BleepingComputer.com: infected with tdss Having popups on my malware bytes

Jump to content

Forum Guidelines

Posted Image Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help


Posted Image Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.


Posted Image DO NOT RUN ComboFix unless requested to.


Posted Image Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


Posted Image When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Posted Image Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
  • 3 Pages +
  • 1
  • 2
  • 3
  • You cannot start a new topic
  • This topic is locked

infected with tdss Having popups on my malware bytes No clue how to remove it Any help appreciated.

#1 User is offline   mtfdben58 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 17
  • Joined: 04-October 11

Posted 04 October 2011 - 04:41 PM

Received a bug the other day. my computer is slow, can not run antivirus. Malware keeps stating it's blocking outgoing popups in lower right hand tray.


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by benjamin at 14:05:36 on 2011-10-04
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.89 [GMT -4:00]
.
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\3491893055:3237010735.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Keyboard & Mouse Driver\KMWDSrv.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PdaNet for Android\PdaNetPC.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = <local>
uURLSearchHooks: Babylon-English Toolbar: {ce18769b-c7fa-42d2-860d-17c4662c70ad} - c:\program files\babylon-english\tbBaby.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: IEPlugin Class: {11222041-111b-46e3-bd29-efb2449479b1} - c:\progra~1\arcsoft\videod~1\ARCURL~1.DLL
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Verizon SMB Toolbar: {a057a204-bacc-4d26-dfc4-79a09bf76bc9} - c:\progra~1\vzsmbtb\vzsmbtb.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Verizon SMB Toolbar: {a057a204-bacc-4d26-dfc4-79a09bf76bc9} - c:\progra~1\vzsmbtb\vzsmbtb.dll
TB: Babylon-English Toolbar: {ce18769b-c7fa-42d2-860d-17c4662c70ad} - c:\program files\babylon-english\tbBaby.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\benjamin\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [HTC Sync Loader] "c:\program files\htc\htc sync 3.0\htcUPCTLoader.exe" -startup
StartupFolder: c:\docume~1\benjamin\startm~1\programs\startup\pdanet~1.lnk - c:\program files\pdanet for android\PdaNetPC.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: mswsock.dll
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemydsl.verizon.net/sdcCommon/download/DSL/Verizon%20High%20Speed%20Internet%20Installer.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www2.snapfish.com/SnapfishActivia.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{9C06DD4D-E102-4BB6-9EF0-71FE938E3BBB} : DhcpNameServer = 192.168.1.1
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\benjamin\application data\mozilla\firefox\profiles\k629nd0g.default\
FF - prefs.js: browser.startup.homepage - hxxp://yahoo.com/
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\benjamin\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\benjamin\local settings\application data\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\verizon\vsp\nprpspa.dll
.
============= SERVICES / DRIVERS ===============
.
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-5 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-4-5 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-5 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-4-5 297752]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-9-26 189736]
R2 KMWDSERVICE;Keyboard And Mouse Communication Service;c:\program files\keyboard & mouse driver\KMWDSrv.exe [2007-4-5 208896]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-1-26 366152]
R2 PassThru Service;Internet Pass-Through Service;c:\program files\htc\internet pass-through\PassThruSvr.exe [2011-8-12 87040]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-1-26 22216]
R3 pneteth;PdaNet Broadband;c:\windows\system32\drivers\pneteth.sys [2011-1-19 13312]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-4-5 908056]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-20 136176]
S3 androidusb;ADB Interface Driver;c:\windows\system32\drivers\androidusb.sys [2011-6-9 31312]
S3 easytether;easytether;c:\windows\system32\drivers\easytthr.sys --> c:\windows\system32\drivers\easytthr.sys [?]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2011-1-23 13192]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2011-1-23 8456]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-3-20 136176]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\androidusb.sys [2011-6-9 31312]
S3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\drivers\htcnprot.sys [2010-6-22 21248]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [2011-1-19 9472]
S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [2009-1-16 160256]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\drivers\rts516xir.sys --> c:\windows\system32\drivers\Rts516xIR.sys [?]
S4 RS_Service;Raw Socket Service;c:\program files\acer\acer vcm\RS_Service.exe [2009-1-16 237568]
S4 ServicepointService;ServicepointService;c:\program files\verizon\vsp\ServicepointService.exe [2010-1-18 668912]
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-08-31 21:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-09 02:02:23 13685936 ----a-w- C:\Firefox Setup 5.0.1.exe
2011-07-19 15:28:06 13312 ----a-w- c:\windows\system32\drivers\pneteth.sys
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ------w- c:\windows\system32\drivers\ndistapi.sys
2009-04-10 22:47:32 174207416 -c--a-w- c:\program files\rw2_021_w02_enu.exe
2009-04-10 21:42:16 3938520 -c--a-w- c:\program files\hpDriverDetective.exe
2009-04-06 01:31:17 10553792 -c--a-w- c:\program files\Vuze_Installer.exe
2009-04-05 04:05:58 63049904 -c--a-w- c:\program files\avg_free_stf_en_85_285a1462.exe
.
============= FINISH: 14:08:53.48 ===============

Attached File(s)

  • Attached File  attach.txt (20.89K)
    Number of downloads: 3
  • Attached File  ark.txt (4.36K)
    Number of downloads: 1

#2 User is offline   CatByte 

  • Bleepin' curls!
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 7,857
  • Joined: 09-November 08
  • Gender:Not Telling
  • Location:Canada

Posted 04 October 2011 - 08:20 PM

Hi,

Please do the following:

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.

As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Posted Image

  • Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
The help you receive here is free. If you wish to show your appreciation, then you may Posted Image
Microsoft MVP - 2010, 2011

#3 User is offline   mtfdben58 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 17
  • Joined: 04-October 11

Posted 04 October 2011 - 09:32 PM

It will not let me disable AVG. Guy I work with even tried msconfig to shut it off manually and it still says it's running after combofix runs it's initial test. My question is where do i go from here. Combofix says it will continue to run but at my own risk. Thanks in advance.

