Author Topic: INFECTED PC NO2


DR M

  • Jr. Member
  • Posts: 90
INFECTED PC NO2
« on: October 24, 2011, 08:53:30 AM »
Good morning to all of you!

I think that viruses similar to those on my computer mentioned in my other topic also got inside another computer I used.

HERE ARE THE LOG REPORTS:

A. SECURITY CHECK:

 Results of screen317's Security Check version 0.99.24 
 Windows XP Service Pack 3 x86   
 Internet Explorer 6 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

 Windows Security Center service is not running! This report may not be accurate!
 Windows Firewall Enabled! 
 WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

 SUPERAntiSpyware Professional   
 Java 2 Runtime Environment, SE v1.4.2_01
  Adobe Flash Player (   10.3.183.7) Flash Player Out of Date! 
 Mozilla Firefox (x86 en-US..)
````````````````````````````````
Process Check: 
objlist.exe by Laurent

``````````End of Log````````````


B. DDS 1

.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 6.0.2900.5512
Run by Administrator at 7:50:35 on 2011-10-24
Microsoft Windows XP Professional  5.1.2600.3.1253.30.1033.18.1527.1248 [GMT 3:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\1828652727:1224278163.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT1060933
uSearch Bar = hxxp://go.compaq.com/1Q00CDT/0409/bl8.asp
mStart Page = hxxp://go.compaq.com/1Q00CDT/0409/bl7.asp
mSearch Bar = hxxp://go.compaq.com/1Q00CDT/0409/bl8.asp
uURLSearchHooks: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\prxtbFree.dll
uWinlogon: Shell=c:\documents and settings\administrator\local settings\application data\b706ff6c\X
BHO: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\prxtbFree.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
BHO: Complitly: {d27fc31c-6e3d-4305-8d53-acdaefa5f862} - c:\documents and settings\administrator\application data\complitly\Complitly.dll
TB: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\prxtbFree.dll
TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SunJavaUpdateSched] c:\program files\java\j2re1.4.2_01\bin\jusched.exe
mRun: [DrvLsnr] c:\program files\analog devices\soundmax\DrvLsnr.exe
mRun: [srmclean] c:\cpqs\scom\srmclean.exe
mRun: [SetRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [Freecorder FLV Service] "c:\program files\freecorder\FLVSrvc.exe" /run
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
LSP: mswsock.dll
DPF: {CAFEEFAC-0014-0002-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
TCP: DhcpNameServer = 192.168.10.254
TCP: Interfaces\{F9E43B5C-D8CC-4758-AB5D-574AAC721C8C} : DhcpNameServer = 192.168.10.254
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxsrvc.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
LSA: Authentication Packages = msv1_0 nwprovau
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\966rmx99.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1060933&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Search the web (Babylon)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
.
============= SERVICES / DRIVERS ===============
.
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-13 74480]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-9-22 136176]
S2 KMService;KMService;c:\windows\system32\srvany.exe [2011-10-12 8192]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-9-22 136176]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2010-3-25 30969208]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 7408]
.
=============== Created Last 30 ================
.
2011-10-19 07:29:53   --------   d-----w-   c:\documents and settings\administrator\local settings\application data\Babylon
2011-10-19 07:29:52   --------   d-----w-   c:\documents and settings\all users\application data\Babylon
