-
August 21st, 2010, 06:40 PM
#16
I still need you to follow my post #13.
-
August 22nd, 2010, 09:15 AM
#17
This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Buddy77 on 08/22/2010 at 9:13:13.
Processes terminated by Rkill or while it was running:
C:\Users\Buddy77\Downloads\rkill(2).com
Rkill completed on 08/22/2010 at 9:13:16.
-
August 22nd, 2010, 09:15 AM
#18
exeHelper by Raktor
Build 20100414
Run at 09:14:22 on 08/22/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--
-
August 22nd, 2010, 09:53 AM
#19
200000 characters long for the ComboFix, won't let me do it.
-
August 22nd, 2010, 12:44 PM
#20
Upload the file(s) here: http://uploadmb.com/
Post download link (Direct Link).
-
August 22nd, 2010, 11:21 PM
#21
-
August 22nd, 2010, 11:25 PM
#22
OK, this is the 2nd ComboFix run, which I'll paste into my reply (I'm not sure why you couldn't), but I'll need to see the ComboFix2.txt file, which you can find in the C:\Qoobox folder.
ComboFix 10-08-21.06 - Buddy77 08/22/2010 23:06:38.3.1 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1918.1092 [GMT -4:00]
Running from: c:\users\Buddy77\Downloads\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((( Files Created from 2010-07-23 to 2010-08-23 )))))))))))))))))))))))))))))))
.
2010-08-23 03:12 . 2010-08-23 03:12 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-08-23 03:12 . 2010-08-23 03:12 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-08-19 02:20 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-19 02:20 . 2010-08-19 02:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-19 02:20 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-17 14:04 . 2009-10-29 11:15 121344 ----a-w- c:\programdata\HP\Installer\Temp\hpqrrx08.exe
2010-08-15 03:10 . 2010-08-15 03:10 2826192 ----a-w- c:\users\Buddy77\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2010-08-11 20:54 . 2010-06-16 16:04 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-22 00:02 . 2010-06-18 23:48 -------- d-----w- c:\program files\EE Full
2010-08-17 14:07 . 2009-01-25 07:57 72440 ----a-w- c:\users\Buddy77\AppData\Local\GDIPFONTCACHEV1.DAT
2010-08-17 14:04 . 2007-08-31 11:53 -------- d-----w- c:\programdata\HP
2010-08-17 13:52 . 2009-09-05 01:40 -------- d-----w- c:\programdata\avg8
2010-08-17 13:21 . 2009-09-11 00:48 0 ----a-w- c:\users\Buddy77\AppData\Local\prvlcl.dat
2010-08-15 21:10 . 2010-04-17 19:35 -------- d-----w- c:\users\Buddy77\AppData\Roaming\HpUpdate
2010-08-15 17:45 . 2010-06-09 13:11 -------- d-----w- c:\program files\LimeWire
2010-08-13 14:34 . 2009-04-01 16:42 -------- d-----w- c:\users\Buddy77\AppData\Roaming\Vso
2010-08-12 12:53 . 2007-08-31 12:08 -------- d-----w- c:\program files\Common Files\Adobe
2010-08-12 07:02 . 2009-01-25 08:25 -------- d-----w- c:\programdata\Microsoft Help
2010-08-12 07:01 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-08-09 13:35 . 2009-01-25 08:28 -------- d-----w- c:\program files\Microsoft.NET
2010-08-06 11:16 . 2009-06-25 21:10 -------- d-----w- c:\users\Buddy77\AppData\Roaming\uTorrent
2010-08-01 02:10 . 2007-08-31 11:41 319456 ----a-w- c:\windows\DIFxAPI.dll
2010-07-18 17:54 . 2010-07-18 17:54 -------- d-----w- c:\program files\RealArcade
2010-06-26 06:05 . 2010-08-11 20:55 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-26 06:02 . 2010-08-11 20:55 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-06-26 06:02 . 2010-08-11 20:55 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-06-26 04:25 . 2010-08-11 20:55 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-06-21 13:37 . 2010-08-11 20:55 2037760 ----a-w- c:\windows\system32\win32k.sys
2010-06-18 17:31 . 2010-08-11 20:55 36864 ----a-w- c:\windows\system32\rtutils.dll
2010-06-18 15:04 . 2010-08-11 20:55 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-18 15:04 . 2010-08-11 20:55 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-06-11 16:16 . 2010-08-11 20:55 274944 ----a-w- c:\windows\system32\schannel.dll
2010-06-11 16:15 . 2010-08-11 20:55 1248768 ----a-w- c:\windows\system32\msxml3.dll
2010-06-10 01:40 . 2010-06-10 01:40 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-06-09 08:06 . 2010-06-09 08:06 976832 ----a-w- c:\programdata\Adobe\Reader\8.2\ARM\18343\AdobeARM.exe
2010-06-09 08:06 . 2010-06-09 08:06 70584 ----a-w- c:\programdata\Adobe\Reader\8.2\ARM\18343\AdobeExtractFiles.dll
2010-06-09 08:06 . 2010-06-09 08:06 331176 ----a-w- c:\programdata\Adobe\Reader\8.2\ARM\18343\ReaderUpdater.exe
2010-06-09 08:06 . 2010-06-09 08:06 331176 ----a-w- c:\programdata\Adobe\Reader\8.2\ARM\18343\AcrobatUpdater.exe
2010-06-08 17:35 . 2010-08-11 20:55 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-06-08 17:35 . 2010-08-11 20:55 3600768 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-05-27 20:08 . 2010-08-11 20:55 81920 ----a-w- c:\windows\system32\iccvid.dll
2010-05-26 17:06 . 2010-06-11 20:42 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:47 . 2010-06-11 20:42 289792 ----a-w- c:\windows\system32\atmfd.dll
2007-08-31 12:18 . 2007-08-31 12:12 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.
((((((((((((((((((((((((((((( SnapShot_2010-08-22_13.33.14 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-01-25 07:51 . 2010-08-22 01:14 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-01-25 07:51 . 2010-08-22 13:19 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-03-18 17:09 . 2010-08-22 01:14 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-03-18 17:09 . 2010-08-22 13:19 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-01-25 07:51 . 2010-08-22 01:14 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-01-25 07:51 . 2010-08-22 13:19 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-10-01 21:39 . 2010-08-18 12:54 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-10-01 21:39 . 2010-08-22 13:19 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-10-01 21:39 . 2010-08-22 13:19 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-10-01 21:39 . 2010-08-18 12:54 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-10-01 21:39 . 2010-08-22 13:19 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-10-01 21:39 . 2010-08-18 12:54 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-10-06 13:20 . 2010-08-23 01:14 327576 c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_FastS4.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-23 92704]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-31 149280]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
c:\users\Buddy77\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):66,c9,19,20,85,5c,ca,01
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 rt70x86;%WUSB54Gv4.Service.DispName%;c:\windows\system32\DRIVERS\netr70.sys [2006-12-29 243200]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2009-02-26 717296]
S1 StarPortLite;StarPort Storage Controller (Lite);c:\windows\system32\DRIVERS\StarPortLite.sys [2008-08-20 93544]
S3 VST_DPV;VST_DPV;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2006-11-02 987648]
S3 VSTHWBS2;VSTHWBS2;c:\windows\system32\DRIVERS\VSTBS23.SYS [2006-11-02 251904]
S3 WUSB54GSCv2.NTx86;Compact Wireless-G USB Network Adapter with SpeedBooster Service;c:\windows\system32\DRIVERS\WUSB54GSCV2_X86.sys [2008-01-08 238072]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Presario&pf=desktop
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\users\Buddy77\AppData\Roaming\Mozilla\Firefox\Profiles\41w5uuib.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-22 23:12
Windows 6.0.6002 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-08-22 23:15:49
ComboFix-quarantined-files.txt 2010-08-23 03:15
ComboFix2.txt 2010-08-22 13:36
ComboFix3.txt 2010-03-18 03:13
Pre-Run: 52,588,199,936 bytes free
Post-Run: 52,566,523,904 bytes free
- - End Of File - - 8A7359430A7B11BDC79F46DA1C0A11FA
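An added triage helper for the "Reg Loading Points" section of a ComboFix log like the one pasted above. This is example code written for this page, not the thread's or ComboFix's own tooling. It assumes the REGEDIT4-style layout ComboFix prints (a bracketed key line followed by "name"=data lines, with "[date size]" appended to file-backed values), works over a sample log constructed from lines on this page, and the function names are my own. It lists the Run-key autostart entries a helper reviews first and flags Security Center keys where DisableMonitoring is set to 1, since a missing or disabled AV is easy to miss when Security Center monitoring of that component is switched off.

```python
"""Triage helper for the 'Reg Loading Points' section of a ComboFix log.

Added example, not part of the forum thread or of ComboFix itself. The
parser assumes the REGEDIT4-style key/value lines ComboFix prints.
"""
import re
from typing import Dict, List, Tuple

# Sample log, constructed from lines on the page (not a captured file).
SAMPLE_LOG = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-23 92704]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-31 149280]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):66,c9,19,20,85,5c,ca,01
"""

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]\s*$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')
# ComboFix appends "[YYYY-MM-DD size]" after values that point at a file.
FILE_SUFFIX_RE = re.compile(r'\s*\[\d{4}-\d{2}-\d{2} \d+\]\s*$')


def parse_reg_points(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: raw_data}} for every key in the section."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group('key')
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group('name')] = m.group('data').strip()
    return keys


def autostart_entries(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """(value name, image path) for every value under a ...\\CurrentVersion\\Run key."""
    out: List[Tuple[str, str]] = []
    for key, values in keys.items():
        if key.lower().endswith(r'\currentversion\run'):
            for name, data in values.items():
                path = FILE_SUFFIX_RE.sub('', data).strip('"')
                out.append((name, path))
    return out


def security_center_monitoring_disabled(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Security Center keys with DisableMonitoring=1, listed for analyst review."""
    flagged: List[str] = []
    for key, values in keys.items():
        if r'\security center\monitoring' in key.lower():
            if values.get('DisableMonitoring', '').lower() == 'dword:00000001':
                flagged.append(key)
    return flagged


if __name__ == '__main__':
    parsed = parse_reg_points(SAMPLE_LOG)
    print('Autostart (Run) entries:')
    for name, path in autostart_entries(parsed):
        print(f'  {name}: {path}')
    print('Security Center monitoring disabled under:')
    for key in security_center_monitoring_disabled(parsed):
        print(f'  {key}')
```

Run it on a saved ComboFix.txt by replacing SAMPLE_LOG with the file's contents; the key matching is case-insensitive because ComboFix prints some hive paths in lower case, as the log above shows.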
-
August 23rd, 2010, 10:16 AM
#23
"The text that you have entered is too long (235650 characters). Please shorten it to 20000 characters long."
-
August 23rd, 2010, 10:17 AM
#24
-
August 23rd, 2010, 01:33 PM
#25
In cases like that, you should split the log across a couple of posts.
It'd save me some time.
Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.
=================================================================
Now, you don't have any active AV program running.
Download and install one of these:
- Avast! free antivirus: http://www.avast.com/eng/download-avast-home.html
- Avira free antivirus: http://www.free-av.com/en/download/1...antivirus.html
Run full scan. Report on any findings.
Make sure your Windows firewall is ON.
===============================================================
Download MBRCheck to your desktop
Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
It will show a black screen with some data on it.
A report called MBRcheckxxxx.txt will be on your desktop.
Open this report and post its content in your next reply.