#4 User is offline   CatByte 

  • Bleepin' curls!
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 7,857
  • Joined: 09-November 08
  • Gender:Not Telling
  • Location:Canada

Posted 05 October 2011 - 12:52 AM

temporarily uninstall AVG

use the app remover:

Please download AppRemover and save it to your desktop.
  • Double click on AppRemover.exe to run it.
  • Uncheck "Enable anonymous usage statistics. No personal data will be recorded."
  • Click on the Next button.
  • Click on "Remove Security Application" or "Clean Up a Failed Uninstall" depending on what you want to do. (you want the failed uninstall)
  • Click on the Next button.
  • A scan begins, please wait. Once done, click on the Next button.
  • Now you should have a list of your installed programs, choose the one you want to remove and click on the Next button. (AVG)
  • Follow the last step and reboot if asked to do so.

The help you receive here is free. If you wish to show your appreciation, then you may Posted Image
Microsoft MVP - 2010, 2011

#5 User is offline   mtfdben58 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 17
  • Joined: 04-October 11

Posted 05 October 2011 - 08:12 AM

Thank You I am doing that now Will try and finish the last step you asked for. Thank you again.

#6 User is offline   mtfdben58 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 17
  • Joined: 04-October 11

Posted 05 October 2011 - 09:02 AM

Ok tried this multiple times. the program shuts off around 28% tried it in safe mode ran its course but did not find avg. Checked under add remove programs no mention of avg. Tried combofix again same.message. please turn off avg, u can continue but at your own risk.

#7 User is offline   CatByte 

  • Bleepin' curls!
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 7,857
  • Joined: 09-November 08
  • Gender:Not Telling
  • Location:Canada

Posted 05 October 2011 - 02:39 PM

it is just finding remnants in the WMI, it's safe to continue on
The help you receive here is free. If you wish to show your appreciation, then you may Posted Image
Microsoft MVP - 2010, 2011

#8 User is offline   mtfdben58 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 17
  • Joined: 04-October 11

Posted 05 October 2011 - 08:49 PM

Finally got combofix to run with no issues. Here is the attached log. Only problem I had was with The recovery COnsole was not on my computer and failed to download. Let me know where to go from here. Thanks again.