2011-10-19 07:29:52   --------   d-----w-   c:\documents and settings\administrator\application data\Babylon
2011-10-19 07:28:10   --------   d-sh--w-   c:\documents and settings\administrator\local settings\application data\b706ff6c
2011-10-13 09:54:44   2167024   ----a-w-   c:\documents and settings\administrator\local settings\application data\setup.exe
2011-10-13 09:54:21   459088   ----a-w-   c:\documents and settings\administrator\local settings\application data\promo.exe
2011-10-12 07:25:09   8192   ----a-w-   c:\windows\system32\srvany.exe
2011-10-12 07:25:09   155648   ----a-w-   c:\windows\KMService.exe
2011-10-12 07:19:28   --------   d-----w-   c:\program files\Microsoft Synchronization Services
2011-10-12 07:19:08   --------   d-----w-   c:\program files\Microsoft SQL Server Compact Edition
2011-10-11 10:27:43   --------   d-----w-   c:\program files\Microsoft Visual Studio 8
2011-10-10 10:16:33   --------   d-----w-   c:\windows\system32\LogFiles
2011-10-07 06:14:05   --------   d-----w-   C:\45715f4ec0da17e208362f20e593
2011-10-05 09:24:16   --------   d-----w-   c:\documents and settings\administrator\local settings\application data\Microsoft_Research
2011-10-05 09:24:09   --------   d-----w-   c:\documents and settings\administrator\application data\Plogue
2011-10-05 09:24:00   --------   d-----w-   c:\documents and settings\administrator\local settings\application data\Songsmith
2011-10-05 09:19:17   --------   d-----w-   c:\program files\Songsmith
2011-10-05 09:08:30   --------   d-----w-   c:\windows\system32\XPSViewer
2011-10-05 09:07:47   89088   ----a-w-   c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
2011-10-05 09:07:29   14048   ------w-   c:\windows\system32\spmsg2.dll
2011-10-04 09:31:41   --------   d-----w-   c:\program files\uTorrent
2011-10-04 09:31:11   --------   d-----w-   c:\documents and settings\administrator\local settings\application data\uTorrent
2011-10-04 09:31:11   --------   d-----w-   c:\documents and settings\administrator\application data\uTorrent
2011-10-03 09:37:35   --------   d-----w-   c:\documents and settings\administrator\application data\PriceGong
2011-09-30 07:41:21   --------   d-----w-   c:\windows\Κρεμάλα
2011-09-30 07:41:21   --------   d-----w-   c:\program files\Κρεμάλα
2011-09-29 10:25:37   69120   ----a-w-   c:\windows\system32\spool\prtprocs\w32x86\hpzpp43e.DLL
2011-09-29 10:25:36   323584   ----a-r-   c:\windows\system32\hpbicoin.dll
2011-09-26 10:13:15   --------   d-----w-   c:\documents and settings\administrator\local settings\application data\Adobe
2011-09-26 09:26:37   --------   d-----w-   c:\program files\Intelore
2011-09-26 08:41:20   220160   ------w-   c:\windows\system32\dllcache\oleacc.dll
2011-09-26 08:41:14   20480   ------w-   c:\windows\system32\dllcache\oleaccrc.dll
.
==================== Find3M  ====================
.
2011-09-26 08:41:20   611328   ----a-w-   c:\windows\system32\uiautomationcore.dll
2011-09-26 08:41:20   220160   ----a-w-   c:\windows\system32\oleacc.dll
2011-09-26 08:41:14   20480   ----a-w-   c:\windows\system32\oleaccrc.dll
2011-09-16 09:48:37   404640   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-09 09:12:13   599040   ----a-w-   c:\windows\system32\crypt32.dll
2011-09-06 13:20:51   1858944   ----a-w-   c:\windows\system32\win32k.sys
2011-09-05 13:56:22   667136   ----a-w-   c:\windows\system32\wininet.dll
2011-09-05 13:56:22   61952   ----a-w-   c:\windows\system32\tdc.ocx
2011-09-05 13:56:21   81920   ------w-   c:\windows\system32\ieencode.dll
2011-09-05 12:35:09   369664   ------w-   c:\windows\system32\html.iec
2011-08-17 13:49:54   138496   ----a-w-   c:\windows\system32\drivers\afd.sys
2011-08-12 10:51:26   26488   ----a-w-   c:\windows\system32\spupdsvc.exe
.
============= FINISH:  7:51:17.81 ===============


