BleepingComputer.com: Open Cloud Antivirus and redirects

I have been infected by the Open Cloud Antivirus virus, and whenever I try to run Malwarebytes, SAS, or Gmer, it would run for a few seconds then the program will shut down immediately. I was referred to post here by boopme. http://www.bleepingcomputer.com/forums/topic421484.html

 attach.txt (19.78K)
Number of downloads: 2
.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_23
Run by Administrator at 23:43:47 on 2011-10-01
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1725 [GMT -4:00]
.
AV: avast! Antivirus *Enabled/Outdated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Accessories\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\3009287083:1424793932.exe
C:\WINDOWS\explorer.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
.
============== Pseudo HJT Report ===============
.
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: {A057A204-BACC-4D26-8398-26FADCF27386} - No File
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [avast5] c:\progra~1\avast5\avastUI.exe /nogui
mRun: [VX3000] c:\windows\vVX3000.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
uPolicies-explorer: NoRecentDocsNetHood = 01000000
uPolicies-explorer: NoSMMyPictures = 01000000
uPolicies-explorer: NoSMHelp = 01000000
LSP: mswsock.dll
Trusted Zone: intuit.com\ttlc
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1264357330796
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1262807130484
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{0B6CC68F-5297-4C8C-999E-43E59B2385B8} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{C31867C3-DCA9-4552-A047-088817F43FF7} : DhcpNameServer = 192.168.1.1
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\access~1\window~1\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, credssp.dll, msnsspc.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\hu3p0pw2.default\
FF - prefs.js: browser.startup.homepage - hxxp://sports.yahoo.com/fantasy
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
============= SERVICES / DRIVERS ===============
.
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 WinDefend;Windows Defender;c:\program files\accessories\windows defender\MsMpEng.exe [2006-11-3 13592]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-5-20 441176]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-6-15 307928]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-6-15 19544]
S2 avast! Antivirus;avast! Antivirus;c:\program files\avast5\AvastSvc.exe [2010-6-15 42184]
S2 HP LaserJet Service;HP LaserJet Service;c:\program files\hp\hplaserjetservice\HPLaserJetService.exe [2010-4-12 142336]
S3 AR9271;Wireless Network Adapter Service;c:\windows\system32\drivers\athuw.sys [2011-9-12 1714176]
S3 HPFXBULKLEDM;HPFXBULKLEDM;c:\windows\system32\drivers\hppcbulkio.sys [2011-4-8 20504]
S3 HPFXFAX;HPFXFAX;c:\windows\system32\drivers\hppcfaxio.sys [2011-4-8 21528]
S3 SASENUM;SASENUM;c:\program files\accessories\superantispyware\SASENUM.SYS [2008-8-20 7408]
.
=============== File Associations ===============
.
chm.file="hh.exe" %1
txtfile=c:\windows\notepad.exe %1
.
=============== Created Last 30 ================
.
2011-10-02 03:20:49 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-10-01 23:36:06 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-10-01 22:16:35 -------- d-----w- c:\documents and settings\administrator\application data\N4pmG5sQJdKgZh
2011-10-01 22:16:35 -------- d-----w- c:\documents and settings\administrator\application data\GXwkUVrlOt
2011-10-01 17:11:12 -------- d-----w- c:\documents and settings\administrator\application data\ZG4aQH6dW7R9TqU
2011-10-01 17:11:12 -------- d-----w- c:\documents and settings\administrator\application data\ucS1ibD3p
2011-10-01 16:50:41 -------- d-----w- c:\documents and settings\administrator\application data\W1uvS2obF
2011-10-01 16:50:41 -------- d-----w- c:\documents and settings\administrator\application data\jTXqjYCekBzNx
2011-10-01 16:45:50 -------- d-----w- c:\documents and settings\administrator\application data\R1ivD3onGaHsKf
2011-10-01 16:45:50 -------- d-----w- c:\documents and settings\administrator\application data\JOBtzP0yc
2011-10-01 16:41:08 -------- d-----w- c:\documents and settings\administrator\application data\RnG4aQH6dKfLhX
2011-10-01 16:41:08 -------- d-----w- c:\documents and settings\administrator\application data\iwkUVrlOBx0c1b3
2011-10-01 16:37:43 -------- d-----w- c:\documents and settings\administrator\application data\HQH6dWK7fLhXjCl
2011-10-01 16:37:43 -------- d-----w- c:\documents and settings\administrator\application data\dBrzPNycAuDoFpH
2011-10-01 16:34:24 -------- d-----w- c:\documents and settings\administrator\application data\SjjjUCeekIrzP
2011-10-01 16:34:23 -------- d-----w- c:\documents and settings\administrator\application data\iQQHH6sWW7fRLgX
2011-10-01 16:34:16 2390016 ----a-w- c:\windows\system32\AddEEL8gRZqh.exe
2011-10-01 16:34:16 -------- d-----w- c:\documents and settings\administrator\application data\uvDD22obF4pm5sJ
2011-09-21 01:17:37 106496 ----a-r- c:\documents and settings\administrator\application data\microsoft\installer\{3ca54984-a14b-42fe-9ff1-7ea90151d725}\NewShortcut311_0951773981FA4AB2BC21B7DCEC95892A.exe
2011-09-21 01:17:37 106496 ----a-r- c:\documents and settings\administrator\application data\microsoft\installer\{3ca54984-a14b-42fe-9ff1-7ea90151d725}\NewShortcut1_EDD4ABB1C1B34A9D84CE33FBFB5D3639.exe
2011-09-13 21:48:02 -------- d-----w- c:\documents and settings\administrator\application data\Logishrd
2011-09-13 01:52:10 -------- d-----w- c:\documents and settings\administrator\riotsGamesLogs
2011-09-13 00:57:34 -------- d-----w- c:\documents and settings\administrator\application data\LolClient
2011-09-12 21:27:03 -------- d-----w- C:\League Of Legends
2011-09-12 21:25:59 -------- d-----w- c:\documents and settings\administrator\local settings\application data\PMB Files
2011-09-12 21:25:51 -------- d-----w- c:\documents and settings\all users\application data\PMB Files
2011-09-12 21:25:30 -------- d-----w- c:\program files\Pando Networks
2011-09-12 18:11:56 1714176 ----a-r- c:\windows\system32\drivers\athuw.sys
2011-09-12 18:11:44 1714176 ----a-r- c:\windows\system32\athuw.sys
2011-09-12 18:10:48 -------- d-----w- c:\documents and settings\all users\application data\TP-LINK
.
==================== Find3M ====================
.
2011-10-01 02:49:38 138376 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2011-10-01 02:49:29 202448 ----a-w- c:\windows\system32\PnkBstrB.exe
2011-10-01 02:47:52 202448 ----a-w- c:\windows\system32\PnkBstrB.ex0
2011-08-31 21:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-26 22:21:30 42392 ----a-w- c:\windows\system32\xfcodec.dll
2011-07-21 13:45:44 271200 ----a-w- c:\windows\system32\PnkBstrB.xtr
.
============= FINISH: 23:44:15.64 ===============

