TechSpot

[Closed] TDL3/Allurian and maybe more

By fopetesl
Mar 10, 2011
  1. I have an ASUS M2V box with 2GB RAM and two 640GB SATA drives.

    Note well: I have two Windows XP 640GB hard drives mirrored (backed up) every week.

    The other day I suddenly got a spew of pop up error windows too fast to read and I lost Explorer so tried to reboot via Task Manager.
    From then on, however, I could only get into Safe Mode regardless of what choice I made when booting via F8, i.e. boot 'normally' and end up in Safe Mode _but_ with a Microsoft(?) warning about repairing the hard drive and downloading the program below - no program link BTW.

    Uh. Oh! I thought ... a virus. Maybe.
    So since I couldn't do anything I tried a repair from the Master CD.
    First time I got a constant BSOD with dumping memory message.
    Second time repair froze half way through installing hardware.
    Copy of Master CD - maybe the original is broken.
    Repair .. auto reboot then I get a constant loop of Windows loading bar, blank screen, reboot...

    So I ran a hard drive surface check, all 640GB of it. No bad sectors found.

    The mirror copy hard drive works fine. No hardware issues, (where am I writing this from?).

    However this drive has the locked in Google Redirect virus plus possibly more. Maybe why my 'first' hard drive failed?
    Note the redirect virus is not there in Safe mode.

    So to attack one(?) problem at a time I followed the "UPDATED-8" instructions.

    First the MalwareBytes log:
    ====================== Malwarebytes Log begin ===================
    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6001

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 7.0.5730.13

    09/03/2011 18:00:08
    mbam-log-2011-03-09 (18-00-02).txt

    Scan type: Full scan (C:\|D:\|F:\|G:\|H:\|I:\|J:\|K:\|L:\|M:\|N:\|)
    Objects scanned: 681199
    Time elapsed: 1 hour(s), 7 minute(s), 37 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 34

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{E312764E-7706-43F1-8DAB-FCDD2B1E416D} (PUP.Dealio) -> No action taken.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    f:\documents and settings\Ye Boss\application data\thinstall\microsoft office professional edition 2003\1000000600002i\svchost.exe (Rootkit.Dropper) -> No action taken.
    f:\documents and settings\Ye Boss\application data\thinstall\microsoft office professional edition 2003\1000000b00002i\rundll32.exe (Rootkit.Dropper) -> No action taken.
    i:\program files\webposition\upgrade\damn_wpgold1309.exe (Trojan.Agent.CK) -> No action taken.
    k:\documents and settings\Ye Boss\start menu\Programs\Startup\igfxtray.exe (Spyware.Passwords.XGen) -> No action taken.
    k:\documents and settings\Ye Boss\application data\ntuser.dat (VirTool.Obfuscator) -> No action taken.
    k:\documents and settings\Ye Boss\local settings\Temp\cdfss (Rootkit.Agent) -> No action taken.
    k:\documents and settings\Ye Boss\local settings\Temp\internetexplorerupdate.exe (Trojan.Dropper) -> No action taken.
    k:\documents and settings\Ye Boss\local settings\Temp\Lfz.exe (Trojan.Agent) -> No action taken.
    ====================== Malwarebytes Log end ===================

    I'm puzzled with the "no action taken" and where some of the programs appeared from.

    Now, GMER. Could not get it to complete. This morning after three hours I had a bunch of identical windows pop up and the system almost locked up - no mouse, but Tab still worked, though screen capture and the "Windows" key would not. The messages were to the effect that the system was out of resources. Because I asked it to scan both hard drives?
    BTW this was my second attempt - yesterday I ran in Safe mode without networking with the same result.
    So I hand copied the screen messages:
    ====================== GMER messages begin ====================
    SSDT pxsecsys(Prevx Realtime Analysis)\Prevx ZwTerminateProcess (0xB8 10A680)
    .text F:\Windows\system32\DRIVERS\nv4_mini.sys Section is writeable (oxB6C82830, 0x5 ...
    Device ACPI.sys(ACPI Driver for NT\mocroso ...
    AttachedD.. \Filesystem\Fastfat\Fat fltmgr.sys(Microsoft Filesystem Filter ...
    Reg HKCU\Software\Microsoft\Windows\CurretnVersion\Shell Extensio ...
    Reg HKCU\Software\Microsoft\Windows\CurretnVersion\Shell Extensio ... 0x6A 0x61 0x6D 0x67 ...
    Reg HKCU\Software\Microsoft\Windows\CurretnVersion\Shell Extensio ... 0x6A 0x61 0x6D 0x67 ...
    ====================== GMER messages end ====================
    Then, whilst copying the above another window popped up:
    (X) Windows was unable to save all the data for the file \Device\HarddiskVolume2\$mft. This error may be caused by a failure of your computer hardware or network connection. Please try to save this file elsewhere. [OK]
    * Could not [OK] * Tab wouldn't highlight this icon.
    And. Another window behind this one popped up telling me this "computer is locked..."

    OK. Now the dds.scr logs:
    1) DDS.TXT
    .
    DDS (Ver_11-03-05.01) - NTFSx86 NETWORK
    Run by Ye Boss at 14:27:22.67 on 10/03/2011
    Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_17
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1520 [GMT 0:00]
    .
    AV: Prevx 3.0 *Enabled/Updated* {D486329C-1488-4CEB-9CC8-D662B732D901}
    AV: Prevx 2.0 *Disabled/Updated* {557C3342-BC52-4508-AC25-4441BDF5C04C}
    .
    ============== Running Processes ===============
    .
    F:\WINDOWS\system32\savedump.exe
    F:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    F:\WINDOWS\system32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    F:\WINDOWS\Explorer.EXE
    F:\Program Files\Mozilla Firefox\firefox.exe
    F:\Program Files\Mozilla Firefox\plugin-container.exe
    G:\Program Files\KeePass Password Safe 2\KeePass.exe
    F:\Documents and Settings\Ye Boss\Desktop\dds.scr
    .
    ============== Pseudo HJT Report ===============
    .
    mWinlogon: SFCDisable=-99 (0xffffff9d)
    BHO: URLDetector Class: {55ea1964-f5e4-4d6a-b9b2-125b37655fcb} - f:\documents and settings\all users\application data\prevx\pxbho.dll
    BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - No File
    BHO: {C6CEAC32-D45C-11D4-94AF-0050BABD5FD6} - No File
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - f:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - f:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    {d593de91-7b41-45c2-830e-e9a99ab142aa}
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [SarbyxTrayClock] f:\program files\sarbyxtrayclock\trayclock.exe
    mRun: [ClocX] f:\program files\clocx\ClocX.exe
    mRun: [Atomic Time Synchronizer] "g:\program files\atsync\TimeSync.exe" /auto
    mRun: [NvCplDaemon] RUNDLL32.EXE f:\windows\system32\NvCpl.dll,NvStartup
    mRun: [KeePass 2 PreLoad] "g:\program files\keepass password safe 2\KeePass.exe" --preload
    mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    dRunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32
    dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
    StartupFolder: f:\docume~1\yeboss~1\startm~1\programs\startup\mailwa~1.lnk - f:\program files\mailwasher\MailWasher.exe
    uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
    IE: E&xport to Microsoft Excel - f:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: En&queue current page with Bulk Image Downloader - file://f:\program files\bulk image downloader\iemenu\iebidqueue.htm
    IE: Enqueue link target with Bulk Ima&ge Downloader - file://f:\program files\bulk image downloader\iemenu\iebidlinkqueue.htm
    IE: Open &link target with Bulk Image Downloader - file://f:\program files\bulk image downloader\iemenu\iebidlink.htm
    IE: Open current page with Bulk I&mage Downloader - file://f:\program files\bulk image downloader\iemenu\iebid.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - f:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - f:\progra~1\micros~2\office11\REFIEBAR.DLL
    DPF: {00000161-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/msaud.cab
    DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    TCP: {0927A573-845C-4B80-9108-9BD2FA005E1D} = 195.74.113.58,195.74.113.62
    TCP: {72049C5E-31B0-4E24-A4F7-527C9EED1463} = 8.8.8.8,8.8.4.4,154.32.109.18,154.32.105.18
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - f:\progra~1\common~1\skype\SKYPE4~1.DLL
    Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - f:\program files\coreftp\pftpns.dll
    AppInit_DLLs: f:\progra~1\dvdgho~1\DVDGHO~1.DLL
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - f:\windows\system32\wpdshserviceobj.dll
    LSA: Notification Packages = scecli wiesal.dll
    mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "f:\program files\common files\lightscribe\LSRunOnce.exe"
    mASetup: {B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC} - f:\program files\pixiepack codec pack\InstallerHelper.exe
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - f:\docume~1\yeboss~1\applic~1\mozilla\firefox\profiles\b1gs52tz.default\
    FF - prefs.js: browser.search.selectedEngine - Chambers (UK)
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
    FF - plugin: f:\documents and settings\ye boss\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: f:\documents and settings\ye boss\local settings\application data\yahoo!\browserplus\2.9.2\plugins\npybrowserplus_2.9.2.dll
    FF - plugin: f:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: f:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: f:\program files\logitech\harmony remote driver\NprtHarmonyPlugin.dll
    FF - plugin: f:\program files\mozilla firefox\plugins\npagent.dll
    FF - plugin: f:\program files\mozilla firefox\plugins\npBBCPlugin.dll
    FF - plugin: f:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
    FF - plugin: g:\program files\netscape6\nppl3260.dll
    FF - plugin: g:\program files\netscape6\nprjplug.dll
    FF - plugin: g:\program files\netscape6\nprpjplug.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - f:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - f:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - f:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: Java Quick Starter: jqs@sun.com - f:\program files\java\jre6\lib\deploy\jqs\ff
    FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    FF - Ext: Adblock Plus Pop-up Addon: adblockpopups@jessehakanen.net - %profile%\extensions\adblockpopups@jessehakanen.net
    FF - Ext: Element Hiding Helper for Adblock Plus: elemhidehelper@adblockplus.org - %profile%\extensions\elemhidehelper@adblockplus.org
    FF - Ext: KeeFox: keefox@chris.tomlinson - %profile%\extensions\keefox@chris.tomlinson
    FF - Ext: MozRepl: mozrepl@hyperstruct.net - %profile%\extensions\mozrepl@hyperstruct.net
    FF - Ext: British English Dictionary: en-GB@dictionaries.addons.mozilla.org - %profile%\extensions\en-GB@dictionaries.addons.mozilla.org
    FF - Ext: FastestFox: smarterwiki@wikiatic.com - %profile%\extensions\smarterwiki@wikiatic.com
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 pxscan;pxscan;f:\windows\system32\drivers\pxscan.sys [2009-5-21 22024]
    R0 pxsec;pxsec;f:\windows\system32\drivers\pxsec.sys [2009-5-21 27656]
    R0 xfilt;VIA SATA IDE Hot-plug Driver;f:\windows\system32\drivers\xfilt.sys [2007-1-27 11264]
    R1 Ext2fs;Ext2fs;f:\windows\system32\drivers\ext2fs.sys [2007-1-30 132736]
    R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Adapter;f:\windows\system32\drivers\atl01_xp.sys [2007-1-27 35712]
    R3 nvoclock;NVIDIA Enthusiasts Platform KDM;f:\windows\system32\drivers\nvoclock.sys [2009-9-15 38248]
    S1 IfsDrives;IfsDrives;f:\windows\system32\drivers\IfsDrives.sys [2007-1-30 4608]
    S2 AtSync;Atomic Time Synchronizer;g:\program files\atsync\ats.exe [2009-11-6 433152]
    S2 CSIScanner;CSIScanner;f:\program files\prevx\prevx.exe [2009-5-21 4368952]
    S2 gupdate;Google Update Service (gupdate);f:\program files\google\update\GoogleUpdate.exe [2009-7-30 133104]
    S2 PLCNDIS5;PLCNDIS5 NDIS Protocol Driver;f:\windows\system32\plcndis5.sys [2004-5-17 17280]
    S2 SSPORT;SSPORT;\??\f:\windows\system32\drivers\ssport.sys --> f:\windows\system32\drivers\SSPORT.sys [?]
    S3 Asushwio;Asushwio;f:\windows\system32\drivers\ASUSHWIO.SYS [2006-11-2 5824]
    S3 ATICDSDr;ATICDSDr;\??\f:\docume~1\yeboss~1\locals~1\temp\aticdsdr.sys --> f:\docume~1\yeboss~1\locals~1\temp\ATICDSDr.sys [?]
    S3 AtiDCM;AtiDCM;\??\f:\documents and settings\ye boss\local settings\temp\atidcmxx.sys --> f:\documents and settings\ye boss\local settings\temp\atidcmxx.sys [?]
    S3 GenericMount;Generic Mount Driver;f:\windows\system32\drivers\genericmount.sys --> f:\windows\system32\drivers\GenericMount.sys [?]
    S3 NPF;NetGroup Packet Filter Driver;f:\windows\system32\drivers\npf.sys [2007-6-21 32512]
    S3 PAC207;Trust WB-1200p Mini Webcam;f:\windows\system32\drivers\PFC027.sys [2005-2-24 162176]
    S3 PLCMPR5;PLCMPR5 NDIS Protocol Driver;\??\f:\windows\system32\plcmpr5.sys --> f:\windows\system32\PLCMPR5.SYS [?]
    S3 PsSdk30;PsSdk30;\??\f:\windows\system32\drivers\pssdk30.drv --> f:\windows\system32\drivers\PsSdk30.drv [?]
    S3 SiwvidStart;SiwvidStart;\??\f:\docume~1\yeboss~1\locals~1\temp\_istmp4.dir\_istmp0.dir\siwvid.sys --> f:\docume~1\yeboss~1\locals~1\temp\_istmp4.dir\_istmp0.dir\siwvid.sys [?]
    .
    =============== File Associations ===============
    .
    JSEFile=NOTEPAD.EXE %1
    txtfile="f:\program files\notepadbdv\Notepad.exe" "%1"
    VBEFile=NOTEPAD.EXE %1
    VBSFile=NOTEPAD.EXE %1
    regfile\shell\edit\command=%SystemRoot%\system32\NOTEPAD.EXE %1
    .
    =============== Created Last 30 ================
    .
    2011-03-08 12:37:00 114944 ----a-r- f:\windows\system32\drivers\viamraid.sys
    2011-03-08 09:17:42 12872 ----a-w- f:\windows\system32\bootdelete.exe
    2011-03-08 09:12:14 16968 ----a-w- f:\windows\system32\drivers\hitmanpro35.sys
    2011-03-08 09:12:03 -------- d-----w- f:\docume~1\alluse~1\applic~1\Hitman Pro
    .
    ==================== Find3M ====================
    .
    2011-01-26 15:54:42 79360 --sha-r- f:\windows\system32\wmsdmoeu.dll
    2011-01-26 15:49:47 74703 ----a-w- f:\windows\system32\mfc45.dll
    2011-01-15 16:54:32 33019 ----a-w- f:\windows\system32\CoreAAC-uninstall.exe
    2011-01-15 15:09:08 389120 ----a-w- f:\windows\system32\ACTSKN43.OCX
    .
    ============= FINISH: 14:27:38.56 ===============

    2) ATTACH.TXT but it says at the top:
    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    I have previously run TFC, Goored & HitmanPro, in that order, without success.
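    The puzzle in the post above is that every detection in the Malwarebytes log ends in "No action taken". A small parser for that log layout makes the discrepancy obvious at a glance: it reads the summary counts, collects every detection line, and flags the ones that were never quarantined. This is an added example, not code from the thread or from Malwarebytes; the sample log below is constructed in the 1.50 layout shown in the post (made-up paths and names, not the poster's machine), and the regular expressions assume that layout.

```python
import re
from collections import Counter

# Constructed sample in the Malwarebytes 1.50 log layout from the thread.
# Paths and names are invented for the example.
SAMPLE_LOG = """Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6001

Scan type: Full scan (C:\\|D:\\|)
Objects scanned: 123456
Time elapsed: 10 minute(s), 3 second(s)

Memory Processes Infected: 0
Registry Keys Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\\SOFTWARE\\Example\\{00000000-0000-0000-0000-000000000000} (PUP.Example) -> No action taken.

Files Infected:
c:\\docs\\user\\local settings\\temp\\sample1.exe (Trojan.Dropper) -> No action taken.
c:\\docs\\user\\local settings\\temp\\sample2.exe (Rootkit.Agent) -> Quarantined and deleted successfully.
c:\\program files\\example\\sample3.exe (Trojan.Agent) -> No action taken.
"""

# Summary line: "<Section> Infected: <count>"
COUNT_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected): (?P<n>\d+)$")
# Detection line: "<item> (<category>) -> <action>."
DETECTION_RE = re.compile(r"^(?P<item>.+) \((?P<category>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return (declared_counts, detections) from a Malwarebytes log.

    declared_counts maps each summary section to the count the scanner
    reported; detections is a list of dicts (item, category, action, section)
    built from the per-section listing that follows the summary block.
    """
    counts = {}
    detections = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = COUNT_RE.match(line)
        if m:
            counts[m.group("name")] = int(m.group("n"))
            continue
        if line.endswith(" Infected:"):
            section = line[:-1]  # e.g. "Files Infected"
            continue
        if line == "(No malicious items detected)":
            continue
        m = DETECTION_RE.match(line)
        if m and section:
            detections.append({
                "item": m.group("item"),
                "category": m.group("category"),
                "action": m.group("action"),
                "section": section,
            })
    return counts, detections


def triage(text):
    """Summarise a log: what was declared, what was listed, what is still live."""
    counts, detections = parse_mbam_log(text)
    unactioned = [d for d in detections
                  if d["action"].lower().startswith("no action taken")]
    return {
        "declared_total": sum(counts.values()),
        "listed_total": len(detections),
        "unactioned": unactioned,
        "by_category": Counter(d["category"] for d in detections),
        # Rootkit-class hits deserve a second tool (the thread moves on to GMER/ComboFix)
        "rootkit_hits": [d for d in detections
                         if d["category"].lower().startswith("rootkit")],
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(f"declared {report['declared_total']}, listed {report['listed_total']}")
    for d in report["unactioned"]:
        print(f"STILL PRESENT: {d['item']} [{d['category']}]")
    for cat, n in report["by_category"].most_common():
        print(f"{n:3d}  {cat}")
```

    Run against the real log, the "STILL PRESENT" lines are exactly the items that need a rescan with the removal boxes ticked; a mismatch between the declared and listed totals would mean the paste was truncated.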
     
  2. Bobbye


    Welcome to TechSpot! I'll help with the problem. Your commentary was interesting, but I am kind of glad you got to this point:
    It is very important that you observe the following:
    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
    ===============================
    The reason this shows is that you didn't check the line for removal:
    Be sure that everything is checked, and click Remove Selected.
    Please go back to Malwarebytes, update and rescan with this line checked. Include the new log in your next reply.
    ====================================
    Please follow my directions completely. Let me be the one to review the information in the logs, which you will paste in the reply, in their entirety, including all headers. Please don't take excerpts of what you think is relevant- that's my job!
    ====================================
    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Click on "Copy to Clipboard"> (you won't see the 'clipboard')
    10. Click anywhere in the post where you want the logs to go, then do Ctrl V. The log will be sent from the clipboard and pasted in the post.
    11. Re-enable your Antivirus software.
      NOTE: If you forget to copy to the clipboard, you can find the log here:
      C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    ========================================
    Download Combofix to your desktop from one of these locations:
    Link 1
    Link 2
    • Double click combofix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Query- Recovery Console image
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes it will open a text window. Please paste that log in your next reply.
    Re-enable your Antivirus software.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    ===================================
    You have multiple infections. One is a Worm that disables Windows File Protection (WFP) and the System File Checker. I will do my best to help you clean them, but it's important that you don't do things in the system that will cause the logs to change>>>>unless I instruct you to do so. Do not act on any message you get onscreen. Report it to me. The infections you have will give you false alerts.
     
  3. fopetesl


    Safe mode or not?

    Hi, bobbye. Thanks for your quick reply.
    One question though. You don't mention (if you did, my Alzheimer's is kicking in) whether to run in Safe Mode with(out) networking.
    Until this part is resolved I'm running in Safe mode with networking.

    Update 10:14 9th March - I first looked at Malwarebytes Quarantine tab and all the files not actioned yesterday were there so I deleted and after upgrading ran the scan again which came up with another(?) 30+ infections. I did tick the remove all and saved the final log. Guess what - none were actioned!
    So I again went to Quarantined and deleted all. I'm currently running the scan again...

    Update 10:55 9th March - Malwarebytes now comes out clean.
    ====================== Malwarebytes log begins ===================

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6017

    Windows 5.1.2600 Service Pack 3 (Safe Mode)
    Internet Explorer 7.0.5730.13

    11/03/2011 10:52:45
    mbam-log-2011-03-11 (10-52-45).txt

    Scan type: Full scan (C:\|D:\|F:\|G:\|H:\|I:\|J:\|K:\|)
    Objects scanned: 650482
    Time elapsed: 38 minute(s), 46 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    ====================== Malwarebytes log ends ===================

    Now to run ESET ...
    Update 11:20 9th March - ESET: Using Firefox I downloaded installer.
    Run program: [ ] Remove found threats; [x] Scan unwanted applications; [ ] Enable Anti-Stealth technology
    2nd Step - Download virus signature database - Unexpected Error 101
    Close Firefox, open Internet Explorer. Run ESET with same boxes (un)ticked. Same result - Unexpected Error 101

    Will await further instruction before proceeding.....

    Sorry, call me impatient. I went on to run ComboFix. It came up with a message telling me "Prevx 3.0 is running" but I couldn't find it in Task Manager.
    Prevx 3 will not run in Safe Mode BTW.
    Combofix Log:
    ==================== Combofix log begins ================
    ComboFix 11-03-11.02 - Ye Boss 12/03/2011 12:04:45.1.2 - x86 NETWORK
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1728 [GMT 0:00]
    Running from: g:\downloads\ComboFix.exe
    AV: Prevx 2.0 *Disabled/Updated* {557C3342-BC52-4508-AC25-4441BDF5C04C}
    AV: Prevx 3.0 *Enabled/Updated* {D486329C-1488-4CEB-9CC8-D662B732D901}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    f:\documents and settings\Ye Boss\Application Data\chrtmp
    f:\documents and settings\Ye Boss\Application Data\FFSJ
    f:\documents and settings\Ye Boss\Application Data\FFSJ\FFSJ.cfg
    f:\documents and settings\Ye Boss\Application Data\inst.exe
    f:\documents and settings\Ye Boss\Favorites\Thumbs.db
    f:\windows\system32\_000003_.tmp.dll
    f:\windows\system32\_000006_.tmp.dll
    f:\windows\system32\_000007_.tmp.dll
    f:\windows\system32\_000008_.tmp.dll
    f:\windows\system32\_000012_.tmp.dll
    f:\windows\system32\_000025_.tmp.dll
    f:\windows\system32\Ijl11.dll
    f:\windows\system32\images
    f:\windows\system32\images\i1.gif
    f:\windows\system32\images\i2.gif
    f:\windows\system32\images\i3.gif
    f:\windows\system32\images\j1.gif
    f:\windows\system32\images\j2.gif
    f:\windows\system32\images\j3.gif
    f:\windows\system32\images\jj1.gif
    f:\windows\system32\images\jj2.gif
    f:\windows\system32\images\jj3.gif
    f:\windows\system32\images\l1.gif
    f:\windows\system32\images\l2.gif
    f:\windows\system32\images\l3.gif
    f:\windows\system32\images\pix.gif
    f:\windows\system32\images\t1.gif
    f:\windows\system32\images\t2.gif
    f:\windows\system32\images\up1.gif
    f:\windows\system32\images\up2.gif
    f:\windows\system32\images\w1.gif
    f:\windows\system32\images\w11.gif
    f:\windows\system32\images\w2.gif
    f:\windows\system32\images\w3.gif
    f:\windows\system32\images\w3.jpg
    f:\windows\system32\images\wt1.gif
    f:\windows\system32\images\wt2.gif
    f:\windows\system32\images\wt3.gif
    f:\windows\system32\midas.dll
    f:\windows\system32\muzapp.exe
    f:\windows\system32\SysInfo.dll
    f:\windows\system32\zlibwapi.dll
    f:\windows\UA000106.DLL
    f:\windows\w32dasm8.ini
    f:\windows\XSxS
    G:\install.exe
    J:\install.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_ANTIPOL
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-02-12 to 2011-03-12 )))))))))))))))))))))))))))))))
    .
    .
    2011-03-11 11:10 . 2011-03-11 11:10 -------- d-----w- f:\program files\ESET
    2011-03-08 12:37 . 2009-05-22 02:41 114944 ----a-r- f:\windows\system32\drivers\viamraid.sys
    2011-03-08 09:17 . 2011-03-08 09:17 12872 ----a-w- f:\windows\system32\bootdelete.exe
    2011-03-08 09:12 . 2011-03-08 09:12 16968 ----a-w- f:\windows\system32\drivers\hitmanpro35.sys
    2011-03-08 09:12 . 2011-03-08 09:17 -------- d-----w- f:\documents and settings\All Users\Application Data\Hitman Pro
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-01-26 15:49 . 1999-07-05 10:00 74703 ----a-w- f:\windows\system32\mfc45.dll
    2011-01-15 16:54 . 2011-01-15 16:54 33019 ----a-w- f:\windows\system32\CoreAAC-uninstall.exe
    2011-01-15 15:09 . 2010-04-08 11:01 389120 ----a-w- f:\windows\system32\ACTSKN43.OCX
    2010-12-20 18:09 . 2011-02-07 12:53 38224 ----a-w- f:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-20 18:08 . 2011-02-07 12:53 20952 ----a-w- f:\windows\system32\drivers\mbam.sys
    .
    .
    ------- Sigcheck -------
    .
    [-] 2009-01-08 . 5AE1C2695F6523AD98B948F2887D8C5E . 361600 . . [5.1.2600.5649] . . f:\windows\system32\drivers\tcpip.sys
    [-] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . f:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
    .
    [-] 2009-01-08 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . f:\windows\system32\sfcfiles.dll
    .
    [-] 2007-07-18 . 06ABBA5C28F663DF5C0A59FFB5B765F2 . 42368 . . [5.1.2600.3180] . . f:\windows\system32\drivers\agp440.sys
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SarbyxTrayClock"="f:\program files\SarbyxTrayClock\trayclock.exe" [2006-10-19 60928]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ClocX"="f:\program files\ClocX\ClocX.exe" [2007-07-26 270336]
    "Atomic Time Synchronizer"="g:\program files\AtSync\TimeSync.exe" [2009-03-15 515584]
    "NvCplDaemon"="f:\windows\system32\NvCpl.dll" [2010-04-03 13670504]
    "KeePass 2 PreLoad"="g:\program files\KeePass Password Safe 2\KeePass.exe" [2010-09-05 1655296]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "_nltide_2"="shell32" [X]
    "tscuninstall"="f:\windows\system32\tscupgrd.exe" [2004-08-03 44544]
    .
    f:\documents and settings\Ye Boss\Start Menu\Programs\Startup\AutorunsDisabled
    MailWasherPro.lnk - f:\program files\MailWasher\MailWasher.exe [2006-11-16 5661184]
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoSMConfigurePrograms"= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=f:\progra~1\DVDGHO~1\DVDGhostAppInit.dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "Philips Intelligent Agent"="f:\philips_pbdv1601p_b3.7_upgrade\Philips Intelligent Agent\Philips Intelligent Agent.exe" /SILENT
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "SunJavaUpdateSched"="f:\program files\Java\jre1.5.0_09\bin\jusched.exe"
    "TkBellExe"="f:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "f:\\Program Files\\uTorrent\\UTORRENT.EXE"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "g:\\Program Files\\AtSync\\TimeSync.exe"=
    "g:\\Program Files\\NuSphere\\PhpED\\php\\php.exe"=
    "g:\\Program Files\\NuSphere\\PhpED\\php\\php-cli.exe"=
    "g:\\Program Files\\NuSphere\\PhpED\\php5\\php-cgi.exe"=
    "g:\\Program Files\\NuSphere\\PhpED\\php5\\php.exe"=
    "g:\\Program Files\\NuSphere\\PhpED\\php53\\php-cgi.exe"=
    "g:\\Program Files\\NuSphere\\PhpED\\php53\\php.exe"=
    "g:\\Program Files\\NuSphere\\PhpED\\Srv.exe"=
    "g:\\Program Files\\NuSphere\\PhpED\\debugger\\DbgListener.exe"=
    "g:\\Program Files\\NuSphere\\PhpED\\phped.exe"=
    "f:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "f:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
    "f:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
    "f:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
    "f:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
    "f:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
    "f:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
    "f:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
    "f:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
    "f:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "67:UDP"= 67:UDP:DHCP Discovery Service
    "8000:UDP"= 8000:UDP:Express Talk RTP Incoming Audio (UDP)
    "8001:UDP"= 8001:UDP:Express Talk RTP Incoming Audio (UDP)
    "8002:UDP"= 8002:UDP:Express Talk RTP Incoming Audio (UDP)
    "8003:UDP"= 8003:UDP:Express Talk RTP Incoming Audio (UDP)
    "8004:UDP"= 8004:UDP:Express Talk RTP Incoming Audio (UDP)
    "8005:UDP"= 8005:UDP:Express Talk RTP Incoming Audio (UDP)
    "8006:UDP"= 8006:UDP:Express Talk RTP Incoming Audio (UDP)
    "8007:UDP"= 8007:UDP:Express Talk RTP Incoming Audio (UDP)
    "8008:UDP"= 8008:UDP:Express Talk RTP Incoming Audio (UDP)
    "8009:UDP"= 8009:UDP:Express Talk RTP Incoming Audio (UDP)
    "5070:UDP"= 5070:UDP:Express Talk Sip Incoming Calls (UDP)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundEchoRequest"= 1 (0x1)
    .
    R0 pxscan;pxscan;f:\windows\system32\drivers\pxscan.sys [21/05/2009 11:45 22024]
    R0 pxsec;pxsec;f:\windows\system32\drivers\pxsec.sys [21/05/2009 11:45 27656]
    R1 Ext2fs;Ext2fs;f:\windows\system32\drivers\ext2fs.sys [30/01/2007 13:08 132736]
    R1 IfsDrives;IfsDrives;f:\windows\system32\drivers\IfsDrives.sys [30/01/2007 13:08 4608]
    R2 AtSync;Atomic Time Synchronizer;g:\program files\AtSync\ats.exe [06/11/2009 15:39 433152]
    R2 CSIScanner;CSIScanner;f:\program files\Prevx\prevx.exe [21/05/2009 11:45 4368952]
    R2 PLCNDIS5;PLCNDIS5 NDIS Protocol Driver;f:\windows\system32\plcndis5.sys [17/05/2004 10:21 17280]
    R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Adapter;f:\windows\system32\drivers\atl01_xp.sys [27/01/2007 09:28 35712]
    R3 nvoclock;NVIDIA Enthusiasts Platform KDM;f:\windows\system32\drivers\nvoclock.sys [15/09/2009 13:59 38248]
    S2 gupdate;Google Update Service (gupdate);f:\program files\Google\Update\GoogleUpdate.exe [30/07/2009 17:20 133104]
    S2 SSPORT;SSPORT;\??\f:\windows\system32\Drivers\SSPORT.sys --> f:\windows\system32\Drivers\SSPORT.sys [?]
    S3 Asushwio;Asushwio;f:\windows\system32\drivers\ASUSHWIO.SYS [02/11/2006 15:04 5824]
    S3 ATICDSDr;ATICDSDr;\??\f:\docume~1\YEBOSS~1\LOCALS~1\Temp\ATICDSDr.sys --> f:\docume~1\YEBOSS~1\LOCALS~1\Temp\ATICDSDr.sys [?]
    S3 AtiDCM;AtiDCM;\??\f:\documents and settings\Ye Boss\Local Settings\Temp\atidcmxx.sys --> f:\documents and settings\Ye Boss\Local Settings\Temp\atidcmxx.sys [?]
    S3 GenericMount;Generic Mount Driver;f:\windows\system32\DRIVERS\GenericMount.sys --> f:\windows\system32\DRIVERS\GenericMount.sys [?]
    S3 NPF;NetGroup Packet Filter Driver;f:\windows\system32\drivers\npf.sys [21/06/2007 19:55 32512]
    S3 PAC207;Trust WB-1200p Mini Webcam;f:\windows\system32\drivers\PFC027.sys [24/02/2005 11:29 162176]
    S3 PLCMPR5;PLCMPR5 NDIS Protocol Driver;\??\f:\windows\system32\PLCMPR5.SYS --> f:\windows\system32\PLCMPR5.SYS [?]
    S3 PsSdk30;PsSdk30;\??\f:\windows\system32\Drivers\PsSdk30.drv --> f:\windows\system32\Drivers\PsSdk30.drv [?]
    S3 SiwvidStart;SiwvidStart;\??\f:\docume~1\YEBOSS~1\LOCALS~1\Temp\_ISTMP4.DIR\_ISTMP0.DIR\siwvid.sys --> f:\docume~1\YEBOSS~1\LOCALS~1\Temp\_ISTMP4.DIR\_ISTMP0.DIR\siwvid.sys [?]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    hpdevmgmt REG_MULTI_SZ hpqcxs08
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2010-08-16 12:43 451872 ----a-w- f:\program files\Common Files\LightScribe\LSRunOnce.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC}]
    2008-06-18 14:04 8192 ----a-w- f:\program files\PixiePack Codec Pack\InstallerHelper.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-03-12 f:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - f:\program files\Google\Update\GoogleUpdate.exe [2009-07-30 17:20]
    .
    2011-03-12 f:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - f:\program files\Google\Update\GoogleUpdate.exe [2009-07-30 17:20]
    .
    2011-03-12 f:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-507921405-1078081533-839522115-1003Core.job
    - f:\documents and settings\Ye Boss\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-26 07:56]
    .
    2011-03-12 f:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-507921405-1078081533-839522115-1003UA.job
    - f:\documents and settings\Ye Boss\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-26 07:56]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.eset.eu/eset-online-scanner
    IE: E&xport to Microsoft Excel - f:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: En&queue current page with Bulk Image Downloader - file://f:\program files\Bulk Image Downloader\iemenu\iebidqueue.htm
    IE: Enqueue link target with Bulk Ima&ge Downloader - file://f:\program files\Bulk Image Downloader\iemenu\iebidlinkqueue.htm
    IE: Open &link target with Bulk Image Downloader - file://f:\program files\Bulk Image Downloader\iemenu\iebidlink.htm
    IE: Open current page with Bulk I&mage Downloader - file://f:\program files\Bulk Image Downloader\iemenu\iebid.htm
    TCP: {0927A573-845C-4B80-9108-9BD2FA005E1D} = 195.74.113.58,195.74.113.62
    TCP: {72049C5E-31B0-4E24-A4F7-527C9EED1463} = 8.8.8.8,8.8.4.4,154.32.109.18,154.32.105.18
    FF - ProfilePath - f:\documents and settings\Ye Boss\Application Data\Mozilla\Firefox\Profiles\b1gs52tz.default\
    FF - prefs.js: browser.search.selectedEngine - Chambers (UK)
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - f:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - f:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - f:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: Java Quick Starter: jqs@sun.com - f:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    FF - Ext: Adblock Plus Pop-up Addon: adblockpopups@jessehakanen.net - %profile%\extensions\adblockpopups@jessehakanen.net
    FF - Ext: Element Hiding Helper for Adblock Plus: elemhidehelper@adblockplus.org - %profile%\extensions\elemhidehelper@adblockplus.org
    FF - Ext: KeeFox: keefox@chris.tomlinson - %profile%\extensions\keefox@chris.tomlinson
    FF - Ext: MozRepl: mozrepl@hyperstruct.net - %profile%\extensions\mozrepl@hyperstruct.net
    FF - Ext: British English Dictionary: en-GB@dictionaries.addons.mozilla.org - %profile%\extensions\en-GB@dictionaries.addons.mozilla.org
    FF - Ext: FastestFox: smarterwiki@wikiatic.com - %profile%\extensions\smarterwiki@wikiatic.com
    FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
    FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
    .
    .
    ------- File Associations -------
    .
    JSEFile=NOTEPAD.EXE %1
    txtfile="f:\program files\NotepadBDV\Notepad.exe" "%1"
    regfile\shell\edit\command=%SystemRoot%\system32\NOTEPAD.EXE %1
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Notify-AtiExtEvent - (no file)
    AddRemove-iolo technologies' System Mechanic 5 - f:\progra~1\iolo\SYSTEM~1\UNWISE.EXE
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-12 12:11
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\PsSdk30]
    "ImagePath"="\??\f:\windows\system32\Drivers\PsSdk30.drv"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-507921405-1078081533-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3D1F7916-093C-00AF-2931-D803D77B6F65}*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    "namfcaeognkgomlcjcnnmfmhjgil"=hex:6a,61,6d,67,6d,6b,64,65,64,64,6d,67,6e,6f,
    6f,64,70,64,61,67,00,00
    "mageineildajhopnlcmgphfccd"=hex:6a,61,6d,67,6d,6b,64,65,64,64,6d,67,6e,6f,6f,
    64,70,64,61,67,00,00
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(3364)
    f:\windows\system32\msi.dll
    f:\windows\system32\wpdshserviceobj.dll
    f:\windows\system32\portabledevicetypes.dll
    f:\windows\system32\portabledeviceapi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    f:\windows\system32\savedump.exe
    f:\windows\system32\nvsvc32.exe
    f:\windows\system32\rundll32.exe
    f:\program files\Google\Update\1.2.183.39\GoogleCrashHandler.exe
    g:\program files\Nero 8\InCD\InCDsrv.exe
    f:\program files\Java\jre6\bin\jqs.exe
    f:\program files\Common Files\LightScribe\LSSrvc.exe
    f:\windows\System32\PAStiSvc.exe
    f:\windows\system32\WgaTray.exe
    .
    **************************************************************************
    .
    Completion time: 2011-03-12 12:13:41 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-03-12 12:13
    .
    Pre-Run: 121,140,215,808 bytes free
    Post-Run: 120,947,838,976 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /noexecute=optin
    .
    - - End Of File - - 9E32D6ED1573967D20B8A025E81FA3D3
    ==================== Combofix log ends ================
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I'd like all of the scans run in Normal Mode unless I instruct you otherwise. Running in Safe Mode with Network puts you at risk because the security programs don't run.

    Tell me about the multiple drives I see. Mbam shows scans on Scan type: Full scan (C:\|D:\|F:\|G:\|H:\|I:\|J:\|K:\|)

    You show 2 versions of Prevx as the AV:
    AV: Prevx 2.0 *Disabled/Updated* {557C3342-BC52-4508-AC25-4441BDF5C04C}
    AV: Prevx 3.0 *Enabled/Updated* {D486329C-1488-4CEB-9CC8-D662B732D901}


    Before I proceed, tell me if this is your work computer. You have software entries beyond what is usually found on a home PC. There are also multiple drivers that appear not to be in use.

    1. You show entries for the Bulk Image Downloader and I notice that Combofix removed a large number of images.

    2. You are using NuSphere PhpED IDE which is a professional integrated development environment created mostly for building database-driven web-applications using php scripting language, although a lot of other popular languages such as HTML, XML, CSS, Perl, Javascript, Pyt.

    3. You have drivers for SoftICE, which is a kernel mode debugger for Microsoft Windows, designed to run underneath Windows such that the operating system is unaware of its presence.

    4. And you are running Symantec Generic Mount Driver Development Edition.

    5. And you are also loading uTorrent.

    FYI, the locked computer is most likely caused by one of these conditions:
    This behavior can occur for either of the following reasons:
    • When the default screen saver is set to use a non-existent screen saver program.
    • When you use a corrupted screen saver that is password protected.

    Depending on the exact message, a Registry Edit is required. Instructions are here:
    http://support.microsoft.com/kb/242917
    Note: I do not have those I'm helping do Registry Edits. So if you do this, you do it at your own risk.
     
  5. fopetesl

    fopetesl TS Rookie Topic Starter

    Partitions. Partitions.

    (C:\|D:\|F:\|G:\) are partitions on one hard drive.
    (H:\|I:\|J:\|K:\) were a mirror copy on the other hard drive.
    Both are 640GB WD SATA.
    I left both in the scan so that Mbam would scan both. Remember I cannot repair the (H:\|...K:\|) drive.

    Prevx 2.0 was an earlier version of Prevx 3.0.
    Prevx 2.0 doesn't show up in add/remove programs


    It's actually both an office and a home computer though it doesn't move anywhere apart from the office. Where I live broadband is not available and the dial-up speed is unusable.
    I'm a self employed hardware and software engineer for my sins.
    My guess is the redundant drivers are a hangover from earlier motherboards? There have been a few over the years.

    There are four visible partitions since C:\|H:\| & D:\|I:\| are copies of old ATA drives from way back holding information I can access quickly when needed.
    F:\|J:\| partition was the original Win2000/XP partition which became squeezed so I reduced a LINUX partition, (I use LINUX more and more), and created partition G:\|K:\| since I couldn't increase F:\|J:\|.

    Mea culpa. I am guilty of not cleaning up my system(s). Maybe this is the prompt which will get me moving. BID I don't remember having used for quite some time so it should have been removed a long time ago.
    You're talking the system32 images? Why they have been removed I cannot say but it would be of interest to have it explained how image files can pose a threat.

    Indeed you are correct. PHP is part of my remit.

    We used SoftICE a couple of years ago to reverse engineer some MSDOS code which monitored a fabric testing machine of which the designers have long since disappeared. I had thought it had been removed but both you and Skype agree it's still there or at least indications of it. What are these drivers named?

    A complete unknown for me. The last set of drivers I wrote was for Win95.

    I/we use this occasionally for downloading. This is bad?
    Your link is noted.
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I want you to understand this: While each system is unique, I can only go by what I see. If I remove entries, it's because I think, or know, they should be removed. I don't know whether this will affect the other software programs in any way. But I want to make sure to have a Recovery Console on board. All malware cleaning presents some risks. But the more processes, the more unknown entries, the greater the risk.
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    f:\windows\system32\Drivers\SSPORT.sys
    f:\docume~1\YEBOSS~1\LOCALS~1\Temp\ATICDSDr.sys
    f:\windows\system32\DRIVERS\GenericMount.sys
    f:\windows\system32\PLCMPR5.SYS
    f:\windows\system32\Drivers\PsSdk30.drv
    f:\docume~1\YEBOSS~1\LOCALS~1\Temp\_ISTMP4.DIR\_ISTMP0.DIR\siwvid.sys
    f:\windows\system32\drivers\hitmanpro35.sys
    Folder::
    f:\documents and settings\All Users\Application Data\Hitman Pro
    RegNull::
    [HKEY_USERS\S-1-5-21-507921405-1078081533-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3D1F7916-093C-00AF-2931-D803D77B6F65}*]
    DDS::
    mWinlogon: SFCDisable=-99 (0xffffff9d)
    BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - No File
    BHO: {C6CEAC32-D45C-11D4-94AF-0050BABD5FD6} - No File
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    dRunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32
    IE: En&queue current page with Bulk Image Downloader - file://f:\program files\bulk image downloader\iemenu\iebidqueue.htm
    IE: Enqueue link target with Bulk Ima&ge Downloader - file://f:\program files\bulk image downloader\iemenu\iebidlinkqueue.htm
    IE: Open &link target with Bulk Image Downloader - file://f:\program files\bulk image downloader\iemenu\iebidlink.htm
    IE: Open current page with Bulk I&mage Downloader - file://f:\program files\bulk image downloader\iemenu\iebid.htm
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    
    Driver::
    SSPORT
    ATICDSDr
    AtiDCM
    GenericMount
    PLCMPR5
    PsSdk30
    SiwvidStart
    FCopy::
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    There are two IPs that I cannot ID:
    IP 154.32.105.18> no ID
    IP 154.32.109.18> no ID
    ====================
    Some of the gifs that were removed were related to Windows Antivirus Pro, a rogue program. But some appear to be programming entries, not malware.
    ======================
    Please remove HitmanPro from the system. It is nothing but a bundle of free programs from the internet, some being used without the permission of the author, that will make you pay to remove a bad entry after the trial period. All of the individual programs are free and fully functional on the internet.
    =======================================
    It appears that both of these may have been disabled:
    1. The System File Checker tool checks if the protected files have been modified. If so, it recovers the original protected files.
    2. Windows File Protection prevents critical Windows system files from being replaced. Programs must not overwrite these files because they are used by the operating system and other programs.
    3. With both features disabled, the Windows protected files can be modified, which could cause problems with the operating system and the installed programs.
     
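    As an added example (not code from this thread, from ComboFix, or from either poster), the Python script below reads the kinds of ComboFix log lines the helper acted on in the posts above and flags the conditions called out there: the Windows Firewall switched off ("EnableFirewall"= 0), kernel drivers loading from a Temp directory or whose file ComboFix could not read (the trailing [?]), DNS servers outside an expected list, and SFCDisable set in Winlogon. The EXPECTED_DNS set is an assumption for the example; the sample lines are constructed by copying entries from the first ComboFix log posted in this thread.

```python
"""Triage helper for ComboFix-style log lines.

Added example for this thread; it is not code from ComboFix, from
TechSpot or from either poster. It picks out the line types the helper
acted on above and flags: Windows Firewall disabled, drivers loading
from a Temp directory or whose file ComboFix could not read ([?]),
DNS servers outside an expected list, and SFCDisable set.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Resolvers the operator expects to see. Assumption for the example:
# 8.8.8.8/8.8.4.4 are Google Public DNS, the 195.74.113.x pair are the
# other adapter's resolvers from the log posted above.
EXPECTED_DNS = {"8.8.8.8", "8.8.4.4", "195.74.113.58", "195.74.113.62"}

# Constructed sample: a handful of lines copied from the first ComboFix
# log in this thread, in the order they appear there.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R0 pxscan;pxscan;f:\windows\system32\drivers\pxscan.sys [21/05/2009 11:45 22024]
S2 SSPORT;SSPORT;\??\f:\windows\system32\Drivers\SSPORT.sys --> f:\windows\system32\Drivers\SSPORT.sys [?]
S3 ATICDSDr;ATICDSDr;\??\f:\docume~1\YEBOSS~1\LOCALS~1\Temp\ATICDSDr.sys --> f:\docume~1\YEBOSS~1\LOCALS~1\Temp\ATICDSDr.sys [?]
S3 SiwvidStart;SiwvidStart;\??\f:\docume~1\YEBOSS~1\LOCALS~1\Temp\_ISTMP4.DIR\_ISTMP0.DIR\siwvid.sys --> f:\docume~1\YEBOSS~1\LOCALS~1\Temp\_ISTMP4.DIR\_ISTMP0.DIR\siwvid.sys [?]
TCP: {72049C5E-31B0-4E24-A4F7-527C9EED1463} = 8.8.8.8,8.8.4.4,154.32.109.18,154.32.105.18
mWinlogon: SFCDisable=-99 (0xffffff9d)
"""

# "R0 name;display;path [date time size]" or "... --> resolved [?]"
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.*?)(?:\s+-->\s+(?P<resolved>.*?))?\s+\[(?P<info>[^\]]*)\]$"
)
# "TCP: {adapter GUID} = resolver,resolver,..."
DNS_RE = re.compile(r"^TCP:\s+\{[0-9A-Fa-f-]+\}\s+=\s+(?P<servers>[\d.,]+)$")
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*(?P<val>\d+)')
SFC_RE = re.compile(r"SFCDisable=(?P<val>-?\d+)")


@dataclass(frozen=True)
class Finding:
    kind: str    # short machine-readable category
    detail: str  # the service name, resolver or raw line that triggered it


def triage(log_text: str) -> List[Finding]:
    """Walk the log once and return every condition worth a second look."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = FIREWALL_RE.match(line)
        if m and m.group("val") == "0":
            findings.append(Finding("firewall_disabled", line))
            continue
        m = SERVICE_RE.match(line)
        if m:
            # Prefer the resolved path ComboFix printed after "-->".
            path = (m.group("resolved") or m.group("path")).lower()
            if "\\temp\\" in path:
                findings.append(Finding("driver_in_temp", m.group("name")))
            if m.group("info") == "?":
                findings.append(Finding("driver_file_unreadable", m.group("name")))
            continue
        m = DNS_RE.match(line)
        if m:
            for server in m.group("servers").split(","):
                if server not in EXPECTED_DNS:
                    findings.append(Finding("unexpected_dns", server))
            continue
        m = SFC_RE.search(line)
        if m and m.group("val") != "0":
            findings.append(Finding("sfc_disabled", m.group("val")))
    return findings


def count_by_kind(findings: List[Finding]) -> Dict[str, int]:
    """Summarise findings as {kind: count} for a quick overview."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:24} {f.detail}")
    print(count_by_kind(triage(SAMPLE_LOG)))
```

    On the sample above the script reports the disabled firewall, SSPORT as unreadable, ATICDSDr and SiwvidStart as both unreadable and loading from Temp, the two 154.32.x.x resolvers as unexpected, and SFCDisable=-99. Unknown resolvers are only a prompt to look them up (as the next post does with WHOIS), not proof of tampering.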
  7. fopetesl

    fopetesl TS Rookie Topic Starter

    WHOIS shows this:
    Code:
    Base	Record	Name	IP	Reverse	Route	AS
    res1.dns.uk.psi.net	a 	154.32.105.18
    United Kingdom
    	154.32.0.0/16
    PSINet UK Ltd. backbone network
    	AS1290
    TelstraEuropeLtd-Backbone Telstra Europe Ltd Platinum Building, St. John's Innovation Park Cowley Road, Cambridge, CB4 0WS. England
    Does this help?
    AFAIK not my internet supplier.

    Combofix two comments:
    1) See attached picture - Prevx will not "End Process" in Task Manager. All I could do was tell it to stop protection for 15 minutes.
    2) Combofix log:
    =================== Combofix log begins ==============
    ComboFix 11-03-13.01 - Ye Boss 14/03/2011 11:08:49.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1502 [GMT 0:00]
    Running from: f:\documents and settings\Ye Boss\Desktop\ComboFix.exe
    Command switches used :: f:\documents and settings\Ye Boss\Desktop\CFScript.txt
    AV: Prevx 2.0 *Disabled/Updated* {557C3342-BC52-4508-AC25-4441BDF5C04C}
    AV: Prevx 3.0 *Enabled/Updated* {D486329C-1488-4CEB-9CC8-D662B732D901}
    .
    FILE ::
    "f:\docume~1\YEBOSS~1\LOCALS~1\Temp\_ISTMP4.DIR\ _ISTMP0.DIR\siwvid.sys"
    "f:\docume~1\YEBOSS~1\LOCALS~1\Temp\ATICDSDr.sys"
    "f:\windows\system32\DRIVERS\GenericMount.sys"
    "f:\windows\system32\drivers\hitmanpro35.sys"
    "f:\windows\system32\Drivers\PsSdk30.drv"
    "f:\windows\system32\Drivers\SSPORT.sys"
    "f:\windows\system32\PLCMPR5.SYS"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    f:\windows\system32\drivers\hitmanpro35.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_ATICDSDR
    -------\Legacy_ATIDCM
    -------\Legacy_PSSDK30
    -------\Legacy_SIWVIDSTART
    -------\Legacy_SSPORT
    -------\Service_ATICDSDr
    -------\Service_AtiDCM
    -------\Service_GenericMount
    -------\Service_PLCMPR5
    -------\Service_PsSdk30
    -------\Service_SiwvidStart
    -------\Service_SSPORT
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-02-14 to 2011-03-14 )))))))))))))))))))))))))))))))
    .
    .
    2011-03-11 11:10 . 2011-03-11 11:10 -------- d-----w- f:\program files\ESET
    2011-03-08 12:37 . 2009-05-22 02:41 114944 ----a-r- f:\windows\system32\drivers\viamraid.sys
    2011-03-08 09:17 . 2011-03-08 09:17 12872 ----a-w- f:\windows\system32\bootdelete.exe
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-01-26 15:49 . 1999-07-05 10:00 74703 ----a-w- f:\windows\system32\mfc45.dll
    2011-01-15 16:54 . 2011-01-15 16:54 33019 ----a-w- f:\windows\system32\CoreAAC-uninstall.exe
    2011-01-15 15:09 . 2010-04-08 11:01 389120 ----a-w- f:\windows\system32\ACTSKN43.OCX
    2010-12-20 18:09 . 2011-02-07 12:53 38224 ----a-w- f:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-20 18:08 . 2011-02-07 12:53 20952 ----a-w- f:\windows\system32\drivers\mbam.sys
    .
    .
    ------- Sigcheck -------
    .
    [-] 2009-01-08 . 5AE1C2695F6523AD98B948F2887D8C5E . 361600 . . [5.1.2600.5649] . . f:\windows\system32\drivers\tcpip.sys
    [-] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . f:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
    .
    [-] 2009-01-08 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . f:\windows\system32\sfcfiles.dll
    .
    [-] 2007-07-18 . 06ABBA5C28F663DF5C0A59FFB5B765F2 . 42368 . . [5.1.2600.3180] . . f:\windows\system32\drivers\agp440.sys
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-03-12_12.12.00 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-03-14 11:12 . 2011-03-14 11:12 16384 f:\windows\temp\Perflib_Perfdata_2c4.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SarbyxTrayClock"="f:\program files\SarbyxTrayClock\trayclock.exe" [2006-10-19 60928]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ClocX"="f:\program files\ClocX\ClocX.exe" [2007-07-26 270336]
    "Atomic Time Synchronizer"="g:\program files\AtSync\TimeSync.exe" [2009-03-15 515584]
    "NvCplDaemon"="f:\windows\system32\NvCpl.dll" [2010-04-03 13670504]
    "KeePass 2 PreLoad"="g:\program files\KeePass Password Safe 2\KeePass.exe" [2010-09-05 1655296]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "_nltide_2"="shell32" [X]
    "tscuninstall"="f:\windows\system32\tscupgrd.exe" [2004-08-03 44544]
    .
    f:\documents and settings\Ye Boss\Start Menu\Programs\Startup\AutorunsDisabled
    MailWasherPro.lnk - f:\program files\MailWasher\MailWasher.exe [2006-11-16 5661184]
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoSMConfigurePrograms"= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "Philips Intelligent Agent"="f:\philips_pbdv1601p_b3.7_upgrade\Philips Intelligent Agent\Philips Intelligent Agent.exe" /SILENT
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "SunJavaUpdateSched"="f:\program files\Java\jre1.5.0_09\bin\jusched.exe"
    "TkBellExe"="f:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "f:\\Program Files\\uTorrent\\UTORRENT.EXE"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "g:\\Program Files\\AtSync\\TimeSync.exe"=
    "g:\\Program Files\\NuSphere\\PhpED\\php\\php.exe"=
    "g:\\Program Files\\NuSphere\\PhpED\\php\\php-cli.exe"=
    "g:\\Program Files\\NuSphere\\PhpED\\php5\\php-cgi.exe"=
    "g:\\Program Files\\NuSphere\\PhpED\\php5\\php.exe"=
    "g:\\Program Files\\NuSphere\\PhpED\\php53\\php-cgi.exe"=
    "g:\\Program Files\\NuSphere\\PhpED\\php53\\php.exe"=
    "g:\\Program Files\\NuSphere\\PhpED\\Srv.exe"=
    "g:\\Program Files\\NuSphere\\PhpED\\debugger\\DbgListener.exe"=
    "g:\\Program Files\\NuSphere\\PhpED\\phped.exe"=
    "f:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "f:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
    "f:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
    "f:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
    "f:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
    "f:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
    "f:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
    "f:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
    "f:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
    "f:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "67:UDP"= 67:UDP:DHCP Discovery Service
    "8000:UDP"= 8000:UDP:Express Talk RTP Incoming Audio (UDP)
    "8001:UDP"= 8001:UDP:Express Talk RTP Incoming Audio (UDP)
    "8002:UDP"= 8002:UDP:Express Talk RTP Incoming Audio (UDP)
    "8003:UDP"= 8003:UDP:Express Talk RTP Incoming Audio (UDP)
    "8004:UDP"= 8004:UDP:Express Talk RTP Incoming Audio (UDP)
    "8005:UDP"= 8005:UDP:Express Talk RTP Incoming Audio (UDP)
    "8006:UDP"= 8006:UDP:Express Talk RTP Incoming Audio (UDP)
    "8007:UDP"= 8007:UDP:Express Talk RTP Incoming Audio (UDP)
    "8008:UDP"= 8008:UDP:Express Talk RTP Incoming Audio (UDP)
    "8009:UDP"= 8009:UDP:Express Talk RTP Incoming Audio (UDP)
    "5070:UDP"= 5070:UDP:Express Talk Sip Incoming Calls (UDP)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundEchoRequest"= 1 (0x1)
    .
    R0 pxscan;pxscan;f:\windows\system32\drivers\pxscan.sys [21/05/2009 11:45 22024]
    R0 pxsec;pxsec;f:\windows\system32\drivers\pxsec.sys [21/05/2009 11:45 27656]
    R1 Ext2fs;Ext2fs;f:\windows\system32\drivers\ext2fs.sys [30/01/2007 13:08 132736]
    R1 IfsDrives;IfsDrives;f:\windows\system32\drivers\IfsDrives.sys [30/01/2007 13:08 4608]
    R2 AtSync;Atomic Time Synchronizer;g:\program files\AtSync\ats.exe [06/11/2009 15:39 433152]
    R2 CSIScanner;CSIScanner;f:\program files\Prevx\prevx.exe [21/05/2009 11:45 4368952]
    R2 PLCNDIS5;PLCNDIS5 NDIS Protocol Driver;f:\windows\system32\plcndis5.sys [17/05/2004 10:21 17280]
    R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Adapter;f:\windows\system32\drivers\atl01_xp.sys [27/01/2007 09:28 35712]
    R3 nvoclock;NVIDIA Enthusiasts Platform KDM;f:\windows\system32\drivers\nvoclock.sys [15/09/2009 13:59 38248]
    S2 gupdate;Google Update Service (gupdate);f:\program files\Google\Update\GoogleUpdate.exe [30/07/2009 17:20 133104]
    S3 Asushwio;Asushwio;f:\windows\system32\drivers\ASUSHWIO.SYS [02/11/2006 15:04 5824]
    S3 NPF;NetGroup Packet Filter Driver;f:\windows\system32\drivers\npf.sys [21/06/2007 19:55 32512]
    S3 PAC207;Trust WB-1200p Mini Webcam;f:\windows\system32\drivers\PFC027.sys [24/02/2005 11:29 162176]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    hpdevmgmt REG_MULTI_SZ hpqcxs08
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2010-08-16 12:43 451872 ----a-w- f:\program files\Common Files\LightScribe\LSRunOnce.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC}]
    2008-06-18 14:04 8192 ----a-w- f:\program files\PixiePack Codec Pack\InstallerHelper.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-03-12 f:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - f:\program files\Google\Update\GoogleUpdate.exe [2009-07-30 17:20]
    .
    2011-03-12 f:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - f:\program files\Google\Update\GoogleUpdate.exe [2009-07-30 17:20]
    .
    2011-03-12 f:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-507921405-1078081533-839522115-1003Core.job
    - f:\documents and settings\Ye Boss\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-26 07:56]
    .
    2011-03-12 f:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-507921405-1078081533-839522115-1003UA.job
    - f:\documents and settings\Ye Boss\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-26 07:56]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.eset.eu/eset-online-scanner
    IE: E&xport to Microsoft Excel - f:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    TCP: {0927A573-845C-4B80-9108-9BD2FA005E1D} = 195.74.113.58,195.74.113.62
    TCP: {72049C5E-31B0-4E24-A4F7-527C9EED1463} = 8.8.8.8,8.8.4.4,154.32.109.18,154.32.105.18
    FF - ProfilePath - f:\documents and settings\Ye Boss\Application Data\Mozilla\Firefox\Profiles\b1gs52tz.default\
    FF - prefs.js: browser.search.selectedEngine - Chambers (UK)
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - f:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - f:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - f:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: Java Quick Starter: jqs@sun.com - f:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    FF - Ext: Adblock Plus Pop-up Addon: adblockpopups@jessehakanen.net - %profile%\extensions\adblockpopups@jessehakanen.net
    FF - Ext: Element Hiding Helper for Adblock Plus: elemhidehelper@adblockplus.org - %profile%\extensions\elemhidehelper@adblockplus.org
    FF - Ext: KeeFox: keefox@chris.tomlinson - %profile%\extensions\keefox@chris.tomlinson
    FF - Ext: MozRepl: mozrepl@hyperstruct.net - %profile%\extensions\mozrepl@hyperstruct.net
    FF - Ext: British English Dictionary: en-GB@dictionaries.addons.mozilla.org - %profile%\extensions\en-GB@dictionaries.addons.mozilla.org
    FF - Ext: FastestFox: smarterwiki@wikiatic.com - %profile%\extensions\smarterwiki@wikiatic.com
    FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
    FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-14 11:13
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(2436)
    f:\windows\system32\msi.dll
    f:\windows\system32\wpdshserviceobj.dll
    f:\windows\system32\portabledevicetypes.dll
    f:\windows\system32\portabledeviceapi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    f:\windows\system32\savedump.exe
    f:\windows\system32\nvsvc32.exe
    f:\program files\Google\Update\1.2.183.39\GoogleCrashHandler.exe
    g:\program files\Nero 8\InCD\InCDsrv.exe
    f:\program files\Java\jre6\bin\jqs.exe
    f:\program files\Common Files\LightScribe\LSSrvc.exe
    f:\windows\System32\PAStiSvc.exe
    f:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2011-03-14 11:14:57 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-03-14 11:14
    ComboFix2.txt 2011-03-12 12:13
    .
    Pre-Run: 120,892,542,976 bytes free
    Post-Run: 120,869,621,760 bytes free
    .
    - - End Of File - - 1F22B31B0830E1BFD7631D74A3E72F85

    =================== Combofix log ends ===============

    Also I had previously uninstalled Hitman from drive C..G but it seems not all of it.
    Have deleted any references to it on both drives.
    Nice suggestion but since I cannot seem to run the faulty drive :( .....

    BTW, Express Talk was an attempt not to use Skype. Can I safely remove the apparent pinholes from my Registry?
     

    Attached Files:

  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Thank you. The database operators for both ARIN and RIPE must have been out to lunch yesterday! This was all I got:
    WHOIS - 154.32.105.18>> Location: Unknown
    WHOIS - 154.32.109.18>> Location: Unknown

    I'm taking it that you mean "as far as I know" when you use AFIK? Best not to use acronyms.
    ======================================
    I have a question; it comes only from curiosity and isn't malware related: why are you running 3 other timekeepers in addition to the clock in the OS?
    "SarbyxTrayClock"> 2006> Sarbyx TrayClock is the replacement for standard Windows clock,
    "ClocX"> 2007>> ClocX is analog clock application for Microsoft Windows 98/ME/NT/2000/XP/2003.
    "Atomic Time Synchronizer"> 2009> Automatically keep your PC's clock in sync to the US government's atomic clock in Boulder, Colo.

    Do you know that all of this can be handled by doing a right click on the clock in the Notification area > Adjust Date/Time?
    ========================================
    The message from ComboFix indicates that Prevx v3.0 was still running, as indicated in the header:
    Combofix header: AV: Prevx 3.0 *Enabled/Updated* {D486329C-1488-4CEB-9CC8-D662B732D901}
    AV is supposed to be disabled before running the scan:
    Disable Prevx RealTime Protection:
    1. Right click on the Prevx icon in the system tray at the bottom-right corner of your screen and choose Show Management Console.
    2. On the Management Console click the Protection Level drop-down menu.
      You will see three levels:
      [o] Maximum
      [o] Off
      [o] User Defined
    3. To disable all protection set the level to Off. You will receive a prompt asking "You are about to change your security settings. Do you wish to continue?" Click Yes.
    4. Click the X on the upper right hand corner to exit the Management Console.
    After the cleaning is completed, repeat the steps above, setting the level to Maximum in order to re-enable protection.
    ============================================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    f:\windows\system32\savedump.exe
    Registry::
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "_nltide_2"=-
    "tscuninstall"=-
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "8000:UDP"=- 
    "8001:UDP"=-
    "8002:UDP"=-
    "8003:UDP"=-
    "8004:UDP"=-
    "8005:UDP"=-
    "8006:UDP"=-
    "8007:UDP"=-
    "8008:UDP"=-
    "8009:UDP"=-
    "5070:UDP"=-
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundEchoRequest"=-
    Extra::
    File::
    f:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
    f:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    Firefox::
    Firefox-: - Profile- f:\documents and settings\Ye Boss\Application Data\Mozilla\Firefox\Profiles\b1gs52tz.default\
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [image: CFScript.txt being dragged onto ComboFix.exe]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it in your next reply.
    ====================
    Make sure Java has the most current update (Check Java Updates). Uninstall any earlier versions in Add/Remove Programs, as they are vulnerabilities for the system.
     
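The open-port and ICMP entries that the CFScript above deletes come from the firewallpolicy\standardprofile keys in the ComboFix "Reg Loading Points" section. The Python script below is an added example, not part of this thread and not ComboFix's own code: it parses that section from a constructed log excerpt (modelled on the entries quoted in this thread), reports whether the XP firewall is enabled, which ports are globally open and which applications are authorised, and then generates the same `"name"=-` Registry:: lines the helper's script uses for the entries to remove. The function names and the `keep_ports` parameter are the example's own.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt modelled on the firewall-policy part of the ComboFix
# "Reg Loading Points" section quoted in this thread; it is sample input, not
# a copy of the full log. A raw string keeps the registry-escaped "\\" as-is.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"f:\\Program Files\\uTorrent\\UTORRENT.EXE"=
"%windir%\\system32\\sessmgr.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
"8000:UDP"= 8000:UDP:Express Talk RTP Incoming Audio (UDP)
"5070:UDP"= 5070:UDP:Express Talk Sip Incoming Calls (UDP)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
"""

PROFILE = r"firewallpolicy\standardprofile"
ENTRY_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')   # "name"= value  (value may be empty)


def parse_firewall_policy(log_text: str) -> Dict[str, Dict[str, str]]:
    """Return {subkey: {value_name: value}} for the standard-profile firewall keys.

    subkey is the path below ...\standardprofile ("" for the profile root).
    Lines under any other registry key are ignored, so a whole ComboFix log
    can be fed in unchanged.
    """
    policy: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            idx = key.lower().find(PROFILE.lower())
            if idx == -1:
                current = None                      # some unrelated key
                continue
            current = key[idx + len(PROFILE):].lstrip("\\")
            policy.setdefault(current, {})
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            policy[current][m.group(1)] = m.group(2).strip()
    return policy


def open_ports(policy: Dict[str, Dict[str, str]]) -> List[Tuple[int, str, str]]:
    """(port, protocol, description) for every GloballyOpenPorts entry."""
    ports = []
    for name, value in policy.get(r"GloballyOpenPorts\List", {}).items():
        port, proto = name.split(":", 1)
        # value looks like "8000:UDP:Express Talk RTP Incoming Audio (UDP)"
        desc = value.split(":", 2)[2] if value.count(":") >= 2 else value
        ports.append((int(port), proto, desc))
    return ports


def firewall_enabled(policy) -> bool:
    return policy.get("", {}).get("EnableFirewall", "").startswith("1")


def inbound_echo_allowed(policy) -> bool:
    return policy.get("IcmpSettings", {}).get("AllowInboundEchoRequest", "").startswith("1")


def authorized_apps(policy) -> List[str]:
    return list(policy.get(r"AuthorizedApplications\List", {}).keys())


def removal_script(policy, keep_ports=()) -> str:
    """Registry:: part of a CFScript deleting every open port not in keep_ports
    and the inbound-echo allowance, in the '"name"=-' form the helper uses."""
    lines = ["Registry::"]
    ports = [p for p in open_ports(policy) if p[0] not in keep_ports]
    if ports:
        lines.append(r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]")
        lines += ['"%d:%s"=-' % (port, proto) for port, proto, _ in ports]
    if inbound_echo_allowed(policy):
        lines.append(r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]")
        lines.append('"AllowInboundEchoRequest"=-')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    pol = parse_firewall_policy(SAMPLE_LOG)
    print("firewall enabled:", firewall_enabled(pol))
    for port, proto, desc in open_ports(pol):
        print("open %5d/%s  %s" % (port, proto, desc))
    print("authorized apps:", authorized_apps(pol))
    print(removal_script(pol, keep_ports={67}))
```

The `keep_ports` argument only exists to show that the two scripts in this thread differ on 67/UDP (the first leaves the DHCP entry in place, the second removes it); the "EnableFirewall = 0" finding is worth noting in its own right, since an open-port list is moot while the XP firewall itself is off.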
  9. fopetesl

    fopetesl TS Rookie Topic Starter

    1. First the multiple clocks are something of a throwback again.
      ClocX puts a transparent clock on the screen but doesn't synchronise as far as I know.
      Sarbyx similar situation but it gives more information without clicking.
      The Atomic Time Sync is hopefully just that. No inter-reaction, it just works.

      You must be looking at a different version of Prevx to me. See attached picture. I'll just stop protection temporarily for now.

      ================== Combofix log begins ========================
      ComboFix 11-03-14.07 - Ye Boss 15/03/2011 17:00:23.3.2 - x86
      Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1578 [GMT 0:00]
      Running from: f:\documents and settings\Ye Boss\Desktop\ComboFix.exe
      Command switches used :: f:\documents and settings\Ye Boss\Desktop\CFScript.txt
      AV: Prevx 2.0 *Disabled/Updated* {557C3342-BC52-4508-AC25-4441BDF5C04C}
      AV: Prevx 3.0 *Enabled/Updated* {D486329C-1488-4CEB-9CC8-D662B732D901}
      .
      FILE ::
      "f:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}"
      "f:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}"
      "f:\windows\system32\savedump.exe"
      .
      .
      ((((((((((((((((((((((((( Files Created from 2011-02-15 to 2011-03-15 )))))))))))))))))))))))))))))))
      .
      .
      2011-03-11 11:10 . 2011-03-11 11:10 -------- d-----w- f:\program files\ESET
      2011-03-08 12:37 . 2009-05-22 02:41 114944 ----a-r- f:\windows\system32\drivers\viamraid.sys
      2011-03-08 09:17 . 2011-03-08 09:17 12872 ----a-w- f:\windows\system32\bootdelete.exe
      .
      .
      (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      2011-01-26 15:49 . 1999-07-05 10:00 74703 ----a-w- f:\windows\system32\mfc45.dll
      2011-01-15 16:54 . 2011-01-15 16:54 33019 ----a-w- f:\windows\system32\CoreAAC-uninstall.exe
      2011-01-15 15:09 . 2010-04-08 11:01 389120 ----a-w- f:\windows\system32\ACTSKN43.OCX
      2010-12-20 18:09 . 2011-02-07 12:53 38224 ----a-w- f:\windows\system32\drivers\mbamswissarmy.sys
      2010-12-20 18:08 . 2011-02-07 12:53 20952 ----a-w- f:\windows\system32\drivers\mbam.sys
      .
      .
      ------- Sigcheck -------
      .
      [-] 2009-01-08 . 5AE1C2695F6523AD98B948F2887D8C5E . 361600 . . [5.1.2600.5649] . . f:\windows\system32\drivers\tcpip.sys
      [-] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . f:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
      .
      [-] 2009-01-08 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . f:\windows\system32\sfcfiles.dll
      .
      [-] 2007-07-18 . 06ABBA5C28F663DF5C0A59FFB5B765F2 . 42368 . . [5.1.2600.3180] . . f:\windows\system32\drivers\agp440.sys
      .
      ((((((((((((((((((((((((((((( SnapShot@2011-03-12_12.12.00 )))))))))))))))))))))))))))))))))))))))))
      .
      + 2011-03-15 09:12 . 2011-03-15 09:12 16384 f:\windows\temp\Perflib_Perfdata_324.dat
      .
      ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      .
      *Note* empty entries & legit default entries are not shown
      REGEDIT4
      .
      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "SarbyxTrayClock"="f:\program files\SarbyxTrayClock\trayclock.exe" [2006-10-19 60928]
      .
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "ClocX"="f:\program files\ClocX\ClocX.exe" [2007-07-26 270336]
      "Atomic Time Synchronizer"="g:\program files\AtSync\TimeSync.exe" [2009-03-15 515584]
      "NvCplDaemon"="f:\windows\system32\NvCpl.dll" [2010-04-03 13670504]
      "KeePass 2 PreLoad"="g:\program files\KeePass Password Safe 2\KeePass.exe" [2010-09-05 1655296]
      "SunJavaUpdateSched"="f:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
      .
      f:\documents and settings\Ye Boss\Start Menu\Programs\Startup\AutorunsDisabled
      MailWasherPro.lnk - f:\program files\MailWasher\MailWasher.exe [2006-11-16 5661184]
      .
      [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
      "NoSMConfigurePrograms"= 1 (0x1)
      .
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
      @="Driver"
      .
      [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
      "Philips Intelligent Agent"="f:\philips_pbdv1601p_b3.7_upgrade\Philips Intelligent Agent\Philips Intelligent Agent.exe" /SILENT
      .
      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
      "SunJavaUpdateSched"="f:\program files\Java\jre1.5.0_09\bin\jusched.exe"
      "TkBellExe"="f:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
      .
      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
      "EnableFirewall"= 0 (0x0)
      .
      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
      "f:\\Program Files\\uTorrent\\UTORRENT.EXE"=
      "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
      "%windir%\\system32\\sessmgr.exe"=
      "g:\\Program Files\\AtSync\\TimeSync.exe"=
      "g:\\Program Files\\NuSphere\\PhpED\\php\\php.exe"=
      "g:\\Program Files\\NuSphere\\PhpED\\php\\php-cli.exe"=
      "g:\\Program Files\\NuSphere\\PhpED\\php5\\php-cgi.exe"=
      "g:\\Program Files\\NuSphere\\PhpED\\php5\\php.exe"=
      "g:\\Program Files\\NuSphere\\PhpED\\php53\\php-cgi.exe"=
      "g:\\Program Files\\NuSphere\\PhpED\\php53\\php.exe"=
      "g:\\Program Files\\NuSphere\\PhpED\\Srv.exe"=
      "g:\\Program Files\\NuSphere\\PhpED\\debugger\\DbgListener.exe"=
      "g:\\Program Files\\NuSphere\\PhpED\\phped.exe"=
      "f:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
      "f:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
      "f:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
      "f:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
      "f:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
      "f:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
      "f:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
      "f:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
      "f:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
      "f:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
      .
      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
      "67:UDP"= 67:UDP:DHCP Discovery Service
      "8000:UDP"= 8000:UDP:Express Talk RTP Incoming Audio (UDP)
      "8001:UDP"= 8001:UDP:Express Talk RTP Incoming Audio (UDP)
      "8002:UDP"= 8002:UDP:Express Talk RTP Incoming Audio (UDP)
      "8003:UDP"= 8003:UDP:Express Talk RTP Incoming Audio (UDP)
      "8004:UDP"= 8004:UDP:Express Talk RTP Incoming Audio (UDP)
      "8005:UDP"= 8005:UDP:Express Talk RTP Incoming Audio (UDP)
      "8006:UDP"= 8006:UDP:Express Talk RTP Incoming Audio (UDP)
      "8007:UDP"= 8007:UDP:Express Talk RTP Incoming Audio (UDP)
      "8008:UDP"= 8008:UDP:Express Talk RTP Incoming Audio (UDP)
      "8009:UDP"= 8009:UDP:Express Talk RTP Incoming Audio (UDP)
      "5070:UDP"= 5070:UDP:Express Talk Sip Incoming Calls (UDP)
      .
      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
      "AllowInboundEchoRequest"= 1 (0x1)
      .
      R0 pxscan;pxscan;f:\windows\system32\drivers\pxscan.sys [21/05/2009 11:45 22024]
      R0 pxsec;pxsec;f:\windows\system32\drivers\pxsec.sys [21/05/2009 11:45 27656]
      R1 Ext2fs;Ext2fs;f:\windows\system32\drivers\ext2fs.sys [30/01/2007 13:08 132736]
      R1 IfsDrives;IfsDrives;f:\windows\system32\drivers\IfsDrives.sys [30/01/2007 13:08 4608]
      R2 AtSync;Atomic Time Synchronizer;g:\program files\AtSync\ats.exe [06/11/2009 15:39 433152]
      R2 CSIScanner;CSIScanner;f:\program files\Prevx\prevx.exe [21/05/2009 11:45 4368952]
      R2 PLCNDIS5;PLCNDIS5 NDIS Protocol Driver;f:\windows\system32\plcndis5.sys [17/05/2004 10:21 17280]
      R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Adapter;f:\windows\system32\drivers\atl01_xp.sys [27/01/2007 09:28 35712]
      R3 nvoclock;NVIDIA Enthusiasts Platform KDM;f:\windows\system32\drivers\nvoclock.sys [15/09/2009 13:59 38248]
      S2 gupdate;Google Update Service (gupdate);f:\program files\Google\Update\GoogleUpdate.exe [30/07/2009 17:20 133104]
      S3 Asushwio;Asushwio;f:\windows\system32\drivers\ASUSHWIO.SYS [02/11/2006 15:04 5824]
      S3 NPF;NetGroup Packet Filter Driver;f:\windows\system32\drivers\npf.sys [21/06/2007 19:55 32512]
      S3 PAC207;Trust WB-1200p Mini Webcam;f:\windows\system32\drivers\PFC027.sys [24/02/2005 11:29 162176]
      .
      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
      hpdevmgmt REG_MULTI_SZ hpqcxs08
      .
      [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
      2010-08-16 12:43 451872 ----a-w- f:\program files\Common Files\LightScribe\LSRunOnce.exe
      .
      [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC}]
      2008-06-18 14:04 8192 ----a-w- f:\program files\PixiePack Codec Pack\InstallerHelper.exe
      .
      Contents of the 'Scheduled Tasks' folder
      .
      2011-03-12 f:\windows\Tasks\GoogleUpdateTaskMachineCore.job
      - f:\program files\Google\Update\GoogleUpdate.exe [2009-07-30 17:20]
      .
      2011-03-12 f:\windows\Tasks\GoogleUpdateTaskMachineUA.job
      - f:\program files\Google\Update\GoogleUpdate.exe [2009-07-30 17:20]
      .
      2011-03-12 f:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-507921405-1078081533-839522115-1003Core.job
      - f:\documents and settings\Ye Boss\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-26 07:56]
      .
      2011-03-12 f:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-507921405-1078081533-839522115-1003UA.job
      - f:\documents and settings\Ye Boss\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-26 07:56]
      .
      .
      ------- Supplementary Scan -------
      .
      uStart Page = hxxp://www.eset.eu/eset-online-scanner
      IE: E&xport to Microsoft Excel - f:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
      TCP: {0927A573-845C-4B80-9108-9BD2FA005E1D} = 195.74.113.58,195.74.113.62
      TCP: {72049C5E-31B0-4E24-A4F7-527C9EED1463} = 8.8.8.8,8.8.4.4,154.32.109.18,154.32.105.18
      FF - ProfilePath - f:\documents and settings\Ye Boss\Application Data\Mozilla\Firefox\Profiles\b1gs52tz.default\
      FF - prefs.js: browser.search.selectedEngine - Chambers (UK)
      FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
      FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - f:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
      FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - f:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
      FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - f:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
      FF - Ext: Java Quick Starter: jqs@sun.com - f:\program files\Java\jre6\lib\deploy\jqs\ff
      FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
      FF - Ext: Adblock Plus Pop-up Addon: adblockpopups@jessehakanen.net - %profile%\extensions\adblockpopups@jessehakanen.net
      FF - Ext: Element Hiding Helper for Adblock Plus: elemhidehelper@adblockplus.org - %profile%\extensions\elemhidehelper@adblockplus.org
      FF - Ext: KeeFox: keefox@chris.tomlinson - %profile%\extensions\keefox@chris.tomlinson
      FF - Ext: MozRepl: mozrepl@hyperstruct.net - %profile%\extensions\mozrepl@hyperstruct.net
      FF - Ext: British English Dictionary: en-GB@dictionaries.addons.mozilla.org - %profile%\extensions\en-GB@dictionaries.addons.mozilla.org
      FF - Ext: FastestFox: smarterwiki@wikiatic.com - %profile%\extensions\smarterwiki@wikiatic.com
      FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
      FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
      .
      .
      ------- File Associations -------
      .
      JSEFile=NOTEPAD.EXE %1
      txtfile="f:\program files\NotepadBDV\Notepad.exe" "%1"
      regfile\shell\edit\command=%SystemRoot%\system32\NOTEPAD.EXE %1
      .
      .
      **************************************************************************
      .
      catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
      Rootkit scan 2011-03-15 17:03
      Windows 5.1.2600 Service Pack 3 NTFS
      .
      scanning hidden processes ...
      .
      scanning hidden autostart entries ...
      .
      scanning hidden files ...
      .
      scan completed successfully
      hidden files: 0
      .
      **************************************************************************
      .
      --------------------- DLLs Loaded Under Running Processes ---------------------
      .
      - - - - - - - > 'explorer.exe'(1344)
      f:\windows\system32\msi.dll
      f:\windows\system32\wpdshserviceobj.dll
      f:\windows\system32\portabledevicetypes.dll
      f:\windows\system32\portabledeviceapi.dll
      .
      Completion time: 2011-03-15 17:04:11
      ComboFix-quarantined-files.txt 2011-03-15 17:04
      ComboFix2.txt 2011-03-12 12:13
      .
      Pre-Run: 120,914,960,384 bytes free
      Post-Run: 120,890,683,392 bytes free
      .
      - - End Of File - - DDD426DE3F7CA76C7AC16E3DC8FFB062

      ================== Combofix log ends =========================

      I had three(?) Java installers:
      J2SE Runtime Environment 5.0 Update 5 (I didn't note this update) uninstalled.
      J2SE Runtime Environment 5.0 Update 9 left installed
      Java(TM) 6 Update 17 left installed.
      I don't know Java so I'm unsure as to which one(s) you wish removed.
     

    Attached Files:

  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please don't take up space quoting everything I ask or ask you to do! I get all the logs in my email feedback! I know what I said and can always refer to my post if needed, but I go back through all these logs and honestly, it makes the thread too d... long if you quote me too!

    I'll be back a little later to go over the log.
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Did you ever run the Eset scan? Log?

    Hey, if you want all those clocks, no problem.
    As for Java, the most current version is v6u24. You should uninstall all Java and JRE versions that are not this version; update here> http://www.java.com/en/download/index.jsp
    There are also links on the page for information about Java. The versions that are outdated are vulnerabilities on the system. Unfortunately, new updates don't overwrite the previous versions, so you must go to Add/Remove Programs and do the uninstall.
    ========================================
    I see that the Prevx screen is slightly different. If you click on Self Protection in the main window, you should be able to check to turn it off. You may also be able to do the same in the small window with "Edge Protection Active" open; just click on the Setting Off.
    ==========================================
    Please clarify these entries for me. "AFAIK not my internet supplier."
    http://www.userland.com/whatIsAfaik
    http://geekdictionary.computing.net/define/afaik
    TCP: {0927A573-845C-4B80-9108-9BD2FA005E1D} = 195.74.113.58,195.74.113.62
    TCP: {72049C5E-31B0-4E24-A4F7-527C9EED1463} = 8.8.8.8,8.8.4.4,154.32.109.18,154.32.105.18
    and what I found may have been for that.
    ========================================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    Extra::
    File::
    f:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
    f:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    Firefox::
    Firefox-: - Profile -f:\documents and settings\Ye Boss\Application Data\Mozilla\Firefox\Profiles\b1gs52tz.default\
    
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "67:UDP"=- 
    "8000:UDP"=-
    "8001:UDP"=-
    "8002:UDP"=-
    "8003:UDP"=-
    "8004:UDP"=-
    "8005:UDP"=-
    "8006:UDP"=-
    "8007:UDP"=-
    "8008:UDP"=-
    "8009:UDP"=-
    "5070:UDP"=-
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundEchoRequest"=-
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [image: CFScript.txt being dragged onto ComboFix.exe]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it in your next reply.
    ====================
     
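On the question of which Java entries to remove: the helper's rule is that every runtime other than the current release (given above as 6u24) is a vulnerability and is not removed by installing a newer update. The Python below is an added example, not from this thread or from Oracle/Sun: it parses Add/Remove Programs display names of the two forms the poster listed ("J2SE Runtime Environment 5.0 Update N" and "Java(TM) 6 Update N") into (family, update) pairs and reports the entries to uninstall. The name list is constructed and the function names are the example's own.

```python
import re
from typing import List, Optional, Tuple

# Constructed Add/Remove Programs display names, modelled on the three entries
# the poster listed plus the current release the helper names (6u24) and one
# non-Java entry to show it is ignored.
INSTALLED = [
    "J2SE Runtime Environment 5.0 Update 5",
    "J2SE Runtime Environment 5.0 Update 9",
    "Java(TM) 6 Update 17",
    "Java(TM) 6 Update 24",
    "Mozilla Firefox (3.6.15)",
]

# "J2SE Runtime Environment 5.0 Update 9" -> (5, 9); "Java(TM) 6 Update 17" -> (6, 17)
VERSION_RE = re.compile(
    r"^(?:J2SE Runtime Environment|Java\(TM\))\s+(\d+)(?:\.0)?\s+Update\s+(\d+)$",
    re.IGNORECASE,
)


def parse_java_entry(name: str) -> Optional[Tuple[int, int]]:
    """(family, update) for a Java runtime display name, None for anything else."""
    m = VERSION_RE.match(name.strip())
    return (int(m.group(1)), int(m.group(2))) if m else None


def java_entries(names) -> List[Tuple[str, Tuple[int, int]]]:
    """Keep only the entries that parse as a Java runtime."""
    out = []
    for n in names:
        ver = parse_java_entry(n)
        if ver is not None:
            out.append((n, ver))
    return out


def outdated_java(names, current=(6, 24)) -> List[str]:
    """Display names of every Java runtime that is not the current release.

    Only the exact current release is kept: an older family (5.0) and an
    earlier update of the same family (6u17) are both superseded. The default
    for `current` is the release the thread names for March 2011.
    """
    return [name for name, ver in java_entries(names) if ver != current]


def needs_install(names, current=(6, 24)) -> bool:
    """True when no installed runtime is the current release."""
    return all(ver != current for _, ver in java_entries(names))


if __name__ == "__main__":
    for name in outdated_java(INSTALLED):
        print("uninstall:", name)
    print("current release missing:", needs_install(INSTALLED))
```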
  12. fopetesl

    fopetesl TS Rookie Topic Starter

    Hmmm..

    ESET wouldn't run last week. Recall? Today it ran, all four+ hours of it...
    Log ...

    D:\Program Files\Evrsoft\1st Page 2000\IScripts\Buttons\Six buttons from hell.izs JS/SixButtons.A trojan
    F:\Documents and Settings\Ye Boss\Desktop\GooredFix Backups\F\Documents and Settings\Ye Boss\Local Settings\Application Data\{1F5B180C-259E-4F28-AFD8-DD460CA584BA}\chrome\content\overlay.xul JS/Gord.A trojan
    F:\WINDOWS\serial.dll Win32/Spy.Delf.JQ trojan
    G:\Downloads\sensorsview-pro-4.1-build-40617.exe a variant of Win32/Sefnit.AD trojan
    I:\Program Files\Evrsoft\1st Page 2000\IScripts\Buttons\Six buttons from hell.izs JS/SixButtons.A trojan
    J:\Downloads\sensorsview-pro-4.1-build-40617.exe a variant of Win32/Sefnit.AD trojan
    K:\Documents and Settings\All Users\Application Data\28765.exe a variant of Win32/Kryptik.LLN trojan
    K:\Documents and Settings\All Users\Application Data\KDfipsQcxuWorYT.dll a variant of Win32/TrojanDownloader.Prodatect.BJ trojan
    K:\Documents and Settings\Ye Boss\Application Data\WMPRWISE.EXE probably a variant of Win32/Injector.FAF trojan
    K:\Documents and Settings\Ye Boss\Desktop\GooredFix Backups\F\Documents and Settings\Ye Boss\Local Settings\Application Data\{1F5B180C-259E-4F28-AFD8-DD460CA584BA}\chrome\content\overlay.xul JS/Gord.A trojan
    K:\Documents and Settings\Ye Boss\Local Settings\Temp\98.tmp probably a variant of Win32/Injector.FAF trojan
    K:\Documents and Settings\Ye Boss\Local Settings\Temporary Internet Files\Content.IE5\F6V58TZI\load[3].htm a variant of Win32/Kryptik.LPK trojan
    L:\Program Files\Evrsoft\1st Page 2000\IScripts\Buttons\Six buttons from hell.izs JS/SixButtons.A trojan
    M:\Downloads\sensorsview-pro-4.1-build-40617.exe a variant of Win32/Sefnit.AD trojan
    ===============================================================
    Smacks of " I'd better find something or they'll think the software isn't up to the job"?
    A la Spybot.

    The IP addresses you name are all DNS servers _EXCEPT_
    http://whois.domaintools.com/154.32.109.18
    of which I know nothing.

    My current Java situation is as per attached picture.


    Combofix log.....................
    =================================================================
    2010-12-20 18:08 . 2011-02-07 12:53 20952 ----a-w- f:\windows\system32\drivers\mbam.sys
    .
    .
    ------- Sigcheck -------
    .
    [-] 2009-01-08 . 5AE1C2695F6523AD98B948F2887D8C5E . 361600 . . [5.1.2600.5649] . . f:\windows\system32\drivers\tcpip.sys
    [-] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . f:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
    .
    [-] 2009-01-08 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . f:\windows\system32\sfcfiles.dll
    .
    [-] 2007-07-18 . 06ABBA5C28F663DF5C0A59FFB5B765F2 . 42368 . . [5.1.2600.3180] . . f:\windows\system32\drivers\agp440.sys
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-03-12_12.12.00 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-03-17 09:26 . 2011-03-17 09:26 16384 f:\windows\temp\Perflib_Perfdata_334.dat
    + 2011-03-16 08:45 . 2011-02-02 21:40 157472 f:\windows\system32\javaws.exe
    + 2011-03-16 08:45 . 2011-02-02 21:40 145184 f:\windows\system32\javaw.exe
    - 2006-11-14 11:24 . 2009-10-11 04:17 145184 f:\windows\system32\javaw.exe
    + 2011-03-16 08:45 . 2011-02-02 21:40 145184 f:\windows\system32\java.exe
    - 2006-11-14 11:24 . 2009-10-11 04:17 145184 f:\windows\system32\java.exe
    + 2011-03-16 08:45 . 2011-03-16 08:45 180224 f:\windows\Installer\69b60.msi
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SarbyxTrayClock"="f:\program files\SarbyxTrayClock\trayclock.exe" [2006-10-19 60928]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ClocX"="f:\program files\ClocX\ClocX.exe" [2007-07-26 270336]
    "Atomic Time Synchronizer"="g:\program files\AtSync\TimeSync.exe" [2009-03-15 515584]
    "NvCplDaemon"="f:\windows\system32\NvCpl.dll" [2010-04-03 13670504]
    "KeePass 2 PreLoad"="g:\program files\KeePass Password Safe 2\KeePass.exe" [2010-09-05 1655296]
    "SunJavaUpdateSched"="f:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
    .
    f:\documents and settings\Ye Boss\Start Menu\Programs\Startup\AutorunsDisabled
    MailWasherPro.lnk - f:\program files\MailWasher\MailWasher.exe [2006-11-16 5661184]
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoSMConfigurePrograms"= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "Philips Intelligent Agent"="f:\philips_pbdv1601p_b3.7_upgrade\Philips Intelligent Agent\Philips Intelligent Agent.exe" /SILENT
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "SunJavaUpdateSched"="f:\program files\Java\jre1.5.0_09\bin\jusched.exe"
    "TkBellExe"="f:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "f:\\Program Files\\uTorrent\\UTORRENT.EXE"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "g:\\Program Files\\AtSync\\TimeSync.exe"=
    "g:\\Program Files\\NuSphere\\PhpED\\php\\php.exe"=
    "g:\\Program Files\\NuSphere\\PhpED\\php\\php-cli.exe"=
    "g:\\Program Files\\NuSphere\\PhpED\\php5\\php-cgi.exe"=
    "g:\\Program Files\\NuSphere\\PhpED\\php5\\php.exe"=
    "g:\\Program Files\\NuSphere\\PhpED\\php53\\php-cgi.exe"=
    "g:\\Program Files\\NuSphere\\PhpED\\php53\\php.exe"=
    "g:\\Program Files\\NuSphere\\PhpED\\Srv.exe"=
    "g:\\Program Files\\NuSphere\\PhpED\\debugger\\DbgListener.exe"=
    "g:\\Program Files\\NuSphere\\PhpED\\phped.exe"=
    "f:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "f:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
    "f:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
    "f:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
    "f:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
    "f:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
    "f:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
    "f:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
    "f:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
    "f:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "67:UDP"= 67:UDP:DHCP Discovery Service
    "8000:UDP"= 8000:UDP:Express Talk RTP Incoming Audio (UDP)
    "8001:UDP"= 8001:UDP:Express Talk RTP Incoming Audio (UDP)
    "8002:UDP"= 8002:UDP:Express Talk RTP Incoming Audio (UDP)
    "8003:UDP"= 8003:UDP:Express Talk RTP Incoming Audio (UDP)
    "8004:UDP"= 8004:UDP:Express Talk RTP Incoming Audio (UDP)
    "8005:UDP"= 8005:UDP:Express Talk RTP Incoming Audio (UDP)
    "8006:UDP"= 8006:UDP:Express Talk RTP Incoming Audio (UDP)
    "8007:UDP"= 8007:UDP:Express Talk RTP Incoming Audio (UDP)
    "8008:UDP"= 8008:UDP:Express Talk RTP Incoming Audio (UDP)
    "8009:UDP"= 8009:UDP:Express Talk RTP Incoming Audio (UDP)
    "5070:UDP"= 5070:UDP:Express Talk Sip Incoming Calls (UDP)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundEchoRequest"= 1 (0x1)
    .
    R0 pxscan;pxscan;f:\windows\system32\drivers\pxscan.sys [21/05/2009 11:45 22024]
    R0 pxsec;pxsec;f:\windows\system32\drivers\pxsec.sys [21/05/2009 11:45 27656]
    R1 Ext2fs;Ext2fs;f:\windows\system32\drivers\ext2fs.sys [30/01/2007 13:08 132736]
    R1 IfsDrives;IfsDrives;f:\windows\system32\drivers\IfsDrives.sys [30/01/2007 13:08 4608]
    R2 AtSync;Atomic Time Synchronizer;g:\program files\AtSync\ats.exe [06/11/2009 15:39 433152]
    R2 CSIScanner;CSIScanner;f:\program files\Prevx\prevx.exe [21/05/2009 11:45 4368952]
    R2 PLCNDIS5;PLCNDIS5 NDIS Protocol Driver;f:\windows\system32\plcndis5.sys [17/05/2004 10:21 17280]
    R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Adapter;f:\windows\system32\drivers\atl01_xp.sys [27/01/2007 09:28 35712]
    R3 nvoclock;NVIDIA Enthusiasts Platform KDM;f:\windows\system32\drivers\nvoclock.sys [15/09/2009 13:59 38248]
    S2 gupdate;Google Update Service (gupdate);f:\program files\Google\Update\GoogleUpdate.exe [30/07/2009 17:20 133104]
    S3 Asushwio;Asushwio;f:\windows\system32\drivers\ASUSHWIO.SYS [02/11/2006 15:04 5824]
    S3 NPF;NetGroup Packet Filter Driver;f:\windows\system32\drivers\npf.sys [21/06/2007 19:55 32512]
    S3 PAC207;Trust WB-1200p Mini Webcam;f:\windows\system32\drivers\PFC027.sys [24/02/2005 11:29 162176]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    hpdevmgmt REG_MULTI_SZ hpqcxs08
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2010-08-16 12:43 451872 ----a-w- f:\program files\Common Files\LightScribe\LSRunOnce.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC}]
    2008-06-18 14:04 8192 ----a-w- f:\program files\PixiePack Codec Pack\InstallerHelper.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-03-12 f:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - f:\program files\Google\Update\GoogleUpdate.exe [2009-07-30 17:20]
    .
    2011-03-12 f:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - f:\program files\Google\Update\GoogleUpdate.exe [2009-07-30 17:20]
    .
    2011-03-12 f:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-507921405-1078081533-839522115-1003Core.job
    - f:\documents and settings\Ye Boss\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-26 07:56]
    .
    2011-03-12 f:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-507921405-1078081533-839522115-1003UA.job
    - f:\documents and settings\Ye Boss\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-26 07:56]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.eset.eu/eset-online-scanner
    IE: E&xport to Microsoft Excel - f:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    TCP: {0927A573-845C-4B80-9108-9BD2FA005E1D} = 195.74.113.58,195.74.113.62
    TCP: {72049C5E-31B0-4E24-A4F7-527C9EED1463} = 8.8.8.8,8.8.4.4,154.32.109.18,154.32.105.18
    FF - ProfilePath - f:\documents and settings\Ye Boss\Application Data\Mozilla\Firefox\Profiles\b1gs52tz.default\
    FF - prefs.js: browser.search.selectedEngine - Chambers (UK)
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - f:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - f:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - f:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - f:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    FF - Ext: Java Quick Starter: jqs@sun.com - f:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    FF - Ext: Adblock Plus Pop-up Addon: adblockpopups@jessehakanen.net - %profile%\extensions\adblockpopups@jessehakanen.net
    FF - Ext: Element Hiding Helper for Adblock Plus: elemhidehelper@adblockplus.org - %profile%\extensions\elemhidehelper@adblockplus.org
    FF - Ext: KeeFox: keefox@chris.tomlinson - %profile%\extensions\keefox@chris.tomlinson
    FF - Ext: MozRepl: mozrepl@hyperstruct.net - %profile%\extensions\mozrepl@hyperstruct.net
    FF - Ext: British English Dictionary: en-GB@dictionaries.addons.mozilla.org - %profile%\extensions\en-GB@dictionaries.addons.mozilla.org
    FF - Ext: FastestFox: smarterwiki@wikiatic.com - %profile%\extensions\smarterwiki@wikiatic.com
    FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
    FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
    .
    .
    ------- File Associations -------
    .
    JSEFile=NOTEPAD.EXE %1
    txtfile="f:\program files\NotepadBDV\Notepad.exe" "%1"
    regfile\shell\edit\command=%SystemRoot%\system32\NOTEPAD.EXE %1
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-17 14:12
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(272)
    f:\windows\system32\msi.dll
    f:\windows\system32\wpdshserviceobj.dll
    f:\windows\system32\portabledevicetypes.dll
    f:\windows\system32\portabledeviceapi.dll
    .
    Completion time: 2011-03-17 14:14:00
    ComboFix-quarantined-files.txt 2011-03-17 14:13
    ComboFix2.txt 2011-03-12 12:13
    .
    Pre-Run: 120,805,208,064 bytes free
    Post-Run: 120,781,541,376 bytes free
    .
    - - End Of File - - 9BE6A9385E435873BDBB717D6E2BC2E1
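    The firewall-exception and service sections of a ComboFix log like the one above are worth reviewing mechanically rather than by eye, since a stale exception (the Express Talk UDP ports, which the helper later says are still open) is easy to miss in a long dump. The script below is an added example for this thread, not ComboFix's code or the poster's; the two sample blocks are copied from the log above, and the "still installed" list handed to orphaned_port_entries() is a constructed stand-in for what you would take from Add/Remove Programs.

```python
"""Review the firewall-exception and service/driver sections of a ComboFix log.

Added example for this thread; it is not ComboFix's code and not the thread's own.
The two sample blocks are copied from the log above; the 'installed' list used by
orphaned_port_entries() is constructed for the demonstration.
"""
import re
from typing import Dict, List, Tuple

# GloballyOpenPorts entries exactly as ComboFix prints them (copied from the log above).
COMBOFIX_PORTS = """\
"67:UDP"= 67:UDP:DHCP Discovery Service
"8000:UDP"= 8000:UDP:Express Talk RTP Incoming Audio (UDP)
"8001:UDP"= 8001:UDP:Express Talk RTP Incoming Audio (UDP)
"8002:UDP"= 8002:UDP:Express Talk RTP Incoming Audio (UDP)
"8003:UDP"= 8003:UDP:Express Talk RTP Incoming Audio (UDP)
"8004:UDP"= 8004:UDP:Express Talk RTP Incoming Audio (UDP)
"8005:UDP"= 8005:UDP:Express Talk RTP Incoming Audio (UDP)
"8006:UDP"= 8006:UDP:Express Talk RTP Incoming Audio (UDP)
"8007:UDP"= 8007:UDP:Express Talk RTP Incoming Audio (UDP)
"8008:UDP"= 8008:UDP:Express Talk RTP Incoming Audio (UDP)
"8009:UDP"= 8009:UDP:Express Talk RTP Incoming Audio (UDP)
"5070:UDP"= 5070:UDP:Express Talk Sip Incoming Calls (UDP)
"""

# Service/driver lines: <R|S><start type> name;display name;image path [date time size]
# R = running, S = stopped; start type 0 boot, 1 system, 2 auto, 3 manual.
COMBOFIX_SERVICES = r"""
R0 pxscan;pxscan;f:\windows\system32\drivers\pxscan.sys [21/05/2009 11:45 22024]
R2 CSIScanner;CSIScanner;f:\program files\Prevx\prevx.exe [21/05/2009 11:45 4368952]
S2 gupdate;Google Update Service (gupdate);f:\program files\Google\Update\GoogleUpdate.exe [30/07/2009 17:20 133104]
S3 NPF;NetGroup Packet Filter Driver;f:\windows\system32\drivers\npf.sys [21/06/2007 19:55 32512]
"""

PORT_RE = re.compile(
    r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=\s*\d+:(?:TCP|UDP):(?P<desc>.+?)\s*$')
SVC_RE = re.compile(
    r'^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);'
    r'(?P<path>.+?)\s+\[(?P<stamp>[^\]]+)\]\s*$')
START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "manual", 4: "disabled"}


def parse_open_ports(text: str) -> List[Dict]:
    """One dict per firewall exception: port number, protocol, description."""
    entries = []
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            entries.append({"port": int(m["port"]), "proto": m["proto"], "desc": m["desc"]})
    return entries


def ports_for(entries: List[Dict], keyword: str) -> List[Tuple[int, str]]:
    """Ports whose description mentions keyword (case-insensitive), sorted by number."""
    kw = keyword.lower()
    return sorted((e["port"], e["proto"]) for e in entries if kw in e["desc"].lower())


def orphaned_port_entries(entries: List[Dict], installed: List[str]) -> List[Dict]:
    """Exceptions whose description matches none of the programs still installed."""
    names = [n.lower() for n in installed]
    return [e for e in entries if not any(n in e["desc"].lower() for n in names)]


def parse_services(text: str) -> Dict[str, Dict]:
    """Map service name -> running flag, start type, display name and image path."""
    svcs = {}
    for line in text.splitlines():
        m = SVC_RE.match(line.strip())
        if m:
            svcs[m["name"]] = {
                "running": m["state"] == "R",
                "start": START_TYPES.get(int(m["start"]), m["start"]),
                "display": m["display"],
                "path": m["path"],
            }
    return svcs


def auto_start_services(svcs: Dict[str, Dict]) -> List[str]:
    """Names of services that start without user action (boot, system or auto)."""
    return sorted(n for n, s in svcs.items() if s["start"] in ("boot", "system", "auto"))


if __name__ == "__main__":
    ports = parse_open_ports(COMBOFIX_PORTS)
    print("Express Talk exceptions:", ports_for(ports, "Express Talk"))
    # Constructed: pretend only the DHCP client is still wanted on this box.
    for e in orphaned_port_entries(ports, ["DHCP"]):
        print("review exception:", e["port"], e["proto"], e["desc"])
    svcs = parse_services(COMBOFIX_SERVICES)
    for name in auto_start_services(svcs):
        print("auto-start:", name, "running" if svcs[name]["running"] else "stopped", svcs[name]["path"])
```

    Paste the matching sections of your own ComboFix log into the two constants; the report then lists every exception with no surviving program behind it, which is the list to remove from the Windows Firewall exceptions tab after uninstalling.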
     


  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Go ahead and run this for the Eset entries while I finish checking Combofix. I am also putting together some information about the Eset entries FYI:

    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Files 
      D:\Program Files\Evrsoft\1st Page 2000\IScripts\Buttons\Six buttons from hell.izs JS/SixButtons.
      F:\Documents and Settings\Ye Boss\Desktop\GooredFix Backups\F\Documents and Settings\Ye Boss\Local Settings\Application Data\{1F5B180C-259E-4F28-AFD8-DD460CA584BA}\chrome\content\overlay.xul 
      F:\WINDOWS\serial.dll 
      G:\Downloads\sensorsview-pro-4.1-build-40617.exe 
      I:\Program Files\Evrsoft\1st Page 2000\IScripts\Buttons\Six buttons from hell.izs JS/SixButtons.
      J:\Downloads\sensorsview-pro-4.1-build-40617.exe 
      K:\Documents and Settings\All Users\Application Data\28765.exe 
      K:\Documents and Settings\All Users\Application Data\KDfipsQcxuWorYT.dll 
      K:\Documents and Settings\Ye Boss\Application Data\WMPRWISE.EXE 
      K:\Documents and Settings\Ye Boss\Desktop\GooredFix Backups\F\Documents and Settings\Ye Boss\Local Settings\Application Data\{1F5B180C-259E-4F28-AFD8-DD460CA584BA}\chrome\content\overlay.xul JS/Gord.
      K:\Documents and Settings\Ye Boss\Local Settings\Temp\98.tmp 
      K:\Documents and Settings\Ye Boss\Local Settings\Temporary Internet Files\Content.IE5\F6V58TZI\load[3].htm 
      L:\Program Files\Evrsoft\1st Page 2000\IScripts\Buttons\Six buttons from hell.izs JS/SixButtons.
      M:\Downloads\sensorsview-pro-4.1-build-40617.exe 
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    =======================================
    Remove JREv5u9
    =========================================
    Re Prevx. On the first image, the small window has 'Self protection off.' See if you can click on that to disable it.
    ===========================================
    Please give me the rest of the Combofix log:
    From this> ComboFix 11-03-14.07 - Ye Boss 15/03/2011 17:00:23.3.2 - x86 to include the full header.
    Followed by FILE :: section
    Followed by "Other Deletions" if any
    Followed by "Drivers/Services" if any
    Followed by Files Created...............
    Followed by "Find3M Report"
    Up to Sigcheck
    Each to include all entries:
     
  14. fopetesl

    fopetesl TS Rookie Topic Starter

    OTmoveIT Log: =============================================
    All processes killed
    Error: Unable to interpret <D:\Program Files\Evrsoft\1st Page 2000\IScripts\Buttons\Six buttons from hell.izs JS/SixButtons.> in the current context!
    Error: Unable to interpret <F:\Documents and Settings\Ye Boss\Desktop\GooredFix Backups\F\Documents and Settings\Ye Boss\Local Settings\Application Data\{1F5B180C-259E-4F28-AFD8-DD460CA584BA}\chrome\content\overlay.xul > in the current context!
    Error: Unable to interpret <F:\WINDOWS\serial.dll > in the current context!
    Error: Unable to interpret <G:\Downloads\sensorsview-pro-4.1-build-40617.exe > in the current context!
    Error: Unable to interpret <I:\Program Files\Evrsoft\1st Page 2000\IScripts\Buttons\Six buttons from hell.izs JS/SixButtons.> in the current context!
    Error: Unable to interpret <J:\Downloads\sensorsview-pro-4.1-build-40617.exe > in the current context!
    Error: Unable to interpret <K:\Documents and Settings\All Users\Application Data\28765.exe > in the current context!
    Error: Unable to interpret <K:\Documents and Settings\All Users\Application Data\KDfipsQcxuWorYT.dll > in the current context!
    Error: Unable to interpret <K:\Documents and Settings\Ye Boss\Application Data\WMPRWISE.EXE > in the current context!
    Error: Unable to interpret <K:\Documents and Settings\Ye Boss\Desktop\GooredFix Backups\F\Documents and Settings\Ye Boss\Local Settings\Application Data\{1F5B180C-259E-4F28-AFD8-DD460CA584BA}\chrome\content\overlay.xul JS/Gord.> in the current context!
    Error: Unable to interpret <K:\Documents and Settings\Ye Boss\Local Settings\Temp\98.tmp > in the current context!
    Error: Unable to interpret <K:\Documents and Settings\Ye Boss\Local Settings\Temporary Internet Files\Content.IE5\F6V58TZI\load[3].htm > in the current context!
    Error: Unable to interpret <L:\Program Files\Evrsoft\1st Page 2000\IScripts\Buttons\Six buttons from hell.izs JS/SixButtons.> in the current context!
    Error: Unable to interpret <M:\Downloads\sensorsview-pro-4.1-build-40617.exe > in the current context!
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes

    User: Ye Boss
    ->Temp folder emptied: 1396 bytes
    ->Temporary Internet Files folder emptied: 111826 bytes
    ->Java cache emptied: 7140 bytes
    ->FireFox cache emptied: 91994897 bytes
    ->Google Chrome cache emptied: 0 bytes
    ->Flash cache emptied: 2994 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 24 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 88.00 mb


    OTM by OldTimer - Version 3.1.17.2 log created on 03182011_084307

    Files moved on Reboot...
    File move failed. F:\WINDOWS\S2E02028F.tmp scheduled to be moved on reboot.

    Registry entries deleted on Reboot...

    ========= OTmoveIT Log ends ==================================

    Remove JREv5u9 - done.

    Re Prevx. On the first image, the small window has 'Self protection off.' See if you can click on that to disable it. ... must be looking at different images ... all I have is "Minimum ... Maximum" No OFF option.

    Combofix re-request:

    ComboFix 11-03-14.07 - Ye Boss 15/03/2011 17:00:23.3.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1578 [GMT 0:00]
    Running from: f:\documents and settings\Ye Boss\Desktop\ComboFix.exe
    Command switches used :: f:\documents and settings\Ye Boss\Desktop\CFScript.txt
    AV: Prevx 2.0 *Disabled/Updated* {557C3342-BC52-4508-AC25-4441BDF5C04C}
    AV: Prevx 3.0 *Enabled/Updated* {D486329C-1488-4CEB-9CC8-D662B732D901}
    .
    FILE ::
    "f:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}"
    "f:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}"
    "f:\windows\system32\savedump.exe"
    .
    None of these:
    Followed by FILE :: section
    Followed by "Other Deletions" if any
    Followed by "Drivers/Services" if any


    ((((((((((((((((((((((((( Files Created from 2011-02-15 to 2011-03-15 )))))))))))))))))))))))))))))))
    .
    .
    2011-03-11 11:10 . 2011-03-11 11:10 -------- d-----w- f:\program files\ESET
    2011-03-08 12:37 . 2009-05-22 02:41 114944 ----a-r- f:\windows\system32\drivers\viamraid.sys
    2011-03-08 09:17 . 2011-03-08 09:17 12872 ----a-w- f:\windows\system32\bootdelete.exe

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-01-26 15:49 . 1999-07-05 10:00 74703 ----a-w- f:\windows\system32\mfc45.dll
    2011-01-15 16:54 . 2011-01-15 16:54 33019 ----a-w- f:\windows\system32\CoreAAC-uninstall.exe
    2011-01-15 15:09 . 2010-04-08 11:01 389120 ----a-w- f:\windows\system32\ACTSKN43.OCX
    2010-12-20 18:09 . 2011-02-07 12:53 38224 ----a-w- f:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-20 18:08 . 2011-02-07 12:53 20952 ----a-w- f:\windows\system32\drivers\mbam.sys
    .
    .
    ------- Sigcheck -------
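    Every path in the OTM run above came back as "Unable to interpret <...> in the current context!", and the :Files list as pasted had two defects: several paths carried a trailing space, and others still had the ESET detection name glued on after the filename ("JS/SixButtons.", "JS/Gord."). The lint below is an added example for this thread, not OTM's code and not the helper's script. It assumes (my assumption, not something OTM's author states) that OTM wants one bare, existing path per line, so it flags and strips both defects before you paste; the sample list is a subset of the script above with those defects kept on purpose.

```python
"""Lint an OTM (OTMoveIt) :Files list before pasting it into the tool.

Added example for this thread; not OTM's code and not the helper's own script.
Assumption (mine, not stated by OTM's author): OTM wants one bare, existing path per
line, so trailing whitespace and a scanner label pasted after the path (the
'JS/SixButtons.' and 'JS/Gord.' suffixes copied from an ESET report) leave the line
uninterpretable, which matches the 'Unable to interpret <...>' errors in the log above.
"""
import re
from typing import Dict, List

# Constructed sample: a subset of the :Files list above, defects kept on purpose
# (note the trailing spaces inside the quotes and the scanner labels after .izs/.xul).
OTM_SCRIPT = "\n".join([
    r":Files ",
    r"D:\Program Files\Evrsoft\1st Page 2000\IScripts\Buttons\Six buttons from hell.izs JS/SixButtons.",
    r"F:\WINDOWS\serial.dll ",
    r"K:\Documents and Settings\All Users\Application Data\28765.exe ",
    r"K:\Documents and Settings\Ye Boss\Desktop\GooredFix Backups\F\Documents and Settings\Ye Boss\Local Settings\Application Data\{1F5B180C-259E-4F28-AFD8-DD460CA584BA}\chrome\content\overlay.xul JS/Gord.",
    r":Commands",
    r"[emptytemp]",
    r"[Reboot]",
])

# A scanner label looks like ' JS/SixButtons.': whitespace, family '/' name, optional dot.
# Heuristic: Windows paths never contain '/', so a slash in the last token is a label.
SCANNER_LABEL = re.compile(r"\s+[A-Za-z0-9]+/[A-Za-z0-9_.-]+$")
DRIVE_PATH = re.compile(r"^[A-Za-z]:\\.+")


def lint_files_section(script: str) -> List[Dict]:
    """Return one finding per path line in the :Files section (issues may be empty)."""
    findings = []
    in_files = False
    for lineno, raw in enumerate(script.splitlines(), 1):
        stripped = raw.strip()
        if stripped.startswith(":"):            # section header such as :Files / :Commands
            in_files = stripped.lower() == ":files"
            continue
        if not in_files or not stripped:
            continue
        issues = []
        cleaned = raw.rstrip()
        if cleaned != raw:
            issues.append("trailing whitespace")
        m = SCANNER_LABEL.search(cleaned)
        if m:
            issues.append("scanner label appended: " + m.group().strip())
            cleaned = cleaned[: m.start()]
        if not DRIVE_PATH.match(cleaned):
            issues.append("not an absolute drive path")
        findings.append({"line": lineno, "original": raw, "cleaned": cleaned, "issues": issues})
    return findings


def clean_files_section(script: str) -> str:
    """The same script with every :Files line replaced by its cleaned form."""
    fixes = {f["line"]: f["cleaned"] for f in lint_files_section(script)}
    return "\n".join(fixes.get(i, raw) for i, raw in enumerate(script.splitlines(), 1))


if __name__ == "__main__":
    for f in lint_files_section(OTM_SCRIPT):
        if f["issues"]:
            print(f"line {f['line']}: {', '.join(f['issues'])}")
            print("   ->", f["cleaned"])
    print("\nCleaned script:\n" + clean_files_section(OTM_SCRIPT))
```

    Run it on the script you were given, paste the cleaned output into OTM, and keep the original alongside so the helper can see exactly which lines were altered.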
     
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    No, I don't think the problem was OTM.
    Okay, I have some of the mirrors figured out, but you have an entry on Drive L and Drive M- where is that?
    =========================================
    You have infected files on both of the drives. Is there some way you can handle the 'mirror' or the backup like you would a flash drive and disinfect it separately with Flash Drive Disinfector?

    What is going to confuse the issue more is that you want to treat the hard drives separately but you scanned everything!

    Also, you need to go through the system and uninstall/clean up what you no longer use (like Express Talk). And I've also closed the Express Talk ports twice and they're still open! If you still have it installed, you need to uninstall it, find and delete the program folder in Windows Explorer, then make sure the ports are closed in the firewall.

    If a man with a suit and tie stands in front of a mirror and sees a spot on his tie, he can only remove the spot from the tie itself, not the one in the mirror. But computers aren't like the man in the mirror with a spot on his tie! In a computer, the 'mirror' can also have the same spot since the file was copied from the original.
     
  16. fopetesl

    fopetesl TS Rookie Topic Starter

    Viruses. Hah!

    Now I'm suffering with a different type of virus ... influenza. :dead:

    Drive L and Drive M : I've been struggling with these for some time now. They seem to be a 'ghost' of Drives D and G. i.e. if I write to Drive G then the information also gets 'written' to Drive M.
    Without the second real drive in place I get a complete 'ghost' of the one physical drive.
    I cannot find any way to remove them.
    Have tried a Repair, Googling ad nauseam without any success.

    Did you mean this Flash Drive Disinfector? http://download.bleepingcomputer.com/sUBs/Flash_Disinfector.exe

    I can find no other trace of Express Talk files/directories.
    So I edited the registry and manually removed the Express Talk ports..
    To check if something else is resurrecting them I reboot: and the Express Talk ports are not there.
     
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I'm sorry to hear you have the flu. None of it's good, but I hope it's a more common variety than the H1N1 flu from a couple of years ago- a few of our members had that and were sick for a while.

    Okay, your system> as near as I can figure, the mirror drive, the backups, backed up infected files. I don't know how you can keep track of so many drives and partitions! And with Drives L and M, it sounds like you can't!

    I am also puzzled about the IP. It appears that two legitimate ISPs are involved:
    Then there is this range:
    Mauritius is an island off the east coast of Africa. It claims the Chagos Archipelago (UK-administered British Indian Ocean Territory), and its former inhabitants, who reside chiefly in Mauritius; claims French-administered Tromelin Island. It is a consumer and transshipment point for heroin from South Asia.

    Despite this long and interesting history, I don't know if it belongs on your system. There is Great Britain, California and Africa involved on your system. You tell me "AFAIK not my internet supplier." although you did not define AFAIK.

    Between that and the multiple drives/partitions and backups: (C:\|D:\|F:\|G:\|H:\|I:\|J:\|K:\|) and now 2 more 'somethings' added in L and M, plus many uncommon programs and old programs you don't use anymore, I think I am being used to clean up a convoluted, badly maintained system.

    So here's what you need to do:
    1. Uninstall all the programs and apps you don't use.
    2. Update anything that needs updating.
    3. Run TFC and empty the Recycle Bin.
    4. Run Error check, disc cleanup, defrag and your security scans.
    5. Clean any movable drives.

    When that has been done, come back here and we'll start over. You have backed up or 'mirrored' infected files- you need to figure out how to clean that up.

    It may come down to your getting hands-on help- either remotely or in a shop.
     
  18. fopetesl

    fopetesl TS Rookie Topic Starter

    I thought we'd already sorted some of these?
    For instance you said
    195.74.113.62 & 8.8.8.8 & 8.8.4.4 are Domain Name Servers.

    Where this one
    comes from I have no idea. I did a few traceroutes and it didn't show up.

    Without the second "backup" drive plugged in I still see drives L & M.

    You didn't bother to answer the question
    Code:
    Did you mean this Flash Drive Disinfector? http://download.bleepingcomputer.com...isinfector.exe
    No longer important then I guess.

    The other advice seems sound however I note your comment
    I take it you are talking $$$ here? Why did I wonder when it would get to that.
     
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    It would appear that you are impatient with me. By the way, my internet went down last night-again and has only been up today for a couple of hours.

    Now, to address your issues:
    It takes more time for me to explain something to you than it does for me to tell you about it originally> so I forgot to address the Flash Disinfection. It wasn't a matter of not bothering.

    Please disinfect all movable drives
    1. Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
    2. Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
      Note: Some security programs will flag Flash_Disinfector as being some sort of malware, you can safely ignore these warnings
    3. The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
    4. Wait until it has finished scanning and then exit the program.
    5. Reboot your computer when done.

    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
    =================
    No I didn't remember, although I usually try to go back and review all the logs when I reply! As far as I understand, you are running the scans on all the drives, partitions, mirrors, backups. Yes, the scans will take longer.

    Regarding Prevx: I don't make up what I type. If I quote an entry, it means I see it. And you had both Prevx 2 and Prevx 3 in the Combofix header.

    Regarding this:
    You have so customized the system with the multiple drives, partitions, backups, etc. that it is not sufficient to try and clean the system without some kind of remote access. Whether you choose to do this or not, it is your choice.

    Regarding the TCP Name Servers:
    I tried to verify the IPs because the second entry that I have underlined indicates all 3 IPs, including 8.8.8.8,8.8.4.4 are somehow connecting to 154.32.109.18,154.32.105.18

    Since you have found so much fault with the help I have been trying to give you, I will withdraw my support. It does not appear there will be any progress.

    I hope you feel better.
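    The Flash_Disinfector note above relies on one mechanism: a folder named autorun.inf in a drive root occupies the name that autorun malware would otherwise write its own autorun.inf file into. The script below, an added example for this thread and not Flash_Disinfector's code, checks a drive root for that state and tells the three cases apart: nothing there, the protective placeholder folder, or a real autorun.inf file, whose [autorun] keys it parses so an open= or shellexecute= launcher stands out. The sample autorun text is constructed; on the XP box the roots would be the drive letters from the scan list.

```python
"""Inspect drive roots for autorun.inf as the Flash_Disinfector note above describes.

Added example for this thread; not Flash_Disinfector's code and not the helper's.
States reported: 'absent' (no autorun.inf), 'placeholder-folder' (the hidden folder
Flash_Disinfector leaves so malware cannot create a file of that name), and a real
file, classified by whether its [autorun] section names something to launch.
SAMPLE_AUTORUN is constructed for the demonstration.
"""
import os
from typing import Dict, Tuple

# Keys that make Windows run something when the drive is inserted or opened.
LAUNCH_KEYS = ("open", "shellexecute")

# Constructed sample of a launching autorun.inf (a harmless placeholder name).
SAMPLE_AUTORUN = "[autorun]\nopen=setup.exe\nicon=setup.exe,0\nlabel=Backup\n"


def parse_autorun(text: str) -> Dict[str, str]:
    """Return key -> value pairs from the [autorun] section; keys lower-cased."""
    section = None
    found: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue                                   # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()       # new INI section
            continue
        if section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            found[key.strip().lower()] = value.strip()
    return found


def classify_autorun_text(text: str) -> Tuple[str, Dict[str, str]]:
    """Decide whether an autorun.inf body launches anything; return label and keys."""
    keys = parse_autorun(text)
    launches = any(k in keys for k in LAUNCH_KEYS) or any(
        k.startswith("shell\\") and k.endswith("\\command") for k in keys)
    return ("autorun-file-launches" if launches else "autorun-file-inert"), keys


def classify_root(root: str) -> Tuple[str, Dict[str, str]]:
    """Classify the autorun.inf entry (if any) sitting in the root of one drive."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.lexists(path):
        return "absent", {}
    if os.path.isdir(path):
        return "placeholder-folder", {}
    with open(path, "r", errors="replace") as fh:
        return classify_autorun_text(fh.read())


def check_roots(roots):
    """Classify several drive roots at once, e.g. ['C:\\\\', 'D:\\\\', ...] on Windows."""
    return {root: classify_root(root) for root in roots}


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        os.mkdir(os.path.join(tmp, "autorun.inf"))   # what Flash_Disinfector leaves behind
        print(tmp, "->", classify_root(tmp))
    print("constructed sample ->", classify_autorun_text(SAMPLE_AUTORUN))
    print("this machine's roots ->", check_roots([os.path.abspath(os.sep)]))
```

    A real autorun.inf file with an open= or shellexecute= line on a backup or mirror drive is exactly the kind of carried-over infection the helper was describing, and the placeholder folder is what you should expect to see after Flash_Disinfector has run on a drive.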
     
Topic Status:
Not open for further replies.
