verachion
06-28-2010, 02:09 PM
I don't understand it. I have been using my laptop carefully, and I have Avast and Spybot working. Anyway, the other day I thought I had better have a quick check using Malwarebytes, and it found several items that were viruses or trojans. I deleted them and thought nothing of it, but now when I run Malwarebytes it says I have Malware.Trace and Stolen.Data. I thought I had better run some reports and see if you guys can help me, as I have been a member here for a while and I remember you guys helping me out once or thrice. Anyway, here are the logs:
Malwarebytes:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4244
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18904
28/06/2010 19:02:14
mbam-log-2010-06-28 (19-02-14).txt
Scan type: Quick scan
Objects scanned: 121506
Time elapsed: 7 minute(s), 14 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\SrvID (Malware.Trace) -> No action taken.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Users\Secret\AppData\Roaming\data.dat (Stolen.Data) -> No action taken.
HJT:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 19:08:06, on 28/06/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18904)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
C:\Program Files\Ultralingua\Ultralingua 7\ULHotkey.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\WindowsMobile\wmdcBase.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\system32\taskeng.exe
C:\Windows\ehome\ehmsas.exe
C:\Users\Secret\AppData\Roaming\avs.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe" /start
O4 - HKLM\..\Run: [Ultralingua 7 Hotkey] "C:\Program Files\Ultralingua\Ultralingua 7\ULHotkey.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Windows Mobile-based device management] %WINDIR%\WindowsMobile\wmdcBase.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [avs] C:\Users\Secret\AppData\Roaming\avs.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [avs] C:\Users\Secret\AppData\Roaming\avs.exe
O4 - HKLM\..\Policies\Explorer\Run: [avs] C:\Users\Secret\AppData\Roaming\avs.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D57E638-058B-4753-8CA0-E7D581844160}: NameServer = 208.67.222.222,208.67.220.220
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Notebook Performance Tuning Service (TEMPRO) (TemproMonitoringService) - Toshiba Europe GmbH - C:\Program Files\Toshiba TEMPRO\TemproSvc.exe
--
End of file - 6063 bytes
verachion
06-28-2010, 02:36 PM
Last but not least is the ComboFix.txt
ComboFix 10-06-27.06 - Secret 28/06/2010 19:15:32.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.1789.841 [GMT 1:00]
Running from: c:\users\Secret\Downloads\ComboFix.exe
AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: avast! Antivirus *enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\favoritevideo\InvisibleFolder
c:\favoritevideo\InvisibleFolder\_db_big20100221.zip
c:\favoritevideo\InvisibleFolder\51job100226zanting15s.swf
c:\favoritevideo\InvisibleFolder\bangniwang100127zanting15s.jpg
c:\favoritevideo\InvisibleFolder\daheng090731cha15s.swf
c:\favoritevideo\InvisibleFolder\dandantang100211cha15s.jpg
c:\favoritevideo\InvisibleFolder\dandantang100211qipao15s.swf
c:\favoritevideo\InvisibleFolder\dandantang100211zanting15s.swf
c:\favoritevideo\InvisibleFolder\dandantang100211zhu15s.swf