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

• Do not run any other tool untill instructed to do so!
  
• please Do not Attach logs or put in code boxes.
  
• Tell me about any problems that have occurred during the fix.
  
• Tell me of any other symptoms you may be having as these can help also.
  
• Do not run anything while running a fix.
  
• Do not run any other tool untill instructed to do so!

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Please download DummyCreator.zip and unzip it.

• Run the tool.
  
• Copy and paste the following into the edit box:
  
  C:\WINDOWS\3009287083
  
  
• Press Create button and post the content of the Result.txt.
  
  Important: Restart the computer.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.

Link 1
Link 2
Link 3

1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

In your next post I need the following


• Log from Combofix
  
• let me know of any problems you may have had
  
• How is the computer doing now?

Gringo

Hello Gringo, I have completed the DummyCreator zip step, but while trying to run Combofix, I am not able to disable my avast antivirus because when I would uncheck the Disable avast! self-defense module, it would check itself back. I am also unable to have the icon appear in my system tray. Now, I am stuck on the Combofix warning that says that I have avast running. What could I do now?

This is the result from DummyCreator.

DummyCreator by Farbar
Ran by Administrator (administrator) on 06-10-2011 at 15:04:43
**************************************************************

C:\WINDOWS\3009287083 [06-10-2011 15:01:58]

== End of log ==


I have been doing all of the steps on safe mode. Should I be doing this in normal mode?

do it in normal mode and if you can't shut down avast go ahead and run combofix


gringo

I was fforced to run Combofix in safemode because I was stuck on the page that said that avast was running. It said that a rootkit had been detected and needed to restart the machine, but right now nothing is happening and all I see is the black screen with "Safe Mode" in the lower corners.

restart again and let me know what happens


gringo

Ok, thanks. I have restarted the computer to normal mode this time, and it says "Combofix is preparing to run.."