ComboFix 11-10-04.04 - benjamin 10/05/2011 21:18:44.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.718 [GMT -4:00]
Running from: c:\documents and settings\benjamin\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\benjamin\Application Data\alot
c:\program files\avg_free_stf_en_85_285a1462.exe
c:\windows\$NtUninstallKB57888$\1057956560\@
c:\windows\$NtUninstallKB57888$\1057956560\bckfg.tmp
c:\windows\$NtUninstallKB57888$\1057956560\cfg.ini
c:\windows\$NtUninstallKB57888$\1057956560\Desktop.ini
c:\windows\$NtUninstallKB57888$\1057956560\keywords
c:\windows\$NtUninstallKB57888$\1057956560\kwrd.dll
c:\windows\$NtUninstallKB57888$\1057956560\L\ymtdkmmj
c:\windows\$NtUninstallKB57888$\1057956560\lsflt7.ver
c:\windows\$NtUninstallKB57888$\1057956560\U\00000001.@
c:\windows\$NtUninstallKB57888$\1057956560\U\00000002.@
c:\windows\$NtUninstallKB57888$\1057956560\U\80000000.@
c:\windows\$NtUninstallKB57888$\1057956560\U\80000032.@
c:\windows\$NtUninstallKB57888$\328467387
c:\windows\$NtUninstallKB57888$ . . . . Failed to delete
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_3f0f22d0
.
.
((((((((((((((((((((((((( Files Created from 2011-09-06 to 2011-10-06 )))))))))))))))))))))))))))))))
.
.
2011-09-28 15:41 . 2011-10-06 01:33 -------- d-----w- c:\documents and settings\benjamin\Local Settings\Application Data\Htc
2011-09-27 13:25 . 2011-09-27 13:25 -------- d-----w- c:\documents and settings\benjamin\Application Data\UyyycA1ivD2
2011-09-27 13:25 . 2011-09-27 13:25 -------- d-----w- c:\documents and settings\benjamin\Application Data\uRRL9hhTXjUCItz
2011-09-27 12:48 . 2011-09-27 12:48 -------- d-----w- c:\documents and settings\benjamin\Application Data\wHH66sWKfELgTqY
2011-09-27 12:48 . 2011-09-27 12:48 -------- d-----w- c:\documents and settings\benjamin\Application Data\deekkIBrzNyx
2011-09-27 11:55 . 2011-09-27 11:55 -------- d-----w- c:\documents and settings\benjamin\Application Data\ZlBPy1b3oG4aHsK
2011-09-27 11:55 . 2011-09-27 11:55 -------- d-----w- c:\documents and settings\benjamin\Application Data\xSS2obpG5Qd8g9X
2011-09-27 11:46 . 2011-09-27 11:46 -------- d-----w- c:\documents and settings\benjamin\Application Data\CcAi24m5W7E8TqY
2011-09-27 11:46 . 2011-09-27 11:46 -------- d-----w- c:\documents and settings\benjamin\Application Data\bibbD3nG47UN1ms
2011-09-27 11:39 . 2011-09-27 11:39 118590 ----a-w- C:\sdasetup_revwire207.exe
2011-09-27 11:36 . 2011-09-27 11:36 -------- d-----w- c:\documents and settings\benjamin\Application Data\eQQHH6sWK7RLgT
2011-09-27 11:36 . 2011-09-27 11:36 -------- d-----w- c:\documents and settings\benjamin\Application Data\QYCCekVNob5sJdK
2011-09-27 11:24 . 2011-09-27 11:24 -------- d-----w- c:\documents and settings\benjamin\Application Data\C7fLgZjCkVzNx0v
2011-09-27 11:24 . 2011-09-27 11:24 -------- d-----w- c:\documents and settings\benjamin\Application Data\aiib355a6d
2011-09-27 11:21 . 2011-09-27 11:22 -------- d-----w- c:\documents and settings\Administrator
2011-09-27 11:09 . 2011-09-27 11:09 -------- d-----w- c:\documents and settings\benjamin\Application Data\sOOBtxxP0cS1b3o
2011-09-27 11:09 . 2011-09-27 11:09 -------- d-----w- c:\documents and settings\benjamin\Application Data\XmH66sWJ7fL9TZj
2011-09-27 03:58 . 2011-09-27 03:58 -------- d-----w- c:\documents and settings\benjamin\Application Data\pggTTZqhYCkIrlN
2011-09-27 03:58 . 2011-09-27 03:58 -------- d-----w- c:\documents and settings\benjamin\Application Data\bppnnG5aQJdW8R9
2011-09-27 03:44 . 2011-09-27 03:44 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-09-27 03:33 . 2011-09-27 11:06 -------- d-----w- c:\documents and settings\benjamin\Application Data\VwwwjUVVelBtz0c
2011-09-27 03:33 . 2011-09-27 03:33 -------- d-----w- c:\documents and settings\benjamin\Application Data\pKK88fRZ9
2011-09-27 03:33 . 2011-09-27 03:33 -------- d-----w- c:\documents and settings\benjamin\Application Data\wZZqhYXwUVrlB
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-09 09:12 . 2009-01-16 23:18 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-08-31 21:00 . 2011-01-26 15:12 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-09 02:02 . 2011-08-09 02:00 13685936 ----a-w- C:\Firefox Setup 5.0.1.exe
2011-07-19 15:28 . 2011-01-19 23:16 13312 ----a-w- c:\windows\system32\drivers\pneteth.sys
2011-07-15 13:29 . 2009-01-16 23:18 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2009-01-16 23:18 10496 ------w- c:\windows\system32\drivers\ndistapi.sys
2009-04-10 22:47 . 2009-04-10 22:47 174207416 -c--a-w- c:\program files\rw2_021_w02_enu.exe
2009-04-10 21:42 . 2009-04-10 21:42 3938520 -c--a-w- c:\program files\hpDriverDetective.exe
2009-04-06 01:31 . 2009-04-06 01:27 10553792 -c--a-w- c:\program files\Vuze_Installer.exe
2011-09-07 21:26 . 2011-08-09 02:02 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-09-26 185640]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-02-15 417792]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
"HTC Sync Loader"="c:\program files\HTC\HTC Sync 3.0\htcUPCTLoader.exe" [2011-08-22 593920]
.
c:\documents and settings\benjamin\Start Menu\Programs\Startup\
PdaNet Desktop.lnk - c:\program files\PdaNet for Android\PdaNetPC.exe [2011-10-2 480880]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acer VCM.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acer VCM.lnk
backup=c:\windows\pss\Acer VCM.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
backup=c:\windows\pss\hp psc 1000 series.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^benjamin^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\benjamin\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^benjamin^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
path=c:\documents and settings\benjamin\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
backup=c:\windows\pss\Microsoft Find Fast.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^benjamin^Start Menu^Programs^Startup^Office Startup.lnk]
path=c:\documents and settings\benjamin\Start Menu\Programs\Startup\Office Startup.lnk
backup=c:\windows\pss\Office Startup.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 04:59 937920 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-09-07 22:58 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2008-06-19 08:20 57344 -c--a-w- c:\windows\ALCMTR.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
2009-10-10 17:32 203264 -c--a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
2010-07-08 23:02 2048352 ----a-w- c:\progra~1\AVG\AVG8\avgtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AzMixerSel]
2006-01-25 10:45 53248 ----a-w- c:\program files\Realtek\Audio\Drivers\AzMixerSel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 12:00 15360 ------w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-06-02 03:12 136176 ----atw- c:\documents and settings\benjamin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-02-28 01:00 166424 ------w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2008-04-16 01:54 178712 -c--a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-02-28 01:00 141848 ------w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2008-04-14 12:00 208952 -c--a-w- c:\windows\ime\imjp8_1\imjpmig.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KMCONFIG]
