
Possible virus, Websites blocked and a hijacked account


  • This topic is locked
7 replies to this topic

#1 mumbojumbo28

mumbojumbo28

    Member

  • Full Member
  • 10 posts

Posted 06 July 2009 - 09:40 PM

So here's the story:
I was logged onto Steam when a friend messaged me through Steam's chat to watch a video. He also mentions to update the Adobe Flash on the website if the video doesn't play. I click the link he sends and it opens a website (which I now know really isn't) Metacafe. The video doesn't play and it says to update Adobe Flash Player where the video should be. I click the download link and download an exe named adobeflashplayer.exe. I run it, thinking it would update my Flash, but nothing happens. Later, I notice that the exe has disappeared off my desktop where I had saved it. My Steam suddenly closes, but I turn off my computer because I had to leave. When I return and turn on my computer I am prompted multiple times at startup to run or cancel svchost or crssv from system32\etc and system32\drivers. I run them to get rid of it so I can continue using the computer. I reboot my computer to see if it would prompt me again. It does. Suspicious, I log onto my Steam account only to have it reject my password. I log onto my email only to see that my password and contact email for my Steam account were changed a few minutes after I had to leave. I immediately run Spybot but it catches nothing. I run Ad-Aware, which detects the previously mentioned crssv.exe. I delete it. I later run HijackThis and see crssv listed. I remove it and reboot my computer to see if I get the run prompt again. I don't.

Here's the problem:
At this point I want to make sure my computer is fully clean before retrieving my account. I ran Spybot, HijackThis and Ad-Aware as mentioned above. I later ran MBAM after reading the FAQs at the SWI forums and caught 5 items. I deleted them and saved the logs. However, there is still one problem. Whenever I try to go to Steam's support page through a link or by typing it into my URL box, all my internet browsers are unable to connect to the page. I am also unable to connect to the general steampowered website if I type it directly into my URL box. Now I am unable to retrieve my account.

I am not quite sure what happened, but I do know there are people who write programs in the underground Steam community to steal accounts. I am not quite sure, but I think this is how the program works. The victim downloads and runs the executable. The executable goes into the registry and gets the login for the Steam account, which is sent to an FTP server. However, when I ran the program, my McAfee, which usually prompts me when a program wants to access the internet, did not do anything or detect anything.

So at this point I want to make sure everything is clean and I want to fix the problem with my internet browser so I can retrieve my account.

Here is my HijackThis log after running MBAM and after I had deleted crssv from it:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:37:04 PM, on 7/6/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\sttray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Documents and Settings\Mumbo\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Mumbo\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Documents and Settings\Mumbo\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Mumbo\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplane...C_2.3.6.108.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Google Update Service (gupdate1c9e89a222decd4) (gupdate1c9e89a222decd4) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8306 bytes


Here is my MBAM log, which caught 5 items:

Malwarebytes' Anti-Malware 1.38
Database version: 2382
Windows 5.1.2600 Service Pack 2

7/6/2009 6:27:27 PM
mbam-log-2009-07-06 (18-27-27).txt

Scan type: Full Scan (C:\|E:\|G:\|J:\|)
Objects scanned: 384996
Time elapsed: 4 hour(s), 51 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{t5tbb77l-4678-0mkc-421q-14416031dyu6} (Password.Stealer) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Mumbo\local settings\temporary internet files\ijjistarter2.exe (Trojan.Agent) -> Quarantined and deleted successfully.


I would like to thank the volunteers at SWI for helping out people like me.
Time is of the essence since my account could get irreversibly VAC banned if someone cheats with it. And the malicious person can use my account to try to trick my friends. However, cleaning my computer is first priority.


EDIT 7/7 12:19 a.m.: I think my hosts file was altered to block Steam. I think this is the case since I can see advertisement banners that I haven't seen before. I will reinstall the hosts file and report the result tomorrow.

Edited by mumbojumbo28, 07 July 2009 - 02:15 AM.
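The hosts-file suspicion in the edit above is the kind of thing worth checking mechanically rather than by eye: a legitimate MVPS-style hosts file contains thousands of `0.0.0.0` ad-server entries, so the question is not "are there blocking entries" but "does a site I need appear in the file at all, or does any name point at a real address instead of a sinkhole". The Python script below is an added example for this thread, not code from the original post or from any of the tools named in it. The sample hosts content and the watched-domain list (`WATCHED_DOMAINS`) are constructed assumptions; on Windows the real file lives at `%SystemRoot%\System32\drivers\etc\hosts`, and the script accepts that path as its single argument.

```python
"""Check a Windows hosts file for entries that block or redirect sites you need.

Added example for this thread, not code from the original post. The sample
hosts content and the watched domains are constructed for illustration.
"""
import ipaddress
import sys

# Assumption: sites that must never be blocked or redirected on this machine.
# An ad-blocking hosts file (MVPS and similar) sinkholes ad servers, never these.
WATCHED_DOMAINS = ("steampowered.com", "microsoft.com")

# Constructed sample: two ad-block entries (expected) plus a block of Steam
# support and a redirect of an update host to some other machine.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0 ad.doubleclick.net
0.0.0.0 ads.adserver.test   # expected ad-block entry
127.0.0.1 steampowered.com www.steampowered.com
127.0.0.1 support.steampowered.com
10.1.2.3 update.microsoft.com   # points at another host: redirect
"""


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every name mapped in a hosts file."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                          # not an address: skip the line
        for name in parts[1:]:                # one address may map several names
            yield str(ip), name.lower(), line_no


def is_watched(host):
    """True if host is one of the watched domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def find_hijacks(text):
    """Return suspicious mappings as dicts with keys line, host, ip, kind."""
    findings = []
    for ip, host, line_no in parse_hosts(text):
        if host == "localhost":
            continue
        addr = ipaddress.ip_address(ip)
        sinkhole = addr.is_loopback or addr.is_unspecified
        if sinkhole:
            # Sinkholing ad domains is normal; sinkholing a watched site is not.
            if is_watched(host):
                findings.append({"line": line_no, "host": host,
                                 "ip": ip, "kind": "blocked"})
        elif is_watched(host) or addr.is_global:
            # A real address for a watched or Internet name means traffic to
            # that name is being sent somewhere else.
            findings.append({"line": line_no, "host": host,
                             "ip": ip, "kind": "redirect"})
    return findings


def main(path=None):
    """Scan the given hosts file (or the built-in sample) and print findings."""
    if path is None:
        text = SAMPLE_HOSTS
    else:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    findings = find_hijacks(text)
    for f in findings:
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({f['kind']})")
    return len(findings)


if __name__ == "__main__":
    hosts_path = sys.argv[1] if len(sys.argv) > 1 else None
    sys.exit(1 if main(hosts_path) else 0)
```

Run without arguments it scans the constructed sample and reports the three Steam names as blocked and the update host as redirected; the ad-server entries are left alone. Names on a home LAN that resolve to private addresses are not flagged unless they are on the watch list, which is why the watch list is the part to tune for your own machine.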


#2 e-tech

e-tech

    The Decontaminator

  • Trusted Advisor*
  • 1,891 posts

Posted 08 July 2009 - 12:52 PM

Hello Mumbo!

I'm afraid I have bad news.

Your logs reveal a password stealer.

I would counsel you to disconnect this PC from the Internet immediately, and only reconnect to download any tools that are required. If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

You will need to change your passwords, and all other sensitive information, but only once your system is deemed clean.



With that said, please do the following.
I highly recommend you to remove Viewpoint.

This program does not do anything bad such as deliver ads or spy on you, but it is considered foistware as it is installed without your consent through programs like AOL, AIM, Compuserve, etc.
Foistware may open the door for malware and is sometimes installed without the user's knowledge or permission. Viewpoint is known to be intrusive and there is some possibility that it is now being used by its owners to track your habits.

If you choose to follow my recommendation then please go to Start -> Control Panel and double-click on Add or Remove Programs.
Search the list, and uninstall the following programs (if present) by clicking the Remove or Change/Remove button.

  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
  • Viewpoint Toolbar
Then please find and delete these folders (if present):
c:\program files\Viewpoint
c:\documents and settings\All Users\Application Data\Viewpoint



Please download ATF Cleaner. Save it to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.



Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



Please update Malwarebytes' Anti-Malware to the newest version and run it again.



Please download ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt, MBAM log and the contents of checkup.txt in your next reply for further review.


Best regards

e-tech

My fight is dedicated to the children with autism - please support and help these kids.

Our greatest glory is not in never falling but in rising every time we fall.
- Confucius


#3 mumbojumbo28

mumbojumbo28

    Member

  • Full Member
  • 10 posts

Posted 08 July 2009 - 04:01 PM

Thanks e-tech. I have removed Viewpoint and ran ATF Cleaner afterwards. I believe my MBAM is up to date with version 1.38. I also made sure my virus definitions were up to date before scanning.
Here is my Security Check log:
Results of screen317's Security Check version 0.98.4
Windows XP Service Pack 2
Out of date service pack!!
``````````````````````````````
Antivirus/Firewall Check:
``````````````````````````````

Windows Firewall Disabled!
McAfeeSecurityCenter
Antivirus up to date!
``````````````````````````````
Anti-malware/Other Utilities Check:
``````````````````````````````

Ad-Aware
MVPS Hosts File
Spybot - Search & Destroy
Malwarebytes' Anti-Malware
HijackThis 2.0.2
Java™ 6 Update 5
Out of date Java installed!
Adobe Flash Player 10
``````````````````````````````
Process Check:
objlist.exe by Laurent
``````````````````````````````

Ad-Aware AAWService.exe
Ad-Aware AAWTray.exe
Spybot SDHelper is disabled!
McAfee VirusScan McShield.exe
McAfee VIRUSS~1 mcsysmon.exe
``````````````````````````````
DNS Vulnerability Check:
``````````````````````````````

GREAT! (Very random)

Scan took 93579 seconds.
`````````End of Log```````````


Here is my ComboFix log:
ComboFix 09-07-08.02 - Mumbo 07/08/2009 13:32.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1542 [GMT -7:00]
Running from: c:\documents and settings\Mumbo\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Mumbo\Application Data\inst.exe
c:\documents and settings\Mumbo\Local Settings\Temporary Internet Files\ijjistarter_verinfo.dat
c:\windows\Downloaded Program Files\ijjiPreNotify2.exe
c:\windows\Installer\90da4.msi
c:\windows\Installer\d94ccc.msi
c:\windows\system32\abedcafea8_z.dll
c:\windows\WINDOWS
c:\windows\WINDOWS\Installer\90da4.msi
H:\autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-06-08 to 2009-07-08 )))))))))))))))))))))))))))))))
.

2009-07-06 20:32 . 2009-07-06 20:32 -------- d-----w- c:\documents and settings\Mumbo\Application Data\Malwarebytes
2009-07-06 20:32 . 2009-06-17 18:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-06 20:32 . 2009-07-07 01:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-06 20:32 . 2009-07-06 20:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-06 20:32 . 2009-06-17 18:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-06 07:27 . 2009-07-06 07:12 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-07-06 07:12 . 2009-07-06 07:11 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-07-06 07:12 . 2009-07-06 07:12 314712 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-07-06 07:12 . 2009-07-06 07:12 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
2009-07-06 07:12 . 2009-07-06 07:12 169312 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-07-06 07:12 . 2009-07-06 07:12 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-07-06 07:12 . 2009-07-06 07:12 348496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-07-06 07:12 . 2009-07-06 07:12 298336 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-07-06 07:12 . 2009-07-06 07:12 84832 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-07-06 07:11 . 2009-07-06 07:11 1630560 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-07-06 07:11 . 2009-07-06 07:11 246128 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-07-06 07:11 . 2009-07-06 07:11 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys
2009-07-06 07:11 . 2009-07-06 07:11 40288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-07-06 07:11 . 2009-07-06 07:11 85352 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\AAWDriverTool.exe
2009-07-06 07:11 . 2009-07-06 07:11 664424 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-07-06 07:11 . 2009-07-06 07:11 563064 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-07-06 07:11 . 2009-07-06 07:11 566632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-07-06 07:11 . 2009-07-06 07:11 2352968 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-07-06 07:11 . 2009-07-06 07:11 629072 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2009-07-06 07:11 . 2009-07-06 07:11 520024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-07-06 07:11 . 2009-07-06 07:11 1029456 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-07-06 07:04 . 2009-07-06 07:04 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-07-06 07:04 . 2009-03-12 08:17 2902048 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
2009-07-06 07:03 . 2009-07-06 07:03 -------- d-----w- c:\program files\Lavasoft
2009-07-06 02:13 . 2009-07-06 06:32 -------- d-sh--r- c:\windows\system32\etc
2009-07-05 02:01 . 2009-07-05 02:01 -------- d-----w- c:\documents and settings\Mumbo\Local Settings\Application Data\CAPCOM
2009-06-25 05:31 . 2009-06-25 05:31 -------- d-----w- c:\program files\PFPortChecker
2009-06-24 00:46 . 2009-06-24 00:52 -------- d-----w- c:\documents and settings\Mumbo\Application Data\ImgBurn
2009-06-24 00:29 . 2009-06-24 00:29 -------- d-----w- c:\program files\ImgBurn
2009-06-19 23:29 . 2009-06-19 23:29 -------- d-----w- c:\documents and settings\Mumbo\Local Settings\Application Data\GHOSTBUSTERS ™
2009-06-09 20:14 . 2009-06-09 20:14 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-06-09 00:35 . 2009-06-09 00:35 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-08 07:40 . 2007-11-25 11:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-07-07 07:37 . 2007-11-27 18:11 -------- d-----w- c:\documents and settings\Mumbo\Application Data\Azureus
2009-07-06 07:03 . 2007-11-25 16:43 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-06 06:57 . 2007-11-25 11:46 -------- d-----w- c:\program files\Steam
2009-07-06 06:29 . 2009-07-06 06:29 892 ----a-w- c:\documents and settings\Mumbo\Application Data\368328.tmp
2009-07-06 02:17 . 2009-07-06 02:17 804 ----a-w- c:\documents and settings\Mumbo\Application Data\25712187.tmp
2009-07-05 22:02 . 2007-11-25 01:33 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-25 06:42 . 2007-11-27 18:10 -------- d-----w- c:\program files\Azureus
2009-06-23 05:23 . 2008-11-02 09:08 -------- d-----w- c:\documents and settings\Mumbo\Application Data\FileZilla
2009-06-19 23:21 . 2008-05-27 00:39 -------- d-----w- c:\program files\Atari
2009-06-16 20:35 . 2007-11-25 17:35 -------- d-----w- c:\program files\AIM6
2009-05-17 20:44 . 2008-06-28 19:26 -------- d-----w- c:\documents and settings\Mumbo\Application Data\Vso
2009-05-10 00:29 . 2008-05-17 22:12 -------- d-----w- c:\program files\The Seal Hunter
2009-05-04 00:34 . 2009-05-01 00:12 98304 ----a-w- c:\documents and settings\Mumbo\Application Data\Soldat\Battleye\BEClient.dll
2009-04-22 07:20 . 2009-04-22 07:20 14311680 ----a-w- c:\windows\system32\xlive.dll
2009-04-22 07:20 . 2009-04-22 07:20 13642496 ----a-w- c:\windows\system32\xlivefnt.dll
2006-05-03 09:06 . 2008-01-10 04:30 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47 . 2008-01-10 04:30 31232 --sh--r- c:\windows\system32\msfDX.dll
2005-04-09 11:12 . 2009-07-06 06:32 209058 --sha-r- c:\windows\system32\etc\crssv.exe
2006-02-26 23:47 . 2009-07-06 06:32 293376 --sha-r- c:\windows\system32\etc\plugin.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Mumbo\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-02-12 133104]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-25 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-02 582992]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-27 13684736]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-27 86016]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2004-08-04 110592]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-03-27 1657376]
"SigmatelSysTrayApp"="sttray.exe" - c:\windows\sttray.exe [2007-05-06 405504]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2009-1-2 67128]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-8-24 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 09:42 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *\0lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Mumbo^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\Mumbo\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Mumbo^Start Menu^Programs^Startup^Registration Ghost Recon Advanced Warfighter.LNK]
path=c:\documents and settings\Mumbo\Start Menu\Programs\Startup\Registration Ghost Recon Advanced Warfighter.LNK
backup=c:\windows\pss\Registration Ghost Recon Advanced Warfighter.LNKStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Mumbo^Start Menu^Programs^Startup^RollerCoaster Tycoon 3 Registration.lnk]
path=c:\documents and settings\Mumbo\Start Menu\Programs\Startup\RollerCoaster Tycoon 3 Registration.lnk
backup=c:\windows\pss\RollerCoaster Tycoon 3 Registration.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Mumbo^Start Menu^Programs^Startup^RollerCoaster Tycoon 3_ Wild Registration.lnk]
path=c:\documents and settings\Mumbo\Start Menu\Programs\Startup\RollerCoaster Tycoon 3_ Wild Registration.lnk
backup=c:\windows\pss\RollerCoaster Tycoon 3_ Wild Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3y.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"j:\\Games\\Call of Duty - World At War\\CoDWaWmp.exe"=
"j:\\Games\\Call of Duty - World At War\\CoDWaW.exe"=
"j:\\Games\\FlatOut UC\\FlatOut Ultimate Carnage\\Fouc.exe"=
"j:\\Games\\pop\\Prince of Persia.exe"=
"j:\\Games\\pop\\PrinceOfPersia_Launcher.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"j:\\Games\\Mirrors Edge\\Binaries\\MirrorsEdge.exe"=
"j:\\Games\\bionic commando rearmed\\bcr.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\trackmania nations forever\\TmForever.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\trackmania nations forever\\TmForeverLauncher.exe"=
"j:\\Games\\Burnout Paradise\\BurnoutLauncher.exe"=
"j:\\Games\\Burnout Paradise\\BurnoutConfigTool.exe"=
"j:\\Games\\Burnout Paradise\\BurnoutParadise.exe"=
"j:\\Games\\EndWar\\Tom Clancy's EndWar\\Binaries\\EndWar.exe"=
"j:\\Games\\EndWar\\Tom Clancy's EndWar\\Tom Clancy's EndWar Launcher.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"j:\\Games\\Tom Clancy's H.A.W.X\\HAWX.exe"=
"j:\\Games\\Tom Clancy's H.A.W.X\\HAWX_dx10.exe"=
"j:\\Games\\Far Cry 2\\bin\\FarCry2.exe"=
"j:\\Games\\Far Cry 2\\bin\\FC2Launcher.exe"=
"j:\\Games\\Far Cry 2\\bin\\FC2Editor.exe"=
"j:\\Games\\Prototype\\prototypef.exe"=
"j:\\Games\\Street Fighter IV\\StreetFighterIV.exe"=
"j:\\Games\\Overlord II\\Overlord2.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/6/2009 12:12 AM 64160]
R2 PD91Agent;PD91Agent;c:\program files\Raxco\PerfectDisk2008\PD91Agent.exe [9/9/2008 2:49 PM 693512]
R3 PPJoyBus;Parallel Port Joystick Bus device driver;c:\windows\system32\drivers\PPJoyBus.sys [1/23/2004 5:33 PM 13952]
R3 PPortJoystick;Parallel Port Joystick device driver;c:\windows\system32\drivers\PPortJoy.sys [1/23/2004 5:32 PM 28800]
S2 gupdate1c9e89a222decd4;Google Update Service (gupdate1c9e89a222decd4);c:\program files\Google\Update\GoogleUpdate.exe [6/8/2009 5:35 PM 133104]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 12:06 PM 1029456]
S3 PD91Engine;PD91Engine;c:\program files\Raxco\PerfectDisk2008\PD91Engine.exe [9/9/2008 2:49 PM 906504]
S3 PortTalk;PortTalk;c:\windows\system32\drivers\PortTalk.sys [3/18/2008 8:12 PM 3567]
S3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [10/1/2006 5:37 AM 26624]
S3 TiglUsb;TiglUsb.sys TI-GRAPH / DIRECT LINK USB driver;c:\windows\system32\drivers\TiglUsb.sys [3/18/2008 8:12 PM 17024]
S3 wip0204;Wippien Network Adapter 2.4;c:\windows\system32\drivers\wip0204.sys [11/19/2008 10:38 PM 23480]
.
Contents of the 'Scheduled Tasks' folder

2009-07-06 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 07:11]

2009-07-08 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-11-25 23:37]

2009-07-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-09 00:34]

2009-07-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-09 00:34]

2009-07-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-602162358-179605362-839522115-1003Core.job
- c:\documents and settings\Mumbo\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-12 07:46]

2009-07-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-602162358-179605362-839522115-1003UA.job
- c:\documents and settings\Mumbo\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-12 07:46]

2009-06-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-11-25 21:32]

2009-05-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-11-25 21:32]
.
- - - - ORPHANS REMOVED - - - -

Notify-AtiExtEvent - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Winamp Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\Mumbo\Application Data\Mozilla\Firefox\Profiles\28zti0wj.default\
FF - prefs.js: browser.startup.homepage - yahoo.com
FF - plugin: c:\documents and settings\Mumbo\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-08 13:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-602162358-179605362-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A1DCD957-4110-98C2-E7AD-23ACB1CB1977}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"oaiemhdhlaljligefagnjloomlbpip"=hex:64,61,64,64,61,68,70,69,00,e0
"oamleeknenelmoilfodmjcdamacfac"=hex:6a,61,69,63,6d,66,61,6d,61,66,6f,66,68,68,
70,69,62,70,67,66,00,fd
"naclnkaomciokhekkpjfjfglpocc"=hex:6a,61,69,63,6d,66,61,6d,61,66,6f,66,68,68,
70,69,62,70,67,66,00,fd

[HKEY_USERS\S-1-5-21-602162358-179605362-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:91,1b,75,08,3f,87,c2,e3,e8,a5,69,94,62,c9,96,a8,15,39,59,f5,b5,ac,f3,
72,03,46,f1,ec,b0,53,00,71,8b,fa,79,6a,99,da,a1,d4,96,72,c7,1f,42,92,fd,af,\
"??"=hex:cd,83,43,89,95,88,5a,13,cd,a4,fd,85,a2,db,70,25

[HKEY_USERS\S-1-5-21-602162358-179605362-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:57,5a,e4,0e,24,7e,11,c6,c6,a6,8a,18,ea,7a,4d,c0,83,3c,58,f9,00,
1a,5a,4c,39,aa,b9,20,77,77,62,0f,3a,4d,b0,db,39,88,9c,76,90,bc,e8,c2,37,68,\
"rkeysecu"=hex:9f,ec,e7,86,66,3c,4b,9e,90,a7,8f,84,0a,f8,a0,80
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(900)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll

- - - - - - - > 'lsass.exe'(956)
c:\windows\system32\relog_ap.dll
.
Completion time: 2009-07-08 13:41
ComboFix-quarantined-files.txt 2009-07-08 20:41

Pre-Run: 578,478,080 bytes free
Post-Run: 585,953,280 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

281

I believe the directory c:\windows\system32\etc, which was recently created, is associated with the malicious program I ran, since that is the directory that showed up when I was previously prompted on startup to run svchost. I am no longer prompted to run anything on startup.

Also, after running ComboFix, Internet Explorer appears on my desktop. Google Chrome, which I normally use, was no longer my default browser.

Finally, I am able to connect to the Steam support website now that I have manually replaced my hosts file.
For some reason, my McAfee, which is always active, did not alert me when the malicious program connected to the internet (I think that's what it does). It also did not alert me when my hosts file was changed by the malicious program. It did, however, alert me when I manually replaced it.

Thank you, e-tech, for your help. I am one step closer to having confidence in the safety of my computer.

One more thing: as you may have noticed, I install my video games to another hard drive. Is this safe, given that it is on a hard drive separate from my C drive and my OS?

EDIT: Steam account retrieved. However, I won't log in until I am sure my PC is clean.

Edited by mumbojumbo28, 08 July 2009 - 10:42 PM.
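The blocked Steam pages in the post above came down to a rewritten hosts file. As an added example (not code from this thread), here is a small Python audit that flags hosts entries which blackhole or redirect any name other than localhost; the sample hosts content and the function names are constructed for the demo, and the steampowered.com watch entry comes from the site the thread says was unreachable.

```python
"""Audit a Windows hosts file for entries that block or redirect sites.

Added example, not part of the forum thread. The malware in this thread
rewrote the hosts file so Steam's support site no longer resolved; this
check flags any hosts line that points a name other than localhost at a
loopback/unspecified address (blackhole) or at a routable address
(redirect). SAMPLE_HOSTS below is constructed for the demo.
"""
import ipaddress

# Names a stock Windows hosts file legitimately maps to loopback.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
# Sites the user must be able to reach; taken from the thread.
WATCHED_SUFFIXES = ("steampowered.com",)

# Constructed sample: a stock XP hosts file plus hijack entries of the
# kind described in the thread. 192.0.2.10 is an RFC 5737 test address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# constructed entries mimicking the hijack described in the thread
127.0.0.1 support.steampowered.com
127.0.0.1 www.steampowered.com steampowered.com
192.0.2.10 example.org   # constructed redirect to a non-loopback address
"""


def parse_hosts(text):
    """Yield (line_no, ip, names) for every effective hosts entry."""
    for n, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()   # drop comments and padding
        if not body:
            continue
        fields = body.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # malformed line, ignore
        if len(fields) > 1:
            yield n, ip, [f.lower() for f in fields[1:]]


def is_watched(name):
    """True if name is one of, or a subdomain of, the watched sites."""
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)


def audit_hosts(text):
    """Return one finding dict per hostname that is blackholed or redirected."""
    findings = []
    for n, ip, names in parse_hosts(text):
        # 127.0.0.0/8, ::1, 0.0.0.0 and :: all make a name unreachable.
        blackhole = ip.is_loopback or ip.is_unspecified
        for name in names:
            if blackhole and name in LOCAL_NAMES:
                continue        # the stock "127.0.0.1 localhost" line
            findings.append({
                "line": n,
                "name": name,
                "ip": str(ip),
                "kind": "blackhole" if blackhole else "redirect",
                "watched": is_watched(name),
            })
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        flag = "  <-- site the user could not reach" if f["watched"] else ""
        print(f"line {f['line']}: {f['kind']} {f['name']} -> {f['ip']}{flag}")
```

Run it against a copy of %SystemRoot%\system32\drivers\etc\hosts; on a clean XP machine the only entry is the localhost line and the audit returns nothing.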


#4 e-tech

e-tech

    The Decontaminator

  • Trusted Advisor*
  • 1,891 posts

Posted 09 July 2009 - 01:26 AM

Hello mumbojumbo28

I believe the directory c:\windows\system32\etc, which was recently created, is associated with the malicious program I ran, since that is the directory that showed up when I was previously prompted on startup to run svchost.

Could be. The etc folder is normally located in C:\WINDOWS\system32\drivers\. We'll take a look.

Google Chrome, which I normally use, was no longer my default browser.

Yes. Wait until you get clean, then you can add it again as your default browser.

One more thing: as you may have noticed, I install my video games to another hard drive. Is this safe, given that it is on a hard drive separate from my C drive and my OS?

Yes, no problem.

I have noticed that you have 2 antispyware programs installed on your computer.
These are:
  • Spybot - Search & Destroy
  • Ad-Aware
Warning!
Running more than one resident protection program of the same type (antivirus, firewall or antispyware program) at the same time can result in unwanted conflict.
This can reduce the effectiveness of all your antispyware programs individually.
If you want to keep all your antispyware programs then please make sure they are not in resident mode at the same time.



Please set WinXP to show hidden/system files and folders so that you can find them to delete.

Please click Start and open My Computer.
On the Tools menu, click on Folder Options.
On the View tab, uncheck "Hide file extensions for known file types".
Uncheck "Hide protected operating system files (Recommended)" and click Yes on the warning message. Under "Hidden files and folders", check "Show hidden files and folders".
Click Apply to All Folders.
Click OK and close My Computer.



Please go to VirusTotal, and upload the following files for analysis:
c:\documents and settings\Mumbo\Application Data\368328.tmp
c:\documents and settings\Mumbo\Application Data\25712187.tmp
c:\windows\system32\etc\crssv.exe
c:\windows\system32\etc\plugin.dat

Post the VirusTotal results in your reply.


Please
1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad and copy/paste the text in the quotebox below into it:

KILLALL::
DirLook::
c:\windows\system32\etc
FileLook::
c:\documents and settings\Mumbo\Application Data\368328.tmp
c:\documents and settings\Mumbo\Application Data\25712187.tmp
c:\windows\system32\etc\crssv.exe
c:\windows\system32\etc\plugin.dat
RegNull::
[HKEY_USERS\S-1-5-21-602162358-179605362-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A1DCD957-4110-98C2-E7AD-23ACB1CB1977}*]


Save this as CFScript.txt, in the same location as ComboFix.exe

[image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I shall require in your next reply along with the VirusTotal results.


Best regards

e-tech

My fight is dedicated to the children with autism - please support and help these kids.

Our greatest glory is not in never falling but in rising every time we fall.
- Confucius
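As an added example (not code from the thread or from ComboFix), the ComboFix file-listing lines posted in this thread (two timestamps, size, attribute string, path) can be triaged automatically for the indicators e-tech is chasing: hidden+system attributes, timestamps years apart, and a location under system32\etc. The function names are hypothetical and the sample lines are copied from the ComboFix output in this thread; the check does not depend on which of the two timestamps is the creation time, since ComboFix orders them differently from section to section.

```python
r"""Triage ComboFix-style file listing lines for hiding indicators.

Added example, not part of the thread or of ComboFix. ComboFix prints
files as "<timestamp> . <timestamp> <size> <attributes> <path>". The
helpers below (parse_listing, indicators, triage_listing are hypothetical
names) flag entries that carry hidden+system attributes, whose two
timestamps lie more than a year apart (one was likely back-dated), or
that live in system32\etc, which is not where Windows keeps its etc
folder. SAMPLE_LISTING is copied from the ComboFix output in this thread.
"""
import re
from datetime import datetime

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
    r"\s+(\S+)\s+([a-z-]{8})\s+(.+)$"
)
MAX_DAYS_APART = 365   # beyond this the two timestamps look inconsistent

# Lines copied from the ComboFix log posted in this thread.
SAMPLE_LISTING = r"""
2009-07-06 20:32 . 2009-06-17 18:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-06 02:13 . 2009-07-06 06:32 -------- d-sh--r- c:\windows\system32\etc
2005-04-09 11:12 . 2009-07-06 06:32 209058 --sha-r- c:\windows\system32\etc\crssv.exe
2006-02-26 23:47 . 2009-07-06 06:32 293376 --sha-r- c:\windows\system32\etc\plugin.dat
2009-05-04 00:34 . 2009-05-01 00:12 98304 ----a-w- c:\documents and settings\Mumbo\Application Data\Soldat\Battleye\BEClient.dll
"""


def parse_listing(text):
    """Yield one dict per listing line; lines that do not match are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        t1, t2, size, attrs, path = m.groups()
        yield {
            "t1": datetime.strptime(t1, "%Y-%m-%d %H:%M"),
            "t2": datetime.strptime(t2, "%Y-%m-%d %H:%M"),
            "size": int(size) if size.isdigit() else None,  # "--------" for dirs
            "attrs": set(attrs.replace("-", "")),            # e.g. {"s","h","a","r"}
            "path": path,
        }


def indicators(entry):
    """Return the reasons an entry deserves a closer look (empty if none)."""
    reasons = []
    a = entry["attrs"]
    if "s" in a and "h" in a:
        reasons.append("hidden+system attributes")
    days = abs((entry["t1"] - entry["t2"]).days)
    if days > MAX_DAYS_APART:
        reasons.append("timestamps %d days apart (possible back-dating)" % days)
    p = entry["path"].lower()
    if p.endswith("\\system32\\etc") or "\\system32\\etc\\" in p:
        reasons.append("located in system32\\etc (Windows keeps etc under "
                       "system32\\drivers)")
    return reasons


def triage_listing(text):
    """Return [(path, reasons)] for entries that show at least one indicator."""
    return [(e["path"], indicators(e)) for e in parse_listing(text)
            if indicators(e)]


if __name__ == "__main__":
    for path, reasons in triage_listing(SAMPLE_LISTING):
        print(path)
        for r in reasons:
            print("   -", r)
```

Indicators are prompts for a closer look (hashing, VirusTotal, FileLook), not verdicts: legitimate installers also drop files with old build timestamps.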


#5 mumbojumbo28

mumbojumbo28

    Member

  • Full Member
  • 10 posts

Posted 09 July 2009 - 05:21 PM

Here are my VirusTotal results. I also found the file logs.dat in the etc folder, which I uploaded with no results. I don't know if the file information may be helpful.

File 368328.tmp received on 2009.07.09 21:34:17 (UTC)
Antivirus;Version;Last Update;Result
a-squared;4.5.0.18;2009.07.09;-
AhnLab-V3;5.0.0.2;2009.07.09;-
AntiVir;7.9.0.204;2009.07.09;-
Antiy-AVL;2.0.3.1;2009.07.09;-
Authentium;5.1.2.4;2009.07.09;-
Avast;4.8.1335.0;2009.07.09;-
AVG;8.5.0.387;2009.07.09;-
BitDefender;7.2;2009.07.09;-
CAT-QuickHeal;10.00;2009.07.09;-
ClamAV;0.94.1;2009.07.09;-
Comodo;1596;2009.07.09;-
DrWeb;5.0.0.12182;2009.07.09;-
eSafe;7.0.17.0;2009.07.09;-
eTrust-Vet;31.6.6606;2009.07.09;-
F-Prot;4.4.4.56;2009.07.09;-
F-Secure;8.0.14470.0;2009.07.09;-
Fortinet;3.117.0.0;2009.07.03;-
GData;19;2009.07.09;-
Ikarus;T3.1.1.64.0;2009.07.09;-
Jiangmin;11.0.706;2009.07.09;-
K7AntiVirus;7.10.788;2009.07.09;-
Kaspersky;7.0.0.125;2009.07.09;-
McAfee;5671;2009.07.09;-
McAfee+Artemis;5671;2009.07.09;-
McAfee-GW-Edition;6.8.5;2009.07.09;-
Microsoft;1.4803;2009.07.09;-
NOD32;4229;2009.07.09;-
Norman;6.01.09;2009.07.09;-
nProtect;2009.1.8.0;2009.07.09;-
Panda;10.0.0.14;2009.07.09;-
PCTools;4.4.2.0;2009.07.09;-
Prevx;3.0;2009.07.09;-
Rising;21.37.34.00;2009.07.09;-
Sophos;4.43.0;2009.07.09;-
Sunbelt;3.2.1858.2;2009.07.09;-
Symantec;1.4.4.12;2009.07.09;-
TheHacker;6.3.4.3.363;2009.07.08;-
TrendMicro;8.950.0.1094;2009.07.09;-
VBA32;3.12.10.7;2009.07.09;-
ViRobot;2009.7.10.1827;2009.07.09;-
VirusBuster;4.6.5.0;2009.07.09;-

Additional information
File size: 892 bytes
MD5   : 1cff2dc4b504a38b53ec4715fa8de24b
SHA1  : a318225dacf8a8c9e9c4ae89a02669509f255bfb
SHA256: 7b1a79e4975c66d7fc9f7baf0b4600db17fa57ff09ef5055926c0803398a7a7b
ssdeep: 24:QbDZh+ragzMZfuMMs1L/JU5fFCkK8T1rTOyoi6ozq:ODZhyoZWM9rU5fFcnyoi6ozq
PEiD  : -
RDS   : NSRL Reference Data Set
-


File 25712187.tmp received on 2009.07.09 22:16:30 (UTC)
Antivirus;Version;Last Update;Result
a-squared;4.5.0.18;2009.07.09;-
AhnLab-V3;5.0.0.2;2009.07.09;-
AntiVir;7.9.0.204;2009.07.09;-
Antiy-AVL;2.0.3.1;2009.07.09;-
Authentium;5.1.2.4;2009.07.09;-
Avast;4.8.1335.0;2009.07.09;-
AVG;8.5.0.387;2009.07.09;-
BitDefender;7.2;2009.07.09;-
CAT-QuickHeal;10.00;2009.07.09;-
ClamAV;0.94.1;2009.07.09;-
Comodo;1596;2009.07.09;-
DrWeb;5.0.0.12182;2009.07.09;-
eSafe;7.0.17.0;2009.07.09;-
eTrust-Vet;31.6.6606;2009.07.09;-
F-Prot;4.4.4.56;2009.07.09;-
F-Secure;8.0.14470.0;2009.07.09;-
Fortinet;3.117.0.0;2009.07.03;-
GData;19;2009.07.09;-
Ikarus;T3.1.1.64.0;2009.07.09;-
Jiangmin;11.0.706;2009.07.09;-
K7AntiVirus;7.10.788;2009.07.09;-
Kaspersky;7.0.0.125;2009.07.09;-
McAfee;5671;2009.07.09;-
McAfee+Artemis;5671;2009.07.09;-
McAfee-GW-Edition;6.8.5;2009.07.09;-
Microsoft;1.4803;2009.07.09;-
NOD32;4229;2009.07.09;-
Norman;6.01.09;2009.07.09;-
nProtect;2009.1.8.0;2009.07.09;-
Panda;10.0.0.14;2009.07.09;-
PCTools;4.4.2.0;2009.07.09;-
Prevx;3.0;2009.07.10;-
Rising;21.37.34.00;2009.07.09;-
Sophos;4.43.0;2009.07.09;-
Sunbelt;3.2.1858.2;2009.07.09;-
Symantec;1.4.4.12;2009.07.09;-
TheHacker;6.3.4.3.363;2009.07.08;-
TrendMicro;8.950.0.1094;2009.07.09;-
VBA32;3.12.10.7;2009.07.09;-
ViRobot;2009.7.10.1827;2009.07.09;-
VirusBuster;4.6.5.0;2009.07.09;-

Additional information
File size: 804 bytes
MD5...: 2a07535a80623a5f4e1fb18791a3324a
SHA1..: 116b4414f6a191c7ba8a37f2eac6366a9824be3d
SHA256: d3150b2108a4675b0cabea8323ddab601b6dd4f3b7136be9fabf54dc650ceca6
ssdeep: 24:QbDZh+ragzMZfuMMs1L/JU5fFCkK8T1rTOyq:ODZhyoZWM9rU5fFcnyq
PEiD..: -
TrID..: File type identification
Unknown!
PEInfo: -
PDFiD.: -
RDS...: NSRL Reference Data Set
-


File crssv.exe received on 2009.07.09 22:18:09 (UTC)
Antivirus;Version;Last Update;Result
a-squared;4.5.0.18;2009.07.09;Trojan-Dropper!IK
AhnLab-V3;5.0.0.2;2009.07.09;Win32/IRCBot.worm.variant
AntiVir;7.9.0.204;2009.07.09;-
Antiy-AVL;2.0.3.1;2009.07.09;-
Authentium;5.1.2.4;2009.07.09;-
Avast;4.8.1335.0;2009.07.09;-
AVG;8.5.0.387;2009.07.09;-
BitDefender;7.2;2009.07.09;Gen:Trojan.Heur.PT.C0F10E1E1E
CAT-QuickHeal;10.00;2009.07.09;(Suspicious) - DNAScan
ClamAV;0.94.1;2009.07.09;-
Comodo;1596;2009.07.09;-
DrWeb;5.0.0.12182;2009.07.09;-
eSafe;7.0.17.0;2009.07.09;-
eTrust-Vet;31.6.6606;2009.07.09;-
F-Prot;4.4.4.56;2009.07.09;-
F-Secure;8.0.14470.0;2009.07.09;-
Fortinet;3.117.0.0;2009.07.03;-
GData;19;2009.07.09;Gen:Trojan.Heur.PT.C0F10E1E1E
Ikarus;T3.1.1.64.0;2009.07.09;Trojan-Dropper
Jiangmin;11.0.706;2009.07.09;-
K7AntiVirus;7.10.788;2009.07.09;-
Kaspersky;7.0.0.125;2009.07.09;-
McAfee;5671;2009.07.09;-
McAfee+Artemis;5671;2009.07.09;-
McAfee-GW-Edition;6.8.5;2009.07.09;-
Microsoft;1.4803;2009.07.09;-
NOD32;4229;2009.07.09;-
Norman;6.01.09;2009.07.09;-
nProtect;2009.1.8.0;2009.07.09;Trojan/W32.Agent.209058
Panda;10.0.0.14;2009.07.09;-
PCTools;4.4.2.0;2009.07.09;-
Prevx;3.0;2009.07.10;-
Rising;21.37.34.00;2009.07.09;-
Sophos;4.43.0;2009.07.09;-
Sunbelt;3.2.1858.2;2009.07.09;-
Symantec;1.4.4.12;2009.07.09;-
TheHacker;6.3.4.3.363;2009.07.08;-
TrendMicro;8.950.0.1094;2009.07.09;-
VBA32;3.12.10.7;2009.07.09;Trojan.VB.Levelup
ViRobot;2009.7.10.1827;2009.07.09;-
VirusBuster;4.6.5.0;2009.07.09;-

Additional information
File size: 209058 bytes
MD5...: eb6b89c42aff9c69bb293c72effae916
SHA1..: e214c3895dcfa6da87a3b0a5d1f383bd0e0626e7
SHA256: fda780d54f72bddd83a607fd79b6f4451aa6cddef4dd4b675c2b84e6e467afc7
ssdeep: 3072:HJ7+Z9o9S9dGFdOdPfi/6IzxqrvV85RwYb0Y4Mz9i7Y/Vpgic62hx:1iu2pi/pzyvV0uHMzd/Vmic62
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x11a0
timedatestamp.....: 0x4a13424e (Tue May 19 23:35:42 2009)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.data 0x1000 0xbc38 0xc000 4.93 779c9e30813c667d13298cca2ef40c89
.rsrc 0xd000 0x10bc 0x2000 1.73 2d1f988f2842145d9fb98035e2134f4d
.rdata 0xf000 0x240a0 0x240a0 8.00 3fcedf990a6a0276ec1f2d4b968f7630

( 1 imports )
> MSVBVM60.DLL: MethCallEngine, -, -, -, -, -, -, -, -, -, EVENT_SINK_AddRef, -, -, DllFunctionCall, -, EVENT_SINK_Release, -, EVENT_SINK_QueryInterface, __vbaExceptHandler, -, -, -, -, -, ProcCallEngine, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -

( 0 exports )
PDFiD.: -
RDS...: NSRL Reference Data Set
-



File plugin.dat received on 2009.07.09 22:18:34 (UTC)
Antivirus;Version;Last Update;Result
a-squared;4.5.0.18;2009.07.09;-
AhnLab-V3;5.0.0.2;2009.07.09;-
AntiVir;7.9.0.204;2009.07.09;-
Antiy-AVL;2.0.3.1;2009.07.09;-
Authentium;5.1.2.4;2009.07.09;-
Avast;4.8.1335.0;2009.07.09;-
AVG;8.5.0.387;2009.07.09;-
BitDefender;7.2;2009.07.09;-
CAT-QuickHeal;10.00;2009.07.09;-
ClamAV;0.94.1;2009.07.09;-
Comodo;1596;2009.07.09;-
DrWeb;5.0.0.12182;2009.07.09;-
eSafe;7.0.17.0;2009.07.09;-
eTrust-Vet;31.6.6606;2009.07.09;-
F-Prot;4.4.4.56;2009.07.09;-
F-Secure;8.0.14470.0;2009.07.09;-
Fortinet;3.117.0.0;2009.07.03;-
GData;19;2009.07.09;-
Ikarus;T3.1.1.64.0;2009.07.09;-
Jiangmin;11.0.706;2009.07.09;-
K7AntiVirus;7.10.788;2009.07.09;-
Kaspersky;7.0.0.125;2009.07.09;-
McAfee;5671;2009.07.09;-
McAfee+Artemis;5671;2009.07.09;-
McAfee-GW-Edition;6.8.5;2009.07.09;-
Microsoft;1.4803;2009.07.09;-
NOD32;4229;2009.07.09;-
Norman;6.01.09;2009.07.09;-
nProtect;2009.1.8.0;2009.07.09;-
Panda;10.0.0.14;2009.07.09;-
PCTools;4.4.2.0;2009.07.09;-
Prevx;3.0;2009.07.10;-
Rising;21.37.34.00;2009.07.09;-
Sophos;4.43.0;2009.07.09;-
Sunbelt;3.2.1858.2;2009.07.09;-
Symantec;1.4.4.12;2009.07.09;-
TheHacker;6.3.4.3.363;2009.07.08;-
TrendMicro;8.950.0.1094;2009.07.09;-
VBA32;3.12.10.7;2009.07.09;-
ViRobot;2009.7.10.1827;2009.07.09;-
VirusBuster;4.6.5.0;2009.07.09;-

Additional information
File size: 293376 bytes
MD5...: 5c94ffdf12404805535066b9ad40acf6
SHA1..: 8fd0a90d04366ee146c003e097dc6f0791c5e671
SHA256: b043136c8cfd0318c0798b97ea722c52fd61141213c852646b6f4f2eab5591fc
ssdeep: 6144:9gx0LxkrnYVSlrfjpcaMugApuw8zAbltNAA6Fn41T/H/+ckr:9XxkncSlrt2nApuw8zwtmAQ4R/GTr
PEiD..: -
TrID..: File type identification
Unknown!
PEInfo: -
PDFiD.: -
RDS...: NSRL Reference Data Set
-


File logs.dat received on 2009.07.09 22:18:38 (UTC)
Antivirus;Version;Last Update;Result
a-squared;4.5.0.18;2009.07.09;-
AhnLab-V3;5.0.0.2;2009.07.09;-
AntiVir;7.9.0.204;2009.07.09;-
Antiy-AVL;2.0.3.1;2009.07.09;-
Authentium;5.1.2.4;2009.07.09;-
Avast;4.8.1335.0;2009.07.09;-
AVG;8.5.0.387;2009.07.09;-
BitDefender;7.2;2009.07.09;-
CAT-QuickHeal;10.00;2009.07.09;-
ClamAV;0.94.1;2009.07.09;-
Comodo;1596;2009.07.09;-
DrWeb;5.0.0.12182;2009.07.09;-
eSafe;7.0.17.0;2009.07.09;-
eTrust-Vet;31.6.6606;2009.07.09;-
F-Prot;4.4.4.56;2009.07.09;-
F-Secure;8.0.14470.0;2009.07.09;-
Fortinet;3.117.0.0;2009.07.03;-
GData;19;2009.07.09;-
Ikarus;T3.1.1.64.0;2009.07.09;-
Jiangmin;11.0.706;2009.07.09;-
K7AntiVirus;7.10.788;2009.07.09;-
Kaspersky;7.0.0.125;2009.07.09;-
McAfee;5671;2009.07.09;-
McAfee+Artemis;5671;2009.07.09;-
McAfee-GW-Edition;6.8.5;2009.07.09;-
Microsoft;1.4803;2009.07.09;-
NOD32;4229;2009.07.09;-
Norman;6.01.09;2009.07.09;-
nProtect;2009.1.8.0;2009.07.09;-
Panda;10.0.0.14;2009.07.09;-
PCTools;4.4.2.0;2009.07.09;-
Prevx;3.0;2009.07.10;-
Rising;21.37.34.00;2009.07.09;-
Sophos;4.43.0;2009.07.09;-
Sunbelt;3.2.1858.2;2009.07.09;-
Symantec;1.4.4.12;2009.07.09;-
TheHacker;6.3.4.3.363;2009.07.08;-
TrendMicro;8.950.0.1094;2009.07.09;-
VBA32;3.12.10.7;2009.07.09;-
ViRobot;2009.7.10.1827;2009.07.09;-
VirusBuster;4.6.5.0;2009.07.09;-

Additional information
File size: 2830 bytes
MD5...: 7ac064cbbe22f8ccce45145dfc7b35f5
SHA1..: 1f43cff8ba185e125b14daec141d55ecd5d92e9a
SHA256: 383b7b9ae23319071f3850812532019b96678f501e18b1137644fb072a70212a
ssdeep: 48:B99g99Um99c999Jy99e99Ev99E99NJ99Mv99HM99m993v99i99Sv99tv99Xvd99/:BDgDNDcD9IDeDEvDEDzDMvDHMDmD3vDD
PEiD..: -
TrID..: File type identification
Generic INI configuration (100.0%)
PEInfo: -
PDFiD.: -
RDS...: NSRL Reference Data Set
-


Here are my ComboFix results:

ComboFix 09-07-08.02 - Mumbo 07/09/2009 15:27.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1552 [GMT -7:00]
Running from: c:\documents and settings\Mumbo\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Mumbo\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((( Files Created from 2009-06-09 to 2009-07-09 )))))))))))))))))))))))))))))))
.

2009-07-06 20:32 . 2009-07-06 20:32 -------- d-----w- c:\documents and settings\Mumbo\Application Data\Malwarebytes
2009-07-06 20:32 . 2009-06-17 18:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-06 20:32 . 2009-07-07 01:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-06 20:32 . 2009-07-06 20:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-06 20:32 . 2009-06-17 18:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-06 07:27 . 2009-07-06 07:12 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-07-06 07:12 . 2009-07-06 07:11 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-07-06 07:12 . 2009-07-06 07:12 314712 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-07-06 07:12 . 2009-07-06 07:12 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
2009-07-06 07:12 . 2009-07-06 07:12 169312 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-07-06 07:12 . 2009-07-06 07:12 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-07-06 07:12 . 2009-07-06 07:12 348496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-07-06 07:12 . 2009-07-06 07:12 298336 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-07-06 07:12 . 2009-07-06 07:12 84832 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-07-06 07:11 . 2009-07-06 07:11 1630560 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-07-06 07:11 . 2009-07-06 07:11 246128 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-07-06 07:11 . 2009-07-06 07:11 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys
2009-07-06 07:11 . 2009-07-06 07:11 40288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-07-06 07:11 . 2009-07-06 07:11 85352 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\AAWDriverTool.exe
2009-07-06 07:11 . 2009-07-06 07:11 664424 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-07-06 07:11 . 2009-07-06 07:11 563064 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-07-06 07:11 . 2009-07-06 07:11 566632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-07-06 07:11 . 2009-07-06 07:11 2352968 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-07-06 07:11 . 2009-07-06 07:11 629072 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2009-07-06 07:11 . 2009-07-06 07:11 520024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-07-06 07:11 . 2009-07-06 07:11 1029456 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-07-06 07:04 . 2009-07-06 07:04 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-07-06 07:04 . 2009-03-12 08:17 2902048 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
2009-07-06 07:03 . 2009-07-06 07:03 -------- d-----w- c:\program files\Lavasoft
2009-07-06 02:13 . 2009-07-06 06:32 -------- d-sh--r- c:\windows\system32\etc
2009-07-05 02:01 . 2009-07-05 02:01 -------- d-----w- c:\documents and settings\Mumbo\Local Settings\Application Data\CAPCOM
2009-06-25 05:31 . 2009-06-25 05:31 -------- d-----w- c:\program files\PFPortChecker
2009-06-24 00:46 . 2009-06-24 00:52 -------- d-----w- c:\documents and settings\Mumbo\Application Data\ImgBurn
2009-06-24 00:29 . 2009-06-24 00:29 -------- d-----w- c:\program files\ImgBurn
2009-06-19 23:29 . 2009-06-19 23:29 -------- d-----w- c:\documents and settings\Mumbo\Local Settings\Application Data\GHOSTBUSTERS ™

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-09 20:02 . 2007-11-25 11:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-07-09 03:38 . 2007-11-25 11:46 -------- d-----w- c:\program files\Steam
2009-07-07 07:37 . 2007-11-27 18:11 -------- d-----w- c:\documents and settings\Mumbo\Application Data\Azureus
2009-07-06 07:03 . 2007-11-25 16:43 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-06 06:29 . 2009-07-06 06:29 892 ----a-w- c:\documents and settings\Mumbo\Application Data\368328.tmp
2009-07-06 02:17 . 2009-07-06 02:17 804 ----a-w- c:\documents and settings\Mumbo\Application Data\25712187.tmp
2009-07-05 22:02 . 2007-11-25 01:33 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-25 06:42 . 2007-11-27 18:10 -------- d-----w- c:\program files\Azureus
2009-06-23 05:23 . 2008-11-02 09:08 -------- d-----w- c:\documents and settings\Mumbo\Application Data\FileZilla
2009-06-19 23:21 . 2008-05-27 00:39 -------- d-----w- c:\program files\Atari
2009-06-16 20:35 . 2007-11-25 17:35 -------- d-----w- c:\program files\AIM6
2009-05-17 20:44 . 2008-06-28 19:26 -------- d-----w- c:\documents and settings\Mumbo\Application Data\Vso
2009-05-04 00:34 . 2009-05-01 00:12 98304 ----a-w- c:\documents and settings\Mumbo\Application Data\Soldat\Battleye\BEClient.dll
2009-04-22 07:20 . 2009-04-22 07:20 14311680 ----a-w- c:\windows\system32\xlive.dll
2009-04-22 07:20 . 2009-04-22 07:20 13642496 ----a-w- c:\windows\system32\xlivefnt.dll
2006-05-03 09:06 . 2008-01-10 04:30 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47 . 2008-01-10 04:30 31232 --sh--r- c:\windows\system32\msfDX.dll
2005-04-09 11:12 . 2009-07-06 06:32 209058 --sha-r- c:\windows\system32\etc\crssv.exe
2006-02-26 23:47 . 2009-07-06 06:32 293376 --sha-r- c:\windows\system32\etc\plugin.dat
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

--- c:\documents and settings\Mumbo\Application Data\25712187.tmp ---
Company: ------
File Description: ------
File Version: ------
Product Name: ------
Copyright: ------
Original Filename: ------
File size: 804
Created time: 2009-07-06 02:17
Modified time: 2009-07-06 02:17
MD5: 2A07535A80623A5F4E1FB18791A3324A
SHA1: 116B4414F6A191C7BA8A37F2EAC6366A9824BE3D


--- c:\documents and settings\Mumbo\Application Data\368328.tmp ---
Company: ------
File Description: ------
File Version: ------
Product Name: ------
Copyright: ------
Original Filename: ------
File size: 892
Created time: 2009-07-06 06:29
Modified time: 2009-07-06 06:29
MD5: 1CFF2DC4B504A38B53EC4715FA8DE24B
SHA1: A318225DACF8A8C9E9C4AE89A02669509F255BFB


--- c:\windows\system32\etc\crssv.exe ---
Company: ------
File Description: ------
File Version: ------
Product Name: ------
Copyright: ------
Original Filename: ------
File size: 209058
Created time: 2009-07-06 06:32
Modified time: 2005-04-09 11:12
MD5: EB6B89C42AFF9C69BB293C72EFFAE916
SHA1: E214C3895DCFA6DA87A3B0A5D1F383BD0E0626E7


--- c:\windows\system32\etc\plugin.dat ---
Company: ------
File Description: ------
File Version: ------
Product Name: ------
Copyright: ------
Original Filename: ------
File size: 293376
Created time: 2009-07-06 06:32
Modified time: 2006-02-26 23:47
MD5: 5C94FFDF12404805535066B9AD40ACF6
SHA1: 8FD0A90D04366EE146C003E097DC6F0791C5E671

---- Directory of c:\windows\system32\etc ----

2009-07-06 06:32 . 2006-02-26 23:47 293376 --sha-r- c:\windows\system32\etc\plugin.dat
2009-07-06 06:32 . 2005-04-09 11:12 209058 --sha-r- c:\windows\system32\etc\crssv.exe
2005-07-22 03:32 . 2005-07-22 03:32 2830 ---ha-w- c:\windows\system32\etc\logs.dat


((((((((((((((((((((((((((((( SnapShot@2009-07-08_20.37.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-25 01:21 . 2009-07-09 20:11 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-11-25 01:21 . 2009-07-08 20:14 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-11-25 01:21 . 2009-07-09 20:11 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-11-25 01:21 . 2009-07-08 20:14 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-11-25 01:21 . 2009-07-09 20:11 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2007-11-25 01:21 . 2009-07-08 20:14 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Mumbo\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-02-12 133104]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-25 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-02 582992]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-27 13684736]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-27 86016]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2004-08-04 110592]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-03-27 1657376]
"SigmatelSysTrayApp"="sttray.exe" - c:\windows\sttray.exe [2007-05-06 405504]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2009-1-2 67128]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-8-24 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 09:42 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *\0lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Mumbo^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\Mumbo\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Mumbo^Start Menu^Programs^Startup^Registration Ghost Recon Advanced Warfighter.LNK]
path=c:\documents and settings\Mumbo\Start Menu\Programs\Startup\Registration Ghost Recon Advanced Warfighter.LNK
backup=c:\windows\pss\Registration Ghost Recon Advanced Warfighter.LNKStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Mumbo^Start Menu^Programs^Startup^RollerCoaster Tycoon 3 Registration.lnk]
path=c:\documents and settings\Mumbo\Start Menu\Programs\Startup\RollerCoaster Tycoon 3 Registration.lnk
backup=c:\windows\pss\RollerCoaster Tycoon 3 Registration.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Mumbo^Start Menu^Programs^Startup^RollerCoaster Tycoon 3_ Wild Registration.lnk]
path=c:\documents and settings\Mumbo\Start Menu\Programs\Startup\RollerCoaster Tycoon 3_ Wild Registration.lnk
backup=c:\windows\pss\RollerCoaster Tycoon 3_ Wild Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3y.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"j:\\Games\\Call of Duty - World At War\\CoDWaWmp.exe"=
"j:\\Games\\Call of Duty - World At War\\CoDWaW.exe"=
"j:\\Games\\FlatOut UC\\FlatOut Ultimate Carnage\\Fouc.exe"=
"j:\\Games\\pop\\Prince of Persia.exe"=
"j:\\Games\\pop\\PrinceOfPersia_Launcher.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"j:\\Games\\Mirrors Edge\\Binaries\\MirrorsEdge.exe"=
"j:\\Games\\bionic commando rearmed\\bcr.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\trackmania nations forever\\TmForever.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\trackmania nations forever\\TmForeverLauncher.exe"=
"j:\\Games\\Burnout Paradise\\BurnoutLauncher.exe"=
"j:\\Games\\Burnout Paradise\\BurnoutConfigTool.exe"=
"j:\\Games\\Burnout Paradise\\BurnoutParadise.exe"=
"j:\\Games\\EndWar\\Tom Clancy's EndWar\\Binaries\\EndWar.exe"=
"j:\\Games\\EndWar\\Tom Clancy's EndWar\\Tom Clancy's EndWar Launcher.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"j:\\Games\\Tom Clancy's H.A.W.X\\HAWX.exe"=
"j:\\Games\\Tom Clancy's H.A.W.X\\HAWX_dx10.exe"=
"j:\\Games\\Far Cry 2\\bin\\FarCry2.exe"=
"j:\\Games\\Far Cry 2\\bin\\FC2Launcher.exe"=
"j:\\Games\\Far Cry 2\\bin\\FC2Editor.exe"=
"j:\\Games\\Prototype\\prototypef.exe"=
"j:\\Games\\Street Fighter IV\\StreetFighterIV.exe"=
"j:\\Games\\Overlord II\\Overlord2.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/6/2009 12:12 AM 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 12:06 PM 1029456]
R2 PD91Agent;PD91Agent;c:\program files\Raxco\PerfectDisk2008\PD91Agent.exe [9/9/2008 2:49 PM 693512]
R3 PPJoyBus;Parallel Port Joystick Bus device driver;c:\windows\system32\drivers\PPJoyBus.sys [1/23/2004 5:33 PM 13952]
R3 PPortJoystick;Parallel Port Joystick device driver;c:\windows\system32\drivers\PPortJoy.sys [1/23/2004 5:32 PM 28800]
S2 gupdate1c9e89a222decd4;Google Update Service (gupdate1c9e89a222decd4);c:\program files\Google\Update\GoogleUpdate.exe [6/8/2009 5:35 PM 133104]
S3 PD91Engine;PD91Engine;c:\program files\Raxco\PerfectDisk2008\PD91Engine.exe [9/9/2008 2:49 PM 906504]
S3 PortTalk;PortTalk;c:\windows\system32\drivers\PortTalk.sys [3/18/2008 8:12 PM 3567]
S3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [10/1/2006 5:37 AM 26624]
S3 TiglUsb;TiglUsb.sys TI-GRAPH / DIRECT LINK USB driver;c:\windows\system32\drivers\TiglUsb.sys [3/18/2008 8:12 PM 17024]
S3 wip0204;Wippien Network Adapter 2.4;c:\windows\system32\drivers\wip0204.sys [11/19/2008 10:38 PM 23480]
.
Contents of the 'Scheduled Tasks' folder

2009-07-06 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 07:11]

2009-07-09 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-11-25 23:37]

2009-07-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-09 00:34]

2009-07-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-09 00:34]

2009-07-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-602162358-179605362-839522115-1003Core.job
- c:\documents and settings\Mumbo\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-12 07:46]

2009-07-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-602162358-179605362-839522115-1003UA.job
- c:\documents and settings\Mumbo\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-12 07:46]

2009-06-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-11-25 21:32]

2009-05-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-11-25 21:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: &Winamp Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\Mumbo\Application Data\Mozilla\Firefox\Profiles\28zti0wj.default\
FF - prefs.js: browser.startup.homepage - yahoo.com

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-09 15:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-602162358-179605362-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:91,1b,75,08,3f,87,c2,e3,e8,a5,69,94,62,c9,96,a8,15,39,59,f5,b5,ac,f3,
72,03,46,f1,ec,b0,53,00,71,8b,fa,79,6a,99,da,a1,d4,96,72,c7,1f,42,92,fd,af,\
"??"=hex:cd,83,43,89,95,88,5a,13,cd,a4,fd,85,a2,db,70,25

[HKEY_USERS\S-1-5-21-602162358-179605362-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:57,5a,e4,0e,24,7e,11,c6,c6,a6,8a,18,ea,7a,4d,c0,83,3c,58,f9,00,
1a,5a,4c,39,aa,b9,20,77,77,62,0f,3a,4d,b0,db,39,88,9c,76,90,bc,e8,c2,37,68,\
"rkeysecu"=hex:9f,ec,e7,86,66,3c,4b,9e,90,a7,8f,84,0a,f8,a0,80
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(908)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll

- - - - - - - > 'lsass.exe'(964)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(3776)
c:\program files\Logitech\SetPoint\GameHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Seagate\Schedule2\schedul2.exe
c:\program files\IVT Corporation\BlueSoleil\BTNtService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\SigmaTel\C-Major Audio\WDM\stacsv.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\McAfee\VirusScan\Mcshield.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\program files\McAfee\MPF\MpfSrv.exe
.
**************************************************************************
.
Completion time: 2009-07-09 15:50 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-09 22:50
ComboFix2.txt 2009-07-08 20:41

Pre-Run: 488,042,496 bytes free
Post-Run: 472,285,184 bytes free

341




BTW, I don't know how to disable resident mode for Spybot and Ad-Aware. Also, should I hide my OS files again after my system is clean?

Thanks, e-tech

EDIT: My downloaded hosts file is 599 kB and, as you know, I replaced it recently and could successfully access the Steam support website. But now when I check the directory of the hosts file it is less than 1 kB. Is that normal, or was it replaced by some malicious program again?
OMG, I just noticed I can see banner ads again. What happened to my hosts file? Did one of the programs you told me to run change something?

Edited by mumbojumbo28, 10 July 2009 - 01:20 AM.
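The three entries ComboFix listed under c:\windows\system32\etc deserve more attention than the hash alone: crssv.exe and plugin.dat were both created on 2009-07-06 (the day this thread was opened) yet carry modification times from 2005 and 2006, both are marked hidden and system, and they sit in a directory that imitates the genuine system32\drivers\etc. The script below is an added example, not part of the thread and not ComboFix's own logic; it parses ComboFix-style directory lines (the three lines from the log above are embedded as sample input) and reports files that combine several of those traits. The backdating threshold, the LOOKALIKE_DIRS map and the extension list are assumptions, and a backdated modification time on its own is weak evidence, since installers routinely copy files with their original timestamps.

```python
"""Triage ComboFix directory-listing lines for disguised or backdated files.

Added example (not from the thread, not ComboFix's own logic). A ComboFix
directory line reads:

    <created> . <modified> <size> <attributes> <path>

Heuristics used here are assumptions, each weak on its own:
  * created long after modified: file copied in with a backdated mtime
  * hidden + system attributes
  * executable extension
  * parent directory that imitates a real Windows directory
"""
import re
import sys
from datetime import datetime

# The three lines from the ComboFix log in this thread, used as sample input.
SAMPLE_LINES = r"""
2009-07-06 06:32 . 2006-02-26 23:47 293376 --sha-r- c:\windows\system32\etc\plugin.dat
2009-07-06 06:32 . 2005-04-09 11:12 209058 --sha-r- c:\windows\system32\etc\crssv.exe
2005-07-22 03:32 . 2005-07-22 03:32 2830 ---ha-w- c:\windows\system32\etc\logs.dat
""".strip().splitlines()

LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+) (?P<attrs>\S+) (?P<path>.+)$"
)
TIME_FMT = "%Y-%m-%d %H:%M"

# Assumed: directories that imitate a genuine Windows location.
LOOKALIKE_DIRS = {
    r"c:\windows\system32\etc": r"c:\windows\system32\drivers\etc",
}
# Assumed: extensions treated as executable code.
EXEC_EXTS = {".exe", ".dll", ".sys", ".scr", ".com", ".pif"}


def parse_line(line):
    """Return a dict for one directory line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "created": datetime.strptime(m["created"], TIME_FMT),
        "modified": datetime.strptime(m["modified"], TIME_FMT),
        "size": int(m["size"]),
        "attrs": m["attrs"].lower(),
        "path": m["path"],
    }


def reasons_for(entry, backdate_days=30):
    """List the suspicious traits of one parsed entry (empty list = nothing)."""
    reasons = []
    path = entry["path"].lower()
    directory, _, name = path.rpartition("\\")
    ext = name[name.rfind("."):] if "." in name else ""

    gap = (entry["created"] - entry["modified"]).days
    if gap > backdate_days:
        reasons.append(f"modified time predates creation by {gap} days")
    if "h" in entry["attrs"] and "s" in entry["attrs"]:
        reasons.append("hidden+system attributes")
    if ext in EXEC_EXTS:
        reasons.append(f"executable extension {ext}")
    if directory in LOOKALIKE_DIRS:
        reasons.append(f"imitates {LOOKALIKE_DIRS[directory]}")
    return reasons


def triage_listing(lines, min_reasons=2):
    """Map path -> reasons for every entry showing at least min_reasons traits."""
    findings = {}
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = reasons_for(entry)
        if len(reasons) >= min_reasons:
            findings[entry["path"]] = reasons
    return findings


if __name__ == "__main__":
    # Pass a saved ComboFix log as argv[1]; otherwise use the sample lines.
    lines = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE_LINES
    for path, reasons in triage_listing(lines).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

Run against a saved ComboFix log it walks every directory line in the file; with no argument it scores the three sample lines, where crssv.exe collects all four traits, plugin.dat three, and logs.dat only the lookalike-directory trait and so stays below the reporting threshold.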


#6 e-tech

    The Decontaminator

  • Trusted Advisor*
  • 1,891 posts

Posted 10 July 2009 - 01:38 AM

Well done!

I don't know how to disable resident mode for Spybot and Ad-Aware.

Please disable AdWatch, as it may hinder the removal of some entries. You can re-enable it after you're clean. To disable AdWatch:
  • Open Ad-Aware SE.
  • Go to the AdWatch User Interface.
  • Go to Tools and Preferences. At the bottom of the screen you will see two options, Active and Automatic:
    Active: This will turn Ad-Watch on/off without closing it.
    Automatic: Suspicious activity will be blocked automatically.
  • Please uncheck both options. You can enable these after resolving your problem.



Please disable TeaTimer by doing the following:
  • Launch Spybot S&D, go to the Mode menu and make sure "Advanced Mode" is selected.
  • On the left hand side, click on Tools, then click on the Resident Icon in the list.
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • Click on the "System Startup" icon in the List
  • Uncheck the "TeaTimer" box and "OK" any prompts.
  • If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
  • Exit Spybot S&D when done and reboot your computer.
    (When we are done, you can re-enable TeaTimer using the same steps, but this time place a check next to "Resident TeaTimer" and check the "TeaTimer" box in System Startup.)
Please download ResetTeaTimer.zip and save it to your Desktop. Extract (unzip) the file and double-click ResetTeaTimer.bat to run the script. This will remove all entries set by TeaTimer and prevent it from restoring them upon reactivation.


Also, should I hide my OS files again after my system is clean?
Don't have to, but I'll take care of it.


My downloaded hosts file is 599 kB and, as you know, I replaced it recently and could successfully access the Steam support website. But now when I check the directory of the hosts file it is less than 1 kB. Is that normal, or was it replaced by some malicious program again?

We'll find out about that. It's normal for the hosts file in C:\WINDOWS\system32\drivers\etc to be 1 kB, but I'll take a look.


Then please
1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad and copy/paste the text in the quotebox below into it:

http://www.spywareinfoforum.com/index.php?showtopic=124765&view=findpost&p=694112
KILLALL::
Collect::
c:\windows\system32\etc\crssv.exe
Folder::
c:\windows\system32\etc

Save this as CFScript.txt




Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.



Please use the Internet Explorer browser, and do an online scan with Kaspersky Online Scanner

Note:
In Microsoft Windows Vista, you must open the Web browser using the Run as Administrator command.

If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your Desktop so that you may post it in your next reply.
**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

Please post the Kaspersky Online Scanner Report in your reply along with the ComboFix log.

Best regards

e-tech

Edited by e-tech, 10 July 2009 - 01:39 AM.

My fight is dedicated to the children with autism - please support and help these kids.

Our greatest glory is not in never falling but in rising every time we fall.
- Confucius
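On the hosts-file question raised in the previous post: the thread's own symptom (Steam's support site unreachable until the hosts file was replaced, then reachable again) is the classic effect of a hijacked hosts file, and a 599 kB file shrinking to under 1 kB is consistent with it having been reset to the stock Windows file, which holds only the localhost line; losing a large blocklist-style file is also why banner ads reappear. The script below is an added example, not part of the thread and not part of any tool named in it. It parses hosts-file text, reports entries that sinkhole or redirect sites, and tells a stock file from a populated one. SAMPLE_HOSTS is constructed for the example (it is not the poster's file) and WATCH_DOMAINS is an assumed list built from the vendors named in this thread.

```python
"""Audit a Windows hosts file for sinkholed or redirected sites.

Added example, not from the thread and not part of any tool named in it.
A hosts line is "<address> <hostname> [<hostname> ...]"; anything after '#'
is a comment. Two things are checked:
  * a watched domain (assumed list below) mapped anywhere at all, which is
    how an infection blocks support and security-vendor sites
  * any hostname mapped to a non-local address, which silently redirects it
Blocklist-style files map ad hosts to 0.0.0.0 or 127.0.0.1, which is
benign and is not reported.
"""
import ipaddress
import sys

# Assumed list built from the vendors named in this thread.
WATCH_DOMAINS = ("steampowered.com", "mcafee.com", "kaspersky.com", "lavasoft.com")

# Constructed sample (not the poster's file): the Windows default entry,
# one blocklist-style entry, and two hijack-style entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ads.example.net            # blocklist style, benign
127.0.0.1       support.steampowered.com   # sinkholed to loopback
192.0.2.10      www.steampowered.com       # redirected (RFC 5737 test address)
"""

DEFAULT_HOSTS = "# stock Windows hosts file\n127.0.0.1       localhost\n"


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs; comments, blanks and bad lines skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address; a full audit would report it
        for host in fields[1:]:
            yield addr, host.lower()


def is_watched(host):
    """True for a watched domain or any subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in WATCH_DOMAINS)


def audit_hosts(text):
    """Return (hostname, address, reason) for every entry that blocks or redirects."""
    findings = []
    for addr, host in parse_hosts(text):
        if host in ("localhost", "localhost.localdomain") and addr.is_loopback:
            continue  # the one mapping every hosts file should have
        local = addr.is_loopback or addr.is_unspecified
        if is_watched(host):
            verb = "sinkholed" if local else "redirected"
            findings.append((host, str(addr), f"watched domain {verb} to {addr}"))
        elif not local:
            findings.append((host, str(addr), f"redirected to non-local address {addr}"))
    return findings


def only_default_entries(text):
    """True when the file maps nothing but localhost, i.e. it is the stock file."""
    return all(host.startswith("localhost") and addr.is_loopback
               for addr, host in parse_hosts(text))


if __name__ == "__main__":
    # Pass the real file as argv[1] (on XP: C:\WINDOWS\system32\drivers\etc\hosts).
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    if only_default_entries(text):
        print("stock hosts file: only localhost is mapped")
    else:
        print(f"{len(list(parse_hosts(text)))} mappings present")
    for host, addr, reason in audit_hosts(text):
        print(f"{host:40} {addr:16} {reason}")
```

On the sample content the blocklist entry for ads.example.net is ignored, while both steampowered.com entries are reported, one as sinkholed to loopback and one as redirected to a remote address; a stock file produces no findings and is recognised as containing only the localhost mapping.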


#7 e-tech


Posted 13 July 2009 - 01:29 PM

Is everything alright? :)



#8 e-tech


Posted 21 July 2009 - 05:24 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.