C. DDS 2

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 2/22/2010 1:27:25 PM
System Uptime: 10/24/2011 7:43:21 AM (0 hours ago)
.
Motherboard: Hewlett-Packard |  | 085Ch
Processor:               Intel(R) Pentium(R) 4 CPU 2.80GHz | XU1 PROCESSOR | 2793/800mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 37 GiB total, 22.712 GiB free.
D: is CDROM ()
E: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP45: 9/16/2011 9:24:24 AM - System Checkpoint
RP46: 9/19/2011 9:52:20 AM - Software Distribution Service 3.0
RP47: 9/20/2011 11:04:43 AM - System Checkpoint
RP48: 9/21/2011 8:04:16 AM - Software Distribution Service 3.0
RP49: 9/22/2011 12:10:34 PM - System Checkpoint
RP50: 9/26/2011 8:07:20 AM - System Checkpoint
RP51: 9/26/2011 1:13:48 PM - Installed Adobe Reader 9.4.0.
RP52: 9/28/2011 11:01:28 AM - System Checkpoint
RP53: 9/29/2011 11:54:44 AM - System Checkpoint
RP54: 9/29/2011 1:25:12 PM - Installed HP Standard Port Monitor
RP55: 9/29/2011 1:29:55 PM - Installed HP Standard Port Monitor
RP56: 9/29/2011 1:31:46 PM - Installed HP Standard Port Monitor
RP57: 9/30/2011 1:07:12 PM - Installed HP Standard Port Monitor
RP58: 9/30/2011 1:26:22 PM - Installed HP Standard Port Monitor
RP59: 9/30/2011 1:27:18 PM - Installed User Guide
RP60: 9/30/2011 1:27:25 PM - Installed Install Notes
RP61: 10/3/2011 9:51:19 AM - System Checkpoint
RP62: 10/4/2011 11:21:44 AM - System Checkpoint
RP63: 10/5/2011 12:07:29 PM - Installed %1 %2.
RP64: 10/5/2011 12:07:35 PM - Printer Driver Microsoft XPS Document Writer Installed
RP65: 10/5/2011 12:19:15 PM - Installed Songsmith
RP66: 10/7/2011 9:10:30 AM - Software Distribution Service 3.0
RP67: 10/10/2011 7:52:16 AM - Printer Driver Microsoft XPS Document Writer Installed
RP68: 10/10/2011 1:08:13 PM - Software Distribution Service 3.0
RP69: 10/11/2011 7:55:34 AM - Software Distribution Service 3.0
RP70: 10/11/2011 1:26:12 PM - Installed Microsoft Office Language Pack 2010 - Greek/Ελληνικά
RP71: 10/11/2011 1:32:08 PM - Printer Driver Send To Microsoft OneNote 2010 Driver Installed
RP72: 10/12/2011 10:14:12 AM - Uninstalled with Total Uninstall "Microsoft .NET Framework 3.0 Service Pack 2"
RP73: 10/12/2011 10:15:17 AM - Installed Microsoft Office Professional Plus 2010
RP74: 10/12/2011 10:40:30 AM - Uninstalled with Total Uninstall "Babylon toolbar on IE"
RP75: 10/12/2011 10:42:02 AM - Uninstalled with Total Uninstall "EasyDownloads - fastest downloads in two clicks!"
RP76: 10/13/2011 7:51:05 AM - Software Distribution Service 3.0
RP77: 10/13/2011 12:57:47 PM - Installed Windows XP KB942288-v3.
RP78: 10/13/2011 1:03:02 PM - Uninstalled with Total Uninstall "DownVision"
RP79: 10/19/2011 10:33:55 AM - Uninstalled with Total Uninstall "EasyDownloads - fastest downloads in two clicks!"
RP80: 10/20/2011 11:22:38 AM - Restore Operation
.
==== Installed Programs ======================
.
µTorrent
Κρεμάλα
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.4.0
Audacity 1.2.6
Broadcom Management Programs
Click to Call with Skype
Complitly
Conduit Engine
Finale 2009
Finale 2011
Freecorder 5
Freecorder Toolbar
Google Chrome
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB942288-v3)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB976002-v5)
HP Color LaserJet CP4005
HP LaserJet Fonts
Install Notes
Intel(R) Extreme Graphics Driver
InterVideo WinDVD
Java 2 Runtime Environment, SE v1.4.2_01
Kidspiration 3 IE
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Office Access MUI (English) 2010
Microsoft Office Access MUI (Greek) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Excel MUI (Greek) 2010
Microsoft Office Groove MUI (English) 2010
Microsoft Office Groove MUI (Greek) 2010
Microsoft Office InfoPath MUI (English) 2010
Microsoft Office InfoPath MUI (Greek) 2010
Microsoft Office Language Pack 2010 - Greek/Ελληνικά
Microsoft Office O MUI (Greek) 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office OneNote MUI (Greek) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office Outlook MUI (Greek) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office PowerPoint MUI (Greek) 2010
Microsoft Office Professional Plus 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (German) 2010