2007-03-06 18:51 212992 ----a-w- c:\program files\Keyboard & Mouse Driver\StartAutorun.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
2008-12-30 07:09 875016 -c--a-w- c:\progra~1\LAUNCH~1\LManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 13:42 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
2008-04-14 12:00 59392 -c----w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NotificationCenterLauncher]
2008-12-22 20:00 225280 -c--a-w- c:\program files\Acer\Acer eRecovery Management\NotificationLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM2_Monitor]
2008-10-31 16:17 95536 -c----w- c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-02-28 01:00 137752 ------w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2008-04-14 12:00 455168 -c----w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2008-04-14 12:00 455168 -c----w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PLFSetL]
2008-07-03 23:58 94208 -c--a-w- c:\windows\PLFSetL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-02-15 23:50 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2008-12-26 08:20 18081280 -c--a-w- c:\windows\RTHDCPL.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snp2uvc]
2008-11-04 03:00 196608 ------w- c:\windows\system32\csnp2uvc.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-05-28 17:25 148888 -c--a-w- c:\program files\Java\jre6\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2008-11-20 09:38 1398056 -c--a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VerizonServicepoint.exe]
2009-11-18 15:50 4269296 ----a-w- c:\program files\Verizon\VSP\VerizonServicepoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Verizon_McciTrayApp]
2009-12-28 21:17 1551872 ----a-w- c:\program files\Verizon\McciTrayApp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"RS_Service"=2 (0x2)
"ProtexisLicensing"=2 (0x2)
"Pml Driver HPZ12"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"ACDaemon"=2 (0x2)
"ServicepointService"=2 (0x2)
"RoxMediaDB9"=3 (0x3)
"RoxLiveShare9"=2 (0x2)
"Roxio Upnp Server 9"=2 (0x2)
"Roxio UPnP Renderer 9"=3 (0x3)
"gupdate"=2 (0x2)
"ASKUpgrade"=2 (0x2)
"ASKService"=2 (0x2)
"RoxWatch9"=2 (0x2)
"McciCMService"=2 (0x2)
"IDriverT"=3 (0x3)
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Acer\\Acer VCM\\VC.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Verizon\\VSP\\ServicepointService.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
"c:\\Program Files\\StreamTorrent 1.0\\StreamTorrent.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\HTC\\HTC Sync 3.0\\adb.exe"=
"c:\\Program Files\\HTC\\HTC Sync 3.0\\htcUPCTLoader.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"= 8085:TCP:MyOKOPort
"9212:TCP"= 9212:TCP:SkyCaddie Desktop
"9210:UDP"= 9210:UDP:SkyCaddie Desktop
.
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [9/26/2009 12:32 AM 189736]
R2 KMWDSERVICE;Keyboard And Mouse Communication Service;c:\program files\Keyboard & Mouse Driver\KMWDSrv.exe [4/5/2007 10:29 AM 208896]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [1/26/2011 11:12 AM 22216]
R3 pneteth;PdaNet Broadband;c:\windows\system32\drivers\pneteth.sys [1/19/2011 7:16 PM 13312]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [1/26/2011 11:12 AM 366152]
S3 androidusb;ADB Interface Driver;c:\windows\system32\drivers\androidusb.sys [6/9/2011 5:59 PM 31312]
S3 easytether;easytether;c:\windows\system32\DRIVERS\easytthr.sys --> c:\windows\system32\DRIVERS\easytthr.sys [?]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [1/23/2011 10:45 PM 13192]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [1/23/2011 10:45 PM 8456]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [3/20/2010 8:06 PM 136176]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\androidusb.sys [6/9/2011 5:59 PM 31312]
S3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\drivers\htcnprot.sys [6/22/2010 6:01 PM 21248]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [1/19/2011 7:16 PM 9472]
S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [1/16/2009 8:26 PM 160256]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/20/2010 8:06 PM 136176]
S4 PassThru Service;Internet Pass-Through Service;c:\program files\HTC\Internet Pass-Through\PassThruSvr.exe [8/12/2011 5:13 PM 87040]
S4 RS_Service;Raw Socket Service;c:\program files\Acer\Acer VCM\RS_Service.exe [1/16/2009 9:02 PM 237568]
S4 ServicepointService;ServicepointService;c:\program files\Verizon\VSP\ServicepointService.exe [1/18/2010 4:08 PM 668912]
.
Contents of the 'Scheduled Tasks' folder
.
2009-07-19 c:\windows\Tasks\FRU Task 2003-04-10 00:56ewlett-Packard2003-04-10 00:56p psc 1200 series272A572217594EBCF1CEE215E352B92AD073FDE4239404004.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 21:56]
.
2011-10-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-21 00:05]
.
2011-10-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-21 00:05]
.
2011-10-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3588590466-972670786-3454122357-1006Core.job
- c:\documents and settings\benjamin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-01 03:12]
.
2011-10-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3588590466-972670786-3454122357-1006UA.job
- c:\documents and settings\benjamin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-01 03:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.9.1
FF - ProfilePath - c:\documents and settings\benjamin\Application Data\Mozilla\Firefox\Profiles\k629nd0g.default\
FF - prefs.js: browser.startup.homepage - hxxp://yahoo.com/
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{ce18769b-c7fa-42d2-860d-17c4662c70ad} - c:\program files\Babylon-English\tbBaby.dll
Toolbar-{ce18769b-c7fa-42d2-860d-17c4662c70ad} - c:\program files\Babylon-English\tbBaby.dll
Notify-avgrsstarter - (no file)
MSConfigStartUp-BlackBerryAutoUpdate - c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
MSConfigStartUp-CaddieSyncLauncher - c:\program files\SkyGolf\SkyCaddie Desktop\CaddieSyncLauncher.exe
MSConfigStartUp-ISUSPM - c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
MSConfigStartUp-msnmsgr - c:\program files\Windows Live\Messenger\msnmsgr.exe
MSConfigStartUp-RoxWatchTray - c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
MSConfigStartUp-Search Protection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe
MSConfigStartUp-sysfbtray - c:\windows\bill104.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-05 21:33
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\docume~1\benjamin\LOCALS~1\Temp\tmp318.tmp1
c:\docume~1\benjamin\LOCALS~1\Temp\tmp569.tmp1
.
scan completed successfully
hidden files: 2
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1824)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\SearchIndexer.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2011-10-05 21:37:09 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-06 01:37
.
Pre-Run: 108,490,391,552 bytes free
Post-Run: 109,993,287,680 bytes free
.
- - End Of File - - DF3F38671EDD186CC21186243D35BCA2