Combofix Log:
ComboFix 11-10-06.03 - Administrator 10/06/2011 16:38:58.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1638 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: avast! Antivirus *Enabled/Outdated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Application Data\Adobe\vigrs.exe
c:\documents and settings\Administrator\Application Data\dBrzPNycAuDoFpHOpen Cloud AV.ico
c:\documents and settings\Administrator\Application Data\GXwkUVrlOtOpen Cloud AV.ico
c:\documents and settings\Administrator\Application Data\R1ivD3onGaHsKfOpen Cloud AV.ico
c:\documents and settings\Administrator\Application Data\RnG4aQH6dKfLhXOpen Cloud AV.ico
c:\documents and settings\Administrator\Application Data\SjjjUCeekIrzPOpen Cloud AV.ico
c:\documents and settings\Administrator\Application Data\W1uvS2obFOpen Cloud AV.ico
c:\documents and settings\Administrator\Application Data\ZG4aQH6dW7R9TqUOpen Cloud AV.ico
c:\documents and settings\Administrator\GoToAssistDownloadHelper.exe
c:\documents and settings\LocalService\NTUSER.DAT.tmp
c:\documents and settings\NetworkService\NTUSER.DAT.tmp
c:\program files\google\common\google updater\googleupdaterservice.exe
C:\RealPlayer.exe
c:\windows\$NtUninstallKB2655$
c:\windows\$NtUninstallKB2655$\1350742924
c:\windows\$NtUninstallKB2655$\2870173363\@
c:\windows\$NtUninstallKB2655$\2870173363\bckfg.tmp
c:\windows\$NtUninstallKB2655$\2870173363\cfg.ini
c:\windows\$NtUninstallKB2655$\2870173363\Desktop.ini
c:\windows\$NtUninstallKB2655$\2870173363\keywords
c:\windows\$NtUninstallKB2655$\2870173363\kwrd.dll
c:\windows\$NtUninstallKB2655$\2870173363\L\yansraei
c:\windows\$NtUninstallKB2655$\2870173363\lsflt7.ver
c:\windows\$NtUninstallKB2655$\2870173363\U\00000001.@
c:\windows\$NtUninstallKB2655$\2870173363\U\00000002.@
c:\windows\$NtUninstallKB2655$\2870173363\U\80000000.@
c:\windows\$NtUninstallKB2655$\2870173363\U\80000032.@
c:\windows\3009287083
c:\windows\system32\d3d9caps.dat
c:\windows\system32\dumphive.exe
c:\windows\system32\logs
c:\windows\system32\logs\Ad-Aware event.log
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
.
Infected copy of c:\windows\system32\drivers\netbt.sys was found and disinfected
Restored copy from - The cat found it
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_ab135eb3
.
.
((((((((((((((((((((((((( Files Created from 2011-09-06 to 2011-10-06 )))))))))))))))))))))))))))))))
.
.
2011-10-06 20:09 . 2007-11-30 07:19 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-10-02 03:20 . 2011-10-02 03:21 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-10-01 23:36 . 2011-10-02 02:43 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-10-01 22:16 . 2011-10-01 22:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\N4pmG5sQJdKgZh
2011-10-01 22:16 . 2011-10-01 22:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\GXwkUVrlOt
2011-10-01 17:11 . 2011-10-01 17:11 -------- d-----w- c:\documents and settings\Administrator\Application Data\ZG4aQH6dW7R9TqU
2011-10-01 17:11 . 2011-10-01 17:11 -------- d-----w- c:\documents and settings\Administrator\Application Data\ucS1ibD3p
2011-10-01 16:50 . 2011-10-01 16:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\W1uvS2obF
2011-10-01 16:50 . 2011-10-01 16:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\jTXqjYCekBzNx
2011-10-01 16:45 . 2011-10-01 16:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\R1ivD3onGaHsKf