Microsoft Office Proof (Greek) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Proofing (Greek) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Publisher MUI (Greek) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared MUI (Greek) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office SharePoint Designer MUI (Greek) 2010
Microsoft Office Word MUI (English) 2010
Microsoft Office Word MUI (Greek) 2010
Microsoft Office X MUI (Greek) 2010
Microsoft Software Update for Web Folders  (English) 14
Microsoft Software Update for Web Folders  (Greek) 14
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mozilla Firefox 6.0.2 (x86 en-US)
MSXML 6.0 Parser (KB925673)
RAR Password Recovery v1.1 RC16 (remove only)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2497640)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2510581)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2530548)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544521)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2559049)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2586448)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982665)
Skype™ 5.3
Software Setup
Songsmith
SoundMAX
SUPERAntiSpyware Professional
Text to Speech XP
Total Uninstall 5.2.0
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2616676-v2)
Update for Windows XP (KB2616676)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
User Guide
VLC media player 1.1.0
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Presentation Foundation
Windows XP Service Pack 3
WinRAR archiver
XML Paper Specification Shared Components Pack 1.0
.
==== Event Viewer Messages From Past Week ========
.
10/21/2011 1:43:13 PM, error: Service Control Manager [7009]  - Timeout (30000 milliseconds) waiting for the KMService service to connect.
10/21/2011 1:43:13 PM, error: Service Control Manager [7000]  - The SoundMAX Agent Service service failed to start due to the following error:  Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
10/21/2011 1:43:13 PM, error: Service Control Manager [7000]  - The Pml Driver HPZ12 service failed to start due to the following error:  Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
10/21/2011 1:43:13 PM, error: Service Control Manager [7000]  - The KMService service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
10/20/2011 8:11:18 AM, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL Tcpip
10/20/2011 8:11:18 AM, error: Service Control Manager [7001]  - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error:  A device attached to the system is not functioning.
10/20/2011 8:11:18 AM, error: Service Control Manager [7001]  - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error:  A device attached to the system is not functioning.
10/20/2011 8:11:18 AM, error: Service Control Manager [7001]  - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:  A device attached to the system is not functioning.
10/20/2011 8:11:18 AM, error: Service Control Manager [7001]  - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error:  A device attached to the system is not functioning.
10/20/2011 8:11:15 AM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
10/20/2011 8:11:15 AM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
10/20/2011 7:49:56 AM, error: Service Control Manager [7023]  - The Network Location Awareness (NLA) service terminated with the following error:  The specified procedure could not be found.
10/20/2011 7:49:48 AM, error: Service Control Manager [7009]  - Timeout (30000 milliseconds) waiting for the Altiris Client Service service to connect.
10/20/2011 7:49:48 AM, error: Service Control Manager [7000]  - The Altiris Client Service service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
10/20/2011 7:49:19 AM, error: sr [1]  - The System Restore filter encountered the unexpected error '0xC0000243' while processing the file 'netbt.sys' on the volume 'HarddiskVolume1'.  It has stopped monitoring the volume.
10/20/2011 11:59:57 AM, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  Fips intelppm SASDIFSV SASKUTIL
10/20/2011 11:17:41 AM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
.
==== End Of File ===========================



