XP recovery console hangs. (resolved)
- ATNO/TW
- Super Moderator


- Registered: May 28, 2003
- Posts: 23403
- Loc: Woodbridge VA
- Status: Offline
This is a new one on me. Looking for ideas.
Have a Dell PC that BSODed this morning with UNMOUNTABLE_BOOT_VOLUME.
Same error when trying to boot into safe mode.
Got into the RC once and did a fixmbr, which normally works fine.
This time it didn't. I'm trying to get back into the recovery console to run a CHKDSK and maybe fixmbr, but now the RC hangs at "Examining 252587 MB Disk 0 at Id 0 on bus 0 on iastor..."
Seen many posts in searches from people with the same problem, but haven't found one with a resolution or a possible reason.
Any ideas for resolving this?
(I can get to the XP repair install option, but I'm saving a repair install as a last resort.)
The drive is SATA, if that helps.
"There's no place like 127.0.0.1 except for ::1."
Alexandria Networks. Leader in IT consulting for associations/non-profits, and small to medium sized businesses around the northern Virginia and Washington D.C. metro area.
September 28th, 2009, 10:21 am
- Don2007
- Web Master


- Registered: Nov 21, 2006
- Posts: 4924
- Loc: NY
- Status: Offline
- ATNO/TW
- Super Moderator


- Registered: May 28, 2003
- Posts: 23403
- Loc: Woodbridge VA
- Status: Offline
Thanks for the tip Don, but the CD was clean and fine.
This is getting interesting. I've been seeing a lot more of this lately (6 times in the last two months, in fact). I used an old "trick" I remembered: unplugged the machine, pulled the CMOS battery and let it sit for half an hour to drain the capacitors. Put it back in, booted and set it up to test the hardware. Ran a four-hour system diagnostic and every test passed, which rules out hardware failure.
After that I was able to boot to the recovery console.
Issued a chkdsk and fixmbr and got it to boot.
Here's the interesting part. Since I've seen this happen several times in the last month, I immediately ran combofix (it's still running) and it's finding all kinds of nasties. In a nutshell, my best guess is there's at least several viruses/malware out there now that seem to like rewriting the MBR.
And I know how he got it. He did a Google search for a legitimate Nuclear Regulatory Commission page and clicked the link that looked exactly like what he was looking for. Unfortunately he didn't look closely at the hyperlink when he clicked it, and bam! (Even Symantec Corporate couldn't stop it.) I looked at several of the DLLs Combofix has found so far and every one of them resists interrogation by security products.
Guess it's an example of no matter how safely you browse, you can still get nailed.
"There's no place like 127.0.0.1 except for ::1."
Alexandria Networks. Leader in IT consulting for associations/non-profits, and small to medium sized businesses around the northern Virginia and Washington D.C. metro area.
- Don2007
- Web Master


- Registered: Nov 21, 2006
- Posts: 4924
- Loc: NY
- Status: Offline
- ATNO/TW
- Super Moderator


- Registered: May 28, 2003
- Posts: 23403
- Loc: Woodbridge VA
- Status: Offline
I had cleaned his computer a week ago because there was some rogue antivirus on it.
He showed me the link he clicked. At that point the computer hadn't been rebooted. It rebooted over the weekend, and that's when everything really got very active, I guess (you'll see it in many of the startup entries).
Also, a registry entry shows me that one of the nasties disabled antivirus monitoring in Symantec.
Quote:
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
The other thing it did was infect Ntvdm.exe, which is a core system file that allows 16-bit applications to run on 32-bit machines.
Quote:
Infected copy of c:\windows\system32\Ntvdm.exe was found and disinfected
Restored copy from - c:\windows\system32\drivers\Ntvdm.exe
Code:
ComboFix 09-09-28.01 - Administrator 09/29/2009 9:05.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3061.2360 [GMT -4:00]
Running from: i:\userhomes\bowkerm\Utilities\Spyware\Combo-Fix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Administrator.ALARON-NUCLEAR\Application Data\alot
c:\documents and settings\All Users\Microsoft Private Data
c:\documents and settings\All Users\Microsoft Private Data\Microsoft\t.id
c:\documents and settings\collins\Application Data\alot
c:\documents and settings\faulkp\Application Data\alot
c:\documents and settings\faulkp\Application Data\alot\BrowserSearch\BrowserSearch.xml
c:\documents and settings\faulkp\Application Data\alot\BrowserSearch\BrowserSearch.xml.backup
c:\documents and settings\faulkp\Application Data\alot\Button_0\Button_0.xml
c:\documents and settings\faulkp\Application Data\alot\Button_0\Button_0.xml.backup
c:\documents and settings\faulkp\Application Data\alot\Button_1\Button_1.xml
c:\documents and settings\faulkp\Application Data\alot\Button_1\Button_1.xml.backup
c:\documents and settings\faulkp\Application Data\alot\Button_2\Button_2.xml
c:\documents and settings\faulkp\Application Data\alot\Button_2\Button_2.xml.backup
c:\documents and settings\faulkp\Application Data\alot\Button_3\Button_3.xml
c:\documents and settings\faulkp\Application Data\alot\Button_3\Button_3.xml.backup
c:\documents and settings\faulkp\Application Data\alot\Button_4\Button_4.xml
c:\documents and settings\faulkp\Application Data\alot\Button_4\Button_4.xml.backup
c:\documents and settings\faulkp\Application Data\alot\Button_5\Button_5.xml
c:\documents and settings\faulkp\Application Data\alot\Button_5\Button_5.xml.backup