#9 User is offline   CatByte 

  • Bleepin' curls!
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 7,857
  • Joined: 09-November 08
  • Gender:Not Telling
  • Location:Canada

Posted 05 October 2011 - 09:20 PM

Hi,

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

http://www.bleepingcomputer.com/forums/topic421901.html/page__gopid__2431219#entry2431219

Collect::
c:\windows\bill104.exe

Rootkit::
c:\windows\$NtUninstallKB57888$
c:\docume~1\benjamin\LOCALS~1\Temp\tmp318.tmp1
c:\docume~1\benjamin\LOCALS~1\Temp\tmp569.tmp1

DirLook::
c:\documents and settings\benjamin\Local Settings\Application Data\Htc

Folder::
c:\documents and settings\benjamin\Application Data\UyyycA1ivD2
c:\documents and settings\benjamin\Application Data\uRRL9hhTXjUCItz
c:\documents and settings\benjamin\Application Data\wHH66sWKfELgTqY
c:\documents and settings\benjamin\Application Data\deekkIBrzNyx
c:\documents and settings\benjamin\Application Data\ZlBPy1b3oG4aHsK
c:\documents and settings\benjamin\Application Data\xSS2obpG5Qd8g9X
c:\documents and settings\benjamin\Application Data\CcAi24m5W7E8TqY
c:\documents and settings\benjamin\Application Data\bibbD3nG47UN1ms
c:\documents and settings\benjamin\Application Data\eQQHH6sWK7RLgT
c:\documents and settings\benjamin\Application Data\QYCCekVNob5sJdK
c:\documents and settings\benjamin\Application Data\C7fLgZjCkVzNx0v
c:\documents and settings\benjamin\Application Data\aiib355a6d
c:\documents and settings\benjamin\Application Data\sOOBtxxP0cS1b3o
c:\documents and settings\benjamin\Application Data\XmH66sWJ7fL9TZj
c:\documents and settings\benjamin\Application Data\pggTTZqhYCkIrlN
c:\documents and settings\benjamin\Application Data\bppnnG5aQJdW8R9
c:\documents and settings\benjamin\Application Data\VwwwjUVVelBtz0c
c:\documents and settings\benjamin\Application Data\pKK88fRZ9
c:\documents and settings\benjamin\Application Data\wZZqhYXwUVrlB

ClearJavaCache::


Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"

Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

This post has been edited by CatByte: 05 October 2011 - 09:22 PM

The help you receive here is free. If you wish to show your appreciation, then you may Posted Image
Microsoft MVP - 2010, 2011

#10 User is offline   mtfdben58 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 17
  • Joined: 04-October 11