DR M

  • Jr. Member
  • Posts: 90
Re: INFECTED PC NO2
« Reply #1 on: October 24, 2011, 08:59:12 AM »
I have made a ComboFix scan. The first time, it asked me about the Recovery Console and I installed it. It then made a restart, but ComboFix did not start and no log popped up. So I ran ComboFix again, and after the restart the following log popped up:

COMBOFIX LOG REPORT:

ComboFix 11-10-21.05 - Administrator 10/24/2011   8:09.1.1 - x86
Microsoft Windows XP Professional  5.1.2600.3.1253.30.1033.18.1527.1135 [GMT 3:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Application Data\PriceGong
c:\documents and settings\Administrator\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\Administrator\Local Settings\Application Data\b706ff6c
c:\documents and settings\Administrator\Local Settings\Application Data\b706ff6c\@
c:\documents and settings\Administrator\Local Settings\Application Data\b706ff6c\U\80000000.@
c:\documents and settings\Administrator\Local Settings\Application Data\b706ff6c\U\800000cb.@
c:\documents and settings\Administrator\Local Settings\Application Data\b706ff6c\X
c:\documents and settings\Administrator\Local Settings\Application Data\promo.exe
c:\documents and settings\Administrator\Local Settings\Application Data\Setup.exe
c:\program files\messenger\msmsgsin.exe
c:\program files\msn\msncorefiles\custdial.dll
c:\program files\msn\msncorefiles\logonmgr.dll
c:\windows\
c:\windows\{2521BB91-29B1-4d7e-9137-AC9875D77735}
c:\windows\help\tours\htmltour\unlock_playing.htm
c:\windows\system32\
c:\windows\system32\drivers\fad.sys
c:\windows\tsoc.log
.
Infected copy of c:\windows\system32\drivers\usbport.sys was found and disinfected
Restored copy from - The cat found it :)
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_b706ff6c
.
.
(((((((((((((((((((((((((   Files Created from 2011-09-24 to 2011-10-24  )))))))))))))))))))))))))))))))
.
.
2011-10-19 07:29 . 2011-10-19 07:29   --------   d-----w-   c:\documents and settings\Administrator\Local Settings\Application Data\Babylon
2011-10-19 07:29 . 2011-10-19 07:29   --------   d-----w-   c:\documents and settings\All Users\Application Data\Babylon
2011-10-19 07:29 . 2011-10-19 07:29   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Babylon
2011-10-12 07:25 . 2011-10-21 08:12   8192   ----a-w-   c:\windows\system32\srvany.exe
2011-10-12 07:25 . 2011-10-21 07:44   155648   ----a-w-   c:\windows\KMService.exe
2011-10-12 07:19 . 2011-10-12 07:19   --------   d-----w-   c:\program files\Microsoft Synchronization Services
2011-10-12 07:19 . 2011-10-12 07:19   --------   d-----w-   c:\program files\Microsoft.NET
2011-10-12 07:19 . 2011-10-12 07:19   --------   d-----w-   c:\program files\Microsoft SQL Server Compact Edition
2011-10-11 10:27 . 2011-10-11 10:27   --------   d-----w-   c:\program files\Microsoft Visual Studio 8
2011-10-10 10:16 . 2011-10-10 10:16   --------   d-----w-   c:\windows\system32\LogFiles
2011-10-07 06:14 . 2011-10-07 06:14   --------   d-----w-   C:\45715f4ec0da17e208362f20e593
2011-10-05 09:24 . 2011-10-05 09:24   --------   d-----w-   c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft_Research
2011-10-05 09:24 . 2011-10-05 09:24   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Plogue
2011-10-05 09:24 . 2011-10-05 09:24   --------   d-----w-   c:\documents and settings\Administrator\Local Settings\Application Data\Songsmith
2011-10-05 09:19 . 2011-10-05 09:22   --------   d-----w-   c:\program files\Songsmith
2011-10-05 09:08 . 2011-10-07 06:14   --------   d-----w-   c:\windows\system32\XPSViewer
2011-10-05 09:07 . 2011-10-05 09:07   --------   d-----w-   c:\program files\Reference Assemblies
2011-10-05 09:07 . 2008-07-06 12:06   89088   ----a-w-   c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2011-10-05 09:07 . 2006-06-29 10:07   14048   ------w-   c:\windows\system32\spmsg2.dll
2011-10-04 09:31 . 2011-10-04 09:31   --------   d-----w-   c:\program files\uTorrent
2011-10-04 09:31 . 2011-10-05 08:58   --------   d-----w-   c:\documents and settings\Administrator\Application Data\uTorrent
2011-10-04 09:31 . 2011-10-04 09:31   --------   d-----w-   c:\documents and settings\Administrator\Local Settings\Application Data\uTorrent
2011-09-30 07:41 . 2011-09-30 07:41   --------   d-----w-   c:\program files\Κρεμάλα
2011-09-30 07:41 . 2011-09-30 07:41   --------   d-----w-   c:\windows\Κρεμάλα
2011-09-29 10:26 . 2011-09-30 10:27   --------   d-----w-   c:\program files\Hewlett-Packard
2011-09-29 10:25 . 2006-04-25 03:07   69120   ----a-w-   c:\windows\system32\Spool\prtprocs\w32x86\hpzpp43e.DLL
2011-09-29 10:25 . 2006-05-31 10:03   323584   ----a-r-   c:\windows\system32\hpbicoin.dll
2011-09-29 10:25 . 2011-09-29 10:25   --------   dc----w-   c:\windows\system32\DRVSTORE
2011-09-28 07:46 . 2011-09-28 07:46   --------   d-----w-   c:\windows\system32\config\systemprofile\Local Settings\Application Data\Google
2011-09-26 10:13 . 2011-09-26 10:14   --------   d-----w-   c:\program files\Common Files\Adobe
2011-09-26 10:13 . 2011-09-26 10:15   --------   d-----w-   c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2011-09-26 09:26 . 2011-09-26 09:26   --------   d-----w-   c:\program files\Intelore