c:\documents and settings\faulkp\Application Data\alot\Button_6\Button_6.xml
c:\documents and settings\faulkp\Application Data\alot\Button_6\Button_6.xml.backup
c:\documents and settings\faulkp\Application Data\alot\Button_7\Button_7.xml
c:\documents and settings\faulkp\Application Data\alot\Button_7\Button_7.xml.backup
c:\documents and settings\faulkp\Application Data\alot\Button_8\Button_8.xml
c:\documents and settings\faulkp\Application Data\alot\Button_8\Button_8.xml.backup
c:\documents and settings\faulkp\Application Data\alot\Button_9\Button_9.xml
c:\documents and settings\faulkp\Application Data\alot\Button_9\Button_9.xml.backup
c:\documents and settings\faulkp\Application Data\alot\configurator\configurator.xml
c:\documents and settings\faulkp\Application Data\alot\configurator\configurator.xml.backup
c:\documents and settings\faulkp\Application Data\alot\contextMenu\contextMenu.xml
c:\documents and settings\faulkp\Application Data\alot\contextMenu\contextMenu.xml.backup
c:\documents and settings\faulkp\Application Data\alot\ErrorSearch\ErrorSearch.xml
c:\documents and settings\faulkp\Application Data\alot\ErrorSearch\ErrorSearch.xml.backup
c:\documents and settings\faulkp\Application Data\alot\postInstallLayout\postInstallLayout.xml
c:\documents and settings\faulkp\Application Data\alot\postInstallLayout\postInstallLayout.xml.backup
c:\documents and settings\faulkp\Application Data\alot\products\products.xml
c:\documents and settings\faulkp\Application Data\alot\products\products.xml.backup
c:\documents and settings\faulkp\Application Data\alot\Resources\BrowserSearch\alot_search_defend.html
c:\documents and settings\faulkp\Application Data\alot\Resources\Button_0\images\alot_logo_button.bmp
c:\documents and settings\faulkp\Application Data\alot\Resources\Button_0\images\alot_logo_button.png
c:\documents and settings\faulkp\Application Data\alot\Resources\Button_1\images\alot_search_button.bmp
c:\documents and settings\faulkp\Application Data\alot\Resources\Button_1\images\alot_search_button.png
c:\documents and settings\faulkp\Application Data\alot\Resources\Button_2\images\default_1002_alot_videos_videosearch.bmp
c:\documents and settings\faulkp\Application Data\alot\Resources\Button_2\images\default_1002_alot_videos_videosearch.png
c:\documents and settings\faulkp\Application Data\alot\Resources\Button_3\images\default_1042_alot_video_vault.bmp
c:\documents and settings\faulkp\Application Data\alot\Resources\Button_3\images\default_1042_alot_video_vault.png
c:\documents and settings\faulkp\Application Data\alot\Resources\Button_4\images\default_1605_ALOT_Email.bmp
c:\documents and settings\faulkp\Application Data\alot\Resources\Button_4\images\default_1605_ALOT_Email.png
c:\documents and settings\faulkp\Application Data\alot\Resources\Button_5\images\default_1667_www.youtube.com_button.bmp
c:\documents and settings\faulkp\Application Data\alot\Resources\Button_5\images\default_1667_www.youtube.com_button.png
c:\documents and settings\faulkp\Application Data\alot\Resources\Button_6\images\alert-icon.png
c:\documents and settings\faulkp\Application Data\alot\Resources\Button_6\images\default_1007_alot_weather_widget.bmp
c:\documents and settings\faulkp\Application Data\alot\Resources\Button_6\images\default_1007_alot_weather_widget.png
c:\documents and settings\faulkp\Application Data\alot\Resources\Button_6\images\mcloud.png
c:\documents and settings\faulkp\Application Data\alot\Resources\Button_7\images\default_1897_alot_scr_screensavers.bmp
c:\documents and settings\faulkp\Application Data\alot\Resources\Button_7\images\default_1897_alot_scr_screensavers.png
c:\documents and settings\faulkp\Application Data\alot\Resources\Button_8\images\default_1045_alot_rea_laughs.bmp
c:\documents and settings\faulkp\Application Data\alot\Resources\Button_8\images\default_1045_alot_rea_laughs.png
c:\documents and settings\faulkp\Application Data\alot\Resources\Button_9\images\default_1602_alot_mrkt_livinghealthy.bmp
c:\documents and settings\faulkp\Application Data\alot\Resources\Button_9\images\default_1602_alot_mrkt_livinghealthy.png
c:\documents and settings\faulkp\Application Data\alot\Resources\contextMenu\images\alot_logo_button.bmp
c:\documents and settings\faulkp\Application Data\alot\Resources\contextMenu\images\alot_logo_button.png
c:\documents and settings\faulkp\Application Data\alot\Resources\Shared\domains.dat
c:\documents and settings\faulkp\Application Data\alot\Resources\Shared\images\alot_brand.png
c:\documents and settings\faulkp\Application Data\alot\Resources\Shared\images\alot_splitter.png
c:\documents and settings\faulkp\Application Data\alot\Resources\Shared\images\spinner.bmp
c:\documents and settings\faulkp\Application Data\alot\Resources\Shared\images\widget_bottom.bmp
c:\documents and settings\faulkp\Application Data\alot\Resources\Shared\images\widget_btnclose0.bmp
c:\documents and settings\faulkp\Application Data\alot\Resources\Shared\images\widget_btnclose1.bmp
c:\documents and settings\faulkp\Application Data\alot\Resources\Shared\images\widget_caption.bmp
c:\documents and settings\faulkp\Application Data\alot\Resources\Shared\images\widget_error_bg.bmp
c:\documents and settings\faulkp\Application Data\alot\Resources\Shared\images\widget_error_close.bmp
c:\documents and settings\faulkp\Application Data\alot\Resources\Shared\images\widget_error_icon.bmp
c:\documents and settings\faulkp\Application Data\alot\SiteMetrics\SiteMetrics.xml
c:\documents and settings\faulkp\Application Data\alot\SiteMetrics\SiteMetrics.xml.backup