c:\favoritevideo\InvisibleFolder\dingpiao100201zhu15s.swf
c:\favoritevideo\InvisibleFolder\feitianxiyou100224zhu15s.swf
c:\favoritevideo\InvisibleFolder\feitianxiyou100224zhu15s1.swf
c:\favoritevideo\InvisibleFolder\fuzhuang100205zanting15s.swf
c:\favoritevideo\InvisibleFolder\fuzhuang100205zhu15s.swf
c:\favoritevideo\InvisibleFolder\google100226zanting15s.swf
c:\favoritevideo\InvisibleFolder\google100226zhu15s.swf
c:\favoritevideo\InvisibleFolder\gouwujie100211cha15s.swf
c:\favoritevideo\InvisibleFolder\gouwujie100211qipao15s.swf
c:\favoritevideo\InvisibleFolder\gouwujie100211zanting15s.swf
c:\favoritevideo\InvisibleFolder\gouwujie100211zhu15s.swf
c:\favoritevideo\InvisibleFolder\guangben100201zhu15s.swf
c:\favoritevideo\InvisibleFolder\juezhantianxia100131zanting15s.swf
c:\favoritevideo\InvisibleFolder\juezhantianxia100131zhu15s.swf
c:\favoritevideo\InvisibleFolder\kunlun100226zhu15s.swf
c:\favoritevideo\InvisibleFolder\meizhuang100205cha15s.swf
c:\favoritevideo\InvisibleFolder\meizhuang100205jiao15s.swf
c:\favoritevideo\InvisibleFolder\meizhuang100209zhu15s.swf
c:\favoritevideo\InvisibleFolder\meizhuang100215qipao15s.swf
c:\favoritevideo\InvisibleFolder\mop100225zanting15s.swf
c:\favoritevideo\InvisibleFolder\mop100225zhu15s.swf
c:\favoritevideo\InvisibleFolder\mop100227zanting15s.swf
c:\favoritevideo\InvisibleFolder\mop100227zhu15s.swf
c:\favoritevideo\InvisibleFolder\mopdiguo100202zhu15s.swf
c:\favoritevideo\InvisibleFolder\mopdiguo100221zanting15s.swf
c:\favoritevideo\InvisibleFolder\mopjiushaonv100213zanting15s.swf
c:\favoritevideo\InvisibleFolder\mopjiushaonv100213zhu15s.swf
c:\favoritevideo\InvisibleFolder\mopxiongba100201zanting15s.swf
c:\favoritevideo\InvisibleFolder\mopxiongba100201zhu15s.swf
c:\favoritevideo\InvisibleFolder\mopzhuawawa100217zanting15s.swf
c:\favoritevideo\InvisibleFolder\mopzhuawawa100217zhu15s.swf
c:\favoritevideo\InvisibleFolder\OPPO10203zhu15s.wmv
c:\favoritevideo\InvisibleFolder\pplive091222cha15s1.jpg
c:\favoritevideo\InvisibleFolder\pplive091222cha15s2.jpg
c:\favoritevideo\InvisibleFolder\pplivemoren100128zanting15s.jpg
c:\favoritevideo\InvisibleFolder\pptv3d100121zhu15s.jpg
c:\favoritevideo\InvisibleFolder\PPTVmoren100120zhu15s.wmv
c:\favoritevideo\InvisibleFolder\qigou100128zhu15s1.swf
c:\favoritevideo\InvisibleFolder\qiya100210zhu15s.swf
c:\favoritevideo\InvisibleFolder\qqxuanwu100223qipao15s.swf
c:\favoritevideo\InvisibleFolder\su8100215qipao15s1.swf
c:\favoritevideo\InvisibleFolder\tiandao100227qipao15s.swf
c:\favoritevideo\InvisibleFolder\tiandao100227zanting15s.swf
c:\favoritevideo\InvisibleFolder\tiankong100226qipao15s.swf
c:\favoritevideo\InvisibleFolder\tianxi100105zhu15s1.swf
c:\favoritevideo\InvisibleFolder\tianxi100105zhu15s2.swf
c:\favoritevideo\InvisibleFolder\tianxi100222zhu15s.swf
c:\favoritevideo\InvisibleFolder\tianxi100224zhu15sdx.swf
c:\favoritevideo\InvisibleFolder\volvo100212zhu15s.swf
c:\favoritevideo\InvisibleFolder\volvo100225zhu15s.wmv
c:\favoritevideo\InvisibleFolder\wulinyingxiong100225cha15s.jpg
c:\favoritevideo\InvisibleFolder\wulinyingxiong100225qipao15s.swf
c:\favoritevideo\InvisibleFolder\wulinyingxiong100225zanting15s.jpg
c:\favoritevideo\InvisibleFolder\wulinyingxiong100225zhu15s.swf
c:\users\Secret\AppData\Roaming\avs.exe
c:\users\Secret\AppData\Roaming\data.dat
c:\windows\system32\AutoRun.inf
.