Posted 05 October 2011 - 10:10 PM

ComboFix 11-10-04.04 - benjamin 10/05/2011 22:54:34.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.650 [GMT -4:00]
Running from: c:\documents and settings\benjamin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\benjamin\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\benjamin\Application Data\aiib355a6d
c:\documents and settings\benjamin\Application Data\bibbD3nG47UN1ms
c:\documents and settings\benjamin\Application Data\bppnnG5aQJdW8R9
c:\documents and settings\benjamin\Application Data\C7fLgZjCkVzNx0v
c:\documents and settings\benjamin\Application Data\CcAi24m5W7E8TqY
c:\documents and settings\benjamin\Application Data\deekkIBrzNyx
c:\documents and settings\benjamin\Application Data\eQQHH6sWK7RLgT
c:\documents and settings\benjamin\Application Data\pggTTZqhYCkIrlN
c:\documents and settings\benjamin\Application Data\pKK88fRZ9
c:\documents and settings\benjamin\Application Data\QYCCekVNob5sJdK
c:\documents and settings\benjamin\Application Data\sOOBtxxP0cS1b3o
c:\documents and settings\benjamin\Application Data\uRRL9hhTXjUCItz
c:\documents and settings\benjamin\Application Data\UyyycA1ivD2
c:\documents and settings\benjamin\Application Data\VwwwjUVVelBtz0c
c:\documents and settings\benjamin\Application Data\wHH66sWKfELgTqY
c:\documents and settings\benjamin\Application Data\wZZqhYXwUVrlB
c:\documents and settings\benjamin\Application Data\XmH66sWJ7fL9TZj
c:\documents and settings\benjamin\Application Data\xSS2obpG5Qd8g9X
c:\documents and settings\benjamin\Application Data\ZlBPy1b3oG4aHsK
.
.
((((((((((((((((((((((((( Files Created from 2011-09-06 to 2011-10-06 )))))))))))))))))))))))))))))))
.
.
2011-09-28 15:41 . 2011-10-06 03:04 -------- d-----w- c:\documents and settings\benjamin\Local Settings\Application Data\Htc
2011-09-27 11:39 . 2011-09-27 11:39 118590 ----a-w- C:\sdasetup_revwire207.exe
2011-09-27 11:21 . 2011-09-27 11:22 -------- d-----w- c:\documents and settings\Administrator
2011-09-27 03:44 . 2011-09-27 03:44 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-09 09:12 . 2009-01-16 23:18 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-08-31 21:00 . 2011-01-26 15:12 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-09 02:02 . 2011-08-09 02:00 13685936 ----a-w- C:\Firefox Setup 5.0.1.exe
2011-07-19 15:28 . 2011-01-19 23:16 13312 ----a-w- c:\windows\system32\drivers\pneteth.sys
2011-07-15 13:29 . 2009-01-16 23:18 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2009-01-16 23:18 10496 ------w- c:\windows\system32\drivers\ndistapi.sys
2009-04-10 22:47 . 2009-04-10 22:47 174207416 -c--a-w- c:\program files\rw2_021_w02_enu.exe
2009-04-10 21:42 . 2009-04-10 21:42 3938520 -c--a-w- c:\program files\hpDriverDetective.exe
2009-04-06 01:31 . 2009-04-06 01:27 10553792 -c--a-w- c:\program files\Vuze_Installer.exe
2011-09-07 21:26 . 2011-08-09 02:02 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\benjamin\Local Settings\Application Data\Htc ----
.
2011-09-28 15:41 . 2011-10-06 03:04 283 ----a-w- c:\documents and settings\benjamin\Local Settings\Application Data\Htc\CommunicationProtocol.xml
2011-09-28 15:41 . 2011-10-06 03:04 912 ----a-w- c:\documents and settings\benjamin\Local Settings\Application Data\Htc\ROUTE66UIPreferences.xml
2011-09-28 15:41 . 2011-10-06 03:04 15841 ----a-w- c:\documents and settings\benjamin\Local Settings\Application Data\Htc\ROUTE66Engine.log
2011-09-28 15:41 . 2011-10-06 01:37 27239 ----a-w- c:\documents and settings\benjamin\Local Settings\Application Data\Htc\ROUTE66Engine.log.0000
2011-09-28 15:41 . 2011-10-06 01:10 27345 ----a-w- c:\documents and settings\benjamin\Local Settings\Application Data\Htc\ROUTE66Engine.log.0001
2011-09-28 15:41 . 2011-10-05 13:57 27247 ----a-w- c:\documents and settings\benjamin\Local Settings\Application Data\Htc\ROUTE66Engine.log.0002
2011-09-28 15:41 . 2011-10-05 13:08 27239 ----a-w- c:\documents and settings\benjamin\Local Settings\Application Data\Htc\ROUTE66Engine.log.0003
2011-09-28 15:41 . 2011-10-06 03:04 1432 ----a-w- c:\documents and settings\benjamin\Local Settings\Application Data\Htc\R66Api.log
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-09-26 185640]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-02-15 417792]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
"HTC Sync Loader"="c:\program files\HTC\HTC Sync 3.0\htcUPCTLoader.exe" [2011-08-22 593920]
.
c:\documents and settings\benjamin\Start Menu\Programs\Startup\
PdaNet Desktop.lnk - c:\program files\PdaNet for Android\PdaNetPC.exe [2011-10-2 480880]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acer VCM.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acer VCM.lnk
backup=c:\windows\pss\Acer VCM.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
backup=c:\windows\pss\hp psc 1000 series.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^benjamin^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\benjamin\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^benjamin^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
path=c:\documents and settings\benjamin\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
backup=c:\windows\pss\Microsoft Find Fast.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^benjamin^Start Menu^Programs^Startup^Office Startup.lnk]
path=c:\documents and settings\benjamin\Start Menu\Programs\Startup\Office Startup.lnk
backup=c:\windows\pss\Office Startup.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 04:59 937920 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-09-07 22:58 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2008-06-19 08:20 57344 -c--a-w- c:\windows\ALCMTR.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
2009-10-10 17:32 203264 -c--a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
2010-07-08 23:02 2048352 ----a-w- c:\progra~1\AVG\AVG8\avgtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AzMixerSel]
2006-01-25 10:45 53248 ----a-w- c:\program files\Realtek\Audio\Drivers\AzMixerSel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 12:00 15360 ------w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-06-02 03:12 136176 ----atw- c:\documents and settings\benjamin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-02-28 01:00 166424 ------w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2008-04-16 01:54 178712 -c--a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-02-28 01:00 141848 ------w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2008-04-14 12:00 208952 -c--a-w- c:\windows\ime\imjp8_1\imjpmig.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KMCONFIG]
2007-03-06 18:51 212992 ----a-w- c:\program files\Keyboard & Mouse Driver\StartAutorun.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
2008-12-30 07:09 875016 -c--a-w- c:\progra~1\LAUNCH~1\LManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 13:42 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
2008-04-14 12:00 59392 -c----w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NotificationCenterLauncher]
2008-12-22 20:00 225280 -c--a-w- c:\program files\Acer\Acer eRecovery Management\NotificationLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM2_Monitor]
2008-10-31 16:17 95536 -c----w- c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-02-28 01:00 137752 ------w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2008-04-14 12:00 455168 -c----w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2008-04-14 12:00 455168 -c----w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PLFSetL]
2008-07-03 23:58 94208 -c--a-w- c:\windows\PLFSetL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-02-15 23:50 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2008-12-26 08:20 18081280 -c--a-w- c:\windows\RTHDCPL.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snp2uvc]
2008-11-04 03:00 196608 ------w- c:\windows\system32\csnp2uvc.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-05-28 17:25 148888 -c--a-w- c:\program files\Java\jre6\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2008-11-20 09:38 1398056 -c--a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VerizonServicepoint.exe]
2009-11-18 15:50 4269296 ----a-w- c:\program files\Verizon\VSP\VerizonServicepoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Verizon_McciTrayApp]
2009-12-28 21:17 1551872 ----a-w- c:\program files\Verizon\McciTrayApp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"RS_Service"=2 (0x2)
"ProtexisLicensing"=2 (0x2)
"Pml Driver HPZ12"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"ACDaemon"=2 (0x2)
"ServicepointService"=2 (0x2)
"RoxMediaDB9"=3 (0x3)
"RoxLiveShare9"=2 (0x2)
"Roxio Upnp Server 9"=2 (0x2)
"Roxio UPnP Renderer 9"=3 (0x3)
"gupdate"=2 (0x2)
"ASKUpgrade"=2 (0x2)
"ASKService"=2 (0x2)
"RoxWatch9"=2 (0x2)
"McciCMService"=2 (0x2)
"IDriverT"=3 (0x3)
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Acer\\Acer VCM\\VC.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Verizon\\VSP\\ServicepointService.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
"c:\\Program Files\\StreamTorrent 1.0\\StreamTorrent.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\HTC\\HTC Sync 3.0\\adb.exe"=
"c:\\Program Files\\HTC\\HTC Sync 3.0\\htcUPCTLoader.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"= 8085:TCP:MyOKOPort
"9212:TCP"= 9212:TCP:SkyCaddie Desktop
"9210:UDP"= 9210:UDP:SkyCaddie Desktop
.
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [9/26/2009 12:32 AM 189736]
R2 KMWDSERVICE;Keyboard And Mouse Communication Service;c:\program files\Keyboard & Mouse Driver\KMWDSrv.exe [4/5/2007 10:29 AM 208896]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [1/26/2011 11:12 AM 22216]
R3 pneteth;PdaNet Broadband;c:\windows\system32\drivers\pneteth.sys [1/19/2011 7:16 PM 13312]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [1/26/2011 11:12 AM 366152]
S3 androidusb;ADB Interface Driver;c:\windows\system32\drivers\androidusb.sys [6/9/2011 5:59 PM 31312]
S3 easytether;easytether;c:\windows\system32\DRIVERS\easytthr.sys --> c:\windows\system32\DRIVERS\easytthr.sys [?]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [1/23/2011 10:45 PM 13192]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [1/23/2011 10:45 PM 8456]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [3/20/2010 8:06 PM 136176]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\androidusb.sys [6/9/2011 5:59 PM 31312]
S3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\drivers\htcnprot.sys [6/22/2010 6:01 PM 21248]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [1/19/2011 7:16 PM 9472]
S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [1/16/2009 8:26 PM 160256]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/20/2010 8:06 PM 136176]
S4 PassThru Service;Internet Pass-Through Service;c:\program files\HTC\Internet Pass-Through\PassThruSvr.exe [8/12/2011 5:13 PM 87040]
S4 RS_Service;Raw Socket Service;c:\program files\Acer\Acer VCM\RS_Service.exe [1/16/2009 9:02 PM 237568]
S4 ServicepointService;ServicepointService;c:\program files\Verizon\VSP\ServicepointService.exe [1/18/2010 4:08 PM 668912]
.
Contents of the 'Scheduled Tasks' folder
.
2009-07-19 c:\windows\Tasks\FRU Task 2003-04-10 00:56ewlett-Packard2003-04-10 00:56p psc 1200 series272A572217594EBCF1CEE215E352B92AD073FDE4239404004.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 21:56]
.
2011-10-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-21 00:05]
.
2011-10-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-21 00:05]
.
2011-10-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3588590466-972670786-3454122357-1006Core.job
- c:\documents and settings\benjamin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-01 03:12]
.
2011-10-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3588590466-972670786-3454122357-1006UA.job
- c:\documents and settings\benjamin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-01 03:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.9.1
FF - ProfilePath - c:\documents and settings\benjamin\Application Data\Mozilla\Firefox\Profiles\k629nd0g.default\
FF - prefs.js: browser.startup.homepage - hxxp://yahoo.com/
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-05 23:03
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3856)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\SearchIndexer.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2011-10-05 23:08:07 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-06 03:08
ComboFix2.txt 2011-10-06 01:37
.
Pre-Run: 109,880,422,400 bytes free
Post-Run: 109,929,992,192 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - B013CC370B8138AF25C7E0F02BEAF5F7