c:\documents and settings\faulkp\Application Data\alot\TimerManager\TimerManager.xml
c:\documents and settings\faulkp\Application Data\alot\TimerManager\TimerManager.xml.backup
c:\documents and settings\faulkp\Application Data\alot\toolbar.xml
c:\documents and settings\faulkp\Application Data\alot\toolbar.xml.backup
c:\documents and settings\faulkp\Application Data\alot\ToolbarSearch\ToolbarSearch.xml
c:\documents and settings\faulkp\Application Data\alot\Updater\Updater.xml
c:\documents and settings\faulkp\Application Data\alot\Updater\Updater.xml.backup
c:\documents and settings\millerm\Application Data\alot
c:\documents and settings\millerm\Local Settings\Temporary Internet Files\hardcopy.log
c:\documents and settings\millerm\Local Settings\Temporary Internet Files\plot.log
c:\documents and settings\millerm\Start Menu\Programs\Total Security
c:\documents and settings\millerm\Start Menu\Programs\Total Security\Total Security 2009.lnk
c:\documents and settings\noravitz\Application Data\alot
c:\windows\Installer5a8.msi
c:\windows\Installer2b3a1.msp
c:\windows\Installer2b3a7.msp
c:\windows\system32\_003209_.tmp.dll
c:\windows\system32\_003210_.tmp.dll
c:\windows\system32\_003211_.tmp.dll
c:\windows\system32\_003212_.tmp.dll
c:\windows\system32\_003219_.tmp.dll
c:\windows\system32\_003220_.tmp.dll
c:\windows\system32\_003221_.tmp.dll
c:\windows\system32\_003223_.tmp.dll
c:\windows\system32\_003224_.tmp.dll
c:\windows\system32\_003227_.tmp.dll
c:\windows\system32\_003228_.tmp.dll
c:\windows\system32\_003231_.tmp.dll
c:\windows\system32\_003232_.tmp.dll
c:\windows\system32\_003234_.tmp.dll
c:\windows\system32\_003237_.tmp.dll
c:\windows\system32\_003238_.tmp.dll
c:\windows\system32\_003243_.tmp.dll
c:\windows\system32\_003245_.tmp.dll
c:\windows\system32\_003248_.tmp.dll
c:\windows\system32\_003250_.tmp.dll
c:\windows\system32\_003251_.tmp.dll
c:\windows\system32\_003252_.tmp.dll
c:\windows\system32\_003253_.tmp.dll
c:\windows\system32\_003256_.tmp.dll
c:\windows\system32\_003257_.tmp.dll
c:\windows\system32\_003258_.tmp.dll
c:\windows\system32\_003259_.tmp.dll
c:\windows\system32\_003260_.tmp.dll
c:\windows\system32\_003265_.tmp.dll
c:\windows\system32\_003267_.tmp.dll
c:\windows\system32\bikuhagu.dll
c:\windows\system32\diwunawo.dll
c:\windows\system32\dumenebi.dll
c:\windows\system32\fugudipi.dll
c:\windows\system32\gurutipa.exe
c:\windows\system32\jaduzumi.dll
c:\windows\system32\jisiponu.dll
c:\windows\system32\jugopive.dll
c:\windows\system32\lahesumo.dll
c:\windows\system32\lozetasa.exe
c:\windows\system32\mipasowu.dll
c:\windows\system32\nigobani.dll
c:\windows\system32\nubayiri.dll
c:\windows\system32\pavebade.exe
c:\windows\system32\sarefojo.exe
c:\windows\system32\sibidapi.dll
c:\windows\system32\tahemehu.dll
c:\windows\system32\tijojepe.exe
c:\windows\system32\tizabedi.dll
c:\windows\system32\visujowo.dll
c:\windows\system32\vizaleso.dll
c:\windows\system32\wazonaya.dll
c:\windows\system32\werohage.dll
c:\windows\system32\yavipomu.dll
c:\windows\system32\zurasujo.dll
Infected copy of c:\windows\system32\ntvdm.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\ntvdm.exe
.
((((((((((((((((((((((((( Files Created from 2009-08-28 to 2009-09-29 )))))))))))))))))))))))))))))))
.
2009-09-29 12:58 . 2009-09-29 13:00 -------- d-----w- C:\Combo-Fix
2009-09-29 12:50 . 2009-09-29 12:50 -------- d-----w- c:\documents and settings\Administrator.ALARON-NUCLEAR\Application Data\Research In Motion
2009-09-29 12:49 . 2009-09-29 12:49 -------- d-sh--w- c:\documents and settings\Administrator.ALARON-NUCLEAR\IETldCache
2009-09-21 13:03 . 2009-09-21 13:03 -------- d--h--w- c:\windows\PIF
2009-09-21 12:34 . 2009-09-21 12:34 -------- d-----w- c:\documents and settings\millerm\Application Data\Malwarebytes
2009-09-18 14:36 . 2009-09-21 11:49 -------- d-----w- c:\documents and settings\All Users\Application Data920314
2009-09-16 11:53 . 2009-09-16 11:53 -------- d-----w- c:\documents and settings\millerm\Application Data\Juniper Networks
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-29 13:28 . 2009-06-24 14:28 256 ----a-w- c:\windows\system32\pool.bin
2009-09-29 13:14 . 2009-06-08 16:55 -------- d-----w- c:\program files\Symantec AntiVirus
2009-09-29 12:37 . 2009-06-29 12:37 91136 ----a-w- c:\windows\system32\pomijowu.dll.vir
2009-09-29 12:36 . 2009-06-29 12:36 87552 ----a-w- c:\windows\system32\dataheme.dll.vir
2009-09-28 02:22 . 2009-06-28 02:22 87552 ----a-w- c:\windows\system32\fowibiya.dll.vir
2009-09-27 14:22 . 2009-06-27 14:22 88064 --sha-w- c:\windows\system32\hifibugo.dll
2009-09-27 02:22 . 2009-06-27 02:22 88064 --sha-w- c:\windows\system32\fodadowa.dll
2009-09-26 14:22 . 2009-06-26 14:22 87552 --sha-w- c:\windows\system32\zowiyari.dll
2009-09-26 02:22 . 2009-06-26 02:22 49664 --sha-w- c:\windows\system32\bojapume.dll
2009-09-23 14:21 . 2009-06-23 14:21 88576 ----a-w- c:\windows\system32\bunofalo.dll.vir
2009-09-23 02:20 . 2009-06-23 02:20 87552 --sha-w- c:\windows\system32\reporelo.dll
2009-09-22 14:20 . 2009-06-22 14:20 88064 --sha-w- c:\windows\system32\niwazuba.dll
2009-09-22 02:22 . 2009-06-22 02:22 88064 --sha-w- c:\windows\system32\dusuvivu.dll
2009-09-21 14:20 . 2009-06-21 14:20 88576 --sha-w- c:\windows\system32\sesotoja.dll
2009-09-21 14:13 . 2009-06-21 14:13 49152 --sha-w- c:\windows\system32\peluloge.dll
2009-09-21 14:13 . 2009-06-21 14:13 88576 --sha-w- c:\windows\system32\gijiyeli.dll
