasoft

2009-07-06 02:13 . 2009-07-06 06:32 -------- d-sh--r- c:\windows\system32\etc

2009-07-05 02:01 . 2009-07-05 02:01 -------- d-----w- c:\documents and settings\Mumbo\Local Settings\Application Data\CAPCOM

2009-06-25 05:31 . 2009-06-25 05:31 -------- d-----w- c:\program files\PFPortChecker

2009-06-24 00:46 . 2009-06-24 00:52 -------- d-----w- c:\documents and settings\Mumbo\Application Data\ImgBurn

2009-06-24 00:29 . 2009-06-24 00:29 -------- d-----w- c:\program files\ImgBurn

2009-06-19 23:29 . 2009-06-19 23:29 -------- d-----w- c:\documents and settings\Mumbo\Local Settings\Application Data\GHOSTBUSTERS

2009-06-09 20:14 . 2009-06-09 20:14 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google

2009-06-09 00:35 . 2009-06-09 00:35 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-07-08 07:40 . 2007-11-25 11:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater

2009-07-07 07:37 . 2007-11-27 18:11 -------- d-----w- c:\documents and settings\Mumbo\Application Data\Azureus

2009-07-06 07:03 . 2007-11-25 16:43 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-07-06 06:57 . 2007-11-25 11:46 -------- d-----w- c:\program files\Steam

2009-07-06 06:29 . 2009-07-06 06:29 892 ----a-w- c:\documents and settings\Mumbo\Application Data\368328.tmp

2009-07-06 02:17 . 2009-07-06 02:17 804 ----a-w- c:\documents and settings\Mumbo\Application Data\25712187.tmp

2009-07-05 22:02 . 2007-11-25 01:33 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-06-25 06:42 . 2007-11-27 18:10 -------- d-----w- c:\program files\Azureus

2009-06-23 05:23 . 2008-11-02 09:08 -------- d-----w- c:\documents and settings\Mumbo\Application Data\FileZilla

2009-06-19 23:21 . 2008-05-27 00:39 -------- d-----w- c:\program files\Atari

2009-06-16 20:35 . 2007-11-25 17:35 -------- d-----w- c:\program files\AIM6

2009-05-17 20:44 . 2008-06-28 19:26 -------- d-----w- c:\documents and settings\Mumbo\Application Data\Vso

2009-05-10 00:29 . 2008-05-17 22:12 -------- d-----w- c:\program files\The Seal Hunter

2009-05-04 00:34 . 2009-05-01 00:12 98304 ----a-w- c:\documents and settings\Mumbo\Application Data\Soldat\Battleye\BEClient.dll

2009-04-22 07:20 . 2009-04-22 07:20 14311680 ----a-w- c:\windows\system32\xlive.dll

2009-04-22 07:20 . 2009-04-22 07:20 13642496 ----a-w- c:\windows\system32\xlivefnt.dll

2006-05-03 09:06 . 2008-01-10 04:30 163328 --sh--r- c:\windows\system32\flvDX.dll

2007-02-21 10:47 . 2008-01-10 04:30 31232 --sh--r- c:\windows\system32\msfDX.dll

2005-04-09 11:12 . 2009-07-06 06:32 209058 --sha-r- c:\windows\system32\etc\crssv.exe

2006-02-26 23:47 . 2009-07-06 06:32 293376 --sha-r- c:\windows\system32\etc\plugin.dat

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Google Update"="c:\documents and settings\Mumbo\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-02-12 133104]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-25 68856]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-02 582992]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-27 13684736]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-27 86016]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]

"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2004-08-04 110592]

"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-03-27 1657376]

"SigmatelSysTrayApp"="sttray.exe" - c:\windows\sttray.exe [2007-05-06 405504]

 

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2009-1-2 67128]

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-8-24 805392]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2008-05-02 09:42 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *\0lsdelete

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk

backup=c:\windows\pss\Google Updater.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk

backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk

backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^Mumbo^Start Menu^Programs^Startup^MagicDisc.lnk]

path=c:\documents and settings\Mumbo\Start Menu\Programs\Startup\MagicDisc.lnk

backup=c:\windows\pss\MagicDisc.lnkStartup

 

[HKLM\~\startupfolder\C:^Documents and Settings^Mumbo^Start Menu^Programs^Startup^Registration Ghost Recon Advanced Warfighter.LNK]

path=c:\documents and settings\Mumbo\Start Menu\Programs\Startup\Registration Ghost Recon Advanced Warfighter.LNK

backup=c:\windows\pss\Registration Ghost Recon Advanced Warfighter.LNKStartup

 

[HKLM\~\startupfolder\C:^Documents and Settings^Mumbo^Start Menu^Programs^Startup^RollerCoaster Tycoon 3 Registration.lnk]

path=c:\documents and settings\Mumbo\Start Menu\Programs\Startup\RollerCoaster Tycoon 3 Registration.lnk

backup=c:\windows\pss\RollerCoaster Tycoon 3 Registration.lnkStartup

 

[HKLM\~\startupfolder\C:^Documents and Settings^Mumbo^Start Menu^Programs^Startup^RollerCoaster Tycoon 3_ Wild Registration.lnk]

path=c:\documents and settings\Mumbo\Start Menu\Programs\Startup\RollerCoaster Tycoon 3_ Wild Registration.lnk

backup=c:\windows\pss\RollerCoaster Tycoon 3_ Wild Registration.lnkStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=

"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3y.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"j:\\Games\\Call of Duty - World At War\\CoDWaWmp.exe"=

"j:\\Games\\Call of Duty - World At War\\CoDWaW.exe"=

"j:\\Games\\FlatOut UC\\FlatOut Ultimate Carnage\\Fouc.exe"=

"j:\\Games\\pop\\Prince of Persia.exe"=

"j:\\Games\\pop\\PrinceOfPersia_Launcher.exe"=

"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=

"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=

"j:\\Games\\Mirrors Edge\\Binaries\\MirrorsEdge.exe"=

"j:\\Games\\bionic commando rearmed\\bcr.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\trackmania nations forever\\TmForever.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\trackmania nations forever\\TmForeverLauncher.exe"=

"j:\\Games\\Burnout Paradise\\BurnoutLauncher.exe"=

"j:\\Games\\Burnout Paradise\\BurnoutConfigTool.exe"=

"j:\\Games\\Burnout Paradise\\BurnoutParadise.exe"=

"j:\\Games\\EndWar\\Tom Clancy's EndWar\\Binaries\\EndWar.exe"=

"j:\\Games\\EndWar\\Tom Clancy's EndWar\\Tom Clancy's EndWar Launcher.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=

"j:\\Games\\Tom Clancy's H.A.W.X\\HAWX.exe"=

"j:\\Games\\Tom Clancy's H.A.W.X\\HAWX_dx10.exe"=

"j:\\Games\\Far Cry 2\\bin\\FarCry2.exe"=

"j:\\Games\\Far Cry 2\\bin\\FC2Launcher.exe"=

"j:\\Games\\Far Cry 2\\bin\\FC2Editor.exe"=

"j:\\Games\\Prototype\\prototypef.exe"=

"j:\\Games\\Street Fighter IV\\StreetFighterIV.exe"=

"j:\\Games\\Overlord II\\Overlord2.exe"=

 

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/6/2009 12:12 AM 64160]

R2 PD91Agent;PD91Agent;c:\program files\Raxco\PerfectDisk2008\PD91Agent.exe [9/9/2008 2:49 PM 693512]

R3 PPJoyBus;Parallel Port Joystick Bus device driver;c:\windows\system32\drivers\PPJoyBus.sys [1/23/2004 5:33 PM 13952]

R3 PPortJoystick;Parallel Port Joystick device driver;c:\windows\system32\drivers\PPortJoy.sys [1/23/2004 5:32 PM 28800]

S2 gupdate1c9e89a222decd4;Google Update Service (gupdate1c9e89a222decd4);c:\program files\Google\Update\GoogleUpdate.exe [6/8/2009 5:35 PM 133104]

S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 12:06 PM 1029456]

S3 PD91Engine;PD91Engine;c:\program files\Raxco\PerfectDisk2008\PD91Engine.exe [9/9/2008 2:49 PM 906504]

S3 PortTalk;PortTalk;c:\windows\system32\drivers\PortTalk.sys [3/18/2008 8:12 PM 3567]

S3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [10/1/2006 5:37 AM 26624]

S3 TiglUsb;TiglUsb.sys TI-GRAPH / DIRECT LINK USB driver;c:\windows\system32\drivers\TiglUsb.sys [3/18/2008 8:12 PM 17024]

S3 wip0204;Wippien Network Adapter 2.4;c:\windows\system32\drivers\wip0204.sys [11/19/2008 10:38 PM 23480]

.

Contents of the 'Scheduled Tasks' folder

 

2009-07-06 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 07:11]

 

2009-07-08 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-11-25 23:37]

 

2009-07-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-09 00:34]

 

2009-07-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-09 00:34]

 

2009-07-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-602162358-179605362-839522115-1003Core.job

- c:\documents and settings\Mumbo\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-12 07:46]

 

2009-07-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-602162358-179605362-839522115-1003UA.job

- c:\documents and settings\Mumbo\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-12 07:46]

 

2009-06-15 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-11-25 21:32]

 

2009-05-01 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-11-25 21:32]

.

- - - - ORPHANS REMOVED - - - -

 

Notify-AtiExtEvent - (no file)

 

 

.

------- Supplementary Scan -------

.

uStart Page = hxxp://yahoo.com/

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: &Winamp Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

FF - ProfilePath - c:\documents and settings\Mumbo\Application Data\Mozilla\Firefox\Profiles\28zti0wj.default\

FF - prefs.js: browser.startup.homepage - yahoo.com

FF - plugin: c:\documents and settings\Mumbo\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll

FF - plugin: c:\program files\Download Manager\npfpdlm.dll

FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll

FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll

 

---- FIREFOX POLICIES ----

FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service

.

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-07-08 13:37

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

 

[HKEY_USERS\S-1-5-21-602162358-179605362-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A1DCD957-4110-98C2-E7AD-23ACB1CB1977}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"oaiemhdhlaljligefagnjloomlbpip"=hex:64,61,64,64,61,68,70,69,00,e0

"oamleeknenelmoilfodmjcdamacfac"=hex:6a,61,69,63,6d,66,61,6d,61,66,6f,66,68,68,

70,69,62,70,67,66,00,fd

"naclnkaomciokhekkpjfjfglpocc"=hex:6a,61,69,63,6d,66,61,6d,61,66,6f,66,68,68,

70,69,62,70,67,66,00,fd

 

[HKEY_USERS\S-1-5-21-602162358-179605362-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:91,1b,75,08,3f,87,c2,e3,e8,a5,69,94,62,c9,96,a8,15,39,59,f5,b5,ac,f3,

72,03,46,f1,ec,b0,53,00,71,8b,fa,79,6a,99,da,a1,d4,96,72,c7,1f,42,92,fd,af,\

"??"=hex:cd,83,43,89,95,88,5a,13,cd,a4,fd,85,a2,db,70,25

 

[HKEY_USERS\S-1-5-21-602162358-179605362-839522115-1003\Software\SecuROM\License information*]

"datasecu"=hex:57,5a,e4,0e,24,7e,11,c6,c6,a6,8a,18,ea,7a,4d,c0,83,3c,58,f9,00,

1a,5a,4c,39,aa,b9,20,77,77,62,0f,3a,4d,b0,db,39,88,9c,76,90,bc,e8,c2,37,68,\

"rkeysecu"=hex:9f,ec,e7,86,66,3c,4b,9e,90,a7,8f,84,0a,f8,a0,80

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'winlogon.exe'(900)

c:\program files\common files\logitech\bluetooth\LBTWlgn.dll

c:\program files\common files\logitech\bluetooth\LBTServ.dll

 

- - - - - - - > 'lsass.exe'(956)

c:\windows\system32\relog_ap.dll

.

Completion time: 2009-07-08 13:41

ComboFix-quarantined-files.txt 2009-07-08 20:41

 

Pre-Run: 578,478,080 bytes free

Post-Run: 585,953,280 bytes free

 

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

 

281

 

 

 

 

I believe the directory which was recently created, c:\windows\system32\etc, is associated with the malicious program I ran, since that is the directory that showed up when I was prompted previously on start-up to run svchost. I am no longer prompted to run anything on start-up.

 

Also, after running ComboFix, Internet Explorer appears on my desktop. Google Chrome, which I normally use, was no longer my default browser.

 

Finally, I was able to connect to the Steam support website once I manually replaced my hosts file.

For some reason, my McAfee, which is always active, did not alert me when the malicious program connected to the internet (I think that's what it does). It also did not alert me when my hosts file was changed by the malicious program. It did, however, alert me when I manually replaced it.

 

Thank you, e-tech, for your help. I am one step closer to having confidence in the safety of my computer.

 

One more thing: as you may have noticed, I install my video games to another hard drive. Is this safe, as it is located on a hard drive separate from my C drive and my OS?

 

EDIT: Steam account retrieved. However, I won't log in until I am sure my PC is clean.

Edited by mumbojumbo28


Hello mumbojumbo28

 

I believe the directory which was recently created, c:\windows\system32\etc, is associated with the malicious program I ran, since that is the directory that showed up when I was prompted previously on start-up to run svchost.

Could be. The etc folder is normally located in C:\WINDOWS\system32\drivers\. We'll take a look.

 

Google Chrome, which I normally use, was no longer my default browser.

Yes. Wait until you get clean, then you can add it again as your default browser.

 

One more thing: as you may have noticed, I install my video games to another hard drive. Is this safe, as it is located on a hard drive separate from my C drive and my OS?

Yes, no problem.

 

I have noticed that you have 2 antispyware programs installed on your computer.

These are:


  • Spybot - Search & Destroy
  • Ad-Aware

Warning!

Running more than one resident protection program of the same type (antivirus, firewall or antispyware program) at the same time can result in unwanted conflict.

This can reduce the effectiveness of all your antispyware programs individually.

If you want to keep all your antispyware programs then please make sure they are not in resident mode at the same time.

 

 

 

Please set WinXP to show hidden/system files and folders so that you can find them to delete.

 

Please click Start and open My Computer.

On the Tools menu, click on Folder Options.

On the View tab, uncheck "Hide file extensions for known file types".

Uncheck "Hide protected operating system files (Recommended)" and click Yes on the warning message. Under "Hidden files and folders", check "Show hidden files and folders".

Click Apply to All Folders.

Click OK and close My Computer.

 

 

 

Please go to VirusTotal, and upload the following files for analysis:

c:\documents and settings\Mumbo\Application Data\368328.tmp

c:\documents and settings\Mumbo\Application Data\25712187.tmp

c:\windows\system32\etc\crssv.exe

c:\windows\system32\etc\plugin.dat

Post the VirusTotal results in your reply.

 

 

Please

1. Close any open browsers.

 

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

 

3. Open Notepad and copy/paste the text in the quotebox below into it:

 

KILLALL::

DirLook::

c:\windows\system32\etc

FileLook::

c:\documents and settings\Mumbo\Application Data\368328.tmp

c:\documents and settings\Mumbo\Application Data\25712187.tmp

c:\windows\system32\etc\crssv.exe

c:\windows\system32\etc\plugin.dat

RegNull::

[HKEY_USERS\S-1-5-21-602162358-179605362-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A1DCD957-4110-98C2-E7AD-23ACB1CB1977}*]

 

Save this as CFScript.txt, in the same location as ComboFix.exe

 

CFScriptB-4.gif

 

Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

 

When finished, it shall produce a log for you at C:\ComboFix.txt which I shall require in your next reply along with the VirusTotal results.

 

 

Best regards

 

e-tech

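e-tech's instructions above come down to making hidden and system files visible and pulling the files in c:\windows\system32\etc out for inspection. As an added example, not code from the thread, from ComboFix or from e-tech, here is a Python triage pass over ComboFix file-listing lines that automates the same look: it flags entries carrying both the system and hidden attributes, entries whose two timestamps are more than a year apart (ComboFix prints a created and a modified time per entry, in opposite order in the "Files Created" and Find3M sections, so the pair is treated as unordered), and an `etc` folder sitting directly under system32 instead of under system32\drivers, the point e-tech makes above. The sample lines are copied from the ComboFix logs posted in this thread; the attribute-letter meanings are read off those lines and are an assumption about ComboFix's format.

```python
"""Triage ComboFix file-listing lines for hidden/system files and backdated times.

Added example for this thread; not ComboFix's, e-tech's or the poster's code.
Sample lines are copied from the 'Files Created' and Find3M sections of the
ComboFix logs in the thread. The attribute letters (d=directory, c=compressed,
s=system, h=hidden, a=archive, r=read-only, w=writable) are inferred from those
lines and are an assumption about ComboFix's output format.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, NamedTuple, Optional

# Copied from the thread's logs (constructed sample set, not a full log).
SAMPLE_LINES = r'''
2009-07-06 02:13 . 2009-07-06 06:32 -------- d-sh--r- c:\windows\system32\etc
2009-07-06 20:32 . 2009-06-17 18:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-06 06:29 . 2009-07-06 06:29 892 ----a-w- c:\documents and settings\Mumbo\Application Data\368328.tmp
2009-04-22 07:20 . 2009-04-22 07:20 14311680 ----a-w- c:\windows\system32\xlive.dll
2005-04-09 11:12 . 2009-07-06 06:32 209058 --sha-r- c:\windows\system32\etc\crssv.exe
2006-02-26 23:47 . 2009-07-06 06:32 293376 --sha-r- c:\windows\system32\etc\plugin.dat
'''.strip().splitlines()

LINE_RE = re.compile(
    r'^(?P<t1>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+\.\s+'
    r'(?P<t2>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+'
    r'(?P<size>\d+|-+)\s+(?P<attrs>[a-z-]{8})\s+(?P<path>.+)$')
TS = '%Y-%m-%d %H:%M'


class Entry(NamedTuple):
    path: str
    attrs: str
    size: Optional[int]   # None for directories ('--------')
    older: datetime       # earlier of the two printed timestamps
    newer: datetime       # later of the two printed timestamps


def parse_line(line: str) -> Optional[Entry]:
    """Parse one ComboFix file line; None if the line is not in that format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    t1, t2 = (datetime.strptime(m.group(k), TS) for k in ('t1', 't2'))
    size = int(m.group('size')) if m.group('size').isdigit() else None
    return Entry(m.group('path'), m.group('attrs'), size, min(t1, t2), max(t1, t2))


def triage(e: Entry, gap: timedelta = timedelta(days=365)) -> List[str]:
    """Reasons an entry deserves a look; an empty list means nothing stood out."""
    flags: List[str] = []
    if 's' in e.attrs and 'h' in e.attrs:
        flags.append('hidden+system')            # exactly what Explorer hides by default
    if e.newer - e.older > gap:                   # old mtime but recent ctime, or vice versa
        flags.append('timestamps %d days apart' % (e.newer - e.older).days)
    low = e.path.lower()
    if low.endswith('\\system32\\etc') or '\\system32\\etc\\' in low:
        flags.append('etc outside system32\\drivers')
    return flags


def triage_lines(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Path -> flags for every parseable line that raised at least one flag."""
    out: Dict[str, List[str]] = {}
    for line in lines:
        e = parse_line(line)
        if e is not None:
            f = triage(e)
            if f:
                out[e.path] = f
    return out


if __name__ == '__main__':
    for path, flags in triage_lines(SAMPLE_LINES).items():
        print('%-55s %s' % (path, '; '.join(flags)))
```

Run over the sample, only the `etc` directory and its two files come back: hidden plus system attributes, a modified time of 2005 or 2006 against a created time of 2009-07-06, and the wrong parent folder, while the Malwarebytes driver, the .tmp file and xlive.dll pass. A large gap between the two times is a prompt to look, not a verdict: a file copied from old installation media also keeps its original modified time, which is why the attribute and location checks are combined with it rather than used alone.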

Here are my VirusTotal results. I also found the file logs.dat in the etc folder, which I uploaded with no results. I don't know if the file information may be helpful.

 

File 368328.tmp received on 2009.07.09 21:34:17 (UTC)

Antivirus;Version;Last Update;Result

a-squared;4.5.0.18;2009.07.09;-

AhnLab-V3;5.0.0.2;2009.07.09;-

AntiVir;7.9.0.204;2009.07.09;-

Antiy-AVL;2.0.3.1;2009.07.09;-

Authentium;5.1.2.4;2009.07.09;-

Avast;4.8.1335.0;2009.07.09;-

AVG;8.5.0.387;2009.07.09;-

BitDefender;7.2;2009.07.09;-

CAT-QuickHeal;10.00;2009.07.09;-

ClamAV;0.94.1;2009.07.09;-

Comodo;1596;2009.07.09;-

DrWeb;5.0.0.12182;2009.07.09;-

eSafe;7.0.17.0;2009.07.09;-

eTrust-Vet;31.6.6606;2009.07.09;-

F-Prot;4.4.4.56;2009.07.09;-

F-Secure;8.0.14470.0;2009.07.09;-

Fortinet;3.117.0.0;2009.07.03;-

GData;19;2009.07.09;-

Ikarus;T3.1.1.64.0;2009.07.09;-

Jiangmin;11.0.706;2009.07.09;-

K7AntiVirus;7.10.788;2009.07.09;-

Kaspersky;7.0.0.125;2009.07.09;-

McAfee;5671;2009.07.09;-

McAfee+Artemis;5671;2009.07.09;-

McAfee-GW-Edition;6.8.5;2009.07.09;-

Microsoft;1.4803;2009.07.09;-

NOD32;4229;2009.07.09;-

Norman;6.01.09;2009.07.09;-

nProtect;2009.1.8.0;2009.07.09;-

Panda;10.0.0.14;2009.07.09;-

PCTools;4.4.2.0;2009.07.09;-

Prevx;3.0;2009.07.09;-

Rising;21.37.34.00;2009.07.09;-

Sophos;4.43.0;2009.07.09;-

Sunbelt;3.2.1858.2;2009.07.09;-

Symantec;1.4.4.12;2009.07.09;-

TheHacker;6.3.4.3.363;2009.07.08;-

TrendMicro;8.950.0.1094;2009.07.09;-

VBA32;3.12.10.7;2009.07.09;-

ViRobot;2009.7.10.1827;2009.07.09;-

VirusBuster;4.6.5.0;2009.07.09;-

 

Additional information

File size: 892 bytes

MD5   : 1cff2dc4b504a38b53ec4715fa8de24b

SHA1  : a318225dacf8a8c9e9c4ae89a02669509f255bfb

SHA256: 7b1a79e4975c66d7fc9f7baf0b4600db17fa57ff09ef5055926c0803398a7a7b

ssdeep: 24:QbDZh+ragzMZfuMMs1L/JU5fFCkK8T1rTOyoi6ozq:ODZhyoZWM9rU5fFcnyoi6ozq

PEiD  : -

RDS   : NSRL Reference Data Set: -

 

 

File 25712187.tmp received on 2009.07.09 22:16:30 (UTC)

Antivirus;Version;Last Update;Result

a-squared;4.5.0.18;2009.07.09;-

AhnLab-V3;5.0.0.2;2009.07.09;-

AntiVir;7.9.0.204;2009.07.09;-

Antiy-AVL;2.0.3.1;2009.07.09;-

Authentium;5.1.2.4;2009.07.09;-

Avast;4.8.1335.0;2009.07.09;-

AVG;8.5.0.387;2009.07.09;-

BitDefender;7.2;2009.07.09;-

CAT-QuickHeal;10.00;2009.07.09;-

ClamAV;0.94.1;2009.07.09;-

Comodo;1596;2009.07.09;-

DrWeb;5.0.0.12182;2009.07.09;-

eSafe;7.0.17.0;2009.07.09;-

eTrust-Vet;31.6.6606;2009.07.09;-

F-Prot;4.4.4.56;2009.07.09;-

F-Secure;8.0.14470.0;2009.07.09;-

Fortinet;3.117.0.0;2009.07.03;-

GData;19;2009.07.09;-

Ikarus;T3.1.1.64.0;2009.07.09;-

Jiangmin;11.0.706;2009.07.09;-

K7AntiVirus;7.10.788;2009.07.09;-

Kaspersky;7.0.0.125;2009.07.09;-

McAfee;5671;2009.07.09;-

McAfee+Artemis;5671;2009.07.09;-

McAfee-GW-Edition;6.8.5;2009.07.09;-

Microsoft;1.4803;2009.07.09;-

NOD32;4229;2009.07.09;-

Norman;6.01.09;2009.07.09;-

nProtect;2009.1.8.0;2009.07.09;-

Panda;10.0.0.14;2009.07.09;-

PCTools;4.4.2.0;2009.07.09;-

Prevx;3.0;2009.07.10;-

Rising;21.37.34.00;2009.07.09;-

Sophos;4.43.0;2009.07.09;-

Sunbelt;3.2.1858.2;2009.07.09;-

Symantec;1.4.4.12;2009.07.09;-

TheHacker;6.3.4.3.363;2009.07.08;-

TrendMicro;8.950.0.1094;2009.07.09;-

VBA32;3.12.10.7;2009.07.09;-

ViRobot;2009.7.10.1827;2009.07.09;-

VirusBuster;4.6.5.0;2009.07.09;-

 

Additional information

File size: 804 bytes

MD5...: 2a07535a80623a5f4e1fb18791a3324a

SHA1..: 116b4414f6a191c7ba8a37f2eac6366a9824be3d

SHA256: d3150b2108a4675b0cabea8323ddab601b6dd4f3b7136be9fabf54dc650ceca6

ssdeep: 24:QbDZh+ragzMZfuMMs1L/JU5fFCkK8T1rTOyq:ODZhyoZWM9rU5fFcnyq

PEiD..: -

TrID..: File type identification: Unknown!

PEInfo: -

PDFiD.: -

RDS...: NSRL Reference Data Set: -

 

 

File crssv.exe received on 2009.07.09 22:18:09 (UTC)

Antivirus;Version;Last Update;Result

a-squared;4.5.0.18;2009.07.09;Trojan-Dropper!IK

AhnLab-V3;5.0.0.2;2009.07.09;Win32/IRCBot.worm.variant

AntiVir;7.9.0.204;2009.07.09;-

Antiy-AVL;2.0.3.1;2009.07.09;-

Authentium;5.1.2.4;2009.07.09;-

Avast;4.8.1335.0;2009.07.09;-

AVG;8.5.0.387;2009.07.09;-

BitDefender;7.2;2009.07.09;Gen:Trojan.Heur.PT.C0F10E1E1E

CAT-QuickHeal;10.00;2009.07.09;(Suspicious) - DNAScan

ClamAV;0.94.1;2009.07.09;-

Comodo;1596;2009.07.09;-

DrWeb;5.0.0.12182;2009.07.09;-

eSafe;7.0.17.0;2009.07.09;-

eTrust-Vet;31.6.6606;2009.07.09;-

F-Prot;4.4.4.56;2009.07.09;-

F-Secure;8.0.14470.0;2009.07.09;-

Fortinet;3.117.0.0;2009.07.03;-

GData;19;2009.07.09;Gen:Trojan.Heur.PT.C0F10E1E1E

Ikarus;T3.1.1.64.0;2009.07.09;Trojan-Dropper

Jiangmin;11.0.706;2009.07.09;-

K7AntiVirus;7.10.788;2009.07.09;-

Kaspersky;7.0.0.125;2009.07.09;-

McAfee;5671;2009.07.09;-

McAfee+Artemis;5671;2009.07.09;-

McAfee-GW-Edition;6.8.5;2009.07.09;-

Microsoft;1.4803;2009.07.09;-

NOD32;4229;2009.07.09;-

Norman;6.01.09;2009.07.09;-

nProtect;2009.1.8.0;2009.07.09;Trojan/W32.Agent.209058

Panda;10.0.0.14;2009.07.09;-

PCTools;4.4.2.0;2009.07.09;-

Prevx;3.0;2009.07.10;-

Rising;21.37.34.00;2009.07.09;-

Sophos;4.43.0;2009.07.09;-

Sunbelt;3.2.1858.2;2009.07.09;-

Symantec;1.4.4.12;2009.07.09;-

TheHacker;6.3.4.3.363;2009.07.08;-

TrendMicro;8.950.0.1094;2009.07.09;-

VBA32;3.12.10.7;2009.07.09;Trojan.VB.Levelup

ViRobot;2009.7.10.1827;2009.07.09;-

VirusBuster;4.6.5.0;2009.07.09;-

 

Additional information

File size: 209058 bytes

MD5...: eb6b89c42aff9c69bb293c72effae916

SHA1..: e214c3895dcfa6da87a3b0a5d1f383bd0e0626e7

SHA256: fda780d54f72bddd83a607fd79b6f4451aa6cddef4dd4b675c2b84e6e467afc7

ssdeep: 3072:HJ7+Z9o9S9dGFdOdPfi/6IzxqrvV85RwYb0Y4Mz9i7Y/Vpgic62hx:1iu2pi/pzyvV0uHMzd/Vmic62

PEiD..: -

TrID..: File type identification
        Win32 Executable Generic (68.0%)
        Generic Win/DOS Executable (15.9%)
        DOS Executable Generic (15.9%)
        Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)

PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x11a0
timedatestamp.....: 0x4a13424e (Tue May 19 23:35:42 2009)
machinetype.......: 0x14c (I386)

( 3 sections )
name    viradd  virsiz   rawdsiz  ntrpy  md5
.data   0x1000  0xbc38   0xc000   4.93   779c9e30813c667d13298cca2ef40c89
.rsrc   0xd000  0x10bc   0x2000   1.73   2d1f988f2842145d9fb98035e2134f4d
.rdata  0xf000  0x240a0  0x240a0  8.00   3fcedf990a6a0276ec1f2d4b968f7630

( 1 imports )
> MSVBVM60.DLL: MethCallEngine, -, -, -, -, -, -, -, -, -, EVENT_SINK_AddRef, -, -, DllFunctionCall, -, EVENT_SINK_Release, -, EVENT_SINK_QueryInterface, __vbaExceptHandler, -, -, -, -, -, ProcCallEngine, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -

( 0 exports )

PDFiD.: -

RDS...: NSRL Reference Data Set: -

 

 

 

File plugin.dat received on 2009.07.09 22:18:34 (UTC)

Antivirus;Version;Last Update;Result

a-squared;4.5.0.18;2009.07.09;-

AhnLab-V3;5.0.0.2;2009.07.09;-

AntiVir;7.9.0.204;2009.07.09;-

Antiy-AVL;2.0.3.1;2009.07.09;-

Authentium;5.1.2.4;2009.07.09;-

Avast;4.8.1335.0;2009.07.09;-

AVG;8.5.0.387;2009.07.09;-

BitDefender;7.2;2009.07.09;-

CAT-QuickHeal;10.00;2009.07.09;-

ClamAV;0.94.1;2009.07.09;-

Comodo;1596;2009.07.09;-

DrWeb;5.0.0.12182;2009.07.09;-

eSafe;7.0.17.0;2009.07.09;-

eTrust-Vet;31.6.6606;2009.07.09;-

F-Prot;4.4.4.56;2009.07.09;-

F-Secure;8.0.14470.0;2009.07.09;-

Fortinet;3.117.0.0;2009.07.03;-

GData;19;2009.07.09;-

Ikarus;T3.1.1.64.0;2009.07.09;-

Jiangmin;11.0.706;2009.07.09;-

K7AntiVirus;7.10.788;2009.07.09;-

Kaspersky;7.0.0.125;2009.07.09;-

McAfee;5671;2009.07.09;-

McAfee+Artemis;5671;2009.07.09;-

McAfee-GW-Edition;6.8.5;2009.07.09;-

Microsoft;1.4803;2009.07.09;-

NOD32;4229;2009.07.09;-

Norman;6.01.09;2009.07.09;-

nProtect;2009.1.8.0;2009.07.09;-

Panda;10.0.0.14;2009.07.09;-

PCTools;4.4.2.0;2009.07.09;-

Prevx;3.0;2009.07.10;-

Rising;21.37.34.00;2009.07.09;-

Sophos;4.43.0;2009.07.09;-

Sunbelt;3.2.1858.2;2009.07.09;-

Symantec;1.4.4.12;2009.07.09;-

TheHacker;6.3.4.3.363;2009.07.08;-

TrendMicro;8.950.0.1094;2009.07.09;-

VBA32;3.12.10.7;2009.07.09;-

ViRobot;2009.7.10.1827;2009.07.09;-

VirusBuster;4.6.5.0;2009.07.09;-

 

Additional information

File size: 293376 bytes

MD5...: 5c94ffdf12404805535066b9ad40acf6

SHA1..: 8fd0a90d04366ee146c003e097dc6f0791c5e671

SHA256: b043136c8cfd0318c0798b97ea722c52fd61141213c852646b6f4f2eab5591fc

ssdeep: 6144:9gx0LxkrnYVSlrfjpcaMugApuw8zAbltNAA6Fn41T/H/+ckr:9XxkncSlrt2nApuw8zwtmAQ4R/GTr

PEiD..: -

TrID..: File type identification: Unknown!

PEInfo: -

PDFiD.: -

RDS...: NSRL Reference Data Set: -

 

 

File logs.dat received on 2009.07.09 22:18:38 (UTC)

Antivirus;Version;Last Update;Result

a-squared;4.5.0.18;2009.07.09;-

AhnLab-V3;5.0.0.2;2009.07.09;-

AntiVir;7.9.0.204;2009.07.09;-

Antiy-AVL;2.0.3.1;2009.07.09;-

Authentium;5.1.2.4;2009.07.09;-

Avast;4.8.1335.0;2009.07.09;-

AVG;8.5.0.387;2009.07.09;-

BitDefender;7.2;2009.07.09;-

CAT-QuickHeal;10.00;2009.07.09;-

ClamAV;0.94.1;2009.07.09;-

Comodo;1596;2009.07.09;-

DrWeb;5.0.0.12182;2009.07.09;-

eSafe;7.0.17.0;2009.07.09;-

eTrust-Vet;31.6.6606;2009.07.09;-

F-Prot;4.4.4.56;2009.07.09;-

F-Secure;8.0.14470.0;2009.07.09;-

Fortinet;3.117.0.0;2009.07.03;-

GData;19;2009.07.09;-

Ikarus;T3.1.1.64.0;2009.07.09;-

Jiangmin;11.0.706;2009.07.09;-

K7AntiVirus;7.10.788;2009.07.09;-

Kaspersky;7.0.0.125;2009.07.09;-

McAfee;5671;2009.07.09;-

McAfee+Artemis;5671;2009.07.09;-

McAfee-GW-Edition;6.8.5;2009.07.09;-

Microsoft;1.4803;2009.07.09;-

NOD32;4229;2009.07.09;-

Norman;6.01.09;2009.07.09;-

nProtect;2009.1.8.0;2009.07.09;-

Panda;10.0.0.14;2009.07.09;-

PCTools;4.4.2.0;2009.07.09;-

Prevx;3.0;2009.07.10;-

Rising;21.37.34.00;2009.07.09;-

Sophos;4.43.0;2009.07.09;-

Sunbelt;3.2.1858.2;2009.07.09;-

Symantec;1.4.4.12;2009.07.09;-

TheHacker;6.3.4.3.363;2009.07.08;-

TrendMicro;8.950.0.1094;2009.07.09;-

VBA32;3.12.10.7;2009.07.09;-

ViRobot;2009.7.10.1827;2009.07.09;-

VirusBuster;4.6.5.0;2009.07.09;-

 

Additional information

File size: 2830 bytes

MD5...: 7ac064cbbe22f8ccce45145dfc7b35f5

SHA1..: 1f43cff8ba185e125b14daec141d55ecd5d92e9a

SHA256: 383b7b9ae23319071f3850812532019b96678f501e18b1137644fb072a70212a

ssdeep: 48:B99g99Um99c999Jy99e99Ev99E99NJ99Mv99HM99m993v99i99Sv99tv99Xvd99/:BDgDNDcD9IDeDEvDEDzDMvDHMDmD3vDD

PEiD..: -

TrID..: File type identification: Generic INI configuration (100.0%)

PEInfo: -

PDFiD.: -

RDS...: NSRL Reference Data Set: -

 

 

Here are my combofix results:

 

ComboFix 09-07-08.02 - Mumbo 07/09/2009 15:27.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1552 [GMT -7:00]

Running from: c:\documents and settings\Mumbo\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Mumbo\Desktop\CFScript.txt

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

 

((((((((((((((((((((((((( Files Created from 2009-06-09 to 2009-07-09 )))))))))))))))))))))))))))))))

.

 

2009-07-06 20:32 . 2009-07-06 20:32 -------- d-----w- c:\documents and settings\Mumbo\Application Data\Malwarebytes

2009-07-06 20:32 . 2009-06-17 18:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-07-06 20:32 . 2009-07-07 01:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-07-06 20:32 . 2009-07-06 20:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-07-06 20:32 . 2009-06-17 18:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-07-06 07:27 . 2009-07-06 07:12 15688 ----a-w- c:\windows\system32\lsdelete.exe

2009-07-06 07:12 . 2009-07-06 07:11 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys

2009-07-06 07:12 . 2009-07-06 07:12 314712 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe

2009-07-06 07:12 . 2009-07-06 07:12 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll

2009-07-06 07:12 . 2009-07-06 07:12 169312 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll

2009-07-06 07:12 . 2009-07-06 07:12 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe

2009-07-06 07:12 . 2009-07-06 07:12 348496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll

2009-07-06 07:12 . 2009-07-06 07:12 298336 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll

2009-07-06 07:12 . 2009-07-06 07:12 84832 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll

2009-07-06 07:11 . 2009-07-06 07:11 1630560 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll

2009-07-06 07:11 . 2009-07-06 07:11 246128 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll

2009-07-06 07:11 . 2009-07-06 07:11 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys

2009-07-06 07:11 . 2009-07-06 07:11 40288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll

2009-07-06 07:11 . 2009-07-06 07:11 85352 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\AAWDriverTool.exe

2009-07-06 07:11 . 2009-07-06 07:11 664424 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll

2009-07-06 07:11 . 2009-07-06 07:11 563064 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe

2009-07-06 07:11 . 2009-07-06 07:11 566632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe

2009-07-06 07:11 . 2009-07-06 07:11 2352968 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe

2009-07-06 07:11 . 2009-07-06 07:11 629072 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe

2009-07-06 07:11 . 2009-07-06 07:11 520024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe

2009-07-06 07:11 . 2009-07-06 07:11 1029456 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe

2009-07-06 07:04 . 2009-07-06 07:04 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}

2009-07-06 07:04 . 2009-03-12 08:17 2902048 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe

2009-07-06 07:03 . 2009-07-06 07:03 -------- d-----w- c:\program files\Lavasoft

2009-07-06 02:13 . 2009-07-06 06:32 -------- d-sh--r- c:\windows\system32\etc

2009-07-05 02:01 . 2009-07-05 02:01 -------- d-----w- c:\documents and settings\Mumbo\Local Settings\Application Data\CAPCOM

2009-06-25 05:31 . 2009-06-25 05:31 -------- d-----w- c:\program files\PFPortChecker

2009-06-24 00:46 . 2009-06-24 00:52 -------- d-----w- c:\documents and settings\Mumbo\Application Data\ImgBurn

2009-06-24 00:29 . 2009-06-24 00:29 -------- d-----w- c:\program files\ImgBurn

2009-06-19 23:29 . 2009-06-19 23:29 -------- d-----w- c:\documents and settings\Mumbo\Local Settings\Application Data\GHOSTBUSTERS

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-07-09 20:02 . 2007-11-25 11:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater

2009-07-09 03:38 . 2007-11-25 11:46 -------- d-----w- c:\program files\Steam

2009-07-07 07:37 . 2007-11-27 18:11 -------- d-----w- c:\documents and settings\Mumbo\Application Data\Azureus

2009-07-06 07:03 . 2007-11-25 16:43 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-07-06 06:29 . 2009-07-06 06:29 892 ----a-w- c:\documents and settings\Mumbo\Application Data\368328.tmp

2009-07-06 02:17 . 2009-07-06 02:17 804 ----a-w- c:\documents and settings\Mumbo\Application Data\25712187.tmp

2009-07-05 22:02 . 2007-11-25 01:33 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-06-25 06:42 . 2007-11-27 18:10 -------- d-----w- c:\program files\Azureus

2009-06-23 05:23 . 2008-11-02 09:08 -------- d-----w- c:\documents and settings\Mumbo\Application Data\FileZilla

2009-06-19 23:21 . 2008-05-27 00:39 -------- d-----w- c:\program files\Atari

2009-06-16 20:35 . 2007-11-25 17:35 -------- d-----w- c:\program files\AIM6

2009-05-17 20:44 . 2008-06-28 19:26 -------- d-----w- c:\documents and settings\Mumbo\Application Data\Vso

2009-05-04 00:34 . 2009-05-01 00:12 98304 ----a-w- c:\documents and settings\Mumbo\Application Data\Soldat\Battleye\BEClient.dll

2009-04-22 07:20 . 2009-04-22 07:20 14311680 ----a-w- c:\windows\system32\xlive.dll

2009-04-22 07:20 . 2009-04-22 07:20 13642496 ----a-w- c:\windows\system32\xlivefnt.dll

2006-05-03 09:06 . 2008-01-10 04:30 163328 --sh--r- c:\windows\system32\flvDX.dll

2007-02-21 10:47 . 2008-01-10 04:30 31232 --sh--r- c:\windows\system32\msfDX.dll

2005-04-09 11:12 . 2009-07-06 06:32 209058 --sha-r- c:\windows\system32\etc\crssv.exe

2006-02-26 23:47 . 2009-07-06 06:32 293376 --sha-r- c:\windows\system32\etc\plugin.dat

.

 

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

--- c:\documents and settings\Mumbo\Application Data\25712187.tmp ---

Company: ------

File Description: ------

File Version: ------

Product Name: ------

Copyright: ------

Original Filename: ------

File size: 804

Created time: 2009-07-06 02:17

Modified time: 2009-07-06 02:17

MD5: 2A07535A80623A5F4E1FB18791A3324A

SHA1: 116B4414F6A191C7BA8A37F2EAC6366A9824BE3D

 

 

--- c:\documents and settings\Mumbo\Application Data\368328.tmp ---

Company: ------

File Description: ------

File Version: ------

Product Name: ------

Copyright: ------

Original Filename: ------

File size: 892

Created time: 2009-07-06 06:29

Modified time: 2009-07-06 06:29

MD5: 1CFF2DC4B504A38B53EC4715FA8DE24B

SHA1: A318225DACF8A8C9E9C4AE89A02669509F255BFB

 

 

--- c:\windows\system32\etc\crssv.exe ---

Company: ------

File Description: ------

File Version: ------

Product Name: ------

Copyright: ------

Original Filename: ------

File size: 209058

Created time: 2009-07-06 06:32

Modified time: 2005-04-09 11:12

MD5: EB6B89C42AFF9C69BB293C72EFFAE916

SHA1: E214C3895DCFA6DA87A3B0A5D1F383BD0E0626E7

 

 

--- c:\windows\system32\etc\plugin.dat ---

Company: ------

File Description: ------

File Version: ------

Product Name: ------

Copyright: ------

Original Filename: ------

File size: 293376

Created time: 2009-07-06 06:32

Modified time: 2006-02-26 23:47

MD5: 5C94FFDF12404805535066B9AD40ACF6

SHA1: 8FD0A90D04366EE146C003E097DC6F0791C5E671

 

---- Directory of c:\windows\system32\etc ----

 

2009-07-06 06:32 . 2006-02-26 23:47 293376 --sha-r- c:\windows\system32\etc\plugin.dat

2009-07-06 06:32 . 2005-04-09 11:12 209058 --sha-r- c:\windows\system32\etc\crssv.exe

2005-07-22 03:32 . 2005-07-22 03:32 2830 ---ha-w- c:\windows\system32\etc\logs.dat

 

 

((((((((((((((((((((((((((((( SnapShot@2009-07-08_20.37.45 )))))))))))))))))))))))))))))))))))))))))

.

+ 2007-11-25 01:21 . 2009-07-09 20:11 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

- 2007-11-25 01:21 . 2009-07-08 20:14 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2007-11-25 01:21 . 2009-07-09 20:11 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2007-11-25 01:21 . 2009-07-08 20:14 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2007-11-25 01:21 . 2009-07-09 20:11 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat

- 2007-11-25 01:21 . 2009-07-08 20:14 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Google Update"="c:\documents and settings\Mumbo\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-02-12 133104]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-25 68856]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-02 582992]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-27 13684736]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-27 86016]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]

"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2004-08-04 110592]

"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-03-27 1657376]

"SigmatelSysTrayApp"="sttray.exe" - c:\windows\sttray.exe [2007-05-06 405504]

 

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2009-1-2 67128]

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-8-24 805392]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2008-05-02 09:42 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *\0lsdelete

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk

backup=c:\windows\pss\Google Updater.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk

backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk

backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^Mumbo^Start Menu^Programs^Startup^MagicDisc.lnk]

path=c:\documents and settings\Mumbo\Start Menu\Programs\Startup\MagicDisc.lnk

backup=c:\windows\pss\MagicDisc.lnkStartup

 

[HKLM\~\startupfolder\C:^Documents and Settings^Mumbo^Start Menu^Programs^Startup^Registration Ghost Recon Advanced Warfighter.LNK]

path=c:\documents and settings\Mumbo\Start Menu\Programs\Startup\Registration Ghost Recon Advanced Warfighter.LNK

backup=c:\windows\pss\Registration Ghost Recon Advanced Warfighter.LNKStartup

 

[HKLM\~\startupfolder\C:^Documents and Settings^Mumbo^Start Menu^Programs^Startup^RollerCoaster Tycoon 3 Registration.lnk]

path=c:\documents and settings\Mumbo\Start Menu\Programs\Startup\RollerCoaster Tycoon 3 Registration.lnk

backup=c:\windows\pss\RollerCoaster Tycoon 3 Registration.lnkStartup

 

[HKLM\~\startupfolder\C:^Documents and Settings^Mumbo^Start Menu^Programs^Startup^RollerCoaster Tycoon 3_ Wild Registration.lnk]

path=c:\documents and settings\Mumbo\Start Menu\Programs\Startup\RollerCoaster Tycoon 3_ Wild Registration.lnk

backup=c:\windows\pss\RollerCoaster Tycoon 3_ Wild Registration.lnkStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=

"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3y.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"j:\\Games\\Call of Duty - World At War\\CoDWaWmp.exe"=

"j:\\Games\\Call of Duty - World At War\\CoDWaW.exe"=

"j:\\Games\\FlatOut UC\\FlatOut Ultimate Carnage\\Fouc.exe"=

"j:\\Games\\pop\\Prince of Persia.exe"=

"j:\\Games\\pop\\PrinceOfPersia_Launcher.exe"=

"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=

"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=

"j:\\Games\\Mirrors Edge\\Binaries\\MirrorsEdge.exe"=

"j:\\Games\\bionic commando rearmed\\bcr.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\trackmania nations forever\\TmForever.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\trackmania nations forever\\TmForeverLauncher.exe"=

"j:\\Games\\Burnout Paradise\\BurnoutLauncher.exe"=

"j:\\Games\\Burnout Paradise\\BurnoutConfigTool.exe"=

"j:\\Games\\Burnout Paradise\\BurnoutParadise.exe"=

"j:\\Games\\EndWar\\Tom Clancy's EndWar\\Binaries\\EndWar.exe"=

"j:\\Games\\EndWar\\Tom Clancy's EndWar\\Tom Clancy's EndWar Launcher.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=

"j:\\Games\\Tom Clancy's H.A.W.X\\HAWX.exe"=

"j:\\Games\\Tom Clancy's H.A.W.X\\HAWX_dx10.exe"=

"j:\\Games\\Far Cry 2\\bin\\FarCry2.exe"=

"j:\\Games\\Far Cry 2\\bin\\FC2Launcher.exe"=

"j:\\Games\\Far Cry 2\\bin\\FC2Editor.exe"=

"j:\\Games\\Prototype\\prototypef.exe"=

"j:\\Games\\Street Fighter IV\\StreetFighterIV.exe"=

"j:\\Games\\Overlord II\\Overlord2.exe"=

 

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/6/2009 12:12 AM 64160]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 12:06 PM 1029456]

R2 PD91Agent;PD91Agent;c:\program files\Raxco\PerfectDisk2008\PD91Agent.exe [9/9/2008 2:49 PM 693512]

R3 PPJoyBus;Parallel Port Joystick Bus device driver;c:\windows\system32\drivers\PPJoyBus.sys [1/23/2004 5:33 PM 13952]

R3 PPortJoystick;Parallel Port Joystick device driver;c:\windows\system32\drivers\PPortJoy.sys [1/23/2004 5:32 PM 28800]

S2 gupdate1c9e89a222decd4;Google Update Service (gupdate1c9e89a222decd4);c:\program files\Google\Update\GoogleUpdate.exe [6/8/2009 5:35 PM 133104]

S3 PD91Engine;PD91Engine;c:\program files\Raxco\PerfectDisk2008\PD91Engine.exe [9/9/2008 2:49 PM 906504]

S3 PortTalk;PortTalk;c:\windows\system32\drivers\PortTalk.sys [3/18/2008 8:12 PM 3567]

S3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [10/1/2006 5:37 AM 26624]

S3 TiglUsb;TiglUsb.sys TI-GRAPH / DIRECT LINK USB driver;c:\windows\system32\drivers\TiglUsb.sys [3/18/2008 8:12 PM 17024]

S3 wip0204;Wippien Network Adapter 2.4;c:\windows\system32\drivers\wip0204.sys [11/19/2008 10:38 PM 23480]

.

Contents of the 'Scheduled Tasks' folder

 

2009-07-06 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 07:11]

 

2009-07-09 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-11-25 23:37]

 

2009-07-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-09 00:34]

 

2009-07-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-09 00:34]

 

2009-07-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-602162358-179605362-839522115-1003Core.job

- c:\documents and settings\Mumbo\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-12 07:46]

 

2009-07-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-602162358-179605362-839522115-1003UA.job

- c:\documents and settings\Mumbo\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-12 07:46]

 

2009-06-15 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-11-25 21:32]

 

2009-05-01 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-11-25 21:32]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://yahoo.com/

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

mDefault_Search_URL = hxxp://www.google.com/ie

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

IE: &Winamp Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

FF - ProfilePath - c:\documents and settings\Mumbo\Application Data\Mozilla\Firefox\Profiles\28zti0wj.default\

FF - prefs.js: browser.startup.homepage - yahoo.com

 

---- FIREFOX POLICIES ----

FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service

.

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-07-09 15:41

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

 

[HKEY_USERS\S-1-5-21-602162358-179605362-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:91,1b,75,08,3f,87,c2,e3,e8,a5,69,94,62,c9,96,a8,15,39,59,f5,b5,ac,f3,

72,03,46,f1,ec,b0,53,00,71,8b,fa,79,6a,99,da,a1,d4,96,72,c7,1f,42,92,fd,af,\

"??"=hex:cd,83,43,89,95,88,5a,13,cd,a4,fd,85,a2,db,70,25

 

[HKEY_USERS\S-1-5-21-602162358-179605362-839522115-1003\Software\SecuROM\License information*]

"datasecu"=hex:57,5a,e4,0e,24,7e,11,c6,c6,a6,8a,18,ea,7a,4d,c0,83,3c,58,f9,00,

1a,5a,4c,39,aa,b9,20,77,77,62,0f,3a,4d,b0,db,39,88,9c,76,90,bc,e8,c2,37,68,\

"rkeysecu"=hex:9f,ec,e7,86,66,3c,4b,9e,90,a7,8f,84,0a,f8,a0,80

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'winlogon.exe'(908)

c:\program files\common files\logitech\bluetooth\LBTWlgn.dll

c:\program files\common files\logitech\bluetooth\LBTServ.dll

 

- - - - - - - > 'lsass.exe'(964)

c:\windows\system32\relog_ap.dll

 

- - - - - - - > 'explorer.exe'(3776)

c:\program files\Logitech\SetPoint\GameHook.dll

c:\program files\Logitech\SetPoint\lgscroll.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Seagate\Schedule2\schedul2.exe

c:\program files\IVT Corporation\BlueSoleil\BTNtService.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\PnkBstrA.exe

c:\program files\SigmaTel\C-Major Audio\WDM\stacsv.exe

c:\windows\system32\rundll32.exe

c:\windows\system32\rundll32.exe

c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe

c:\windows\system32\wbem\unsecapp.exe

c:\windows\system32\wscntfy.exe

c:\progra~1\McAfee\MSC\mcuimgr.exe

c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe

c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe

c:\progra~1\McAfee\MSC\mcmscsvc.exe

c:\program files\McAfee\VirusScan\Mcshield.exe

c:\progra~1\McAfee.com\Agent\mcagent.exe

c:\program files\McAfee\MPF\MpfSrv.exe

.

**************************************************************************

.

Completion time: 2009-07-09 15:50 - machine was rebooted

ComboFix-quarantined-files.txt 2009-07-09 22:50

ComboFix2.txt 2009-07-08 20:41

 

Pre-Run: 488,042,496 bytes free

Post-Run: 472,285,184 bytes free

 

341

 

 

 

 

BTW, I don't know how to disable resident mode for Spybot and Ad-Aware. Also, should I hide my OS files again after my system is clean?

 

Thanks e-tech

 

EDIT: My downloaded hosts file is 599 kB and, as you know, I replaced it recently and could successfully access the Steam support website. But now when I check the directory of the hosts file it is less than 1 kB. Is that normal, or was it replaced by some malicious program again?

OMG, I just noticed I can see banner ads again. What happened to my hosts file? Did one of the programs you told me to run change something?

Edited by mumbojumbo28


Well done!

 

I don't know how to disable resident mode for Spybot and Ad-Aware.

 

Please disable AdWatch, as it may hinder the removal of some entries. You can re-enable it after you're clean. To disable AdWatch:

  • Open AdAware SE.
  • Go to AdWatch User Interface.
  • Go to Tools and Preferences. At the bottom of the screen you will see 2 options, Active and Automatic.
    Active: This will turn Ad-Watch On/Off without closing it.
    Automatic: Suspicious activity will be blocked automatically.
  • Please uncheck both options. You can enable these after resolving your problem.

 

 

 

Please disable TeaTimer by doing the following:

  • Launch Spybot S&D, go to the Mode menu and make sure "Advanced Mode" is selected.
  • On the left hand side, click on Tools, then click on the Resident Icon in the list.
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • Click on the "System Startup" icon in the List
  • Uncheck the "TeaTimer" box and "OK" any prompts.
  • If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
  • Exit Spybot S&D when done and reboot your computer.
    (When we are done, you can re-enable Teatimer using the same steps but this time place a check next to "Resident TeaTimer" and check the "TeaTimer" box in System Startup.)

Please download ResetTeaTimer.zip and save to your Desktop. Extract (unzip) the file and double-click ResetTeaTimer.bat to run the script. This will remove all entries set by TeaTimer and prevent it from restoring them upon reactivation.

 

 

Also, should I hide my OS files again after my system is clean?

Don't have to, but I'll take care of it.

 

 

My downloaded hosts file is 599 kB and, as you know, I replaced it recently and could successfully access the Steam support website. But now when I check the directory of the hosts file it is less than 1 kB. Is that normal, or was it replaced by some malicious program again?

We'll find out about that. It's normal that hosts in C:\WINDOWS\system32\drivers\etc is 1 kB, but I'll take a look.

 

 

Then please

1. Close any open browsers.

 

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

 

3. Open Notepad and copy/paste the text in the quotebox below into it:

 

http://www.spywareinfoforum.com/index.php?showtopic=124765&view=findpost&p=694112
KILLALL::
Collect::
c:\windows\system32\etc\crssv.exe
Folder::
c:\windows\system32\etc

 

Save this as CFScript.txt

 

 

[image: CFScriptB-4.gif]

 

 

Referring to the picture above, drag CFScript.txt into ComboFix.exe.

 

When finished, it shall produce a log for you. Post that log in your next reply.

 

**Note**

 

When CF finishes running, the ComboFix log will open along with a message box; do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

  • Ensure you are connected to the internet and click OK on the message box.

 

 

 

Please use the Internet Explorer browser, and do an online scan with Kaspersky Online Scanner.

 

Note:

In Microsoft Windows Vista, you must open the Web browser using the Run as Administrator command.

 

If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component.

 

Click Accept, when prompted to download and install the program files and database of malware definitions.

  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your Desktop so that you may post it in your next reply.

**Note**

 

To optimize scanning time and produce a more sensible report for review:

  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

 

Please post the Kaspersky Online Scanner Report in your reply along with the ComboFix log.

 

Best regards

 

e-tech

Edited by e-tech


Is everything alright? :)


Due to the lack of feedback this Topic is closed.

 

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter.

 

Everyone else please begin a New Topic.