2011-09-26 08:41 . 2011-09-26 08:41   220160   ------w-   c:\windows\system32\dllcache\oleacc.dll
2011-09-26 08:41 . 2011-09-26 08:41   20480   ------w-   c:\windows\system32\dllcache\oleaccrc.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-26 08:41 . 2008-07-29 16:59   611328   ----a-w-   c:\windows\system32\uiautomationcore.dll
2011-09-26 08:41 . 2001-08-18 05:36   220160   ----a-w-   c:\windows\system32\oleacc.dll
2011-09-26 08:41 . 2001-08-18 05:35   20480   ----a-w-   c:\windows\system32\oleaccrc.dll
2011-09-16 09:48 . 2011-05-26 08:51   404640   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-09 09:12 . 2002-08-29 10:40   599040   ----a-w-   c:\windows\system32\crypt32.dll
2011-09-06 13:20 . 2002-08-29 09:14   1858944   ----a-w-   c:\windows\system32\win32k.sys
2011-09-05 13:56 . 2002-08-29 10:41   667136   ----a-w-   c:\windows\system32\wininet.dll
2011-09-05 13:56 . 2001-08-18 05:35   61952   ----a-w-   c:\windows\system32\tdc.ocx
2011-09-05 13:56 . 2011-01-21 06:10   81920   ------w-   c:\windows\system32\ieencode.dll
2011-09-05 12:35 . 2011-01-21 06:10   369664   ------w-   c:\windows\system32\html.iec
2011-08-17 13:49 . 2002-08-29 09:01   138496   ----a-w-   c:\windows\system32\drivers\afd.sys
2011-08-12 10:51 . 2011-01-21 06:05   26488   ----a-w-   c:\windows\system32\spupdsvc.exe
2011-09-03 06:01 . 2011-09-16 09:40   134104   ----a-w-   c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\prxtbFree.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
2011-01-17 13:54   175912   ----a-w-   c:\program files\Freecorder\prxtbFree.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2011-01-17 13:54   175912   ----a-w-   c:\program files\ConduitEngine\prxConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\prxtbFree.dll" [2011-01-17 175912]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\prxConduitEngine.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{1392B8D2-5C05-419F-A8F6-B9F15A596612}"= "c:\program files\Freecorder\prxtbFree.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-05 2002160]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-03-11 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-03-11 114688]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_01\bin\jusched.exe" [2003-08-20 32873]
"DrvLsnr"="c:\program files\Analog Devices\SoundMAX\DrvLsnr.exe" [2002-05-28 69632]
"srmclean"="c:\cpqs\Scom\srmclean.exe" [2001-07-24 36864]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2002-08-07 485376]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"Freecorder FLV Service"="c:\program files\Freecorder\FLVSrvc.exe" [2011-03-24 167936]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 11:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 03:42   1695232   ----a-w-   c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2011-06-15 12:02   15141768   ----a-r-   c:\program files\Skype\Phone\Skype.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10w_Plugin.exe"=
"c:\\Program Files\\Google\\Update\\GoogleUpdate.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe"=
"c:\\Program Files\\Complitly\\InstTracker.exe"=
"c:\\Program Files\\Freecorder\\FCVideo.exe"=
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 7:27 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/13/2011 12:55 AM 74480]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/22/2011 12:35 PM 136176]
S2 KMService;KMService;c:\windows\system32\srvany.exe [10/12/2011 10:25 AM 8192]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [9/22/2011 12:35 PM 136176]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [3/25/2010 10:25 AM 30969208]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 10:37 PM 4640000]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 7408]
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cc790c11e5e7f0.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-09-22 09:35]
.
2011-10-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-09-22 09:35]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT1060933
mStart Page = hxxp://go.compaq.com/1Q00CDT/0409/bl7.asp
mSearch Bar = hxxp://go.compaq.com/1Q00CDT/0409/bl8.asp
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.10.254
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\966rmx99.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1060933&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Search the web (Babylon)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: network.proxy.type - 4
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-24 08:17
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(652)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
.
- - - - - - - > 'explorer.exe'(3000)
c:\documents and settings\Administrator\Local Settings\Application Data\FLVService\lib\FLVSrvLib.dll
c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf
c:\progra~1\MICROS~2\Office14\1033\GrooveIntlResource.dll
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\msiexec.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-10-24  08:21:02 - machine was rebooted
ComboFix-quarantined-files.txt  2011-10-24 05:21
.
Pre-Run: 22,636,158,976 bytes free
Post-Run: 22,728,814,592 bytes free
.
- - End Of File - - 75A26516E01A25DD13899536F467D6CA