2009-09-21 13:48 . 2009-08-24 13:05 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-24 16:49 . 2009-08-24 16:49 -------- d-----w- c:\program files\CPUID
2009-08-24 16:47 . 2009-08-24 16:47 -------- d-----w- c:\documents and settings\collins\Application Data\Xerox
2009-08-24 13:22 . 2009-08-24 13:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-24 13:06 . 2009-08-24 13:06 -------- d-----w- c:\documents and settings\collins\Application Data\Malwarebytes
2009-08-24 12:57 . 2009-08-24 12:57 -------- d-----w- c:\documents and settings\collins\Application Data\Research In Motion
2009-08-24 12:57 . 2008-06-12 20:05 115128 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-24 12:56 . 2008-11-11 18:59 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-08-24 12:51 . 2008-06-23 17:07 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-24 12:43 . 2008-06-12 19:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-12 13:14 . 2008-10-20 17:46 115128 ----a-w- c:\documents and settings\millerm\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-12 12:58 . 2009-06-24 14:08 -------- d-----w- c:\program files\Common Files\Roxio Shared
2009-08-12 12:57 . 2009-08-12 12:56 -------- d-----w- c:\program files\Roxio
2009-08-12 12:56 . 2009-06-24 14:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2009-08-12 12:56 . 2009-08-12 12:56 -------- d-----w- c:\program files\Common Files\Sonic Shared
2009-08-12 12:51 . 2009-08-12 12:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Research In Motion
2009-08-12 12:51 . 2009-06-24 14:03 -------- d-----w- c:\program files\Research In Motion
2009-08-12 12:49 . 2009-06-24 14:03 -------- d-----w- c:\program files\Common Files\Research In Motion
2009-08-06 05:28 . 2008-06-12 20:00 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-08-05 09:01 . 2004-08-11 21:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-29 04:37 . 2004-08-11 21:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-29 04:37 . 2004-08-11 21:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-07-17 19:01 . 2004-08-11 21:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-08-11 21:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-10 13:13 . 2009-07-10 13:13 94208 ----a-w- c:\windows\system32\msstkprp.dll
2009-07-10 13:13 . 2009-07-10 13:13 43160 ----a-w- c:\windows\system32\AcSignIcon.dll
2009-07-10 13:13 . 2009-07-10 13:13 429720 ----a-w- c:\windows\system32\AcSignOpt.exe
2009-07-10 13:13 . 2009-07-10 13:13 29848 ----a-w- c:\windows\system32\AcSignExt.dll
2009-07-10 13:13 . 2009-07-10 13:13 14488 ----a-w- c:\windows\system32\AcSignExtRes.dll
2009-07-03 17:09 . 2004-08-11 21:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-21 14:13 . 2009-06-21 14:13 49152 --sha-w- c:\windows\system32\kofirawa.dll.tmp
2009-06-21 14:13 . 2009-06-21 14:13 49152 --sha-w- c:\windows\system32\koyagahu.dll.tmp
2009-06-26 02:23 . 2009-06-26 02:23 49664 --sha-w- c:\windows\system32\likepuzu.dll.tmp
2009-06-26 14:22 . 2009-06-26 14:22 521216 --sha-w- c:\windows\system32\lizimobu.exe
2009-06-26 02:23 . 2009-06-26 02:23 49664 --sha-w- c:\windows\system32\tiyeyoma.dll.tmp
2009-06-26 02:23 . 2009-06-26 02:23 49664 --sha-w- c:\windows\system32\velajoya.dll.tmp
2009-06-21 14:13 . 2009-06-21 14:13 49152 --sha-w- c:\windows\system32\wiseyiwi.dll.tmp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-07-17 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-07-17 162328]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-07-17 137752]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-26 136600]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-09-24 1036288]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
"Acrobat Speed Launch"="c:\program files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe" [2006-10-23 46200]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-06-12 29744]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-26 17920]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]
"WinVNC"="c:\program files\UltraVNC\WinVNC.exe" [2006-06-18 712704]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-06-02 267048]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-06-24 185896]
"Acrobat Synchronizer"="c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe" [2007-05-11 738968]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 53408]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-03-17 124656]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-07-02 623960]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared.0\SharedCOM\RoxWatchTray9.exe" [2009-04-11 236016]
c:\documents and settings\millerm\Start Menu\Programs\Startup\
Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2009-7-1 1717592]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2009-7-1 1717592]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"c:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"=
"c:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe"=
"c:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"=
"%windir%\Network Diagnostic\xpnetdiag.exe"=
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [6/20/2007 2:30 PM 79168]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/17/2006 6:34 AM 115952]
R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [6/23/2008 12:25 PM 6016]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/15/2009 8:10 AM 102448]
S0 tvay;tvay;c:\windows\system32\drivers\hxjrgpgw.sys --> c:\windows\system32\drivers\hxjrgpgw.sys [?]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-09-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 18:57]
.
.