2011-10-01 16:45 . 2011-10-01 16:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\JOBtzP0yc
2011-10-01 16:41 . 2011-10-01 16:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\RnG4aQH6dKfLhX
2011-10-01 16:41 . 2011-10-01 16:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\iwkUVrlOBx0c1b3
2011-10-01 16:37 . 2011-10-01 16:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\HQH6dWK7fLhXjCl
2011-10-01 16:37 . 2011-10-01 16:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\dBrzPNycAuDoFpH
2011-10-01 16:34 . 2011-10-01 16:34 -------- d-----w- c:\documents and settings\Administrator\Application Data\SjjjUCeekIrzP
2011-10-01 16:34 . 2011-10-01 16:34 -------- d-----w- c:\documents and settings\Administrator\Application Data\iQQHH6sWW7fRLgX
2011-10-01 16:34 . 2011-10-01 16:34 2390016 ----a-w- c:\windows\system32\AddEEL8gRZqh.exe
2011-10-01 16:34 . 2011-10-01 16:34 -------- d-----w- c:\documents and settings\Administrator\Application Data\uvDD22obF4pm5sJ
2011-09-21 01:17 . 2011-09-21 01:17 106496 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{3CA54984-A14B-42FE-9FF1-7EA90151D725}\NewShortcut311_0951773981FA4AB2BC21B7DCEC95892A.exe
2011-09-21 01:17 . 2011-09-21 01:17 106496 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{3CA54984-A14B-42FE-9FF1-7EA90151D725}\NewShortcut1_EDD4ABB1C1B34A9D84CE33FBFB5D3639.exe
2011-09-13 21:48 . 2011-09-13 21:48 -------- d-----w- c:\documents and settings\Administrator\Application Data\Logitech
2011-09-13 21:48 . 2011-09-13 21:48 -------- d-----w- c:\documents and settings\Administrator\Application Data\Logishrd
2011-09-13 01:52 . 2011-09-30 22:42 -------- d-----w- c:\documents and settings\Administrator\riotsGamesLogs
2011-09-13 00:57 . 2011-09-13 00:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\LolClient
2011-09-12 21:27 . 2011-09-12 22:25 -------- d-----w- C:\League Of Legends
2011-09-12 21:25 . 2011-10-01 00:17 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\PMB Files
2011-09-12 21:25 . 2011-10-01 00:17 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2011-09-12 21:25 . 2011-09-12 21:25 -------- d-----w- c:\program files\Pando Networks
2011-09-12 18:11 . 2010-01-05 07:31 1714176 ----a-r- c:\windows\system32\drivers\athuw.sys
2011-09-12 18:11 . 2010-01-05 07:31 1714176 ----a-r- c:\windows\system32\athuw.sys
2011-09-12 18:10 . 2011-09-12 18:10 -------- d-----w- c:\documents and settings\All Users\Application Data\TP-LINK
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-01 02:49 . 2008-04-13 00:18 138376 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2011-10-01 02:49 . 2008-04-13 00:18 202448 ----a-w- c:\windows\system32\PnkBstrB.exe
2011-10-01 02:47 . 2008-04-13 00:18 202448 ----a-w- c:\windows\system32\PnkBstrB.ex0
2011-09-21 01:17 . 2010-06-23 14:01 106496 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{3CA54984-A14B-42FE-9FF1-7EA90151D725}\NewShortcut31_2F252077BA3F4362913955273A708467.exe
2011-08-31 21:00 . 2008-11-30 04:52 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-26 22:21 . 2011-08-26 22:21 42392 ----a-w- c:\windows\system32\xfcodec.dll
2011-07-21 13:45 . 2009-12-10 22:22 271200 ----a-w- c:\windows\system32\PnkBstrB.xtr