((((((((((((((((((((((((( Files Created from 2010-05-28 to 2010-06-28 )))))))))))))))))))))))))))))))
.
2010-06-28 18:26 . 2010-06-28 18:26 -------- d-----w- c:\users\Secret\AppData\Local\temp
2010-06-28 18:26 . 2010-06-28 18:26 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-06-28 18:07 . 2010-06-28 18:07 388096 ----a-r- c:\users\Secret\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-06-28 18:07 . 2010-06-28 18:07 -------- d-----w- c:\program files\Trend Micro
2010-06-26 16:20 . 2010-06-26 16:20 -------- d-----w- c:\users\Secret\AppData\Roaming\Malwarebytes
2010-06-26 16:20 . 2010-06-26 16:20 -------- d-----w- c:\programdata\Malwarebytes
2010-06-26 16:20 . 2010-06-26 16:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-26 16:20 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-26 16:08 . 2006-06-19 11:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-06-26 16:08 . 2006-05-25 13:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-06-26 16:08 . 2005-08-25 23:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-06-26 16:08 . 2003-02-02 18:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2010-06-26 16:08 . 2002-03-05 23:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-06-25 19:47 . 2010-06-25 19:47 -------- d-----w- c:\users\Secret\AppData\Local\Unity
2010-06-12 14:12 . 2010-06-12 14:12 -------- d-----w- c:\program files\TVAnts
2010-06-11 15:47 . 2010-06-11 15:47 -------- d-----w- c:\users\Secret\AppData\Roaming\StreamTorrent
2010-06-11 15:47 . 2010-06-11 15:47 -------- d-----w- c:\program files\StreamTorrent 1.0
2010-06-11 14:31 . 2010-06-11 14:31 -------- d-----w- c:\program files\Veetle
2010-06-10 18:01 . 2010-06-10 18:01 -------- d-----w- c:\programdata\Hewlett-Packard
2010-06-10 18:01 . 2007-03-28 12:57 274944 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpzpp5ha.dll
2010-06-10 17:59 . 2007-03-28 13:01 117760 ----a-w- c:\windows\system32\hpzll5ha.dll
2010-06-10 17:58 . 2010-06-10 17:58 -------- d-----w- c:\program files\HP
2010-06-10 17:58 . 2010-06-10 18:02 121305 ----a-w- c:\windows\HPHins15.dat
2010-06-10 17:58 . 2007-08-28 21:32 2885 ------w- c:\windows\hphmdl15.dat
2010-06-10 17:57 . 2010-06-10 17:57 -------- d-----w- c:\programdata\HP
2010-06-10 17:57 . 2007-03-31 05:11 267864 ----a-w- c:\windows\system32\hpzids01.dll
2010-06-07 18:33 . 2010-06-07 18:33 -------- d-----w- c:\program files\Common Files\Apple
2010-06-07 18:32 . 2010-06-07 18:32 -------- d-----w- c:\program files\Apple Software Update
2010-06-06 20:13 . 2010-06-06 20:13 -------- d-----w- c:\program files\Rosetta Stone
2010-06-06 20:12 . 2010-06-06 20:13 -------- d-----w- c:\programdata\RosettaStoneLtdBackup
2010-06-05 19:35 . 2010-06-06 20:13 -------- d-----w- c:\programdata\FLEXnet
2010-06-05 19:34 . 2010-06-05 19:34 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2010-06-05 19:33 . 2010-06-12 15:55 -------- d-----w- c:\programdata\Rosetta Stone
.