------- Supplementary Scan -------
.
uStart Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=0080612
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
TCP: {950A1CFE-8577-4FDF-92C3-7CA4FE2D19B2} = 77.74.48.113
TCP: {DE1DCEA5-F2D3-48E5-AA35-E29468364622} = 77.74.48.113
FF - ProfilePath - c:\documents and settings\Administrator.ALARON-NUCLEAR\Application Data\Mozilla\Firefox\Profiles\wl6kdhla.default\
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-negunasok - c:\windows\system32\dataheme.dll
SharedTaskScheduler-{3284e2fa-ff22-4498-9fc7-2b6d416b115c} - c:\windows\system32\dataheme.dll
SSODL-lakehiviw-{3284e2fa-ff22-4498-9fc7-2b6d416b115c} - c:\windows\system32\dataheme.dll
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-29 09:27
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\WINDOWS\system32\Macromed\Flash\FlashUtil10c.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\WINDOWS\system32\Macromed\Flash\FlashUtil10c.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(3548)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\program files\Spybot - Search & Destroy\SDHelper.dll
c:\windows\system32\hccutils.DLL
c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Juniper Networks\Common Files\dsNcService.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\Java\jre6\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2009-09-29 9:52 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-29 13:43
Pre-Run: 130,088,759,296 bytes free
Post-Run: 131,111,776,256 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
386 --- E O F --- 2009-06-29 15:02
- c:\documents and settings\faulkp\Application Data\alot\Resources\Button_4\images\default_1605_ALOT_Email.png
- c:\documents and settings\faulkp\Application Data\alot\Resources\Button_5\images\default_1667_www.youtube.com_button.bmp
- c:\documents and settings\faulkp\Application Data\alot\Resources\Button_5\images\default_1667_www.youtube.com_button.png
- c:\documents and settings\faulkp\Application Data\alot\Resources\Button_6\images\alert-icon.png
- c:\documents and settings\faulkp\Application Data\alot\Resources\Button_6\images\default_1007_alot_weather_widget.bmp
- c:\documents and settings\faulkp\Application Data\alot\Resources\Button_6\images\default_1007_alot_weather_widget.png
- c:\documents and settings\faulkp\Application Data\alot\Resources\Button_6\images\mcloud.png
- c:\documents and settings\faulkp\Application Data\alot\Resources\Button_7\images\default_1897_alot_scr_screensavers.bmp
- c:\documents and settings\faulkp\Application Data\alot\Resources\Button_7\images\default_1897_alot_scr_screensavers.png
- c:\documents and settings\faulkp\Application Data\alot\Resources\Button_8\images\default_1045_alot_rea_laughs.bmp
- c:\documents and settings\faulkp\Application Data\alot\Resources\Button_8\images\default_1045_alot_rea_laughs.png
- c:\documents and settings\faulkp\Application Data\alot\Resources\Button_9\images\default_1602_alot_mrkt_livinghealthy.bmp
- c:\documents and settings\faulkp\Application Data\alot\Resources\Button_9\images\default_1602_alot_mrkt_livinghealthy.png
- c:\documents and settings\faulkp\Application Data\alot\Resources\contextMenu\images\alot_logo_button.bmp
- c:\documents and settings\faulkp\Application Data\alot\Resources\contextMenu\images\alot_logo_button.png
- c:\documents and settings\faulkp\Application Data\alot\Resources\Shared\domains.dat
- c:\documents and settings\faulkp\Application Data\alot\Resources\Shared\images\alot_brand.png
- c:\documents and settings\faulkp\Application Data\alot\Resources\Shared\images\alot_splitter.png
- c:\documents and settings\faulkp\Application Data\alot\Resources\Shared\images\spinner.bmp
- c:\documents and settings\faulkp\Application Data\alot\Resources\Shared\images\widget_bottom.bmp
- c:\documents and settings\faulkp\Application Data\alot\Resources\Shared\images\widget_btnclose0.bmp
- c:\documents and settings\faulkp\Application Data\alot\Resources\Shared\images\widget_btnclose1.bmp
- c:\documents and settings\faulkp\Application Data\alot\Resources\Shared\images\widget_caption.bmp
- c:\documents and settings\faulkp\Application Data\alot\Resources\Shared\images\widget_error_bg.bmp
- c:\documents and settings\faulkp\Application Data\alot\Resources\Shared\images\widget_error_close.bmp
- c:\documents and settings\faulkp\Application Data\alot\Resources\Shared\images\widget_error_icon.bmp
- c:\documents and settings\faulkp\Application Data\alot\SiteMetrics\SiteMetrics.xml
- c:\documents and settings\faulkp\Application Data\alot\SiteMetrics\SiteMetrics.xml.backup
- c:\documents and settings\faulkp\Application Data\alot\TimerManager\TimerManager.xml
- c:\documents and settings\faulkp\Application Data\alot\TimerManager\TimerManager.xml.backup
- c:\documents and settings\faulkp\Application Data\alot\toolbar.xml
- c:\documents and settings\faulkp\Application Data\alot\toolbar.xml.backup
- c:\documents and settings\faulkp\Application Data\alot\ToolbarSearch\ToolbarSearch.xml
- c:\documents and settings\faulkp\Application Data\alot\Updater\Updater.xml
- c:\documents and settings\faulkp\Application Data\alot\Updater\Updater.xml.backup
- c:\documents and settings\millerm\Application Data\alot
- c:\documents and settings\millerm\Local Settings\Temporary Internet Files\hardcopy.log
- c:\documents and settings\millerm\Local Settings\Temporary Internet Files\plot.log
- c:\documents and settings\millerm\Start Menu\Programs\Total Security
- c:\documents and settings\millerm\Start Menu\Programs\Total Security\Total Security 2009.lnk
- c:\documents and settings\noravitz\Application Data\alot
- c:\windows\Installer5a8.msi
- c:\windows\Installer2b3a1.msp
- c:\windows\Installer2b3a7.msp
- c:\windows\system32\_003209_.tmp.dll
- c:\windows\system32\_003210_.tmp.dll
- c:\windows\system32\_003211_.tmp.dll
- c:\windows\system32\_003212_.tmp.dll
- c:\windows\system32\_003219_.tmp.dll
- c:\windows\system32\_003220_.tmp.dll
- c:\windows\system32\_003221_.tmp.dll
- c:\windows\system32\_003223_.tmp.dll
- c:\windows\system32\_003224_.tmp.dll