And then an ESET online scan:


ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=6.00.2900.5512 (xpsp.080413-2105)
# OnlineScanner.ocx=1.0.0.6528
# api_version=3.0.2
# EOSSerial=47965acecdd8514aa4219bfa3070086d
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-10-24 07:03:01
# local_time=2011-10-24 10:03:01 (+0200, GTB Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=8192 67108863 100 0 195 195 0 0
# scanned=67769
# found=26
# cleaned=0
# scan_time=3072
C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Local Settings\Application Data\promo.exe.vir   Win32/TrojanDownloader.Adload.NIU trojan (unable to clean)   00000000000000000000000000000000   I
C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Local Settings\Application Data\b706ff6c\X.vir   Win32/Sirefef.DD trojan (unable to clean)   00000000000000000000000000000000   I
C:\Qoobox\Quarantine\C\WINDOWS\ .vir   a variant of Win32/HackKMS.A application (unable to clean)   00000000000000000000000000000000   I
C:\Qoobox\Quarantine\C\WINDOWS\assembly\GAC_MSIL\desktop.ini.vir   a variant of Win32/Sirefef.CH trojan (unable to clean)   00000000000000000000000000000000   I
C:\System Volume Information\_restore{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP73\A0025735.exe   a variant of Win32/HackKMS.A application (unable to clean)   00000000000000000000000000000000   I
C:\System Volume Information\_restore{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP73\A0026570.exe   a variant of Win32/HackKMS.A application (unable to clean)   00000000000000000000000000000000   I
C:\System Volume Information\_restore{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP79\A0027088.exe   Win32/TrojanDownloader.Adload.NIW trojan (unable to clean)   00000000000000000000000000000000   I
C:\System Volume Information\_restore{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP79\A0027097.exe   a variant of Win32/HackKMS.A application (unable to clean)   00000000000000000000000000000000   I
C:\System Volume Information\_restore{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP79\A0029104.sys   a variant of Win32/Rootkit.Kryptik.EL trojan (unable to clean)   00000000000000000000000000000000   I
C:\System Volume Information\_restore{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP79\A0029105.ini   a variant of Win32/Sirefef.CH trojan (unable to clean)   00000000000000000000000000000000   I
C:\System Volume Information\_restore{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP80\A0030147.sys   a variant of Win32/Rootkit.Kryptik.EL trojan (unable to clean)   00000000000000000000000000000000   I
C:\System Volume Information\_restore{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP80\A0030148.ini   a variant of Win32/Sirefef.CH trojan (unable to clean)   00000000000000000000000000000000   I
C:\System Volume Information\_restore{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP80\A0031167.sys   a variant of Win32/Rootkit.Kryptik.EL trojan (unable to clean)   00000000000000000000000000000000   I
C:\System Volume Information\_restore{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP80\A0031168.ini   a variant of Win32/Sirefef.CH trojan (unable to clean)   00000000000000000000000000000000   I
C:\System Volume Information\_restore{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP80\A0031188.sys   a variant of Win32/Rootkit.Kryptik.EL trojan (unable to clean)   00000000000000000000000000000000   I
C:\System Volume Information\_restore{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP80\A0031189.ini   a variant of Win32/Sirefef.CH trojan (unable to clean)   00000000000000000000000000000000   I
C:\System Volume Information\_restore{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP80\A0032206.sys   a variant of Win32/Rootkit.Kryptik.EL trojan (unable to clean)   00000000000000000000000000000000   I
C:\System Volume Information\_restore{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP80\A0032207.ini   a variant of Win32/Sirefef.CH trojan (unable to clean)   00000000000000000000000000000000   I
C:\System Volume Information\_restore{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP80\A0032234.exe   a variant of Win32/Injector.BBZ trojan (unable to clean)   00000000000000000000000000000000   I
C:\System Volume Information\_restore{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP80\A0032239.exe   a variant of Win32/Injector.BBZ trojan (unable to clean)   00000000000000000000000000000000   I
C:\System Volume Information\_restore{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP80\A0032244.exe   a variant of Win32/Injector.BBZ trojan (unable to clean)   00000000000000000000000000000000   I
C:\System Volume Information\_restore{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP80\A0032245.exe   a variant of Win32/Injector.BBZ trojan (unable to clean)   00000000000000000000000000000000   I
C:\System Volume Information\_restore{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP80\A0033234.sys   a variant of Win32/Rootkit.Kryptik.EL trojan (unable to clean)   00000000000000000000000000000000   I
C:\System Volume Information\_restore{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP80\A0033235.ini   a variant of Win32/Sirefef.CH trojan (unable to clean)   00000000000000000000000000000000   I
C:\System Volume Information\_restore{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP81\A0034340.exe   Win32/TrojanDownloader.Adload.NIU trojan (unable to clean)   00000000000000000000000000000000   I
C:\WINDOWS\system32\drivers\netbt.sys   a variant of Win32/Rootkit.Kryptik.EL trojan (unable to clean)   00000000000000000000000000000000   I


I AM WAITING FOR YOUR REPLY!

