VirTool:Win32/Ursnif.A

What is wrong with my computer? I've run like 10 OneCare scans and it's not going away. I need major help plz.... It says it's a Trojan. I'm technologically challenged.... I tried restarting and quarantine but nothing helps. What is it? How can I make it go away?

Comments

  • Trogan, London, UK
    edited May 2009
    Hi,

    We need to see a HijackThis log.
    Download HJTInstall.exe to your Desktop.
    • Doubleclick HJTInstall.exe to install it.
    • By default it will install to C:\Program Files\Trend Micro\HijackThis.
    • Click on Install.
    • It will create a HijackThis icon on the desktop.
    • Once installed, it will launch Hijackthis.
    • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
    • Save the log to a convenient location as you'll need to post it soon.
    • Don't use the Analyse This button, its findings are dangerous if misinterpreted.
    • Don't have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

    Post the HijackThis log back here.
  • edited May 2009
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:28:26 PM, on 5/28/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\arservice.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
    C:\Program Files\Microsoft Windows OneCare Live\winss.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5220
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01010200-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Installer) - https://ra.qwest.com/sdccommon/download/tgctlins.cab
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - https://ra.qwest.com/sdccommon/download/tgctlcm.cab
    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1197504937515
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.lizardtech.com/download/files/win/expressview/webinstall/isetup.cab
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe
    --
    End of file - 7384 bytes
  • edited June 2009
    Sorry for the delay, it looks like Trogan is busy.
    Download and Run ComboFix (by sUBs)
    Please visit this webpage for instructions for downloading and running ComboFix:

    Bleeping Computer ComboFix Tutorial

    • You must download it to and run it from your Desktop
    • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
    • Double click combofix.exe & follow the prompts.
    • When finished, it will produce a log. Please save that log to post in your next reply.
    • Re-enable all the programs that were disabled during the running of ComboFix.
    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
    This tool is not a toy and not for everyday use.
    ComboFix SHOULD NOT be used unless requested by a forum helper
    Installed Programs

    Please could you give me a list of the programs that are installed.
    • Start HijackThis
    • Click on the Misc Tools button
    • Click on the Open Uninstall Manager button.

    You will see a list with the programs installed in your computer.
    Click on the Save List button and specify where you would like to save this file.
    When you press the Save button, a Notepad window will open with the contents of that file.
    Simply copy and paste the contents of that notepad into your next post.
  • edited June 2009
    ComboFix 09-06-05.09 - Owner 06/06/2009 11:24.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.895.545 [GMT -7:00]
    Running from: c:\documents and settings\Owner.GATEWAY\Desktop\ComboFix.exe
    AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    AV: Windows Live OneCare *On-access scanning disabled* (Updated) {427ADFC3-B354-4A51-BE34-A9D4218E45C4}
    FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    FW: Windows Live OneCare Firewall *disabled* {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    c:\documents and settings\Owner.GATEWAY\Application Data\ShoppingReport
    c:\documents and settings\Owner.GATEWAY\Application Data\ShoppingReport\cs\Config.xml
    c:\program files\ShoppingReport
    c:\windows\system32\getwn32.dll
    c:\windows\system32\TDSSfxwp.dll
    c:\windows\system32\TDSSosvd.dat
    c:\windows\system32\TDSSqnsa.dll
    c:\windows\system32\TDSSsbct.dat
    c:\windows\system32\TDSStskp.log
    c:\windows\system32\termsrv.dll
    c:\windows\system32\wertyu.dll
    D:\Autorun.inf
    D:\Desktop.ini
    .
    ((((((((((((((((((((((((( Files Created from 2009-05-06 to 2009-06-06 )))))))))))))))))))))))))))))))
    .
    2009-05-30 00:20 . 2009-05-30 00:20 d-----w- c:\documents and settings\Cynthia.GATEWAY.000\Local Settings\Application Data\Adobe
    2009-05-29 02:41 . 2009-05-29 02:41 d-sh--w- c:\documents and settings\Cynthia.GATEWAY.000\PrivacIE
    2009-05-28 21:27 . 2009-05-28 21:27 d-----w- c:\program files\Trend Micro
    2009-05-27 05:00 . 2009-05-27 05:00 152576 ----a-w- c:\documents and settings\Owner.GATEWAY\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
    2009-05-27 04:45 . 2009-05-27 04:45 d--h--w- c:\windows\system32\GroupPolicy
    2009-05-27 02:46 . 2009-05-27 02:46 29352 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\OC\Channels\ch1\HTML\item_templ\common\fixes\HASFix058456.dll
    2009-05-27 02:46 . 2009-05-27 02:46 23720 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\OC\Channels\ch1\HTML\item_templ\common\fixes\HelpAndSupport_TestContent.dll
    2009-05-27 02:46 . 2009-05-27 02:46 23056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\OC\Channels\ch1\HTML\item_templ\common\fixes\HASFix101001.dll
    2009-05-27 02:46 . 2009-05-27 02:46 221208 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\OC\Channels\ch1\HTML\item_templ\common\fixes\HelpAndSupportCommon.dll
    2009-05-27 02:46 . 2009-05-27 02:46 21160 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\OC\Channels\ch1\HTML\item_templ\common\fixes\HASFix056479.dll
    2009-05-27 02:46 . 2009-05-27 02:46 110248 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\OC\Channels\ch1\HTML\item_templ\common\fixes\HelpAndSupportInterface.dll
    2009-05-26 22:03 . 2007-11-28 05:56 91328 ----a-w- c:\windows\system32\drivers\msfwdrv.sys
    2009-05-26 22:03 . 2007-11-28 05:56 116416 ----a-w- c:\windows\system32\drivers\msfwhlpr.sys
    2009-05-26 22:02 . 2008-05-15 23:15 53168 ----a-w- c:\windows\system32\drivers\MpFilter.sys
    2009-05-26 21:56 . 2009-06-06 18:13 d-----w- c:\program files\Microsoft Windows OneCare Live
    2009-05-24 17:25 . 2009-05-24 17:25 d-----w- c:\windows\system32\wbem\Repository
    2009-05-24 05:18 . 2009-05-24 05:18 d-----w- c:\documents and settings\Cynthia.GATEWAY\PrivacIE
    2009-05-24 05:05 . 2009-05-28 02:20 d-----w- c:\program files\Windows Live Safety Center
    2009-05-24 04:41 . 2009-05-24 17:23 d-----w- c:\program files\Common Files\PC Tools
    2009-05-23 21:37 . 2009-05-24 17:23 d-----w- c:\program files\Microsoft Windows OneCare Live(3)
    2009-05-23 20:04 . 2009-05-23 20:04 d-----w- c:\documents and settings\Cynthia\IECompatCache
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-06-06 18:32 . 2007-02-03 16:38 d-----w- c:\documents and settings\Owner.GATEWAY\Application Data\LimeWire
    2009-06-04 22:08 . 2006-11-29 03:31 1324 ----a-w- c:\windows\system32\d3d9caps.dat
    2009-06-04 19:50 . 2007-02-03 16:38 d-----w- c:\program files\LimeWire
    2009-05-30 00:20 . 2009-05-29 02:37 56728 ----a-w- c:\documents and settings\Cynthia.GATEWAY.000\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-05-27 05:02 . 2006-08-10 15:05 d-----w- c:\program files\Java
    2009-05-27 04:59 . 2006-08-10 15:05 d-----w- c:\program files\BigFix
    2009-05-27 04:31 . 2006-08-10 15:09 d-----w- c:\documents and settings\All Users\Application Data\Napster
    2009-05-27 04:31 . 2006-08-10 15:09 d-----w- c:\program files\Napster
    2009-05-24 17:23 . 2006-08-10 15:01 d--h--w- c:\program files\InstallShield Installation Information
    2009-05-24 05:17 . 2009-05-24 05:17 56728 ----a-w- c:\documents and settings\Cynthia.GATEWAY\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-05-23 20:03 . 2009-04-28 23:22 56728 ----a-w- c:\documents and settings\Cynthia\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-05-12 05:01 . 2007-01-07 23:31 7880 ----a-w- c:\documents and settings\Owner.GATEWAY\Application Data\wklnhst.dat
    2009-05-11 03:56 . 2008-05-11 05:02 d-----w- c:\documents and settings\Owner.GATEWAY\Application Data\Smilebox
    2009-04-27 02:46 . 2009-02-08 03:52 56728 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
    2009-04-24 11:11 . 2009-04-24 11:11 205448 ----a-w- c:\documents and settings\Owner.GATEWAY\Application Data\Smilebox\SmileboxDvd.exe
    2009-04-24 11:11 . 2009-04-24 11:11 168584 ----a-w- c:\documents and settings\Owner.GATEWAY\Application Data\Smilebox\SmileboxBrowserEngine.dll
    2009-04-24 11:11 . 2008-05-19 20:06 254600 ----a-w- c:\documents and settings\Owner.GATEWAY\Application Data\Smilebox\SmileboxTray.exe
    2009-04-24 11:11 . 2008-04-30 20:48 373384 ----a-w- c:\documents and settings\Owner.GATEWAY\Application Data\Smilebox\SmileboxStarter.exe
    2009-04-24 11:05 . 2009-04-24 11:05 1544840 ----a-w- c:\documents and settings\Owner.GATEWAY\Application Data\Smilebox\SmileboxClient.exe
    2009-04-24 10:44 . 2009-04-24 10:44 340616 ----a-w- c:\documents and settings\Owner.GATEWAY\Application Data\Smilebox\SmileboxDvdEngine.dll
    2009-04-24 10:44 . 2009-04-24 10:44 123528 ----a-w- c:\documents and settings\Owner.GATEWAY\Application Data\Smilebox\SmileboxUpdater.exe
    2009-04-11 00:43 . 2009-04-11 00:43 d-----w- c:\program files\iTunes
    2009-04-11 00:43 . 2009-04-11 00:43 d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
    2009-04-11 00:43 . 2009-04-11 00:43 d-----w- c:\program files\iPod
    2009-04-11 00:43 . 2008-03-10 16:24 d-----w- c:\program files\Common Files\Apple
    2009-04-11 00:33 . 2009-04-11 00:33 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
    2009-03-21 19:06 . 2006-06-19 04:25 56728 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-03-19 23:32 . 2009-03-19 23:32 23400 ----a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
    2009-03-19 23:32 . 2006-09-19 22:44 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
    2009-03-09 12:19 . 2008-10-25 21:17 410984 ----a-w- c:\windows\system32\deploytk.dll
    .
    Sigcheck
    [-] 2004-08-10 19:00 502272 01C3346C241652F43AED8E2149881BFE c:\windows\$NtServicePackUninstall$\winlogon.exe
    [7] 2008-04-14 00:12 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\ServicePackFiles\i386\winlogon.exe
    [-] 2008-11-30 04:24 507904 !HASH: COULD NOT OPEN FILE ! c:\windows\system32\winlogon.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-07 3885408]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-11-30 7311360]
    "OneCareUI"="c:\program files\Microsoft Windows OneCare Live\winssnotify.exe" [2009-03-22 63864]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]
    c:\documents and settings\Owner.GATEWAY\Start Menu\Programs\Startup\
    LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-5-22 139776]
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
    @="Service"
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
    backup=c:\windows\pss\BigFix.lnkCommon Startup
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\LimeWire\\LimeWire.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    R2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\Microsoft Windows OneCare Live\OcHealthMon.exe [3/22/2009 10:59 AM 24936]
    S3 SPCA508A;Micro WebCam;c:\windows\system32\drivers\SPCA508A.SYS [10/4/2008 7:58 PM 99014]
    .
    Contents of the 'Scheduled Tasks' folder
    2009-06-04 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:34]
    2009-06-06 c:\windows\Tasks\User_Feed_Synchronization-{1EA982A3-63F8-426F-95D7-45253B5589A6}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 11:31]
    .
    - - - - ORPHANS REMOVED - - - -
    SafeBoot-procexp90.Sys
    SafeBoot-svcWRSSSDK
    MSConfigStartUp-SVCHOST - (no file)

    .
    Supplementary Scan
    .
    uDefault_Search_URL = hxxp://www.google.com/ie
    uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5220
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: {{C5428486-50A0-4a02-9D20-520B59A9F9B3} - {A16AD1E9-F69A-45af-9462-B1C286708842} -
    Trusted Zone: plaxo.com\www
    DPF: {01010200-5E80-11D8-9E86-0007E96C65AE} - hxxps://ra.qwest.com/sdccommon/download/tgctlins.cab
    .
    **************************************************************************
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-06-06 11:30
    Windows 5.1.2600 Service Pack 3 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    LOCKED REGISTRY KEYS
    [HKEY_USERS\S-1-5-21-1056876846-1819165761-3920593764-1006\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    DLLs Loaded Under Running Processes
    - - - - - - - > 'explorer.exe'(2360)
    c:\progra~1\WINDOW~3\wmpband.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\OneX.DLL
    c:\windows\system32\eappprxy.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Other Running Processes
    .
    c:\program files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\windows\arservice.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\windows\ehome\ehrecvr.exe
    c:\windows\ehome\ehSched.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\nvsvc32.exe
    c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    c:\windows\ehome\mcrdsvc.exe
    c:\program files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
    c:\program files\Microsoft Windows OneCare Live\winss.exe
    c:\windows\system32\dllhost.exe
    .
    **************************************************************************
    .
    Completion time: 2009-06-06 11:40 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-06-06 18:40
    Pre-Run: 213,354,987,520 bytes free
    Post-Run: 213,715,542,016 bytes free
    210 --- E O F --- 2009-05-24 17:32
  • edited June 2009
    Hey Thanks this is the Program List:

    2WIRE Wireless LAN - USB Driver
    Actiontec Gateway
    Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 8.1.2
    Apple Mobile Device Support
    Apple Software Update
    Blasterball 2 Revolution
    Bonjour
    Browser Address Error Redirector
    Choice Guard
    Critical Update for Windows Media Player 11 (KB959772)
    Digital Media Reader
    Diner Dash
    DIOR Screen Saver
    DVD Solution
    Gateway Game Console
    Geek Squad 24 Hour Computer Support
    Google SketchUp 6
    Google SketchUp 6
    GTOneCare
    gtw_logo
    High Definition Audio Driver Package - KB888111
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 10 (KB903157)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954708)
    Hotfix for Windows XP (KB961118)
    iTunes
    James Bond 007: Nightfire
    Java(TM) 6 Update 13
    Junk Mail filter update
    LimeWire 5.1.3
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB928366)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 3.5 SP1
    Microsoft Away Mode
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Digital Image Starter Edition 2006
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Live Add-in 1.3
    Microsoft Office Outlook Connector
    Microsoft Office Standard Edition 2003
    Microsoft Protection Service
    Microsoft Silverlight
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Windows Live OneCare Resources v2.5.2900.24
    Microsoft Windows OneCare Live AntiSpyware and AntiVirus
    Microsoft Windows OneCare Live v2.5.2900.24
    Microsoft Windows OneCare Live v2.5.2900.24 Idcrl Install
    Microsoft Works
    Microsoft WorldWide Telescope
    MSN
    MSVCRT
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    Multimedia Keyboard Driver
    Napster Burn Engine
    NVIDIA Drivers
    Penguins!
    Polar Bowler
    Polar Golfer
    Power2Go 4.0
    PowerDVD
    PX Engine
    QuickTime
    RealPlayer Basic
    REALTEK GbE & FE Ethernet PCI NIC Driver
    Realtek High Definition Audio Driver
    Red Faction
    Rhapsody
    Rhapsody Player Engine
    Rhapsody Player Engine
    Safari
    SCRABBLE
    Security Update for CAPICOM (KB931906)
    Security Update for CAPICOM (KB931906)
    Security Update for Windows Internet Explorer 7 (KB928090)
    Security Update for Windows Internet Explorer 7 (KB929969)
    Security Update for Windows Internet Explorer 7 (KB931768)
    Security Update for Windows Internet Explorer 7 (KB933566)
    Security Update for Windows Internet Explorer 7 (KB937143)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows XP (KB913433)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB961373)
    Segoe UI
    Sibelius Scorch (ActiveX Only)
    Soft Data Fax Modem with SmartCP
    Sonic Encoders
    Tradewinds
    Update for Windows Internet Explorer 8 (KB968220)
    Update for Windows Media Player 10 (KB910393)
    Update for Windows Media Player 10 (KB913800)
    Update for Windows Media Player 10 (KB926251)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB953356)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB961503)
    Update for Windows XP (KB967715)
    Update Rollup 2 for Windows XP Media Center Edition 2005
    Viewpoint Media Player
    Virtual Earth 3D (Beta)
    WildTangent Web Driver
    Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
    Windows Imaging Component
    Windows Internet Explorer 8
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Essentials
    Windows Live Mail
    Windows Live Messenger
    Windows Live OneCare
    Windows Live OneCare safety scanner
    Windows Live Sign-in Assistant
    Windows Live Sync
    Windows Live Upload Tool
    Windows Media Format 11 runtime
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Media Player 11
    Windows XP Media Center Edition 2005 KB925766
    Windows XP Service Pack 3
    Yahoo! Messenger
  • edited June 2009
    Information

    IMPORTANT
    I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

    LimeWire 5.1.3
    I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

    Also available here.

    My recommendation is you go to Control Panel > Add/Remove Programs and uninstall any P2P programs
    Please note: you must NOT use any P2P whilst we are cleaning your machine.




    Step 1

    Malwarebytes' Anti-Malware

    Please download Malwarebytes' Anti-Malware to your desktop.

    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to
      • Update Malwarebytes' Anti-Malware
      • and Launch Malwarebytes' Anti-Malware
    • then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If requested, please reboot.
      • If you accidentally close it, the log file is saved here and will be named like this:
      • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt



    Step 2

    Custom CFScript

    If ComboFix asks to install the Recovery Console, please allow it to do so.
    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
      FCopy::
      c:\windows\ServicePackFiles\i386\winlogon.exe|c:\windows\system32\winlogon.exe
      ADS::
      
    • Save this as CFScript.txt and place it on your desktop.


      CFScriptb.gif


    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.


    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
    ComboFix SHOULD NOT be used unless requested by a forum helper




    Step 3

    Kaspersky Online Scanner
    Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal.
    NOTE:- This scan is best done from IE (Internet Explorer).

    NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
    Go Here http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html

    Read the Requirements and limitations before you click Accept.
    Once the database has downloaded, click My Computer in the left pane
    Now go and put the kettle on !
    When the scan has completed, click Save Report As...
    Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
    Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.


    **Note**

    To optimize scanning time and produce a more sensible report for review:
    • Close any open programs.
    • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

    Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.



    Step 4

    Logs/Information to Post in Reply
    Please post the following logs/Information in your reply
    • MalwareBytes Log
    • Combofix Log
    • Kaspersky Log
    • How are things running now ?




    Additional Notes



    Your Java and Adobe are out of date. Older versions have vulnerabilities that malware can use to infect your system.

    Please follow these steps to remove older version Java and Adobe components and update.

    Updating Java:
    • Download the latest version of Java Runtime Environment (JRE) from HERE
    • Scroll down to where it says "Java SE Runtime Environment (JRE)".
    • Click the "Download" button to the right.
      • Platform = Windows
      • Language = Multi Language
    • Check the box that says: "Accept License Agreement".
    • The page will refresh.
    • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.


    Update Adobe Acrobat Reader
    Adobe Reader is a large program and uses unnecessary space.
    If you prefer a smaller program you can get Foxit 3.0 from http://www.foxitsoftware.com/pdf/rd_intro.php << Recommended

    • Please go to this link Adobe Acrobat Reader Download Link
    • Click Download
    • On the right, untick Adobe Photoshop Album Starter Edition if you do not wish to include this in the installation.
    • Click the Continue button
    • Click Run, and click Run again
    • Next click the Install Now button and follow the on screen prompts


    Now close all windows, including your browser.
    Double click on the Java installation that you downloaded and follow the prompts.

    Remove Programs
    Now click Start---Control Panel. Double click Add or Remove Programs. If any of the following programs are listed there,
    click on the program to highlight it, and click on remove.
    • Adobe Reader 8.1.2
    • Java(TM) 6 Update 13
    Now close the Control Panel.

    Reboot your machine.
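The CFScript in Step 2 tells ComboFix to overwrite c:\windows\system32\winlogon.exe with the copy kept in c:\windows\ServicePackFiles\i386. As an added illustration (this is not the helper's code and not part of ComboFix), the Python script below does the check a practitioner wants before any such replacement: hash the live file and the on-disk reference copies, confirm the reference copies agree with each other, and print a table in the style of ComboFix's Sigcheck section. The XP paths, the file name winlogon.exe and the contents of the demo() tree are assumptions for illustration; demo() builds a constructed throwaway directory so the script runs anywhere without touching a real system.

```python
r"""Check a system binary against the reference copies XP keeps on disk.

Added example; not from the thread and not part of ComboFix. Before an
FCopy:: step you want evidence that the live file differs from the reference
copies AND that the reference copies agree with each other, because a
rootkit that patched system32 may have patched dllcache as well.
Paths are XP defaults (assumption: Windows installed on C:).
"""
import hashlib
import os
import tempfile

SYSTEM_ROOT = r"c:\windows"
LIVE_DIR = os.path.join(SYSTEM_ROOT, "system32")
REFERENCE_DIRS = [
    os.path.join(SYSTEM_ROOT, "ServicePackFiles", "i386"),  # service-pack originals
    os.path.join(SYSTEM_ROOT, "system32", "dllcache"),      # Windows File Protection cache
]


def file_digest(path, algo="md5"):
    """Hash a file in chunks. MD5 is what ComboFix prints; use sha256 for lookups elsewhere."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def check_system_file(live_path, reference_paths):
    """Compare one live binary with its reference copies.

    Returns {"references_agree": bool, "live_matches": bool, "rows": [...]}
    where each row is (marker, size, md5, path); "[7]" marks a copy whose hash
    equals the first reference, "[-]" one that differs, as in ComboFix's Sigcheck.
    """
    refs = {p: file_digest(p) for p in reference_paths if os.path.isfile(p)}
    if not refs:
        raise FileNotFoundError("no reference copy found; nothing to compare against")
    reference_md5 = next(iter(refs.values()))
    references_agree = all(d == reference_md5 for d in refs.values())
    live_md5 = file_digest(live_path)
    rows = [("[7]" if d == reference_md5 else "[-]", os.path.getsize(p), d, p)
            for p, d in refs.items()]
    rows.append(("[7]" if live_md5 == reference_md5 else "[-]",
                 os.path.getsize(live_path), live_md5, live_path))
    return {"references_agree": references_agree,
            "live_matches": live_md5 == reference_md5, "rows": rows}


def verdict(report):
    """One-line decision a helper would act on."""
    if not report["references_agree"]:
        return "reference copies disagree: do not FCopy until you know which one is clean"
    if report["live_matches"]:
        return "live file matches references: no replacement needed"
    return "live file differs from agreeing references: candidate for FCopy::"


def check_named_file(name="winlogon.exe"):
    """Real check on an XP box (run as Administrator)."""
    return check_system_file(os.path.join(LIVE_DIR, name),
                             [os.path.join(d, name) for d in REFERENCE_DIRS])


def demo():
    """Constructed tree: two agreeing reference copies and a same-size patched live file."""
    root = tempfile.mkdtemp()
    clean = b"MZ" + bytes(range(256)) * 4            # stand-in for a clean image
    patched = clean[:512] + b"HOOK" + clean[516:]    # same length, four bytes changed
    layout = {
        os.path.join(root, "ServicePackFiles", "i386", "winlogon.exe"): clean,
        os.path.join(root, "system32", "dllcache", "winlogon.exe"): clean,
        os.path.join(root, "system32", "winlogon.exe"): patched,
    }
    for path, data in layout.items():
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    live = os.path.join(root, "system32", "winlogon.exe")
    report = check_system_file(live, [p for p in layout if p != live])
    for marker, size, md5, path in report["rows"]:
        print(f"{marker} {size:>8} {md5} {path}")
    print(verdict(report))
    return report


if __name__ == "__main__":
    demo()
```

Run check_named_file() as Administrator on the machine being cleaned. A `[-]` on the system32 row with `[7]` on both reference rows is exactly the situation the FCopy:: directive is written for. If the reference copies disagree, stop: one of them may have been replaced as well, and the hashes should be compared with a known-good source before anything is copied over the live file.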
  • edited June 2009
    OK, so after that whole thing it worked fine, but today I turned it on again and the same OneCare window opened up...
  • edited June 2009
    Malwarebytes' Anti-Malware 1.37
    Database version: 2249
    Windows 5.1.2600 Service Pack 3
    6/8/2009 6:21:50 PM
    mbam-log-2009-06-08 (18-21-50).txt
    Scan type: Full Scan (C:\|D:\|)
    Objects scanned: 217434
    Time elapsed: 1 hour(s), 40 minute(s), 27 second(s)
    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 3
    Registry Values Infected: 0
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 1
    Memory Processes Infected:
    (No malicious items detected)
    Memory Modules Infected:
    (No malicious items detected)
    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6fd31ed6-7c94-4bbc-8e95-f927f4d3a949} (Adware.180Solutions) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
    Registry Values Infected:
    (No malicious items detected)
    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    Folders Infected:
    (No malicious items detected)
    Files Infected:
    d:\i386\Apps\App20460\imgvemver1.6.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

    ComboFix 09-06-08.02 - Owner 06/08/2009 18:47.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.895.608 [GMT -7:00]
    Running from: c:\documents and settings\Owner.GATEWAY\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Owner.GATEWAY\Desktop\CFScript.txt
    AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    c:\windows\kb913800.exe
    .
    ((((((((((((((((((((((((( Files Created from 2009-05-09 to 2009-06-09 )))))))))))))))))))))))))))))))
    .
    2009-06-08 23:11 . 2009-06-08 23:11 -------- d-----w- c:\documents and settings\Owner.GATEWAY\Application Data\Malwarebytes
    2009-06-08 23:10 . 2009-05-26 20:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-06-08 23:10 . 2009-06-08 23:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-06-08 23:10 . 2009-06-08 23:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-06-08 23:10 . 2009-05-26 20:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-06-07 18:28 . 2009-06-07 18:29 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\Adobe
    2009-05-30 00:20 . 2009-05-30 00:20 -------- d-----w- c:\documents and settings\Cynthia.GATEWAY.000\Local Settings\Application Data\Adobe
    2009-05-29 02:41 . 2009-05-29 02:41 -------- d-sh--w- c:\documents and settings\Cynthia.GATEWAY.000\PrivacIE
    2009-05-28 21:27 . 2009-05-28 21:27 -------- d-----w- c:\program files\Trend Micro
    2009-05-27 05:00 . 2009-05-27 05:00 152576 ----a-w- c:\documents and settings\Owner.GATEWAY\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
    2009-05-27 04:45 . 2009-05-27 04:45 -------- d--h--w- c:\windows\system32\GroupPolicy
    2009-05-24 17:25 . 2009-05-24 17:25 -------- d-----w- c:\windows\system32\wbem\Repository
    2009-05-24 05:18 . 2009-05-24 05:18 -------- d-----w- c:\documents and settings\Cynthia.GATEWAY\PrivacIE
    2009-05-24 05:05 . 2009-05-28 02:20 -------- d-----w- c:\program files\Windows Live Safety Center
    2009-05-24 04:41 . 2009-05-24 17:23 -------- d-----w- c:\program files\Common Files\PC Tools
    2009-05-23 21:37 . 2009-05-24 17:23 -------- d-----w- c:\program files\Microsoft Windows OneCare Live(3)
    2009-05-23 20:04 . 2009-05-23 20:04 -------- d-----w- c:\documents and settings\Cynthia\IECompatCache
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-06-08 23:43 . 2008-03-10 16:24 -------- d-----w- c:\program files\Common Files\Apple
    2009-06-08 23:10 . 2007-02-03 16:38 -------- d-----w- c:\program files\LimeWire
    2009-06-08 23:09 . 2008-09-26 22:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
    2009-06-08 23:03 . 2007-02-03 16:38 -------- d-----w- c:\documents and settings\Owner.GATEWAY\Application Data\LimeWire
    2009-06-08 04:11 . 2007-01-07 23:31 7880 ----a-w- c:\documents and settings\Owner.GATEWAY\Application Data\wklnhst.dat
    2009-06-04 22:08 . 2006-11-29 03:31 1324 ----a-w- c:\windows\system32\d3d9caps.dat
    2009-05-30 00:20 . 2009-05-29 02:37 56728 ----a-w- c:\documents and settings\Cynthia.GATEWAY.000\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-05-27 05:02 . 2006-08-10 15:05 -------- d-----w- c:\program files\Java
    2009-05-27 04:59 . 2006-08-10 15:05 -------- d-----w- c:\program files\BigFix
    2009-05-27 04:31 . 2006-08-10 15:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Napster
    2009-05-27 04:31 . 2006-08-10 15:09 -------- d-----w- c:\program files\Napster
    2009-05-24 17:23 . 2006-08-10 15:01 -------- d--h--w- c:\program files\InstallShield Installation Information
    2009-05-24 05:17 . 2009-05-24 05:17 56728 ----a-w- c:\documents and settings\Cynthia.GATEWAY\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-05-23 20:03 . 2009-04-28 23:22 56728 ----a-w- c:\documents and settings\Cynthia\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-05-11 03:56 . 2008-05-11 05:02 -------- d-----w- c:\documents and settings\Owner.GATEWAY\Application Data\Smilebox
    2009-04-27 02:46 . 2009-02-08 03:52 56728 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
    2009-04-24 11:11 . 2009-04-24 11:11 205448 ----a-w- c:\documents and settings\Owner.GATEWAY\Application Data\Smilebox\SmileboxDvd.exe
    2009-04-24 11:11 . 2009-04-24 11:11 168584 ----a-w- c:\documents and settings\Owner.GATEWAY\Application Data\Smilebox\SmileboxBrowserEngine.dll
    2009-04-24 11:11 . 2008-05-19 20:06 254600 ----a-w- c:\documents and settings\Owner.GATEWAY\Application Data\Smilebox\SmileboxTray.exe
    2009-04-24 11:11 . 2008-04-30 20:48 373384 ----a-w- c:\documents and settings\Owner.GATEWAY\Application Data\Smilebox\SmileboxStarter.exe
    2009-04-24 11:05 . 2009-04-24 11:05 1544840 ----a-w- c:\documents and settings\Owner.GATEWAY\Application Data\Smilebox\SmileboxClient.exe
    2009-04-24 10:44 . 2009-04-24 10:44 340616 ----a-w- c:\documents and settings\Owner.GATEWAY\Application Data\Smilebox\SmileboxDvdEngine.dll
    2009-04-24 10:44 . 2009-04-24 10:44 123528 ----a-w- c:\documents and settings\Owner.GATEWAY\Application Data\Smilebox\SmileboxUpdater.exe
    2009-04-11 00:43 . 2009-04-11 00:43 -------- d-----w- c:\program files\iTunes
    2009-04-11 00:43 . 2009-04-11 00:43 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
    2009-04-11 00:43 . 2009-04-11 00:43 -------- d-----w- c:\program files\iPod
    2009-04-11 00:33 . 2009-04-11 00:33 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
    2009-03-21 19:06 . 2006-06-19 04:25 56728 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-03-19 23:32 . 2009-03-19 23:32 23400 ----a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
    2009-03-19 23:32 . 2006-09-19 22:44 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
    .
    Sigcheck
    [-] 2004-08-10 19:00 502272 01C3346C241652F43AED8E2149881BFE c:\windows\$NtServicePackUninstall$\winlogon.exe
    [7] 2008-04-14 00:12 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\ServicePackFiles\i386\winlogon.exe
    [-] 2008-11-30 04:24 507904 3969440BA384D35317DBBDEEAAE641CE c:\windows\system32\winlogon.exe
    .
    ((((((((((((((((((((((((((((( SnapShot@2009-06-06_18.31.01 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-06-09 01:41 . 2009-06-09 01:41 16384 c:\windows\Temp\Perflib_Perfdata_71c.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-07 3885408]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-11-30 7311360]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
    backup=c:\windows\pss\BigFix.lnkCommon Startup
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    S3 SPCA508A;Micro WebCam;c:\windows\system32\drivers\SPCA508A.SYS [10/4/2008 7:58 PM 99014]
    .
    Contents of the 'Scheduled Tasks' folder
    2009-06-04 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:34]
    2009-06-09 c:\windows\Tasks\User_Feed_Synchronization-{1EA982A3-63F8-426F-95D7-45253B5589A6}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 11:31]
    .
    .
    Supplementary Scan
    .
    uDefault_Search_URL = hxxp://www.google.com/ie
    uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5220
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: plaxo.com\www
    DPF: {01010200-5E80-11D8-9E86-0007E96C65AE} - hxxps://ra.qwest.com/sdccommon/download/tgctlins.cab
    .
    **************************************************************************
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-06-08 18:49
    Windows 5.1.2600 Service Pack 3 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...

    **************************************************************************
    .
    LOCKED REGISTRY KEYS
    [HKEY_USERS\S-1-5-21-1056876846-1819165761-3920593764-1006\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    Completion time: 2009-06-09 18:52
    ComboFix-quarantined-files.txt 2009-06-09 01:51
    ComboFix2.txt 2009-06-06 18:40
    Pre-Run: 213,730,258,944 bytes free
    Post-Run: 213,778,927,616 bytes free
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect /usepmtimer
    153 --- E O F --- 2009-05-24 17:32

    KASPERSKY ONLINE SCANNER 7.0 REPORT
    Monday, June 8, 2009
    Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Program database last update: Tuesday, June 09, 2009 03:12:12
    Records in database: 2328408
    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes
    Scan area - My Computer:
    C:\
    D:\
    E:\
    G:\
    H:\
    I:\
    J:\
    Scan statistics:
    Files scanned: 95465
    Threat name: 2
    Infected objects: 2
    Suspicious objects: 0
    Duration of the scan: 02:08:01

    File name / Threat name / Threats count
    C:\Documents and Settings\Owner.GATEWAY\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-50be232b-5ee73ea8.zip Infected: Trojan.Java.ClassLoader.as 1
    D:\i386\Apps\App00577\comps\toolbar\toolbr.exe Infected: not-a-virus:AdWare.Win32.SearchIt.t 1
    The selected area was scanned.
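As an added example (not from the thread and not part of ComboFix, Malwarebytes or Kaspersky), the script below pulls out of a ComboFix log the four things a helper reads first in the log posted above: the AV/FW header showing on-access scanning and the firewall disabled, the Sigcheck table in which system32\winlogon.exe hashes differently from the ServicePackFiles copy, the Security Center DisableMonitoring keys, and whether the catchme rootkit scan at the end actually completed. SAMPLE_LOG is a constructed excerpt of lines from the posted log; the rule names and severities are the example's own.

```python
"""Triage a ComboFix log for signs of a tampered system.

Added example: not from the thread and not ComboFix's own code. It reads
the sections a helper looks at first: the AV/FW header, the Sigcheck hash
table, the Security Center "DisableMonitoring" keys and the catchme
rootkit-scan trailer. SAMPLE_LOG is a constructed excerpt of the posted
log; pass analyze() a whole ComboFix.txt to use it for real.
"""
import re

# Sigcheck rows: "[7]" is the reference copy, "[-]" a copy whose MD5 differs from it.
SIGCHECK_RE = re.compile(
    r"^\[(?P<mark>[-7])\]\s+(?P<date>\d{4}-\d\d-\d\d)\s+(?P<time>\d\d:\d\d)\s+"
    r"(?P<size>\d+)\s+(?P<md5>[0-9A-Fa-f]{32})\s+(?P<path>.+)$")
REGKEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DISABLE_RE = re.compile(r'^"DisableMonitoring"=dword:0*1$', re.I)

# Constructed excerpt: lines taken from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
ComboFix 09-06-08.02 - Owner 06/08/2009 18:47.2 - NTFSx86
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
Sigcheck
[-] 2004-08-10 19:00 502272 01C3346C241652F43AED8E2149881BFE c:\windows\$NtServicePackUninstall$\winlogon.exe
[7] 2008-04-14 00:12 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\ServicePackFiles\i386\winlogon.exe
[-] 2008-11-30 04:24 507904 3969440BA384D35317DBBDEEAAE641CE c:\windows\system32\winlogon.exe
.
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-11-30 7311360]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-08 18:49
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

**************************************************************************
"""


def analyze(log_text):
    """Return a list of (severity, rule, detail) findings for ComboFix log text."""
    findings = []
    reference_md5 = {}          # file name -> MD5 of its [7] reference copy
    current_key = ""
    catchme_seen = catchme_done = False
    for raw in log_text.splitlines():
        line = raw.strip()
        # 1. Security products that ComboFix found switched off.
        if line.startswith(("AV:", "FW:")) and "disabled" in line.lower():
            rule = "av_disabled" if line.startswith("AV:") else "fw_disabled"
            findings.append(("high", rule, line))
            continue
        # 2. Sigcheck: only the live copy under system32 matters; the pre-SP
        #    backup under $NtServicePackUninstall$ is expected to differ.
        m = SIGCHECK_RE.match(line)
        if m:
            name = m["path"].rsplit("\\", 1)[-1].lower()
            if m["mark"] == "7":
                reference_md5[name] = m["md5"].upper()
            elif "\\system32\\" in m["path"].lower():
                findings.append(("high", "sigcheck_mismatch",
                                 f"{m['path']} md5 {m['md5'].upper()} != reference "
                                 f"{reference_md5.get(name, 'unknown')}"))
            continue
        # 3. Registry dump: DisableMonitoring=1 hides AV/firewall state from Security Center.
        m = REGKEY_RE.match(line)
        if m:
            current_key = m["key"].lower()
            continue
        if DISABLE_RE.match(line) and "security center\\monitoring" in current_key:
            findings.append(("medium", "securitycenter_monitoring_disabled", current_key))
            continue
        # 4. catchme trailer: did the rootkit scan finish, and did it find anything?
        if line.startswith("catchme ") and "rootkit" in line:
            catchme_seen = True
            continue
        if catchme_seen:
            if line.startswith("hidden files:"):
                if int(line.split(":", 1)[1]) > 0:
                    findings.append(("high", "hidden_files", line))
            elif line.startswith("scan completed"):
                catchme_done = True
    if catchme_seen and not catchme_done:
        findings.append(("medium", "catchme_incomplete",
                         "rootkit scan printed no 'scan completed' line; rerun before trusting the log"))
    return findings


if __name__ == "__main__":
    for severity, rule, detail in analyze(SAMPLE_LOG):
        print(f"{severity:<6} {rule:<36} {detail}")
```

Run analyze() on a full ComboFix.txt. On the excerpt it flags the AV and FW lines, the live winlogon.exe hash mismatch against the ServicePackFiles reference, three DisableMonitoring keys, and the fact that this run's catchme section stops at "scanning hidden files ..." with no completion line. The log posted later in this thread, after the FCopy:: run, does print "scan completed successfully" and "hidden files: 0", so that last finding disappears there.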
  • edited June 2009
    Custom CFScript
    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
      File::
      C:\Documents and Settings\Owner.GATEWAY\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-50be232b-5ee73ea8.zip
      FCopy::
      c:\windows\ServicePackFiles\i386\winlogon.exe|c:\windows\system32\winlogon.exe
      File::
      D:\i386\Apps\App00577\comps\toolbar\toolbr.exe
      
      ADS::
      
    • Save this as CFScript.txt and place it on your desktop.


      CFScriptb.gif


    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.


    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
    ComboFix SHOULD NOT be used unless requested by a forum helper
  • edited June 2009
    ComboFix 09-06-09.06 - Owner 06/10/2009 14:04.3 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.895.532 [GMT -7:00]
    Running from: c:\documents and settings\Owner.GATEWAY\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Owner.GATEWAY\My Documents\CFScript.txt
    AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    FILE ::
    "c:\documents and settings\Owner.GATEWAY\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-50be232b-5ee73ea8.zip"
    "d:\i386\Apps\App00577\comps\toolbar\toolbr.exe"
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    c:\documents and settings\Owner.GATEWAY\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-50be232b-5ee73ea8.zip
    d:\i386\Apps\App00577\comps\toolbar\toolbr.exe
    .
    FCopy
    c:\windows\ServicePackFiles\i386\winlogon.exe --> c:\windows\system32\winlogon.exe
    .
    ((((((((((((((((((((((((( Files Created from 2009-05-10 to 2009-06-10 )))))))))))))))))))))))))))))))
    .
    2009-06-09 19:08 . 2009-06-09 19:08 152576 ----a-w- c:\documents and settings\Owner.GATEWAY\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
    2009-06-09 04:40 . 2009-06-10 20:42 -------- d-----w- c:\program files\Microsoft Windows OneCare Live
    2009-06-08 23:11 . 2009-06-08 23:11 -------- d-----w- c:\documents and settings\Owner.GATEWAY\Application Data\Malwarebytes
    2009-06-08 23:10 . 2009-05-26 20:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-06-08 23:10 . 2009-06-08 23:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-06-08 23:10 . 2009-06-08 23:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-06-08 23:10 . 2009-05-26 20:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-06-07 18:28 . 2009-06-07 18:29 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\Adobe
    2009-05-30 00:20 . 2009-05-30 00:20 -------- d-----w- c:\documents and settings\Cynthia.GATEWAY.000\Local Settings\Application Data\Adobe
    2009-05-29 02:41 . 2009-05-29 02:41 -------- d-sh--w- c:\documents and settings\Cynthia.GATEWAY.000\PrivacIE
    2009-05-28 21:27 . 2009-05-28 21:27 -------- d-----w- c:\program files\Trend Micro
    2009-05-27 05:00 . 2009-05-27 05:00 152576 ----a-w- c:\documents and settings\Owner.GATEWAY\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
    2009-05-27 04:45 . 2009-05-27 04:45 -------- d--h--w- c:\windows\system32\GroupPolicy
    2009-05-24 17:25 . 2009-05-24 17:25 -------- d-----w- c:\windows\system32\wbem\Repository
    2009-05-24 05:18 . 2009-05-24 05:18 -------- d-----w- c:\documents and settings\Cynthia.GATEWAY\PrivacIE
    2009-05-24 05:05 . 2009-05-28 02:20 -------- d-----w- c:\program files\Windows Live Safety Center
    2009-05-24 04:41 . 2009-05-24 17:23 -------- d-----w- c:\program files\Common Files\PC Tools
    2009-05-23 21:37 . 2009-05-24 17:23 -------- d-----w- c:\program files\Microsoft Windows OneCare Live(3)
    2009-05-23 20:04 . 2009-05-23 20:04 -------- d-----w- c:\documents and settings\Cynthia\IECompatCache
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-06-09 19:26 . 2006-08-10 15:05 -------- d-----w- c:\program files\Java
    2009-06-08 23:43 . 2008-03-10 16:24 -------- d-----w- c:\program files\Common Files\Apple
    2009-06-08 23:10 . 2007-02-03 16:38 -------- d-----w- c:\program files\LimeWire
    2009-06-08 23:09 . 2008-09-26 22:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
    2009-06-08 23:03 . 2007-02-03 16:38 -------- d-----w- c:\documents and settings\Owner.GATEWAY\Application Data\LimeWire
    2009-06-08 04:11 . 2007-01-07 23:31 7880 ----a-w- c:\documents and settings\Owner.GATEWAY\Application Data\wklnhst.dat
    2009-06-04 22:08 . 2006-11-29 03:31 1324 ----a-w- c:\windows\system32\d3d9caps.dat
    2009-05-30 00:20 . 2009-05-29 02:37 56728 ----a-w- c:\documents and settings\Cynthia.GATEWAY.000\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-05-27 04:59 . 2006-08-10 15:05 -------- d-----w- c:\program files\BigFix
    2009-05-27 04:31 . 2006-08-10 15:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Napster
    2009-05-27 04:31 . 2006-08-10 15:09 -------- d-----w- c:\program files\Napster
    2009-05-24 17:23 . 2006-08-10 15:01 -------- d--h--w- c:\program files\InstallShield Installation Information
    2009-05-24 05:17 . 2009-05-24 05:17 56728 ----a-w- c:\documents and settings\Cynthia.GATEWAY\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-05-23 20:03 . 2009-04-28 23:22 56728 ----a-w- c:\documents and settings\Cynthia\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-05-21 18:33 . 2008-10-25 21:17 410984 ----a-w- c:\windows\system32\deploytk.dll
    2009-05-11 03:56 . 2008-05-11 05:02 -------- d-----w- c:\documents and settings\Owner.GATEWAY\Application Data\Smilebox
    2009-04-27 02:46 . 2009-02-08 03:52 56728 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
    2009-04-24 11:11 . 2009-04-24 11:11 205448 ----a-w- c:\documents and settings\Owner.GATEWAY\Application Data\Smilebox\SmileboxDvd.exe
    2009-04-24 11:11 . 2009-04-24 11:11 168584 ----a-w- c:\documents and settings\Owner.GATEWAY\Application Data\Smilebox\SmileboxBrowserEngine.dll
    2009-04-24 11:11 . 2008-05-19 20:06 254600 ----a-w- c:\documents and settings\Owner.GATEWAY\Application Data\Smilebox\SmileboxTray.exe
    2009-04-24 11:11 . 2008-04-30 20:48 373384 ----a-w- c:\documents and settings\Owner.GATEWAY\Application Data\Smilebox\SmileboxStarter.exe
    2009-04-24 11:05 . 2009-04-24 11:05 1544840 ----a-w- c:\documents and settings\Owner.GATEWAY\Application Data\Smilebox\SmileboxClient.exe
    2009-04-24 10:44 . 2009-04-24 10:44 340616 ----a-w- c:\documents and settings\Owner.GATEWAY\Application Data\Smilebox\SmileboxDvdEngine.dll
    2009-04-24 10:44 . 2009-04-24 10:44 123528 ----a-w- c:\documents and settings\Owner.GATEWAY\Application Data\Smilebox\SmileboxUpdater.exe
    2009-04-11 00:33 . 2009-04-11 00:33 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
    2009-03-21 19:06 . 2006-06-19 04:25 56728 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-03-19 23:32 . 2009-03-19 23:32 23400 ----a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
    2009-03-19 23:32 . 2006-09-19 22:44 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
    .
    ((((((((((((((((((((((((((((( SnapShot@2009-06-06_18.31.01 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-06-10 20:19 . 2009-06-10 20:19 16384 c:\windows\Temp\Perflib_Perfdata_76c.dat
    - 2009-05-27 05:02 . 2009-03-09 12:19 148888 c:\windows\system32\javaws.exe
    + 2009-06-09 19:27 . 2009-05-21 18:34 148888 c:\windows\system32\javaws.exe
    + 2009-06-09 19:27 . 2009-05-21 18:34 144792 c:\windows\system32\javaw.exe
    - 2009-05-27 05:02 . 2009-03-09 12:19 144792 c:\windows\system32\javaw.exe
    + 2009-06-09 19:27 . 2009-05-21 18:34 144792 c:\windows\system32\java.exe
    - 2009-05-27 05:02 . 2009-03-09 12:19 144792 c:\windows\system32\java.exe
    + 2006-06-17 09:23 . 2008-04-14 00:12 507904 c:\windows\system32\dllcache\winlogon.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-07 3885408]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-11-30 7311360]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
    backup=c:\windows\pss\BigFix.lnkCommon Startup
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    S3 SPCA508A;Micro WebCam;c:\windows\system32\drivers\SPCA508A.SYS [10/4/2008 7:58 PM 99014]
    --- Other Services/Drivers In Memory ---
    *Deregistered* - MSFWDrv
    .
    Contents of the 'Scheduled Tasks' folder
    2009-06-04 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:34]
    2009-06-10 c:\windows\Tasks\User_Feed_Synchronization-{1EA982A3-63F8-426F-95D7-45253B5589A6}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 11:31]
    .
    .
    Supplementary Scan
    .
    uDefault_Search_URL = hxxp://www.google.com/ie
    uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5220
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: plaxo.com\www
    DPF: {01010200-5E80-11D8-9E86-0007E96C65AE} - hxxps://ra.qwest.com/sdccommon/download/tgctlins.cab
    .
    **************************************************************************
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-06-10 14:08
    Windows 5.1.2600 Service Pack 3 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    LOCKED REGISTRY KEYS
    [HKEY_USERS\S-1-5-21-1056876846-1819165761-3920593764-1006\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    Completion time: 2009-06-10 14:12
    ComboFix-quarantined-files.txt 2009-06-10 21:11
    ComboFix2.txt 2009-06-09 01:52
    ComboFix3.txt 2009-06-06 18:40
    Pre-Run: 214,934,282,240 bytes free
    Post-Run: 215,025,238,016 bytes free
    160 --- E O F --- 2009-05-24 17:32

    It seems to be working fine now..... OneCare is still not wanting to work, but the threat is not there..... I took LimeWire out; was that the only P2P program? THANK YOU so much
  • edited June 2009
    1) OneCare is still not wanting to work
    2) I took LimeWire out; was that the only P2P program?

    1) You didn't mention this before, what is the problem ?
    2) LimeWire is the only one I can see.
  • edited June 2009
    OneCare won't start, and when I open the program it just doesn't run; it says the program is not responding and the welcome screen never disappears
  • edited June 2009
    When did this problem start ?
  • edited June 2009
    It started about the same time that I started getting the VirTool:Win32 message.... and I've uninstalled it and installed it twice, but no luck....
  • edited June 2009
    I apologise for the delay, I am having appalling connection problems.
    I will get back ASAP.
  • edited June 2009
    and I've uninstalled it and installed it twice, but no luck....
    It sounds like a problem with the program itself, you will need to contact the OneCare help center.


    Congratulations your logs look clean :)

    Let's see if I can help you keep it that way

    First, let's tidy up

    Please delete RSIT.exe and C:\RSIT (entire folder)
    You can also delete any logs we have produced, and empty your Recycle bin.


    Uninstall Combofix
    • This will clear your System Volume Information restore points and remove all the infected files that were quarantined
    • Click START then RUN
    • Now type Combofix /u in the runbox and click OK. Note the space between the X and the /U, it needs to be there.




    The following is some info to help you stay safe and clean.


    You may already have some of the following programs, but I include the full list for the benefit of all the other people who will be reading this thread in the future.
    ( Vista users must ensure that any programs are Vista compatible BEFORE installing )

    Online Scanners
    I would recommend a scan at one or more of the following sites at least once a month.

    http://www.pandasecurity.com/activescan
    http://www.kaspersky.com/kos/eng/partner/71706/kavwebscan.html

    !!! Make sure that all your programs are updated !!!
    Secunia Software Inspector does all the work for you, .... see HERE for details

    AntiSpyware
      AntiSpyware is not the same thing as Antivirus.
    Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
    You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
    Most of the programs in this list have free (for home users) and paid versions;
    it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
    • Spybot - Search & Destroy <<< A must have program
      • It includes host protection and registry protection
      • A hosts file is a bit like a phone book, it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites

    • MalwareBytes Anti-malware <<< A new and effective program
    • a-squared Free <<< A good "realtime" or "on demand" scanner
    • superantispyware <<< A good "realtime" or "on demand" scanner



    Prevention
      These programs don't detect malware, they help stop it getting on your machine in the first place. Each does a different job, so you can have more than one.
    • Winpatrol
      • An excellent startup manager and then some !!
      • Notifies you if programs are added to startup
      • Allows delayed startup
      • A must have addition
    • SpywareBlaster 4.0
      • SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing themselves on your computer.
    • SpywareGuard 2.2
      • SpywareGuard provides real-time protection against spyware.
      • Not required if you have other "realtime" antispyware or Winpatrol
    • ZonedOut
      • Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
    • MVPS HOSTS
      • This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
      • For information on how to download and install, please read this tutorial by WinHelp2002.
      • Not required if you are using other host file protections


    Internet Browsers
      Microsoft has worked hard to make IE7 a more secure browser; unfortunately, whilst it is still the leading browser of choice, it will always be under attack from the bad guys. Using a different web browser can help stop malware getting on your machine.
    • Make your Internet Explorer more secure - This can be done by following these simple instructions:
      1. From within Internet Explorer click on the Tools menu and then click on Options.
      2. Click once on the Security tab
      3. Click once on the Internet icon so it becomes highlighted.
      4. Click once on the Custom Level button.
        • Change the Download signed ActiveX controls to Prompt
        • Change the Download unsigned ActiveX controls to Disable
        • Change the Initialise and script ActiveX controls not marked as safe to Disable
        • Change the Installation of desktop items to Prompt
        • Change the Launching programs and files in an IFRAME to Prompt
        • Change the Navigate sub-frames across different domains to Prompt
        • When all these settings have been made, click on the OK button.
        • If it prompts you as to whether or not you want to save the settings, press the Yes button.
      5. Next press the Apply button and then the OK to exit the Internet Properties page.

    If you are still using IE6 then either update, or get one of the following.
    • FireFox
      • With many addons available that make customization easy this is a very popular choice
      • NoScript and AdBlockPlus addons are essential
    • Opera
      • Another popular alternative
    • Netscape
      • Another popular alternative
      • Also has Addons available



    Cleaning Temporary Internet Files and Tracking Cookies
      Temporary Internet Files are mainly the files that are downloaded when you open a web page. Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware. It is a good idea to empty the Temporary Internet Files folder on a regular basis.
      Tracking Cookies are files that websites use to monitor which sites you visit and how often. A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
      CAUTION :- If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords.
      Both of these can be cleaned manually, but a quicker option is to use a program
    • ATF Cleaner
      • Free and very simple to use
    • CCleaner
      • Free and very flexible, you can choose which cookies to keep


    Also PLEASE read this article.....So How Did I Get Infected In The First Place

    The last and most important thing I can tell you is UPDATE.
    If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
    Malware changes on a day to day basis. You should update every week at the very least.

    If you follow this advice then (with a bit of luck) you will never have to hear from me again :D


    If you could post back one more time to let me know everything is OK, then I can have this thread archived.

    Happy surfing K'
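    The Internet Explorer hardening steps in the post above are a click-through of the Security tab. As an added example that is not part of the thread or of any of the tools it recommends, the PowerShell script below audits the same six settings straight from the registry, and can enforce them, so the check is repeatable on every machine you clean. It assumes the documented layout of IE zone policy: per-user values live under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 (zone 3 is "Internet"), each setting is a REG_DWORD named by its URL action ID (1001, 1004, 1201, 1800, 1804, 1607), and the data means 0 = Enable, 1 = Prompt, 3 = Disable. The function names and the $Desired table are the example's own.

```powershell
# Added example (not from the thread): audit and optionally enforce the six
# Internet-zone settings from the post, by reading the per-user zone registry
# keys instead of clicking through Tools > Options > Security > Custom Level.
#
# Assumptions (documented IE behaviour, not verified against this machine):
#   - zone policy for the current user lives under ...\Internet Settings\Zones\3
#   - each setting is a REG_DWORD named by its URL action ID
#   - data: 0 = Enable, 1 = Prompt, 3 = Disable

$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Desired state, mirroring the six settings in the post (action ID -> name, value).
$Desired = @{
    '1001' = @{ Name = 'Download signed ActiveX controls';                       Value = 1 }  # Prompt
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                     Value = 3 }  # Disable
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked safe'; Value = 3 }  # Disable
    '1800' = @{ Name = 'Installation of desktop items';                          Value = 1 }  # Prompt
    '1804' = @{ Name = 'Launching programs and files in an IFRAME';              Value = 1 }  # Prompt
    '1607' = @{ Name = 'Navigate sub-frames across different domains';           Value = 1 }  # Prompt
}

$Meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-IeZoneSetting {
    # Returns the current DWORD for one action ID, or $null if the value is absent
    # (IE then falls back to its built-in default for the zone's security level).
    param([string]$Action)
    $props = Get-ItemProperty -Path $ZonePath -ErrorAction Stop
    $raw = $props.$Action
    if ($raw -eq $null) { return $null }
    return [int]$raw
}

function Test-IeZoneHardening {
    # Emits one object per setting with current vs. desired state; no changes made.
    foreach ($action in $Desired.Keys) {
        $current = Get-IeZoneSetting -Action $action
        $want    = $Desired[$action].Value
        $currentText = '(not set)'
        if ($current -ne $null) {
            if ($Meaning.ContainsKey($current)) { $currentText = $Meaning[$current] }
            else { $currentText = "unknown ($current)" }   # unexpected data is worth a look
        }
        New-Object PSObject -Property @{
            Action    = $action
            Setting   = $Desired[$action].Name
            Current   = $currentText
            Desired   = $Meaning[$want]
            Compliant = ($current -eq $want)
        }
    }
}

function Set-IeZoneHardening {
    # Writes the desired values as REG_DWORD. Run Test-IeZoneHardening first and
    # review the report; this changes the logged-on user's IE behaviour immediately.
    foreach ($action in $Desired.Keys) {
        Set-ItemProperty -Path $ZonePath -Name $action -Value $Desired[$action].Value -Type DWord
    }
}

# Usage: audit, then enforce only once the report has been reviewed.
Test-IeZoneHardening | Format-Table Action, Setting, Current, Desired, Compliant -AutoSize
# Set-IeZoneHardening   # uncomment to apply
```

    Two caveats when using it: on a domain-joined machine Group Policy can force zone settings from HKLM (the Security_HKLM_only policy), in which case the HKCU values this script reads are not what IE actually enforces, so check the HKLM branch as well; and a value that reads "(not set)" is not the same as "Disable", it means IE is using the default for the zone's slider position, which is exactly why the post tells you to set each item explicitly.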