- c:\windows\system32\_003227_.tmp.dll
- c:\windows\system32\_003228_.tmp.dll
- c:\windows\system32\_003231_.tmp.dll
- c:\windows\system32\_003232_.tmp.dll
- c:\windows\system32\_003234_.tmp.dll
- c:\windows\system32\_003237_.tmp.dll
- c:\windows\system32\_003238_.tmp.dll
- c:\windows\system32\_003243_.tmp.dll
- c:\windows\system32\_003245_.tmp.dll
- c:\windows\system32\_003248_.tmp.dll
- c:\windows\system32\_003250_.tmp.dll
- c:\windows\system32\_003251_.tmp.dll
- c:\windows\system32\_003252_.tmp.dll
- c:\windows\system32\_003253_.tmp.dll
- c:\windows\system32\_003256_.tmp.dll
- c:\windows\system32\_003257_.tmp.dll
- c:\windows\system32\_003258_.tmp.dll
- c:\windows\system32\_003259_.tmp.dll
- c:\windows\system32\_003260_.tmp.dll
- c:\windows\system32\_003265_.tmp.dll
- c:\windows\system32\_003267_.tmp.dll
- c:\windows\system32\bikuhagu.dll
- c:\windows\system32\diwunawo.dll
- c:\windows\system32\dumenebi.dll
- c:\windows\system32\fugudipi.dll
- c:\windows\system32\gurutipa.exe
- c:\windows\system32\jaduzumi.dll
- c:\windows\system32\jisiponu.dll
- c:\windows\system32\jugopive.dll
- c:\windows\system32\lahesumo.dll
- c:\windows\system32\lozetasa.exe
- c:\windows\system32\mipasowu.dll
- c:\windows\system32\nigobani.dll
- c:\windows\system32\nubayiri.dll
- c:\windows\system32\pavebade.exe
- c:\windows\system32\sarefojo.exe
- c:\windows\system32\sibidapi.dll
- c:\windows\system32\tahemehu.dll
- c:\windows\system32\tijojepe.exe
- c:\windows\system32\tizabedi.dll
- c:\windows\system32\visujowo.dll
- c:\windows\system32\vizaleso.dll
- c:\windows\system32\wazonaya.dll
- c:\windows\system32\werohage.dll
- c:\windows\system32\yavipomu.dll
- c:\windows\system32\zurasujo.dll
- Infected copy of c:\windows\system32\ntvdm.exe was found and disinfected
- Restored copy from - c:\windows\system32\dllcache\ntvdm.exe
- .
- ((((((((((((((((((((((((( Files Created from 2009-08-28 to 2009-09-29 )))))))))))))))))))))))))))))))
- .
- 2009-09-29 12:58 . 2009-09-29 13:00 -------- d-----w- C:\Combo-Fix
- 2009-09-29 12:50 . 2009-09-29 12:50 -------- d-----w- c:\documents and settings\Administrator.ALARON-NUCLEAR\Application Data\Research In Motion
- 2009-09-29 12:49 . 2009-09-29 12:49 -------- d-sh--w- c:\documents and settings\Administrator.ALARON-NUCLEAR\IETldCache
- 2009-09-21 13:03 . 2009-09-21 13:03 -------- d--h--w- c:\windows\PIF
- 2009-09-21 12:34 . 2009-09-21 12:34 -------- d-----w- c:\documents and settings\millerm\Application Data\Malwarebytes
- 2009-09-18 14:36 . 2009-09-21 11:49 -------- d-----w- c:\documents and settings\All Users\Application Data920314
- 2009-09-16 11:53 . 2009-09-16 11:53 -------- d-----w- c:\documents and settings\millerm\Application Data\Juniper Networks
- .
- (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
- .
- 2009-09-29 13:28 . 2009-06-24 14:28 256 ----a-w- c:\windows\system32\pool.bin
- 2009-09-29 13:14 . 2009-06-08 16:55 -------- d-----w- c:\program files\Symantec AntiVirus
- 2009-09-29 12:37 . 2009-06-29 12:37 91136 ----a-w- c:\windows\system32\pomijowu.dll.vir
- 2009-09-29 12:36 . 2009-06-29 12:36 87552 ----a-w- c:\windows\system32\dataheme.dll.vir
- 2009-09-28 02:22 . 2009-06-28 02:22 87552 ----a-w- c:\windows\system32\fowibiya.dll.vir
- 2009-09-27 14:22 . 2009-06-27 14:22 88064 --sha-w- c:\windows\system32\hifibugo.dll
- 2009-09-27 02:22 . 2009-06-27 02:22 88064 --sha-w- c:\windows\system32\fodadowa.dll
- 2009-09-26 14:22 . 2009-06-26 14:22 87552 --sha-w- c:\windows\system32\zowiyari.dll
- 2009-09-26 02:22 . 2009-06-26 02:22 49664 --sha-w- c:\windows\system32\bojapume.dll
- 2009-09-23 14:21 . 2009-06-23 14:21 88576 ----a-w- c:\windows\system32\bunofalo.dll.vir
- 2009-09-23 02:20 . 2009-06-23 02:20 87552 --sha-w- c:\windows\system32\reporelo.dll
- 2009-09-22 14:20 . 2009-06-22 14:20 88064 --sha-w- c:\windows\system32\niwazuba.dll
- 2009-09-22 02:22 . 2009-06-22 02:22 88064 --sha-w- c:\windows\system32\dusuvivu.dll
- 2009-09-21 14:20 . 2009-06-21 14:20 88576 --sha-w- c:\windows\system32\sesotoja.dll
- 2009-09-21 14:13 . 2009-06-21 14:13 49152 --sha-w- c:\windows\system32\peluloge.dll
- 2009-09-21 14:13 . 2009-06-21 14:13 88576 --sha-w- c:\windows\system32\gijiyeli.dll
- 2009-09-21 13:48 . 2009-08-24 13:05 -------- d-----w- c:\program files\Spybot - Search & Destroy
- 2009-08-24 16:49 . 2009-08-24 16:49 -------- d-----w- c:\program files\CPUID
- 2009-08-24 16:47 . 2009-08-24 16:47 -------- d-----w- c:\documents and settings\collins\Application Data\Xerox
- 2009-08-24 13:22 . 2009-08-24 13:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
- 2009-08-24 13:06 . 2009-08-24 13:06 -------- d-----w- c:\documents and settings\collins\Application Data\Malwarebytes
- 2009-08-24 12:57 . 2009-08-24 12:57 -------- d-----w- c:\documents and settings\collins\Application Data\Research In Motion
- 2009-08-24 12:57 . 2008-06-12 20:05 115128 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
- 2009-08-24 12:56 . 2008-11-11 18:59 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
- 2009-08-24 12:51 . 2008-06-23 17:07 -------- d-----w- c:\program files\Microsoft Silverlight
- 2009-08-24 12:43 . 2008-06-12 19:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
- 2009-08-12 13:14 . 2008-10-20 17:46 115128 ----a-w- c:\documents and settings\millerm\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
- 2009-08-12 12:58 . 2009-06-24 14:08 -------- d-----w- c:\program files\Common Files\Roxio Shared
- 2009-08-12 12:57 . 2009-08-12 12:56 -------- d-----w- c:\program files\Roxio
- 2009-08-12 12:56 . 2009-06-24 14:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
- 2009-08-12 12:56 . 2009-08-12 12:56 -------- d-----w- c:\program files\Common Files\Sonic Shared
- 2009-08-12 12:51 . 2009-08-12 12:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Research In Motion
- 2009-08-12 12:51 . 2009-06-24 14:03 -------- d-----w- c:\program files\Research In Motion
- 2009-08-12 12:49 . 2009-06-24 14:03 -------- d-----w- c:\program files\Common Files\Research In Motion
- 2009-08-06 05:28 . 2008-06-12 20:00 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