#11 User is offline   CatByte 

  • Bleepin' curls!
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 7,857
  • Joined: 09-November 08
  • Gender:Not Telling
  • Location:Canada

Posted 06 October 2011 - 06:47 PM

Hi,

Please do the following:

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.


Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

The help you receive here is free. If you wish to show your appreciation, then you may Posted Image
Microsoft MVP - 2010, 2011

#12 User is offline   mtfdben58 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 17
  • Joined: 04-October 11

Posted 06 October 2011 - 11:48 PM

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7890

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10/6/2011 9:38:39 PM
mbam-log-2011-10-06 (21-38-39).txt

Scan type: Quick scan
Objects scanned: 177993
Time elapsed: 7 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:


(No malicious items detected)


C:\System Volume Information\_restore{EECCC067-5764-4761-8178-47FA5F6368E3}\RP522\A0198439.sys a variant of Win32/Olmarik.AXN trojan
C:\System Volume Information\_restore{EECCC067-5764-4761-8178-47FA5F6368E3}\RP522\A0198450.sys a variant of Win32/Olmarik.AXN trojan
C:\System Volume Information\_restore{EECCC067-5764-4761-8178-47FA5F6368E3}\RP522\A0202468.sys a variant of Win32/Olmarik.AXN trojan
C:\System Volume Information\_restore{EECCC067-5764-4761-8178-47FA5F6368E3}\RP522\A0202492.sys a variant of Win32/Olmarik.AXN trojan
C:\System Volume Information\_restore{EECCC067-5764-4761-8178-47FA5F6368E3}\RP522\A0202508.sys a variant of Win32/Olmarik.AXN trojan
C:\System Volume Information\_restore{EECCC067-5764-4761-8178-47FA5F6368E3}\RP522\A0202534.sys a variant of Win32/Olmarik.AXN trojan
C:\System Volume Information\_restore{EECCC067-5764-4761-8178-47FA5F6368E3}\RP522\A0202565.sys a variant of Win32/Olmarik.AXN trojan
C:\System Volume Information\_restore{EECCC067-5764-4761-8178-47FA5F6368E3}\RP522\A0202613.sys a variant of Win32/Olmarik.AXN trojan
C:\System Volume Information\_restore{EECCC067-5764-4761-8178-47FA5F6368E3}\RP522\A0203612.sys a variant of Win32/Olmarik.AXN trojan
C:\System Volume Information\_restore{EECCC067-5764-4761-8178-47FA5F6368E3}\RP523\A0203652.sys a variant of Win32/Olmarik.AXN trojan
C:\System Volume Information\_restore{EECCC067-5764-4761-8178-47FA5F6368E3}\RP523\A0203694.sys a variant of Win32/Olmarik.AXN trojan
C:\System Volume Information\_restore{EECCC067-5764-4761-8178-47FA5F6368E3}\RP526\A0204693.sys a variant of Win32/Olmarik.AXN trojan
C:\System Volume Information\_restore{EECCC067-5764-4761-8178-47FA5F6368E3}\RP526\A0205693.sys a variant of Win32/Olmarik.AXN trojan
C:\System Volume Information\_restore{EECCC067-5764-4761-8178-47FA5F6368E3}\RP526\A0206693.sys a variant of Win32/Olmarik.AXN trojan
C:\System Volume Information\_restore{EECCC067-5764-4761-8178-47FA5F6368E3}\RP526\A0207693.sys a variant of Win32/Olmarik.AXN trojan
C:\System Volume Information\_restore{EECCC067-5764-4761-8178-47FA5F6368E3}\RP526\A0208693.sys a variant of Win32/Olmarik.AXN trojan
C:\System Volume Information\_restore{EECCC067-5764-4761-8178-47FA5F6368E3}\RP527\A0208735.sys a variant of Win32/Olmarik.AXN trojan
C:\System Volume Information\_restore{EECCC067-5764-4761-8178-47FA5F6368E3}\RP527\A0209735.sys a variant of Win32/Olmarik.AXN trojan
C:\System Volume Information\_restore{EECCC067-5764-4761-8178-47FA5F6368E3}\RP527\A0210735.sys a variant of Win32/Olmarik.AXN trojan
C:\System Volume Information\_restore{EECCC067-5764-4761-8178-47FA5F6368E3}\RP529\A0211735.sys a variant of Win32/Olmarik.AXN trojan
C:\System Volume Information\_restore{EECCC067-5764-4761-8178-47FA5F6368E3}\RP529\A0212735.sys a variant of Win32/Olmarik.AXN trojan
C:\System Volume Information\_restore{EECCC067-5764-4761-8178-47FA5F6368E3}\RP529\A0212757.sys a variant of Win32/Olmarik.AXN trojan
C:\System Volume Information\_restore{EECCC067-5764-4761-8178-47FA5F6368E3}\RP530\A0213764.sys a variant of Win32/Olmarik.AXN trojan
C:\System Volume Information\_restore{EECCC067-5764-4761-8178-47FA5F6368E3}\RP531\A0213775.sys a variant of Win32/Olmarik.AXN trojan
C:\System Volume Information\_restore{EECCC067-5764-4761-8178-47FA5F6368E3}\RP538\A0214068.sys a variant of Win32/Olmarik.AXN trojan
C:\System Volume Information\_restore{EECCC067-5764-4761-8178-47FA5F6368E3}\RP538\A0215068.sys a variant of Win32/Olmarik.AXN trojan
C:\System Volume Information\_restore{EECCC067-5764-4761-8178-47FA5F6368E3}\RP540\A0215160.sys a variant of Win32/Olmarik.AXN trojan
C:\System Volume Information\_restore{EECCC067-5764-4761-8178-47FA5F6368E3}\RP541\A0215178.sys a variant of Win32/Olmarik.AXN trojan
C:\System Volume Information\_restore{EECCC067-5764-4761-8178-47FA5F6368E3}\RP542\A0215194.sys a variant of Win32/Olmarik.AXN trojan
C:\System Volume Information\_restore{EECCC067-5764-4761-8178-47FA5F6368E3}\RP542\A0215238.sys a variant of Win32/Olmarik.AXN trojan
C:\System Volume Information\_restore{EECCC067-5764-4761-8178-47FA5F6368E3}\RP543\A0216238.sys a variant of Win32/Olmarik.AXN trojan
C:\System Volume Information\_restore{EECCC067-5764-4761-8178-47FA5F6368E3}\RP543\A0217238.sys a variant of Win32/Olmarik.AXN trojan
C:\System Volume Information\_restore{EECCC067-5764-4761-8178-47FA5F6368E3}\RP543\A0217263.sys a variant of Win32/Olmarik.AXN trojan
C:\System Volume Information\_restore{EECCC067-5764-4761-8178-47FA5F6368E3}\RP543\A0217274.sys a variant of Win32/Olmarik.AXN trojan
C:\System Volume Information\_restore{EECCC067-5764-4761-8178-47FA5F6368E3}\RP543\A0217301.sys a variant of Win32/Olmarik.AXN trojan
C:\System Volume Information\_restore{EECCC067-5764-4761-8178-47FA5F6368E3}\RP545\A0217468.sys a variant of Win32/Olmarik.AXN trojan
C:\System Volume Information\_restore{EECCC067-5764-4761-8178-47FA5F6368E3}\RP546\A0218468.sys a variant of Win32/Olmarik.AXN trojan
C:\System Volume Information\_restore{EECCC067-5764-4761-8178-47FA5F6368E3}\RP547\A0218504.sys a variant of Win32/Olmarik.AXN trojan
C:\System Volume Information\_restore{EECCC067-5764-4761-8178-47FA5F6368E3}\RP547\A0219508.sys a variant of Win32/Olmarik.AXN trojan
C:\System Volume Information\_restore{EECCC067-5764-4761-8178-47FA5F6368E3}\RP547\A0220664.sys a variant of Win32/Olmarik.AXN trojan
C:\WINDOWS\system32\drivers\intelppm.sys a variant of Win32/Olmarik.AXN trojan