verachion
06-28-2010, 02:37 PM
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-28 18:11 . 2010-02-25 18:44 12 ----a-w- c:\windows\bthservsdp.dat
2010-06-26 17:18 . 2010-03-20 19:40 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-06-24 21:51 . 2010-02-21 22:33 -------- d-----w- c:\users\Secret\AppData\Roaming\Skype
2010-06-24 18:19 . 2010-02-21 22:38 -------- d-----w- c:\users\Secret\AppData\Roaming\skypePM
2010-06-23 07:40 . 2010-04-21 19:59 -------- d-----w- c:\users\Secret\AppData\Roaming\Fuil
2010-06-22 20:52 . 2010-03-15 00:07 -------- d-----w- c:\users\Secret\AppData\Roaming\Xaobir
2010-06-12 13:06 . 2010-02-21 20:21 680 ----a-w- c:\users\Secret\AppData\Local\d3d9caps.dat
2010-06-11 14:12 . 2010-02-23 20:18 -------- d-----w- c:\program files\SopCast
2010-06-11 08:50 . 2010-02-28 21:18 -------- d-----w- c:\users\Secret\AppData\Roaming\vlc
2010-06-07 18:34 . 2010-05-17 06:25 -------- d-----w- c:\program files\QuickTime
2010-06-07 18:34 . 2010-05-17 06:25 -------- d-----w- c:\programdata\Apple Computer
2010-06-07 18:31 . 2010-02-21 21:09 -------- d-----w- c:\program files\CCleaner
2010-05-17 21:29 . 2010-05-17 06:28 -------- d-----w- c:\users\Secret\AppData\Roaming\Apple Computer
2010-05-17 06:27 . 2010-05-17 06:26 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-05-17 06:24 . 2010-05-17 06:22 -------- d-----w- c:\programdata\Apple
2010-05-16 19:59 . 2010-05-16 19:59 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2010-05-14 17:08 . 2010-03-07 18:15 -------- d-----w- c:\users\Secret\AppData\Roaming\ImgBurn
2010-05-11 18:03 . 2010-05-11 18:03 -------- d-----w- c:\users\Secret\AppData\Roaming\U3
2010-05-11 17:40 . 2010-02-22 06:58 -------- d-----w- c:\programdata\Microsoft Help
2010-05-09 16:46 . 2010-05-09 16:46 -------- d-----w- c:\program files\MWSnap
2010-05-09 16:04 . 2010-02-21 21:30 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-05-09 16:04 . 2010-03-21 11:20 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-09 14:41 . 2010-05-09 14:41 -------- d-----w- c:\programdata\WindowsSearch
2010-05-08 14:43 . 2010-05-08 14:42 -------- d-----w- c:\program files\VistaCodecPack
2010-05-08 14:43 . 2010-05-08 14:43 -------- d-----w- c:\users\Secret\AppData\Roaming\VistaCodecs
2010-05-08 14:43 . 2010-05-08 14:41 -------- d-----w- c:\programdata\VistaCodecs
2010-05-06 20:59 . 2010-02-21 21:10 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-05-06 20:39 . 2010-02-21 21:12 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-05-06 20:39 . 2010-02-21 21:12 164048 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-05-06 20:34 . 2010-02-21 21:12 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-05-06 20:34 . 2010-02-21 21:12 51792 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-05-06 20:33 . 2010-02-21 21:12 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-05-03 16:59 . 2010-05-03 16:59 -------- d-----w- c:\users\Secret\AppData\Roaming\PC Tools
2010-05-03 16:59 . 2010-05-03 16:59 -------- d-----w- c:\programdata\PC Tools
2010-04-14 16:47 . 2010-02-21 21:10 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-04-12 18:01 . 2010-04-12 18:02 411368 ----a-w- c:\windows\system32\deploytk.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-05-16 322352]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2009-04-24 203928]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-05-06 2815192]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2008-09-26 417792]