- 2009-08-05 09:01 . 2004-08-11 21:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
- 2009-07-29 04:37 . 2004-08-11 21:00 119808 ----a-w- c:\windows\system32\t2embed.dll
- 2009-07-29 04:37 . 2004-08-11 21:00 81920 ----a-w- c:\windows\system32\fontsub.dll
- 2009-07-17 19:01 . 2004-08-11 21:00 58880 ----a-w- c:\windows\system32\atl.dll
- 2009-07-14 03:43 . 2004-08-11 21:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
- 2009-07-10 13:13 . 2009-07-10 13:13 94208 ----a-w- c:\windows\system32\msstkprp.dll
- 2009-07-10 13:13 . 2009-07-10 13:13 43160 ----a-w- c:\windows\system32\AcSignIcon.dll
- 2009-07-10 13:13 . 2009-07-10 13:13 429720 ----a-w- c:\windows\system32\AcSignOpt.exe
- 2009-07-10 13:13 . 2009-07-10 13:13 29848 ----a-w- c:\windows\system32\AcSignExt.dll
- 2009-07-10 13:13 . 2009-07-10 13:13 14488 ----a-w- c:\windows\system32\AcSignExtRes.dll
- 2009-07-03 17:09 . 2004-08-11 21:00 915456 ----a-w- c:\windows\system32\wininet.dll
- 2009-06-21 14:13 . 2009-06-21 14:13 49152 --sha-w- c:\windows\system32\kofirawa.dll.tmp
- 2009-06-21 14:13 . 2009-06-21 14:13 49152 --sha-w- c:\windows\system32\koyagahu.dll.tmp
- 2009-06-26 02:23 . 2009-06-26 02:23 49664 --sha-w- c:\windows\system32\likepuzu.dll.tmp
- 2009-06-26 14:22 . 2009-06-26 14:22 521216 --sha-w- c:\windows\system32\lizimobu.exe
- 2009-06-26 02:23 . 2009-06-26 02:23 49664 --sha-w- c:\windows\system32\tiyeyoma.dll.tmp
- 2009-06-26 02:23 . 2009-06-26 02:23 49664 --sha-w- c:\windows\system32\velajoya.dll.tmp
- 2009-06-21 14:13 . 2009-06-21 14:13 49152 --sha-w- c:\windows\system32\wiseyiwi.dll.tmp
- .
- ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
- .
- .
- *Note* empty entries & legit default entries are not shown
- REGEDIT4
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-07-17 141848]
- "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-07-17 162328]
- "Persistence"="c:\windows\system32\igfxpers.exe" [2007-07-17 137752]
- "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-26 136600]
- "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712]
- "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-09-24 1036288]
- "Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
- "Acrobat Speed Launch"="c:\program files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe" [2006-10-23 46200]
- "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-06-12 29744]
- "ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-26 17920]
- "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]
- "WinVNC"="c:\program files\UltraVNC\WinVNC.exe" [2006-06-18 712704]
- "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
- "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-06-02 267048]
- "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-06-24 185896]
- "Acrobat Synchronizer"="c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe" [2007-05-11 738968]
- "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 53408]
- "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-03-17 124656]
- "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
- "BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-07-02 623960]
- "RoxWatchTray"="c:\program files\Common Files\Roxio Shared.0\SharedCOM\RoxWatchTray9.exe" [2009-04-11 236016]
- c:\documents and settings\millerm\Start Menu\Programs\Startup\
- Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2009-7-1 1717592]
- c:\documents and settings\All Users\Start Menu\Programs\Startup\
- Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2009-7-1 1717592]
- [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
- "disablecad"= 1 (0x1)
- [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
- "NoWelcomeScreen"= 1 (0x1)
- [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
- "Bonjour Service"=2 (0x2)
- [HKEY_LOCAL_MACHINE\software\microsoft\security center]
- "UpdatesDisableNotify"=dword:00000001
- [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
- "DisableMonitoring"=dword:00000001
- [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
- "%windir%\system32\sessmgr.exe"=
- "c:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"=
- "c:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe"=
- "c:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"=
- "%windir%\Network Diagnostic\xpnetdiag.exe"=
- R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [6/20/2007 2:30 PM 79168]
- R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/17/2006 6:34 AM 115952]
- R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [6/23/2008 12:25 PM 6016]
- R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/15/2009 8:10 AM 102448]
- S0 tvay;tvay;c:\windows\system32\drivers\hxjrgpgw.sys --> c:\windows\system32\drivers\hxjrgpgw.sys [?]
- [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
- HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
- hpdevmgmt REG_MULTI_SZ hpqcxs08
- [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
- "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
- .
- Contents of the 'Scheduled Tasks' folder
- 2009-09-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 18:57]
- .
- .
- ------- Supplementary Scan -------
- .
- uStart Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=0080612
- uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
- IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
- IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
- IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
- IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
- IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
- IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
- IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
- IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
- TCP: {950A1CFE-8577-4FDF-92C3-7CA4FE2D19B2} = 77.74.48.113
- TCP: {DE1DCEA5-F2D3-48E5-AA35-E29468364622} = 77.74.48.113
- FF - ProfilePath - c:\documents and settings\Administrator.ALARON-NUCLEAR\Application Data\Mozilla\Firefox\Profiles\wl6kdhla.default\
- FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
- FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
- .