#13 User is offline   CatByte 

  • Bleepin' curls!
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 7,857
  • Joined: 09-November 08
  • Gender:Not Telling
  • Location:Canada

Posted 07 October 2011 - 05:05 AM

Those detections (except one) are in old system restore points that we will flush out shortly, first please upload the following:


submit a file to virustotal for analysis
  • Use the browse button on that page to navigate to the location of the file to be scanned.
  • In the right hand panel,
  • click on the file C:\WINDOWS\system32\drivers\intelppm.sys
  • then click the open button.
  • The file will now be displayed in the submit box.
  • Scroll down a bit and click "send file", wait for the results
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Once scanned, copy and paste the link to the results page in your next reply.




NEXT


Visit ADOBE and download the latest version of Acrobat Reader (version X)
Having the latest updates ensures there are no security vulnerabilities in your system.

NEXT

Posted Image
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 7 and save it to your desktop.
  • Scroll down to where it says JDK 7 (JDK or JRE)
  • Click the Download JDK button tunderneath
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "Oracle Binary Code License Agreement for Java SE ". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-7-windows-i586.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
        Applications and Applets
        Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.




NEXT


Please advise how your computer is running now and if there are any outstanding issues
The help you receive here is free. If you wish to show your appreciation, then you may Posted Image
Microsoft MVP - 2010, 2011

#14 User is offline   mtfdben58 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 17
  • Joined: 04-October 11

Posted 07 October 2011 - 08:07 AM

http://www.virustotal.com/file-scan/report.html?id=1e426526bd1b5a78cd5d3c388fd0556d89b859b047f463ea4427cfc23b183966-1317988016



java and adobe updated. seems to be running much better.

Thank you so much for all of your time up to this point.

#15 User is offline   CatByte 

  • Bleepin' curls!
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 7,857
  • Joined: 09-November 08
  • Gender:Not Telling
  • Location:Canada

Posted 07 October 2011 - 09:00 AM

OK

That file is definitely patched, but we can't just delete it, we need to find a replacement

please do the following:

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :filefind
*intelppm*


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
The help you receive here is free. If you wish to show your appreciation, then you may Posted Image
Microsoft MVP - 2010, 2011

Share this topic:


  • 3 Pages +
  • 1
  • 2
  • 3
  • You cannot start a new topic
  • This topic is locked

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users