  #16  
Old September 13th, 2009, 03:09 AM
dahli
CTH Subscriber
 
Join Date: Oct 2004
Location: in a van down by the river
Posts: 5,335
Download Malwarebytes' Anti-Malware from Here or Here.

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform quick scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and Paste the entire report in your next reply. If it calls for a reboot to complete the repairs do that as well then.
  #17  
Old September 13th, 2009, 11:02 PM
peejay
Senior Member
 
Join Date: Mar 2004
Posts: 102
Update: I left my pc off for about 30 minutes today. It's now running better but I think there's still some cleaning up to do.
When opening a folder of pictures, the thumbnails do not all load. Again, this is something fairly recent.
Thanks again.
  #18  
Old September 13th, 2009, 11:32 PM
peejay
Senior Member
 
Join Date: Mar 2004
Posts: 102
Just found your last reply - hadn't seen that this went to Page 2!
Here is the MBAM log:-
Malwarebytes' Anti-Malware 1.41
Database version: 2793
Windows 5.1.2600 Service Pack 3

13/09/2009 23:30:24
mbam-log-2009-09-13 (23-30-24).txt

Scan type: Quick Scan
Objects scanned: 102028
Time elapsed: 11 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
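An added example, not part of this thread: a small Python parser for MBAM 1.x logs in the format posted above. It turns each detection line into a record, cross-checks the per-section totals MBAM prints against the lines it actually parsed, and flags entries like the two above that silence Security Center warnings (a Disabled.* family name, or a write under the Security Center key). The sample log is constructed from the lines of the post, trimmed to the sections the parser reads.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the MBAM 1.41 log posted above, trimmed to the summary
# lines, the section headers and the two detections.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.41
Database version: 2793
Windows 5.1.2600 Service Pack 3

Scan type: Quick Scan

Memory Processes Infected: 0
Registry Data Items Infected: 2
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""

SUMMARY_RE = re.compile(r"^(?P<section>.+ Infected): (?P<count>\d+)$")
HEADER_RE = re.compile(r"^(?P<section>.+ Infected):$")
DETECTION_RE = re.compile(
    r"^(?P<item>.+?) \((?P<name>[^()]+)\)"                            # object, then (DetectionName)
    r"(?: -> Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\))?"  # registry data items only
    r" -> (?P<action>.+?)\.?$"                                        # what MBAM did about it
)

@dataclass
class Detection:
    section: str
    item: str
    name: str
    action: str
    bad: Optional[str] = None
    good: Optional[str] = None

    @property
    def tampers_with_security_posture(self) -> bool:
        # A "Disabled.*" family, or any value under the Security Center key,
        # means something switched off the OS's own AV/firewall warnings.
        return self.name.startswith("Disabled.") or "\\Security Center\\" in self.item

def parse_mbam_log(text: str) -> Dict[str, object]:
    counts: Dict[str, int] = {}
    detections: List[Detection] = []
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            counts[m.group("section")] = int(m.group("count"))
            continue
        m = HEADER_RE.match(line)
        if m:
            section = m.group("section")
            continue
        if section is None or line.startswith("(No malicious items"):
            continue
        m = DETECTION_RE.match(line)
        if m:
            detections.append(Detection(section, m.group("item"), m.group("name"),
                                        m.group("action"), m.group("bad"), m.group("good")))
    # Cross-check: the totals MBAM prints must equal what was parsed per section;
    # a mismatch means a line format changed and the parse cannot be trusted.
    per_section = {s: sum(1 for d in detections if d.section == s) for s in counts}
    mismatched = sorted(s for s in counts if counts[s] != per_section.get(s, 0))
    return {"counts": counts, "detections": detections, "mismatched_sections": mismatched,
            "posture_tampering": [d for d in detections if d.tampers_with_security_posture]}
```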
  #19  
Old September 15th, 2009, 10:50 AM
peejay
Senior Member
 
Join Date: Mar 2004
Posts: 102
Things seemed to have improved but then, last night, the internet connection crashed and it took me several attempts to get it up and running again.
Even with no programs open, the CPU was up and down to 100%!!
What can be causing this?
Surely there is something using up all the memory?
Thanks again
Paul
  #20  
Old September 15th, 2009, 11:53 AM
dahli
CTH Subscriber
 
Join Date: Oct 2004
Location: in a van down by the river
Posts: 5,335
When you see that the CPU usage is high - see what process is using it all.

Go here and download RootRepeal to your Desktop. Doubleclick to extract the compressed file to its own folder and then doubleclick on RootRepeal.exe to run it. Click on the Report tab and then click on Scan. A window will open asking what to include in the scan. Check all of the below and then click Ok.

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services

You will then be asked which drive to scan. Check C: (or the drive your operating system is installed on if not C) and click Ok again. The scan will start. It will take a little while so please be patient. When the scan has finished, click on Save Report. Name the log RootRepeal.txt and save it to your Documents folder (it should default there). When you have done this, please copy and paste it in this thread.
  #21  
Old September 15th, 2009, 07:03 PM
peejay
Senior Member
 
Join Date: Mar 2004
Posts: 102
Well, I hope I did this correctly. Here's the REPORT LOG:-

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/09/15 18:51
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB83CD000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBAE04000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAF413000 Size: 49152 File Visible: No Signed: -
Status: -

Name: SYMEFA.SYS
Image Path: SYMEFA.SYS
Address: 0xBA653000 Size: 323584 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x89f91bf0

#: 013 Function Name: NtAlertThread
Status: Hooked by "<unknown>" at address 0x8a007ef8

#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x89ec3758

#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "<unknown>" at address 0x89f90ef8

#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x89fd7b18

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xb8803130

#: 043 Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0x89fb0bb0

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "<unknown>" at address 0x89d5b1e8

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x89f18f68

#: 057 Function Name: NtDebugActiveProcess
Status: Hooked by "<unknown>" at address 0x89f58558

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xb88033b0

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xb8803910

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "<unknown>" at address 0x8a04d548

#: 083 Function Name: NtFreeVirtualMemory
Status: Hooked by "<unknown>" at address 0x89e36e80

#: 089 Function Name: NtImpersonateAnonymousToken
Status: Hooked by "<unknown>" at address 0x89f4c188

#: 091 Function Name: NtImpersonateThread
Status: Hooked by "<unknown>" at address 0x89eb2620

#: 097 Function Name: NtLoadDriver
Status: Hooked by "<unknown>" at address 0x89e59690

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "<unknown>" at address 0x89e3bd10

#: 114 Function Name: NtOpenEvent
Status: Hooked by "<unknown>" at address 0x89fc91c8

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x89e610f0

#: 123 Function Name: NtOpenProcessToken
Status: Hooked by "<unknown>" at address 0x89fc55c0

#: 125 Function Name: NtOpenSection
Status: Hooked by "<unknown>" at address 0x89f6c1e8

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0x8a04d618

#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "<unknown>" at address 0x8a026e28

#: 206 Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x8a040ef8

#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x89f542c0

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x89e9fc80

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "<unknown>" at address 0x89f85de0

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xb8803b60

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x89ff61e8

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x89f21ef8

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x89fade10

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x89f2f5d0

#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "<unknown>" at address 0x8a004990

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x89ec3688

==EOF==

I also ran separate scans. Here is the log for PROCESSES (Let me know if you require others to be posted):-

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/09/15 18:49
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Processes
-------------------
Path: System
PID: 4 Status: -

Path: C:\WINDOWS\system32\spoolsv.exe
PID: 232 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 344 Status: -

Path: C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
PID: 400 Status: -

Path: C:\Program Files\CyberLink\Shared Files\RichVideo.exe
PID: 476 Status: -

Path: C:\WINDOWS\system32\VTTrayp.exe
PID: 496 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 520 Status: -

Path: C:\WINDOWS\explorer.exe
PID: 748 Status: -

Path: C:\Program Files\Common Files\AOL\1132534367\ee\aolsoftware.exe
PID: 756 Status: -

Path: C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
PID: 832 Status: -

Path: C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
PID: 900 Status: -

Path: C:\Program Files\Java\jre6\bin\jqs.exe
PID: 948 Status: -

Path: C:\WINDOWS\system32\smss.exe
PID: 1004 Status: -

Path: C:\WINDOWS\system32\csrss.exe
PID: 1064 Status: -

Path: C:\WINDOWS\system32\winlogon.exe
PID: 1088 Status: -

Path: C:\WINDOWS\system32\services.exe
PID: 1132 Status: -

Path: C:\WINDOWS\system32\lsass.exe
PID: 1144 Status: -

Path: C:\Program Files\Internet Explorer\iexplore.exe
PID: 1264 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1300 Status: -

Path: C:\Program Files\Kontiki\KService.exe
PID: 1332 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1384 Status: -

Path: C:\WINDOWS\system32\VTTimer.exe
PID: 1428 Status: -

Path: C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe
PID: 1496 Status: -

Path: C:\APPS\ABOARD\ABOARD.EXE
PID: 1520 Status: -

Path: C:\Program Files\Windows Defender\MsMpEng.exe
PID: 1580 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1620 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1660 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1736 Status: -

Path: C:\WINDOWS\system32\ctfmon.exe
PID: 1744 Status: -

Path: C:\Program Files\Common Files\AOL\1132534367\ee\aolsoftware.exe
PID: 1828 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1960 Status: -

Path: C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PID: 1992 Status: -

Path: C:\WINDOWS\vsnpstd2.exe
PID: 2068 Status: -

Path: C:\APPS\ABOARD\AOSD.EXE
PID: 2088 Status: -

Path: C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
PID: 2104 Status: -

Path: C:\Program Files\QuickTime\qttask.exe
PID: 2248 Status: -

Path: C:\Program Files\Kontiki\KHost.exe
PID: 2340 Status: -

Path: C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PID: 2584 Status: -

Path: C:\Program Files\Common Files\AOL\1132534367\ee\services\antiSpywareApp\ver2_0_12\AOLSP Scheduler.exe
PID: 2644 Status: -

Path: C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
PID: 2680 Status: -

Path: C:\Program Files\Windows Live\Messenger\msnmsgr.exe
PID: 2848 Status: -

Path: C:\Program Files\Internet Explorer\iexplore.exe
PID: 2876 Status: -

Path: C:\Program Files\Internet Explorer\iexplore.exe
PID: 3112 Status: -

Path: C:\Program Files\lg_fwupdate\fwupdate.exe
PID: 3148 Status: -

Path: C:\WINDOWS\system32\wbem\unsecapp.exe
PID: 3176 Status: -

Path: C:\Program Files\Common Files\AOL\aoltpspd.exe
PID: 3216 Status: -

Path: C:\WINDOWS\system32\wbem\wmiprvse.exe
PID: 3360 Status: -

Path: C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
PID: 3432 Status: -

Path: C:\WINDOWS\system32\alg.exe
PID: 3700 Status: -

Path: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PID: 3724 Status: -

Path: C:\Program Files\Nero\Nero 7\InCD\InCD.exe
PID: 3728 Status: -

Path: C:\Program Files\Windows Defender\MSASCui.exe
PID: 3892 Status: -

Path: C:\WINDOWS\SOUNDMAN.EXE
PID: 3908 Status: -

Path: C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe
PID: 4088 Status: -

Path: C:\Program Files\AOL 9.0\waol.exe
PID: 4216 Status: -

Path: C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PID: 4832 Status: -

Path: C:\Program Files\Microsoft Office\Office\WINWORD.EXE
PID: 5212 Status: -

Path: C:\Program Files\AOL 9.0\shellmon.exe
PID: 5216 Status: -

Path: D:\DOCUME~1\PAULSI~1\LOCALS~1\Temp\Temporary Directory 1 for RootRepeal.zip\RootRepeal.exe
PID: 5516 Status: -
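An added example, not from the thread or from RootRepeal's authors: a Python triage helper for RootRepeal reports in the format above. It reads the Drivers section as a list of image address ranges, reads the SSDT section into one record per hooked service, groups the hooks by the module RootRepeal attributed them to, and checks whether each "<unknown>" hook address falls inside any listed driver image. The sample report is constructed from a subset of the lines posted above.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample: a shortened RootRepeal 1.3.5.0 report using the same line
# formats as the log above (two Drivers entries, five SSDT entries).
SAMPLE_REPORT = r"""ROOTREPEAL (c) AD, 2007-2009

Drivers
-------------------
Name: rootrepeal.sys
Address: 0xAF413000 Size: 49152 File Visible: No Signed: -
Status: -

Name: SYMEFA.SYS
Address: 0xBA653000 Size: 323584 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x89f91bf0

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xb8803130

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x89f18f68

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x89e610f0

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xb8803b60

==EOF==
"""

SECTIONS = ("Drivers", "Hidden/Locked Files", "Processes", "SSDT")
DRIVER_RE = re.compile(r"^Address: (0x[0-9A-Fa-f]+) Size: (\d+) ")
SSDT_RE = re.compile(r"^#: (\d+) Function Name: (\w+)$")
HOOK_RE = re.compile(r'^Status: Hooked by "(.+)" at address (0x[0-9A-Fa-f]+)$')

def resolve_image(addr: int, drivers: List[Tuple[str, int, int]]) -> Optional[str]:
    """Name of the listed driver whose image range [start, end) contains addr, else None."""
    for name, start, end in drivers:
        if start <= addr < end:
            return name
    return None

def parse_rootrepeal(text: str) -> Tuple[List[Tuple[str, int, int]], List[dict]]:
    drivers: List[Tuple[str, int, int]] = []   # (name, image start, image end)
    hooks: List[dict] = []
    section = name = pending = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section = line
            continue
        if section == "Drivers":
            if line.startswith("Name: "):
                name = line[len("Name: "):]
            elif (m := DRIVER_RE.match(line)) and name:
                base = int(m.group(1), 16)
                drivers.append((name, base, base + int(m.group(2))))
        elif section == "SSDT":
            if m := SSDT_RE.match(line):
                pending = (int(m.group(1)), m.group(2))   # waiting for its Status line
            elif (m := HOOK_RE.match(line)) and pending:
                addr = int(m.group(2), 16)
                hooks.append({"index": pending[0], "function": pending[1],
                              "module": m.group(1), "address": addr,
                              "in_image": resolve_image(addr, drivers)})
                pending = None
    return drivers, hooks

def summarize_hooks(hooks: List[dict]) -> Dict[str, object]:
    """Group hooked services by hooking module and characterise the '<unknown>' ones."""
    by_module: Dict[str, List[str]] = defaultdict(list)
    for h in hooks:
        by_module[h["module"]].append(h["function"])
    unknown = [h for h in hooks if h["module"] == "<unknown>"]
    # Hooks RootRepeal could not attribute AND that sit outside every listed
    # driver image are the ones to look at next to the Processes/Drivers lists.
    unresolved = [h for h in unknown if h["in_image"] is None]
    addrs = [h["address"] for h in unknown]
    return {"by_module": dict(by_module), "unknown_count": len(unknown),
            "unknown_unresolved": len(unresolved),
            "unknown_span": (min(addrs), max(addrs)) if addrs else None}
```

Pass the contents of RootRepeal.txt to parse_rootrepeal and hand the hooks to summarize_hooks; with the full log above, none of the "<unknown>" hook addresses fall inside the four listed driver images.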
  #22  
Old September 16th, 2009, 05:25 AM
dahli
CTH Subscriber
 
Join Date: Oct 2004
Location: in a van down by the river
Posts: 5,335
Download combofix.exe and save it to your C folder (C:\ComboFix.exe).

Please disable your antivirus program as it may interfere with ComboFix's routines. Doubleclick on combofix.exe and follow the prompts. A window will open with a warning. Type "1" (and Enter) to start the fix. When the scan completes, Disk Cleanup will run and then a text window with your log will open. Please copy and paste that log back here.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
  #23  
Old September 16th, 2009, 07:22 PM
peejay
Senior Member
 
Join Date: Mar 2004
Posts: 102
Here's the log produced by ComboFix. Can you tell me: are we making any progress here (hopefully!)? What have you found?
Thanks again
Paul
__________________________________________________
ComboFix 09-09-14.02 - Paul Simberg 16/09/2009 19:03.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1471.471 [GMT 1:00]
Running from: C:\ComboFix.exe
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-2378220718-3294398322-3571734285-1003
c:\recycler\S-1-5-21-3421700463-2875015409-2882359847-1003
c:\windows\Installer\1b997.msi
c:\windows\Installer\276344f.msi
c:\windows\Installer\27b4365d.msi
c:\windows\Installer\e2a9df5.msi
c:\windows\system32\drivers\Sonyhcp.dll
d:\documents and settings\All Users\Start Menu\Programs\Startup\Ulead Photo Express 4.0 SE Calendar Checker .lnk

.
((((((((((((((((((((((((( Files Created from 2009-08-16 to 2009-09-16 )))))))))))))))))))))))))))))))
.

2009-09-16 18:00 . 2009-09-16 18:00 3315456 ----a-r- C:\ComboFix.exe
2009-09-15 17:43 . 2009-09-15 17:43 0 ----a-w- d:\documents and settings\Paul Simberg\settings.dat
2009-09-13 22:17 . 2009-09-13 22:17 -------- d-----w- d:\documents and settings\Paul Simberg\Application Data\Malwarebytes
2009-09-13 22:17 . 2009-09-10 13:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-13 22:17 . 2009-09-13 22:17 -------- d-----w- d:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-13 22:17 . 2009-09-10 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-13 22:17 . 2009-09-13 22:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-13 00:01 . 2009-09-13 00:01 -------- d-sh--w- d:\documents and settings\NetworkService\IETldCache
2009-09-11 06:25 . 2009-09-13 01:44 -------- d-----w- c:\program files\trend micro
2009-09-11 06:25 . 2009-09-13 01:45 -------- d-----w- C:\rsit
2009-09-10 06:28 . 2009-08-22 07:21 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys
2009-09-09 20:37 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-16 18:12 . 2008-04-28 18:22 -------- d-----w- d:\documents and settings\All Users\Application Data\Kontiki
2009-09-14 22:13 . 2008-01-12 14:42 -------- d-----w- c:\program files\lg_fwupdate
2009-09-14 21:37 . 2005-11-13 16:35 -------- d-----w- d:\documents and settings\Paul Simberg\Application Data\Skype
2009-09-13 11:08 . 2006-05-02 18:31 -------- d-----w- d:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-11 23:58 . 2006-05-02 18:31 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-11 23:00 . 2005-10-01 03:43 -------- d-----w- c:\program files\Java
2009-09-10 06:24 . 2009-02-28 10:02 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-08 22:28 . 2005-10-01 03:43 -------- d-----w- c:\program files\Symantec
2009-09-08 22:28 . 2009-06-24 18:27 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-09-08 22:28 . 2009-06-24 18:27 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-09-08 22:28 . 2009-06-24 18:27 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-09-08 22:28 . 2009-06-24 18:27 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-08-16 00:42 . 2007-09-11 17:59 -------- d-----w- c:\program files\eMusic Download Manager
2009-08-16 00:42 . 2005-10-01 03:43 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-16 00:41 . 2005-12-19 21:34 -------- d-----w- c:\program files\Lavasoft
2009-08-16 00:41 . 2005-12-19 21:34 -------- d-----w- d:\documents and settings\Paul Simberg\Application Data\Lavasoft
2009-07-03 14:49 . 2009-08-16 00:31 15688 ----a-w- c:\windows\system32\lsdelete.exe
2007-11-25 12:28 . 2007-11-25 12:28 8807 ----a-w- c:\program files\hijackthis.log
2005-02-16 11:06 . 2007-11-25 12:28 218112 ----a-w- c:\program files\HijackThis.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
"Skype"="c:\apps\skype\phone\Skype.exe" [2007-02-05 25436200]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"ACTIVBOARD"="c:\apps\ABoard\ABoard.exe" [2003-05-02 24576]
"HostManager"="c:\program files\Common Files\AOL\1132534367\ee\AOLSoftware.exe" [2006-11-17 50736]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2007-12-07 71008]
"SNPSTD2"="c:\windows\vsnpstd2.exe" [2004-01-05 40960]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-09-22 98304]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-04-26 180269]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 56928]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 54832]
"LGODDFU"="c:\program files\lg_fwupdate\fwupdate.exe" [2008-02-10 249856]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2007-05-15 1628208]
"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2007-05-15 1057328]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2005-03-08 53248]
"VTTrayp"="VTtrayp.exe" - c:\windows\system32\VTTrayp.exe [2005-03-11 147456]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2005-01-20 77824]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

d:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%ProgramFiles%\\AOL 9.0\\aol.exe"=
"%ProgramFiles%\\UBISOFT\\Splinter Cell ******* Tomorrow\\logo_ubi.exe"=
"%ProgramFiles%\\UBISOFT\\Splinter Cell ******* Tomorrow\\*******.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\1132534367\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\APPS\\skype\\phone\\Skype.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [16/08/2009 01:01 64160]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1007020.00B\SymEFA.sys [08/09/2009 23:28 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NIS\1007020.00B\BHDrvx86.sys [08/09/2009 23:28 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1007020.00B\cchpx86.sys [08/09/2009 23:27 482432]
R1 IDSxpx86;IDSxpx86;d:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090911.003\IDSXpx86.sys [11/07/2009 20:34 276344]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [28/02/2009 11:02 55152]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [03/07/2009 15:49 1029456]
R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe [08/09/2009 23:28 117640]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 19:19 13592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [27/06/2009 09:05 102448]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [06/02/2009 19:08 533360]

--- Other Services/Drivers In Memory ---

*Deregistered* - ATWPKT2

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-14 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]

2009-09-16 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-TomTomHOME.exe - c:\program files\TomTom HOME 2\HOMERunner.exe
HKLM-Run-BJCFD - c:\program files\BroadJump\Client Foundation\CFD.exe
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre1.5.0_02\bin\jusched.exe
AddRemove-BroadJump Client Foundation - c:\windows\IsUninst.exe -fc:\program files\BroadJump\Client Foundation\Uninst.isu -cc:\program files\BroadJump\Client Foundation\RmvBJCFD.dll
AddRemove-Ulead COOL 360 1.0 - c:\windows\IsUninst.exe -fc:\program files\Ulead Systems\Ulead COOL 360\Uninst.isu



************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-16 19:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Norton Internet Security\Engine\16.7.2.11\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2009-09-16 19:17
ComboFix-quarantined-files.txt 2009-09-16 18:16

Pre-Run: 11,480,748,032 bytes free
Post-Run: 11,437,223,936 bytes free

185 --- E O F --- 2009-09-15 00:49
  #24  
Old September 19th, 2009, 11:15 PM
peejay
Senior Member
 
Join Date: Mar 2004
Posts: 102
Steve, did you manage to check this report? Find anything? Anything else I should do?
Thanks
Paul
  #25  
Old September 19th, 2009, 11:30 PM
dahli
CTH Subscriber
 
Join Date: Oct 2004
Location: in a van down by the river
Posts: 5,335
Sorry, I missed your reply earlier. Go here and download ATF cleaner. Use it to remove all Temp Files, Cookies and Temp Internet Files, Java Cache and any others that you would like to remove. If you also use Opera or Firefox, also click on the cleaning options for each browser.

Next, disable your antivirus program and go here -> http://www.eset.com/onlinescan and run an online scan using ESET Online Scanner (you will need to use Internet Explorer for this scan). If you accept the Terms of Use, check the box and click Start. After the ActiveX Control has loaded, it will take a couple minutes for the scanner to get ready. Next, check the following boxes:

Remove found threats
Scan unwanted applications

Click Start. This scan may take a while, so please be patient. Go to C:\Program Files\EsetOnlineScanner\ and open the file log.txt. Click Edit - Select All then copy/paste that log back here.
  #26  
Old September 20th, 2009, 03:18 AM
peejay
Senior Member
 
Join Date: Mar 2004
Posts: 102
Thanks. The scan took more than an hour but found no threats. Here's the log:-

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6050
# api_version=3.0.2
# EOSSerial=d7a4a630af5b3f4cbbd5341e47bd3855
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-09-20 02:16:23
# local_time=2009-09-20 03:16:23 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=3588 37 100 96 9641233413750
# compatibility_mode=5889 61 66 100 778705937790000
# scanned=89118
# found=0
# cleaned=0
# scan_time=4816
  #27  
Old September 21st, 2009, 10:06 PM
dahli
CTH Subscriber
 
Join Date: Oct 2004
Location: in a van down by the river
Posts: 5,335
How is everything running now?
  #28  
Old September 21st, 2009, 11:51 PM
peejay
Senior Member
 
Join Date: Mar 2004
Posts: 102
For the moment, it seems to be running ok. I still find, when opening a folder of photos, not all thumbnails open and the Windows folder box sometimes freezes.

Did you find any malware in any of the scan logs I posted?

Thanks
Paul