2009-05-23 20:15 . 2009-05-23 20:15 44360 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2009-05-23 20:15 . 2009-05-23 20:15 107928 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2011-09-30 01:10 . 2011-05-22 19:56 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-09-14 4611456]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VX3000"="c:\windows\vVX3000.exe" [2009-07-24 762208]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-10-16 13851752]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 01000000
"NoSMMyPictures"= 01000000
"NoSMHelp"= 01000000
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, credssp.dll, msnsspc.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Accessories\\Azureus\\Azureus.exe"=
"c:\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Accessories\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Call of Duty Game of the Year Edition\\CoDUOMP.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Warcraft III\\War3.exe"=
"c:\\MVP Baseball 2005\\mvp2005.exe"=
"c:\\FIFA 2006\\FIFAWC06.exe"=
"c:\\Madden NFL 08\\mainapp.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Call of Duty 5\\CoDWaWmp.exe"=
"c:\\Call of Duty 5\\CoDWaW.exe"=
"c:\\GTA IV\\Rockstar Games Social Club\\RGSCLauncher.exe"=
"c:\\GTA IV\\Grand Theft Auto IV\\LaunchGTAIV.exe"=
"c:\\GTA IV\\Grand Theft Auto IV\\GTAIV.exe"=
"c:\\Test Drive Unlimited\\TestDriveUnlimited.exe"=
"c:\\Program Files\\Call of Duty Game of the Year Edition\\CoDMP.exe"=
"c:\\NASCAR Thunder 2004\\NASCAR_Thunder_2004.exe"=
"c:\\NBA 2K10\\nba2k10.exe"=
"c:\\Program Files\\Teamspeak2\\server_windows.exe"=
"c:\\Program Files\\Call of Duty 4\\iw3mp.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Tencent\\QQIntl\\Bin\\QQ.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Games\\NASCAR Thunder TM 2004\\NASCAR_Thunder_2004.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Tencent\\QQIntl\\Bin\\auclt.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675
"58557:TCP"= 58557:TCP:Pando Media Booster
"58557:UDP"= 58557:UDP:Pando Media Booster
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [5/20/2011 11:12 PM 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [6/15/2010 8:22 AM 307928]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 12:27 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 7:38 PM 116608]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [6/15/2010 8:22 AM 19544]
R2 WinDefend;Windows Defender;c:\program files\Accessories\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 HPFXBULKLEDM;HPFXBULKLEDM;c:\windows\system32\drivers\hppcbulkio.sys [4/8/2011 12:50 PM 20504]
R3 HPFXFAX;HPFXFAX;c:\windows\system32\drivers\hppcfaxio.sys [4/8/2011 12:50 PM 21528]
S2 HP LaserJet Service;HP LaserJet Service;c:\program files\HP\HPLaserJetService\HPLaserJetService.exe [4/12/2010 9:13 AM 142336]
S3 AR9271;Wireless Network Adapter Service;c:\windows\system32\drivers\athuw.sys [9/12/2011 2:11 PM 1714176]
S3 SASENUM;SASENUM;c:\program files\Accessories\SUPERAntiSpyware\SASENUM.SYS [8/20/2008 12:34 AM 7408]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-06 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Accessories\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
.
------- Supplementary Scan -------
.
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hu3p0pw2.default\
FF - prefs.js: browser.startup.homepage - hxxp://sports.yahoo.com/fantasy
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