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • Posts: 11530
  • "Stronger than the past, united in our goal."
    • Security Garden
Re: INFECTED PC NO2
« Reply #2 on: October 24, 2011, 02:34:15 PM »
Hi, DR M.

I will take a closer look at your logs later as I will be going out for a while.  In the meantime, please uninstall Java 2 Runtime Environment, SE v1.4.2_01.  If you need Java on this computer like the other, download and install Java SE Runtime Environment 6u27.   

Note:  UNCHECK any pre-checked toolbar and/or software options presented with the update.  They are not part of the software update and are completely optional.   

Also, what antivirus software/firewall were you using on this machine? 

Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline DR M

  • Jr. Member
  • Posts: 90
Re: INFECTED PC NO2
« Reply #3 on: October 24, 2011, 06:36:57 PM »
Hi, DR M.

I will take a closer look at your logs later as I will be going out for a while.  In the meantime, please uninstall Java 2 Runtime Environment, SE v1.4.2_01.  If you need Java on this computer like the other, download and install Java SE Runtime Environment 6u27.   

Note:  UNCHECK any pre-checked toolbar and/or software options presented with the update.  They are not part of the software update and are completely optional.   

Also, what antivirus software/firewall were you using on this machine?




This PC, unfortunately, is not mine, so I cannot work on it now. Tomorrow morning I will uninstall Java. The PC has no antivirus, only SUPERAntiSpyware, which cannot run because of the viruses, I guess...

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • Posts: 11530
  • "Stronger than the past, united in our goal."
    • Security Garden
Re: INFECTED PC NO2
« Reply #4 on: October 24, 2011, 11:06:00 PM »
Hi, MR M.

First things first, it is not advisable to run ComboFix unless under the supervision of a trained analyst.  Using it in the wrong circumstances can result in an unrepairable situation.  You can uninstall it now.

Please do the following to implement cleanup procedures and also to reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

Note: In the event you wish to contribute to the ongoing development of ComboFix, the developer is accepting donations via PayPal.


Now that we've gotten past that, I am sorry, MR M, but we have a serious problem here.  As I understand this is not your computer, you would not likely have known.  There is evidence of pirated software on the computer, including both a keygen and a password recovery tool.

My recommendation to you is to advise the computer owner to do a clean install, including a firewall and an antivirus software.  Use of P2P software and cracks is what got the computer so severely infected. 

Use of keygens and the like is just plain stealing.  In addition, although cracked/warez versions of programs sound "good" and "cheap", they can cause all sorts of headaches and, as shown in the logs, damage to the computer.  No reputable forum will support any method of cracking, warez, workarounds, providing any methods, tools, or posting of links designed for this express purpose.

There are people who have spent a great deal of money on developing and testing hardware and software, marketing and distributing it, and then on education and support for it. They have spent long, tedious, difficult and brain-numbing days/nights on their endeavor. They are attempting to make an honest living and feed their families.

We will not support the thieves who rip them off and cheat them out of the fruits of their labor.

This topic is closed.

Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline winchester73

  • Administrator
  • Hero Member
  • Posts: 5123
  • Half a bubble off plumb
Re: INFECTED PC NO2
« Reply #5 on: October 25, 2011, 01:17:22 AM »
although cracked/warez versions of programs sound "good" and "cheap", they can cause all sorts of headaches and, as shown in the logs, damage to the computer.  No reputable forum will support any method of cracking, warez, workarounds, providing any methods, tools, or posting of links designed for this express purpose.

There are people who have spent a great deal of money on developing and testing hardware and software, marketing and distributing it, and then on education and support for it. They have spent long, tedious, difficult and brain-numbing days/nights on their endeavor. They are attempting to make an honest living and feed their families.

We will not support the thieves who rip them off and cheat them out of the fruits of their labor.

Amen  :rose:
Speak softly, but carry a big Winchester ... Winchester Arms Collectors Association member