"Ultralingua 7 Hotkey"="c:\program files\Ultralingua\Ultralingua 7\ULHotkey.exe" [2009-11-04 1483264]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdcBase.exe" [2007-05-31 648072]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"SoftwareSASGeneration"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer2"=wdmaud.drv
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 16:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2009-10-09 13:11 25623336 ----a-r- c:\program files\Skype\Phone\Skype.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Toshiba TEMPRO]
2009-12-01 12:12 1045976 ----a-w- c:\program files\Toshiba TEMPRO\TemproTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):a1,b7,99,4b,0e,b4,ca,01
R3 pwdrvio;pwdrvio;c:\windows\system32\pwdrvio.sys [2009-12-21 16456]
R3 pwdspio;pwdspio;c:\windows\system32\pwdspio.sys [2009-12-21 11088]
R3 USBPNPA;USB PnP Sound Device Interface;c:\windows\system32\drivers\CM108.sys [2007-06-28 1310720]
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2010-02-21 721904]
S1 aswSP;aswSP; [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-05-06 51792]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 TemproMonitoringService;Notebook Performance Tuning Service (TEMPRO);c:\program files\Toshiba TEMPRO\TemproSvc.exe [2009-12-01 116176]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
[HKEY_CURRENT_USER\software\microsoft\active setup\installed components\{D7D9DA7C-B2AA-81FC-C2A8-4FDAAA02EEF9}]
c:\users\Secret\AppData\Roaming\avs.exe [BU]
.
Contents of the 'Scheduled Tasks' folder
2010-06-28 c:\windows\Tasks\User_Feed_Synchronization-{0F5F83BD-3BD6-4946-8078-9AB9A4171581}.job
- c:\windows\system32\msfeedssync.exe [2010-03-31 04:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: {2D57E638-058B-4753-8CA0-E7D581844160} = 208.67.222.222,208.67.220.220
FF - ProfilePath - c:\users\Secret\AppData\Roaming\Mozilla\Firefox\Profiles\87ugc5oi.default\
FF - prefs.js: browser.search.defaulturl - hxxp://flvdirect.iamwired.net/websearch.php?src=tops&search=
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://flvdirect.iamwired.net/websearch.php?src=tops&search=
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\Veetle\VLCBroadcast\npvbp.dll
FF - plugin: c:\program files\VistaCodecPack\rm\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\VistaCodecPack\rm\browser\plugins\nprpjplug.dll
FF - plugin: c:\users\Secret\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
verachion
06-28-2010, 02:38 PM
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-avs - c:\users\Secret\AppData\Roaming\avs.exe
HKLM-Run-avs - c:\users\Secret\AppData\Roaming\avs.exe
HKLM-Explorer_Run-avs - c:\users\Secret\AppData\Roaming\avs.exe
MSConfigStartUp-SUPERAntiSpyware - c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
ActiveSetup-{D7D9DA7C-B2AA-81FC-C2A8-4FDAAA02EEF9} - c:\users\Secret\AppData\Roaming\avs.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-28 19:26
Windows 6.0.6002 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-3228581124-2778868214-3572035502-1000\Software\SecuROM\License information*]
"datasecu"=hex:ed,d4,1a,b8,2b,78,2b,f9,d4,9e,0a,16,5c,41,8b,9c,86,a4,ea,04,84,\
c8,43,bf,01,9d,7e,a3,95,12,55,8a,a0,48,76,8e,ee,8e,c4,80,a8,54,c2,e2,1b,b2,\
"rkeysecu"=hex:73,6b,4e,33,07,72,2b,04,9f,c7,13,d3,dc,58,cd,9c
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2010-06-28 19:31:04
ComboFix-quarantined-files.txt 2010-06-28 18:31
Pre-Run: 68,720,881,664 bytes free
Post-Run: 68,696,383,488 bytes free
Current=1 Default=1 Failed=0 LastKnownGood=11 Sets=1,2,3,4,5,6,7,8,9,11
- - End Of File - - 2972DBCD64CE39876DBFA72D20869F27