.
------- File Associations -------
.
txtfile=c:\windows\notepad.exe %1
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-aawservice
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-06 16:52
Windows 5.1.2600 Service Pack 3, v.6055 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\Accessories\PowerDVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1078081533-261478967-682003330-500\Software\SecuROM\License information*]
"datasecu"=hex:bd,0d,2c,c7,3f,a0,14,d6,eb,f6,cd,92,a2,a7,2a,72,7e,67,29,3b,89,
82,39,04,76,f5,a4,bb,28,06,4d,84,69,01,e3,37,45,d1,7c,cf,2b,2f,8e,08,d6,6c,\
"rkeysecu"=hex:c8,69,c9,10,72,59,72,eb,a2,c9,5a,c6,9a,8a,64,07
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG10.00.00.01WORKSTATION"="4468EB489B4406E0B8EE6E2C162A835424228518F10B7C1F8811CE4C33973A6107B3C3BBD366D80EE36FA0E8AACBD44F4EB510D79F39E0797F2CAC8AB02F0F1725EA549043C445FB204045A2CCB10DE98F118ED3447AA74E2B41D352E719F400762F5AAFD3C8301DB3BBECC2E050F66B39E608985FEB9DD309FADEEE963ADF64C0C4A7C49EBFD1EC50DFBFF67E7D2D9D8C8F1A73260DE4C308A9006FAED9158E4315A1C0745CB465A24EF631F373204C418372758342F3DC0DC1F9A758A431CE2EAD40D658B2B988474D61FEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CA6A0AC4980AC7933A2D97226D213B5555D575E7D6A3B9808FEBC9E127BECC74CD6C4A35DEA9840673F0BC53B3320848D6EC1DD270C8ED9FEC6B042265582B470FAC1A92CEE9F48E99ADAAB1456CDCF63AE8057E7C7416DB7ED4655FA765A90E4F19B9352D351741B10D892D8E3AF269E30252DEE27232277BD31833E8D1400F028326862001528EDEDBC67E2F39C2307BDE8537A93987077A443EB31F4BF7464CA168F44DFC8EE6743F87C5C22DF0B76E937A599F977F209D48813E90BE00023CD0F55B262BC742164AE08C59035415A8A3163B1CD8AE70E45BDDF52336F5CA5E8176ABAFB3789C769B621F2625052B6B6ABAC7B8391327D2E541EA6525865F7175DE241A3EF231DAE1DC70C43D56A204DAE8A0415BF59E48FF17CF955FA993B964437FBD5955A75D420DB0CDBE15CC16FF6652C003C0861AA6F8F3229AA1D236A62C37592C7EBBA3FB3A1425F011C5A80F48B27C5A10D2707DACC88413039785C024A8DDB1CB86A95FE45D402B4463A2C4D317F6CFEDAFC6C76118B9448D817F321EC75BA9AC695C4DED2B8FCF497CA5DD7EB917E5709BDE9B61B9B1DA18B6E8372B436B9C13DE0FDE23BBA8AA8718347A2358E872153DA52458FEFD9E107049C5D8F2869026987344CD47B6E315B73DCEBEC7A994896553C80F3924D9F216F95FBCBFADCBF3D549E15586E6B5FFCBDD82BD3ADCCABD74500F8B5DEFDE6D5DD0B1C20B22C554C2ABB67E25A4AF82598B70691D5B71EBBD53D742209F638460F5C4222A3738ED0FDC9A376DB59B7464C3B5B30747AE68F47556D6E96468836D62BA2D07B512D26584D5B7862E5C9763A673A1EDB3441BFEA6F9031DF003E8C9D60A88B36E866CED7105832B2C8526E5207E6AD370DDA612AF3BE6693B8B555DF257295A8E4626FAC9B16D162D6E58D9B265B16032DD72A7E920F6BB30CBF42AE6AD319F8ECBECF9C42426760EF0FD3301643700E424F7578BDC806161920A52D635322A1B30CDC01164368E9724C693E6CFE3C7F7E4D42BA2A6CDC64820E769485A9A0F0EBCFA847F12DAF93438F960981245ACE974E33FB52297B9BED37D2308CC6E88BCB"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(892)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(2492)
c:\windows\system32\WININET.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\windows\system32\oodag.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\tcpsvcs.exe
.
**************************************************************************
.
Completion time: 2011-10-06 16:54:55 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-06 20:54
.
Pre-Run: 364,377,194,496 bytes free
Post-Run: 364,487,200,768 bytes free
.
- - End Of File - - A0912E03733AB2437FC763570D34DE3A