- - - - - ORPHANS REMOVED - - - -
- HKLM-Run-negunasok - c:\windows\system32\dataheme.dll
- SharedTaskScheduler-{3284e2fa-ff22-4498-9fc7-2b6d416b115c} - c:\windows\system32\dataheme.dll
- SSODL-lakehiviw-{3284e2fa-ff22-4498-9fc7-2b6d416b115c} - c:\windows\system32\dataheme.dll
- **************************************************************************
- catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
- Rootkit scan 2009-09-29 09:27
- Windows 5.1.2600 Service Pack 3 NTFS
- scanning hidden processes ...
- scanning hidden autostart entries ...
- scanning hidden files ...
- scan completed successfully
- hidden files: 0
- **************************************************************************
- .
- --------------------- LOCKED REGISTRY KEYS ---------------------
- [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
- @Denied: (A 2) (Everyone)
- @="FlashBroker"
- "LocalizedString"="@c:\WINDOWS\system32\Macromed\Flash\FlashUtil10c.exe,-101"
- [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
- "Enabled"=dword:00000001
- [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
- @="c:\WINDOWS\system32\Macromed\Flash\FlashUtil10c.exe"
- [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
- @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
- [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
- @Denied: (A 2) (Everyone)
- @="IFlashBroker3"
- [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
- @="{00020424-0000-0000-C000-000000000046}"
- [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
- @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
- "Version"="1.0"
- .
- --------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - - > 'explorer.exe'(3548)
- c:\windows\system32\WININET.dll
- c:\windows\system32\ieframe.dll
- c:\windows\system32\webcheck.dll
- c:\windows\system32\WPDShServiceObj.dll
- c:\windows\system32\PortableDeviceTypes.dll
- c:\windows\system32\PortableDeviceApi.dll
- c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
- c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
- c:\program files\Spybot - Search & Destroy\SDHelper.dll
- c:\windows\system32\hccutils.DLL
- c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
- .
- ------------------------ Other Running Processes ------------------------
- .
- c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
- c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
- c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
- c:\program files\Symantec AntiVirus\DefWatch.exe
- c:\program files\Juniper Networks\Common Files\dsNcService.exe
- c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
- c:\program files\Java\jre6\bin\jqs.exe
- c:\progra~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
- c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
- c:\program files\Symantec AntiVirus\Rtvscan.exe
- c:\windows\system32\igfxsrvc.exe
- c:\program files\iPod\bin\iPodService.exe
- c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
- c:\program files\Java\jre6\bin\jucheck.exe
- .
- **************************************************************************
- .
- Completion time: 2009-09-29 9:52 - machine was rebooted
- ComboFix-quarantined-files.txt 2009-09-29 13:43
- Pre-Run: 130,088,759,296 bytes free
- Post-Run: 131,111,776,256 bytes free
- WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
- [boot loader]
- timeout=2
- default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
- [operating systems]
- c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
- multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- 386 --- E O F --- 2009-06-29 15:02
"There's no place like 127.0.0.1 except for ::1."
Alexandria Networks. Leader in IT consulting for associations/non-profits, and small to medium sized businesses around the northern Virginia and Washington D.C. metro area.
- Don2007
- Web Master


- Registered: Nov 21, 2006
- Posts: 4924
- Loc: NY
- Status: Offline
- ATNO/TW
- Super Moderator


- Registered: May 28, 2003
- Posts: 23403
- Loc: Woodbridge VA
- Status: Offline
One key thing I like about it is the added benefit of rootkit scanning. I've found and removed 4 already since discovering ComboFix, and to date I hadn't found any other software that does that, with the exception of Microsoft's Malicious Software Removal Tool.
Plus, when it runs, it installs the Recovery Console if you don't have it installed and makes it available at boot. No more need for the OS CD to get to the Recovery Console.
"There's no place like 127.0.0.1 except for ::1."
Alexandria Networks. Leader in IT consulting for associations/non-profits, and small to medium sized businesses around the northern Virginia and Washington D.C. metro area.
- Don2007
- Web Master


- Registered: Nov 21, 2006
- Posts: 4924
- Loc: NY
- Status: Offline
- ATNO/TW
- Super Moderator


- Registered: May 28, 2003
- Posts: 23403
- Loc: Woodbridge VA
- Status: Offline
Both that and a network drive. I actually have a set of current malware removal proggies burned to a CD and on the mapped drive. I also have FF and Chrome as well, in case I need to install an alternate browser.
"There's no place like 127.0.0.1 except for ::1."
Alexandria Networks. Leader in IT consulting for associations/non-profits, and small to medium sized businesses around the northern Virginia and Washington D.C. metro area.
- Don2007
- Web Master


- Registered: Nov 21, 2006
- Posts: 4924
- Loc: NY
- Status: Offline
So what do you do about updates for anti-malware programs when one needs an update? For example, Malwarebytes Anti-Malware needs to be updated before each use. Having it on a CD when you're trying to clean a machine that can't connect to the network makes it useless.
Doesn't ComboFix need updates?
How do you know when a politician is lying? His mouth is moving.
- ATNO/TW
- Super Moderator


- Registered: May 28, 2003
- Posts: 23403
- Loc: Woodbridge VA
- Status: Offline
Yes, ComboFix needs updates. When a new version of the software is available I update the version in the network folder, burn a new CD and toss the old one.
Most of these programs install fine in Safe Mode. I do a lot of work on problem computers like that in Safe Mode with Networking. It allows the updates, but in Safe Mode, as you know, most malware usually isn't active. *Note* the word usually.
It's pretty effective. Alternatively, you can put them on a flash drive versus a CD if you don't like wasting CDs.
"There's no place like 127.0.0.1 except for ::1."
Alexandria Networks. Leader in IT consulting for associations/non-profits, and small to medium sized businesses around the northern Virginia and Washington D.C. metro area.