Greetings

Good That cleaned up some bad guys but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

File::
c:\windows\system32\AddEEL8gRZqh.exe

Folder::
c:\documents and settings\Administrator\Application Data\N4pmG5sQJdKgZh
c:\documents and settings\Administrator\Application Data\GXwkUVrlOt
c:\documents and settings\Administrator\Application Data\ZG4aQH6dW7R9TqU
c:\documents and settings\Administrator\Application Data\ucS1ibD3p
c:\documents and settings\Administrator\Application Data\W1uvS2obF
c:\documents and settings\Administrator\Application Data\jTXqjYCekBzNx
c:\documents and settings\Administrator\Application Data\R1ivD3onGaHsKf
c:\documents and settings\Administrator\Application Data\JOBtzP0yc
c:\documents and settings\Administrator\Application Data\RnG4aQH6dKfLhX
c:\documents and settings\Administrator\Application Data\iwkUVrlOBx0c1b3
c:\documents and settings\Administrator\Application Data\HQH6dWK7fLhXjCl
c:\documents and settings\Administrator\Application Data\dBrzPNycAuDoFpH
c:\documents and settings\Administrator\Application Data\SjjjUCeekIrzP
c:\documents and settings\Administrator\Application Data\iQQHH6sWW7fRLgX

Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe

This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

"information and logs"

In your next post I need the following


• report from Combofix
  
• let me know of any problems you may have had
  
• How is the computer doing now after running the script?

Gringo

Hello, Combofix ran, but now it seems to be stuck at "Preparing log report, do not run any programs until Combofix has finished" It has shown this screen for more than 30 minutes already. Should I "x" the window?

This post has been edited by tn2642: 06 October 2011 - 06:06 PM

is it still stuck?



gringo

It was stuck for about 2 hours so I closed it, but it said it was not responding so I restarted the computer. There were no logs generated after restart.

This post has been edited by tn2642: 06 October 2011 - 09:16 PM

Hello

Ok lets try this, I want you to run combofix in safe mode but it is very important that when combofix reboots the computer for you to direct it back into safe mode so it can finish the scan.

Boot into Safe Mode

Reboot your computer in Safe Mode.

• If the computer is running, shut down Windows, and then turn off the power.
  
• Wait 30 seconds, and then turn the computer on.
  
• Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  
• Ensure that the Safe Mode option is selected.
  
• Press Enter. The computer then begins to start in Safe mode.
  
• Login on your usual account.

after combofix has finished its scan please post the report back here.

Gringo

Ok, thanks. Would I be dragging the CFScript to the Combofix like last step?

This post has been edited by tn2642: 06 October 2011 - 09:28 PM

Yes please do


gringo