Suspected System Fix infection
#1
Posted 30 November 2011 - 11:46 PM
OS is Windows Vista Home Premium (32-bit)
Symptoms are as follows:
- Empty "Start Menu"
- Empty desktop except for "My Computer", "Internet Explorer", and "Recycle Bin" (other shortcuts were found to be given hidden attributes)
- About 30 seconds after getting onto the desktop, about a dozen pseudo-alerts pop up telling me of some sort of "Delayed Write Failed" error followed by one saying that I have a possible hard drive error and that I should "Scan and Fix Now (Recomended)". "Recomended" is spelled as is.
- Safe Mode appears to run normally, but upon boot to desktop I first see all my shortcuts and then they are hidden from sight.
At the time of infection, User Access Control (UAC) was off and Windows Firewall and Defender were on, but no other AV program. I had dumped KAV 2011 a few months ago after I suspected it of giving my laptop BSoDs and have not used a replacement AV program since. Since then, I was infected one other time by the OpenCloud Trojan, but I was able to use System Restore to get rid of that. There was another time, between my dumping KAV 2011 and acquiring the OpenCloud Trojan, where I had to rebuild the MBR, but I'm not sure if malware was at work. About 2 years ago, I killed another unknown infection on my own using ComboFix.
Steps I have already done for this infection (in order):
- Ran DDS.scr under a different name and acquired logs.
- Ran DeFogger under a different name and successfully disabled any CD emulators.
- Ran GMER under a different name, but it was stopped prematurely by the infection.
- Ran GMER under another different name a second time, but I got a BSoD ("Page fault in nonpaged area") while running it.
- Started Windows in Safe Mode with Networking and used regedit to terminate the registry keys listed here: System Fix Removal Process (remove SystemFix) - PCHubs.com
I have yet to run RKill, install & update MBAM, or run ComboFix. I've copied all the files I wanted to keep, but do not have access to a CD with a fresh Vista Install. I do have the Vista Recovery Disc.
Thank you for your help. Logs available upon request.
#2
Posted 01 December 2011 - 02:38 AM

DDS Log below, Attach.txt attached:
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_22
Run by Marty at 2:09:38 on 2011-11-30
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3070.2019 [GMT -8:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\lxbccoms.exe
c:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
C:\Windows\system32\o2flash.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Fujitsu\fjdvrupd\updnvsrv.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Softex\OmniPass\opvapp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Softex\OmniPass\scureapp.exe
C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Fujitsu\fjdvrupd\updatenv.exe
C:\Program Files\Fingerprint Sensor\ATSwpNav.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Freecorder\FLVSrvc.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
C:\Program Files\realplayer\Update\realsched.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\ProgramData\GGyfLFDEWNT.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
C:\Users\Marty\AppData\Local\Google\Update\1.3.21.79\GoogleCrashHandler.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Apoint2K\HidFind.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Windows\system32\attrib.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://scrim.clan.su
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\tbFree.dll
mURLSearchHooks: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\tbFree.dll
BHO: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\tbFree.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\tbFree.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [Google Update] "c:\users\marty\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [TvOutSwitch] c:\program files\fujitsu\dispswitch\DispSwitchLauncher.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
mRun: [OmniPass] c:\program files\softex\omnipass\scureapp.exe
mRun: [LoadFujitsuQuickTouch] c:\program files\fujitsu\application panel\QuickTouch.exe
mRun: [LoadFUJ02E3] c:\program files\fujitsu\fuj02e3\FUJ02E3.exe
mRun: [LoadBtnHnd] c:\program files\fujitsu\btnhnd\BtnHnd.exe
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [IndicatorUtility] c:\program files\fujitsu\fujitsu hotkey utility\IndicatorUty.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [FJUPDNV_Chitose] c:\program files\fujitsu\fjdvrupd\updatenv.exe
mRun: [ATSwpNav] "c:\program files\fingerprint sensor\ATSwpNav" -run
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Freecorder FLV Service] "c:\program files\freecorder\FLVSrvc.exe" /run
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [IJNetworkScanUtility] c:\program files\canon\canon ij network scan utility\CNMNSUT.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [TkBellExe] "c:\program files\realplayer\update\realsched.exe" -osboot
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [GGyfLFDEWNT.exe] c:\programdata\GGyfLFDEWNT.exe
dRun: [Microsoft Update] c:\windows\system32\config\systemprofile\appdata\local\microsoft\microsoftupdate\Microsoftupdt32.exe
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10h_ActiveX.exe -update activex
StartupFolder: c:\users\marty\appdata\roaming\micros~1\windows\startm~1\programs\startup\maxtv.lnk - c:\program files\dmv\maxtv4\maxtv.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{5456F8E6-9F05-4582-9FCB-D52FB4BFA5E2} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{CF1F096F-6FE5-4A79-A08D-25DF89CF4DBD} : DhcpNameServer = 192.168.0.1 192.168.0.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
AppInit_DLLs: c:\progra~1\google\google~2\googledesktopnetwork3.d c:\progra~1\google\google~2\GOEC62~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\marty\appdata\roaming\mozilla\firefox\profiles\vrom0irr.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - chrome://browser-region/locale/region.properties
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\kavlinkfilter.dll
FF - component: c:\users\marty\appdata\roaming\mozilla\firefox\profiles\vrom0irr.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\FFExternalAlert.dll
FF - component: c:\users\marty\appdata\roaming\mozilla\firefox\profiles\vrom0irr.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\RadioWMPCore.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmnqmp07010901.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\realplayer\netscape6\nppl3260.dll
FF - plugin: c:\program files\realplayer\netscape6\nprjplug.dll
FF - plugin: c:\program files\realplayer\netscape6\nprpjplug.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\users\marty\appdata\local\google\update\1.3.21.79\npGoogleUpdate3.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
============= SERVICES / DRIVERS ===============
.
R0 FBIOSDRV;FBIOSDRV;c:\windows\system32\drivers\FBIOSDRV.SYS [2007-11-21 8960]
R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2006-10-2 36640]
R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2007-5-11 35456]
R1 EterlogicVirtualSerialDriver;EterlogicVirtualSerialDriver;c:\windows\system32\drivers\VSPE.sys [2009-3-18 22400]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-3-8 176128]
R2 FJVBCtrl;FJVBCtrl;c:\program files\fujitsu\fujitsu hotkey utility\FJVBCtrl.sys [2007-2-16 12848]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-9-23 21504]
R2 lxbc_device;lxbc_device;c:\windows\system32\lxbccoms.exe -service --> c:\windows\system32\lxbccoms.exe -service [?]
R2 UpdateNaviInstallService;UpdateNaviInstallService;c:\program files\fujitsu\fjdvrupd\updnvsrv.exe [2007-1-27 11776]
R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atikmdag.sys [2011-3-9 7723008]
R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2011-3-8 239616]
R3 FUJ02E3;Fujitsu FUJ02E3 Device Driver;c:\windows\system32\drivers\fuj02e3.sys [2007-11-21 5632]
R3 VSBC;Virtual Serial Bus Enumerator (Eltima Software);c:\windows\system32\drivers\evsbc.sys [2009-3-18 27648]
S2 avplol;avplol;c:\program files\kaspersky lab\kaspersky internet security 2009\avplol.exe [2008-11-11 206088]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate1c9cdccdd4e72c8;Google Update Service (gupdate1c9cdccdd4e72c8);c:\program files\google\update\GoogleUpdate.exe [2009-5-5 133104]
S3 ADVNTDRV;ADVNTDRV;c:\windows\system32\drivers\ADVNTDRV.SYS [2008-9-22 3872]
S3 evserial;Virtual Serial Ports Driver (Eltima Softwate);c:\windows\system32\drivers\evserial.sys [2009-3-18 55808]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-9-18 30192]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-5-5 133104]
S3 USBAVCap;AVerMedia USB TV Tuner Device;c:\windows\system32\drivers\USBAVCap.sys [2008-10-5 785408]
S3 V0250Dev;Live! Cam Notebook Pro;c:\windows\system32\drivers\V0250Dev.sys [2009-10-20 163840]
S3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\zune\WMZuneComm.exe [2010-11-11 268528]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 BOHCI;BOHCI;c:\windows\system32\drivers\bohci.sys [2009-1-26 105344]
S4 BUHCI;BUHCI;c:\windows\system32\drivers\buhci.sys [2009-1-26 99296]
S4 BUSBD;BUSBD;c:\windows\system32\drivers\busbd.sys [2009-1-26 35584]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2010-4-3 44896]
S4 RsFx0150;RsFx0150 Driver;c:\windows\system32\drivers\RsFx0150.sys [2010-4-3 240608]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10_50.sqlexpress\mssql\binn\SQLAGENT.EXE [2011-4-24 367456]
.
=============== Created Last 30 ================
.
2011-11-30 08:30:45 56200 ---ha-w- c:\programdata\microsoft\windows defender\definition updates\{9fc1980c-2f32-47af-a70d-fd04f2de17c1}\offreg.dll
2011-11-30 07:36:28 6668624 ---ha-w- c:\programdata\microsoft\windows defender\definition updates\{9fc1980c-2f32-47af-a70d-fd04f2de17c1}\mpengine.dll
2011-11-29 06:43:00 467968 ---ha-w- c:\programdata\GGyfLFDEWNT.exe
2011-11-10 03:13:36 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2011-11-10 03:13:28 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-11-10 03:13:14 707584 ----a-w- c:\program files\common files\system\wab32.dll
.
==================== Find3M ====================
.
2011-09-06 13:30:12 2043392 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 2:22:15.55 ===============
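The autorun lines in the Pseudo HJT Report above (uRun/mRun/dRun/StartupFolder) are where the rogue's loader shows up, here as the randomly named c:\programdata\GGyfLFDEWNT.exe and the Default-user "Microsoft Update" entry. The following triage script is an added example, not part of the thread or of DDS: it parses those lines, extracts the launched image and flags entries that run from user-writable locations or have random-looking file names. The sample lines are copied from the posted log; the roots, the vowel-ratio threshold and the flag wording are this example's own assumptions.

```python
"""Triage autorun entries from a DDS 'Pseudo HJT Report' (added example).

The sample lines come from the DDS log above; the heuristics and thresholds
are assumptions of this example, not part of DDS or of the thread.
"""
import re
from typing import List, NamedTuple, Tuple


class AutorunEntry(NamedTuple):
    hive: str                  # uRun, mRun, dRun, dRunOnce or StartupFolder
    label: str                 # Run value name, or the .lnk path in the Startup folder
    image: str                 # executable the entry launches (lower-cased)
    reasons: Tuple[str, ...]   # empty tuple means nothing stood out


# Where installed software normally lives on a 32-bit Vista box (assumption).
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\windows\\", "%windir%\\")
# User-writable roots that rogue-AV droppers favour; checked before TRUSTED_ROOTS
# because the systemprofile AppData folder sits underneath c:\windows.
WRITABLE_ROOTS = (
    "c:\\programdata\\",
    "c:\\users\\",
    "c:\\windows\\system32\\config\\systemprofile\\appdata\\",
)

RUN_RE = re.compile(r"^(?P<hive>[umd]Run(?:Once)?):\s*\[(?P<label>[^\]]*)\]\s*(?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^(?P<hive>StartupFolder):\s*(?P<label>.+?\.lnk)\s+-\s+(?P<cmd>.*)$", re.I)
EXE_RE = re.compile(r"(.+?\.(?:exe|scr|com|bat|cmd|dll|pif))(?=\s|$)", re.I)
VOWELS = set("aeiou")


def image_from_command(cmd: str) -> str:
    """Return the launched image from a Run-value command line, lower-cased."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                       # quoted path, arguments follow the quote
        end = cmd.find('"', 1)
        return (cmd[1:end] if end > 0 else cmd[1:]).lower()
    # Unquoted paths may contain spaces: cut at the first executable extension
    # that is followed by whitespace or end of line.
    m = EXE_RE.match(cmd)
    return (m.group(1) if m else cmd.split(" ", 1)[0]).lower()


def looks_random(filename: str) -> bool:
    """Crude test for machine-generated names such as GGyfLFDEWNT.exe:
    eight or more letters with fewer than one vowel in five."""
    stem = filename.rsplit(".", 1)[0]
    letters = [c for c in stem if c.isalpha()]
    if len(letters) < 8:
        return False
    vowels = sum(1 for c in letters if c.lower() in VOWELS)
    return vowels / len(letters) < 0.2


def assess(image: str) -> Tuple[str, ...]:
    """Return the reasons an autorun image deserves a closer look."""
    reasons = []
    if image.startswith(WRITABLE_ROOTS):
        reasons.append("launched from a user-writable location")
    elif not image.startswith(TRUSTED_ROOTS):
        reasons.append("launched from outside Program Files / Windows")
    if looks_random(image.rsplit("\\", 1)[-1]):
        reasons.append("random-looking file name")
    return tuple(reasons)


def parse_autoruns(log_text: str) -> List[AutorunEntry]:
    """Parse every Run / RunOnce / Startup-folder line of a DDS log."""
    entries = []
    for line in log_text.splitlines():
        m = RUN_RE.match(line.strip()) or STARTUP_RE.match(line.strip())
        if not m:
            continue
        image = image_from_command(m.group("cmd"))
        entries.append(AutorunEntry(m.group("hive"), m.group("label"), image, assess(image)))
    return entries


def flagged(log_text: str) -> List[AutorunEntry]:
    """Only the entries that raised at least one reason."""
    return [e for e in parse_autoruns(log_text) if e.reasons]


# Sample input: lines copied from the DDS log posted in this thread.
SAMPLE_DDS = """\
uStart Page = hxxp://scrim.clan.su
uRun: [Sidebar] c:\\program files\\windows sidebar\\sidebar.exe /autoRun
uRun: [Google Update] "c:\\users\\marty\\appdata\\local\\google\\update\\GoogleUpdate.exe" /c
mRun: [ATSwpNav] "c:\\program files\\fingerprint sensor\\ATSwpNav" -run
mRun: [Windows Mobile Device Center] %windir%\\WindowsMobile\\wmdc.exe
mRun: [GGyfLFDEWNT.exe] c:\\programdata\\GGyfLFDEWNT.exe
dRun: [Microsoft Update] c:\\windows\\system32\\config\\systemprofile\\appdata\\local\\microsoft\\microsoftupdate\\Microsoftupdt32.exe
dRunOnce: [FlashPlayerUpdate] c:\\windows\\system32\\macromed\\flash\\FlashUtil10h_ActiveX.exe -update activex
StartupFolder: c:\\users\\marty\\appdata\\roaming\\micros~1\\windows\\startm~1\\programs\\startup\\maxtv.lnk - c:\\program files\\dmv\\maxtv4\\maxtv.exe
"""

if __name__ == "__main__":
    for e in flagged(SAMPLE_DDS):
        print(f"{e.hive:<13} {e.label:<28} {e.image}")
        for r in e.reasons:
            print(f"{'':13} - {r}")
```

The per-user Google Update entry is flagged as well, since Google installs it under the user profile; the location heuristic narrows the list for a human to check, it does not deliver a verdict.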
#3
Posted 01 December 2011 - 03:12 AM
Please follow the instructions in ==>This Guide<== starting at step 6. If you cannot complete a step, skip it and continue.
Once the proper logs are created, then post them in a reply to this topic by using the Add Reply button.
If you can produce at least some of the logs, then please create the post and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the reply and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.
Please note that I am not a member of the Malware Removal Team and will not be assisting you in removing the infection. I'm simply helping you to post the information they need in order to assist you.
If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.
Orange Blossom
An ounce of prevention is worth a pound of cure
SuperAntiSpyware, SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript
#4
Posted 05 December 2011 - 11:50 PM
I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
To help Bleeping Computer better assist you please perform the following steps:
***************************************************
CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/430173 <<< CLICK THIS LINK
If you no longer need help, then all you needed to do was follow the previous instruction and tell me so. You can skip the rest of this post. If you do need help, please continue with Step 2 below.
***************************************************
- If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
- A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
- Please do this even if you have previously posted logs for us.
- If you were unable to produce the logs originally please try once more.
- If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
- If you are unsure about any of these characteristics just post what you can and we will guide you.
- Please tell us if you have your original Windows CD/DVD available.
- Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.
Thank you for your patience, and again sorry for the delay.
***************************************************
We need to see some information about what is happening in your machine. Please perform the following scan again:
- Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
- Double click on the DDS icon, allow it to run.
- A small box will open, with an explanation about the tool. No input is needed, the scan is running.
- Notepad will open with the results.
- Follow the instructions that pop up for posting the results.
- Close the program window, and delete the program from your desktop.
Information on A/V control HERE
We also need a new log from the GMER anti-rootkit Scanner.
Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.
Please first disable any CD emulation programs using the steps found in this topic:
Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:
As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!
#5
Posted 06 December 2011 - 11:24 PM
Internet browsing is possible but very slow.
Hidden files become unhidden if you access their folders.
Start Menu items are still missing.
There are no more annoying popups of "Delayed Write Failed" or other fake system messages.
A "Network Flyout" window appeared on the taskbar.
I tried running DDS.scr, but the program hung at 54 hashmarks (about 80%). I had let the program run for about 30 minutes.
Anyone seen this kind of malware behavior before?
#6
Posted 07 December 2011 - 10:00 AM
My name is Gringo and I'll be glad to help you with your computer problems.
Some things to remember while we are working together:
- Do not run any other tool until instructed to do so!
- Please do not attach logs or put them in code boxes.
- Tell me about any problems that have occurred during the fix.
- Tell me of any other symptoms you may be having, as these can help also.
- Do not run anything while running a fix.
- Do not run any other tool until instructed to do so!
Click on the Watch Topic button, select Immediate Notification and click on Proceed; this will help you get notified faster when I have replied and make the cleaning process faster.
Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.
Run Combofix:
You may be asked to install or update the Recovery Console (Win XP only); if this happens, please allow it to do so (you will need to be connected to the internet for this).
Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<
Combofix may need to reboot your computer more than once to do its job; this is normal.
You can download Combofix from one of these links.
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Note 1: Do not mouse-click combofix's window while it's running. That may cause it to stall.
Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.
"information and logs"
- In your next post I need the following
- Log from Combofix
- let me know of any problems you may have had
- How is the computer doing now?
Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know
If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic
Please Only Copy And Paste Reports Into Topic - Do Not Attach
My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.
#7
Posted 07 December 2011 - 09:29 PM
Should I still run ComboFix?
#8
Posted 08 December 2011 - 09:11 AM
yes I still want you to run it
gringo
#9
Posted 09 December 2011 - 10:40 PM
Running from: c:\users\Marty\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB16512$
c:\windows\$NtUninstallKB16512$\1911354910
c:\windows\system32\CF20905.exe
c:\windows\system32\CF21130.exe
c:\windows\system32\CF21277.exe
c:\windows\system32\ReadMe.txt
.
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\combofix\HarddiskVolumeShadowCopy6_!Windows!System32!userinit.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-11-10 to 2011-12-10 )))))))))))))))))))))))))))))))
.
.
2011-12-10 02:57 . 2011-12-10 02:57 -------- d-----w- C:\found.000
2011-12-10 02:49 . 2011-12-10 03:06 -------- d-----w- c:\users\Marty\AppData\Local\temp
2011-12-10 02:49 . 2011-12-10 02:49 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-11-10 03:13 . 2011-10-17 11:41 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-11-10 03:13 . 2011-09-20 21:02 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-11-10 03:13 . 2011-09-30 15:57 707584 ----a-w- c:\program files\Common Files\System\wab32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-10 03:04 . 2011-12-10 03:04 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{B2249A43-48A7-4080-9F38-E37DC5B49D2E}\offreg.dll
2011-12-07 05:13 . 2009-10-04 00:07 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-11-21 10:47 . 2011-12-07 05:13 6823496 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{B2249A43-48A7-4080-9F38-E37DC5B49D2E}\mpengine.dll
2011-05-03 20:53 . 2011-03-27 05:09 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2010-06-19 05:03 . 2009-12-12 23:55 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\tbFree.dll" [2009-11-10 2331672]
.
[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
2009-11-10 01:38 2331672 ----a-w- c:\program files\Freecorder\tbFree.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\tbFree.dll" [2009-11-10 2331672]
.
[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{1392B8D2-5C05-419F-A8F6-B9F15A596612}"= "c:\program files\Freecorder\tbFree.dll" [2009-11-10 2331672]
.
[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATSwpNav"="c:\program files\Fingerprint Sensor\ATSwpNav -run" [X]
"TvOutSwitch"="c:\program files\Fujitsu\DispSwitch\DispSwitchLauncher.exe" [2007-10-01 106496]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-15 71216]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-02-21 366400]
"OmniPass"="c:\program files\Softex\OmniPass\scureapp.exe" [2007-10-24 2564096]
"LoadFujitsuQuickTouch"="c:\program files\Fujitsu\Application Panel\QuickTouch.exe" [2006-11-26 260912]
"LoadFUJ02E3"="c:\program files\Fujitsu\FUJ02E3\FUJ02E3.exe" [2007-06-13 84784]
"LoadBtnHnd"="c:\program files\Fujitsu\BtnHnd\BtnHnd.exe" [2006-11-13 68400]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256]
"IndicatorUtility"="c:\program files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe" [2007-02-10 97072]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-06-19 30192]
"FJUPDNV_Chitose"="c:\program files\Fujitsu\fjdvrupd\updatenv.exe" [2007-02-05 167936]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2006-09-26 151552]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"Freecorder FLV Service"="c:\program files\Freecorder\FLVSrvc.exe" [2010-06-26 167936]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"QuickTime Task"="c:\program files\quicktime\QTTask.exe" [2010-11-30 421888]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe" [2010-08-23 206240]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-03-09 336384]
"TkBellExe"="c:\program files\realplayer\update\realsched.exe" [2011-06-18 273544]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-11-11 159472]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10h_ActiveX.exe" [2010-06-10 231888]
.
c:\users\Marty\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MaxTV.lnk - c:\program files\DMV\MaxTV4\maxtv.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /p \??\L:\0autocheck autochk *
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R2 avplol;avplol;c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avplol.exe [2009-02-10 206088]
R2 gupdate1c9cdccdd4e72c8;Google Update Service (gupdate1c9cdccdd4e72c8);c:\program files\Google\Update\GoogleUpdate.exe [2009-05-05 133104]
R3 ADVNTDRV;ADVNTDRV;c:\windows\System32\drivers\ADVNTDRV.SYS [1999-11-18 3872]
R3 evserial;Virtual Serial Ports Driver (Eltima Softwate);c:\windows\system32\DRIVERS\evserial.sys [2008-05-19 55808]
R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-06-19 30192]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2009-05-05 133104]
R3 libusb0;LibUsb-Win32 - Kernel Driver 03/09/2005, 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [x]
R3 USBAVCap;AVerMedia USB TV Tuner Device;c:\windows\system32\drivers\USBAVCap.sys [2007-01-27 785408]
R3 V0250Dev;Live! Cam Notebook Pro;c:\windows\system32\DRIVERS\V0250Dev.sys [2006-04-05 163840]
R3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [2010-11-11 268528]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 BOHCI;BOHCI; [x]
R4 BUHCI;BUHCI; [x]
R4 BUSBD;BUSBD; [x]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2010-04-03 44896]
R4 RsFx0150;RsFx0150 Driver;c:\windows\system32\DRIVERS\RsFx0150.sys [2010-04-03 240608]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2008-09-21 717296]
R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2011-04-24 367456]
S0 FBIOSDRV;FBIOSDRV;c:\windows\system32\drivers\FBIOSDRV.SYS [2006-08-28 8960]
S0 O2MDRDR;O2MDRDR;c:\windows\system32\DRIVERS\o2media.sys [2006-10-03 36640]
S0 O2SDRDR;O2SDRDR;c:\windows\system32\DRIVERS\o2sd.sys [2007-05-11 35456]
S1 EterlogicVirtualSerialDriver;EterlogicVirtualSerialDriver;c:\windows\system32\drivers\VSPE.sys [2009-03-19 22400]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-03-09 176128]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
S2 FJVBCtrl;FJVBCtrl;c:\program files\Fujitsu\Fujitsu Hotkey Utility\FJVBCtrl.sys [2007-02-16 12848]
S2 lxbc_device;lxbc_device;c:\windows\system32\lxbccoms.exe [2007-03-16 537520]
S2 UpdateNaviInstallService;UpdateNaviInstallService;c:\program files\Fujitsu\fjdvrupd\updnvsrv.exe [2007-01-27 11776]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2011-03-09 7723008]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2011-03-09 239616]
S3 FUJ02E3;Fujitsu FUJ02E3 Device Driver;c:\windows\system32\DRIVERS\FUJ02E3.sys [2006-11-01 5632]
S3 VSBC;Virtual Serial Bus Enumerator (Eltima Software);c:\windows\system32\DRIVERS\evsbc.sys [2008-05-19 27648]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-05 22:00]
.
2011-12-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-05 22:00]
.
2011-11-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2741692578-3021297307-3845844983-1000Core.job
- c:\users\Marty\AppData\Local\Google\Update\GoogleUpdate.exe [2010-11-20 05:07]
.
2011-12-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2741692578-3021297307-3845844983-1000UA.job
- c:\users\Marty\AppData\Local\Google\Update\GoogleUpdate.exe [2010-11-20 05:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://scrim.clan.su
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Marty\AppData\Roaming\Mozilla\Firefox\Profiles\vrom0irr.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - chrome://browser-region/locale/region.properties
FF - prefs.js: network.proxy.type - 4
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-GGyfLFDEWNT.exe - c:\programdata\GGyfLFDEWNT.exe
AddRemove-BZII - d:\program files\Battlezone II\BZII.isu
.
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:e0,24,4e,a9,17,6f,cc,01
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
.
[HKEY_USERS\S-1-5-21-2741692578-3021297307-3845844983-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-2741692578-3021297307-3845844983-1000\Software\SecuROM\License information*]
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3180)
c:\users\Marty\AppData\Local\FLVService\lib\FLVSrvLib.dll
c:\program files\Softex\OmniPass\SCUREDLL.dll
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\atieclxx.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\windows\system32\o2flash.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Fingerprint Sensor\ATSwpNav.exe
c:\program files\Apoint2K\ApMsgFwd.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Apoint2K\HidFind.exe
c:\program files\Apoint2K\Apntex.exe
c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
c:\windows\system32\msiexec.exe
c:\windows\servicing\TrustedInstaller.exe
c:\windows\system32\vssvc.exe
c:\program files\windows defender\MpCmdRun.exe
.
**************************************************************************
.
Completion time: 2011-12-09 19:31:20 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-10 03:31
ComboFix2.txt 2009-07-04 02:40
.
Pre-Run: 24,228,691,968 bytes free
Post-Run: 31,944,507,392 bytes free
.
- - End Of File - - 879D9F643EEE534845F80D1D0999631D
No major problems. CHKDSK program was executed by Windows after one of the reboots. ComboFix created a log and successfully self-terminated after 2nd reboot. Computer appears to be working fine now. Thanks.
If you want more details, I noted a few important events down.
#10
Posted 10 December 2011 - 05:04 AM
Good. That cleaned up some bad guys, but I see some other stuff that we need to go after, so I want you to run this custom script for me.
:Run CFScript:
Open Notepad and copy/paste the text in the box into the window:
ClearJavaCache::
Folder::
c:\program files\Freecorder
Save it to your desktop as CFScript.txt
Referring to the picture above, drag CFScript.txt into ComboFix.exe

This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
"information and logs"
- In your next post I need the following
- report from Combofix
- let me know of any problems you may have had
- How is the computer doing now after running the script?
Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know
If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic
Please Only Copy And Paste Reports Into Topic - Do Not Attach
My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->
<-- Don't worry every little bit helps.
#11
Posted 10 December 2011 - 10:48 AM
#12
Posted 10 December 2011 - 12:10 PM
it is best to remove it for now as some of our other tools may go after it anyway, reinstall back after we have finished the cleanup
gringo
#13
Posted 10 December 2011 - 04:51 PM
#14
Posted 10 December 2011 - 05:43 PM
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3070.2014 [GMT -8:00]
Running from: c:\users\Marty\Desktop\ComboFix.exe
Command switches used :: c:\users\Marty\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Freecorder
c:\program files\Freecorder\Applian_Audio_Plugin.dll
c:\program files\Freecorder\audgopher.dll
c:\program files\Freecorder\audhook.dll
c:\program files\Freecorder\FCAudio.exe
c:\program files\Freecorder\FCConv.exe
c:\program files\Freecorder\FCSettings.exe
c:\program files\Freecorder\FCVideos.exe
c:\program files\Freecorder\ffmpeg.exe
c:\program files\Freecorder\FLVPlayer.exe
c:\program files\Freecorder\FLVSrvc.exe
c:\program files\Freecorder\Freecorder.xpi
c:\program files\Freecorder\freecorder_ie.exe
c:\program files\Freecorder\FreecorderToolbarHelper.exe
c:\program files\Freecorder\INSTALL.LOG
c:\program files\Freecorder\lame_enc.dll
c:\program files\Freecorder\sdl.dll
c:\program files\Freecorder\tbFree.dll
c:\program files\Freecorder\toolbar.cfg
c:\program files\Freecorder\Uninstall\IRIMG1.JPG
c:\program files\Freecorder\Uninstall\IRIMG2.JPG
c:\program files\Freecorder\Uninstall\uninstall.dat
c:\program files\Freecorder\Uninstall\uninstall.xml
c:\program files\Freecorder\UNWISE.EXE
c:\program files\Freecorder\VistaAudioLib.dll
.
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\combofix\HarddiskVolumeShadowCopy6_!Windows!System32!userinit.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-11-10 to 2011-12-10 )))))))))))))))))))))))))))))))
.
.
2011-12-10 22:11 . 2011-12-10 22:11 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-12-10 02:57 . 2011-12-10 02:57 -------- d-----w- C:\found.000
2011-12-10 02:49 . 2011-12-10 22:15 -------- d-----w- c:\users\Marty\AppData\Local\temp
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-10 22:12 . 2011-12-10 22:12 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{0048D976-99ED-4655-B169-170CBDE37ECD}\offreg.dll
2011-12-07 05:13 . 2009-10-04 00:07 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-11-21 10:47 . 2011-12-10 03:27 6823496 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{0048D976-99ED-4655-B169-170CBDE37ECD}\mpengine.dll
2011-09-20 21:02 . 2011-11-10 03:13 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-05-03 20:53 . 2011-03-27 05:09 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2010-06-19 05:03 . 2009-12-12 23:55 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATSwpNav"="c:\program files\Fingerprint Sensor\ATSwpNav -run" [X]
"TvOutSwitch"="c:\program files\Fujitsu\DispSwitch\DispSwitchLauncher.exe" [2007-10-01 106496]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-15 71216]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-02-21 366400]
"OmniPass"="c:\program files\Softex\OmniPass\scureapp.exe" [2007-10-24 2564096]
"LoadFujitsuQuickTouch"="c:\program files\Fujitsu\Application Panel\QuickTouch.exe" [2006-11-26 260912]
"LoadFUJ02E3"="c:\program files\Fujitsu\FUJ02E3\FUJ02E3.exe" [2007-06-13 84784]
"LoadBtnHnd"="c:\program files\Fujitsu\BtnHnd\BtnHnd.exe" [2006-11-13 68400]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256]
"IndicatorUtility"="c:\program files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe" [2007-02-10 97072]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-06-19 30192]
"FJUPDNV_Chitose"="c:\program files\Fujitsu\fjdvrupd\updatenv.exe" [2007-02-05 167936]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2006-09-26 151552]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"QuickTime Task"="c:\program files\quicktime\QTTask.exe" [2010-11-30 421888]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe" [2010-08-23 206240]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-03-09 336384]
"TkBellExe"="c:\program files\realplayer\update\realsched.exe" [2011-06-18 273544]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-11-11 159472]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10h_ActiveX.exe" [2010-06-10 231888]
.
c:\users\Marty\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MaxTV.lnk - c:\program files\DMV\MaxTV4\maxtv.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /p \??\L:\0autocheck autochk *
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R2 avplol;avplol;c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avplol.exe [2009-02-10 206088]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate1c9cdccdd4e72c8;Google Update Service (gupdate1c9cdccdd4e72c8);c:\program files\Google\Update\GoogleUpdate.exe [2009-05-05 133104]
R3 ADVNTDRV;ADVNTDRV;c:\windows\System32\drivers\ADVNTDRV.SYS [1999-11-18 3872]
R3 evserial;Virtual Serial Ports Driver (Eltima Softwate);c:\windows\system32\DRIVERS\evserial.sys [2008-05-19 55808]
R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-06-19 30192]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2009-05-05 133104]
R3 libusb0;LibUsb-Win32 - Kernel Driver 03/09/2005, 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [x]
R3 USBAVCap;AVerMedia USB TV Tuner Device;c:\windows\system32\drivers\USBAVCap.sys [2007-01-27 785408]
R3 V0250Dev;Live! Cam Notebook Pro;c:\windows\system32\DRIVERS\V0250Dev.sys [2006-04-05 163840]
R3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [2010-11-11 268528]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 BOHCI;BOHCI; [x]
R4 BUHCI;BUHCI; [x]
R4 BUSBD;BUSBD; [x]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2010-04-03 44896]
R4 RsFx0150;RsFx0150 Driver;c:\windows\system32\DRIVERS\RsFx0150.sys [2010-04-03 240608]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2008-09-21 717296]
R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2011-04-24 367456]
S0 FBIOSDRV;FBIOSDRV;c:\windows\system32\drivers\FBIOSDRV.SYS [2006-08-28 8960]
S0 O2MDRDR;O2MDRDR;c:\windows\system32\DRIVERS\o2media.sys [2006-10-03 36640]
S0 O2SDRDR;O2SDRDR;c:\windows\system32\DRIVERS\o2sd.sys [2007-05-11 35456]
S1 EterlogicVirtualSerialDriver;EterlogicVirtualSerialDriver;c:\windows\system32\drivers\VSPE.sys [2009-03-19 22400]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-03-09 176128]
S2 FJVBCtrl;FJVBCtrl;c:\program files\Fujitsu\Fujitsu Hotkey Utility\FJVBCtrl.sys [2007-02-16 12848]
S2 lxbc_device;lxbc_device;c:\windows\system32\lxbccoms.exe [2007-03-16 537520]
S2 UpdateNaviInstallService;UpdateNaviInstallService;c:\program files\Fujitsu\fjdvrupd\updnvsrv.exe [2007-01-27 11776]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2011-03-09 7723008]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2011-03-09 239616]
S3 FUJ02E3;Fujitsu FUJ02E3 Device Driver;c:\windows\system32\DRIVERS\FUJ02E3.sys [2006-11-01 5632]
S3 VSBC;Virtual Serial Bus Enumerator (Eltima Software);c:\windows\system32\DRIVERS\evsbc.sys [2008-05-19 27648]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-05 22:00]
.
2011-12-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-05 22:00]
.
2011-11-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2741692578-3021297307-3845844983-1000Core.job
- c:\users\Marty\AppData\Local\Google\Update\GoogleUpdate.exe [2010-11-20 05:07]
.
2011-12-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2741692578-3021297307-3845844983-1000UA.job
- c:\users\Marty\AppData\Local\Google\Update\GoogleUpdate.exe [2010-11-20 05:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://scrim.clan.su
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Marty\AppData\Roaming\Mozilla\Firefox\Profiles\vrom0irr.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - chrome://browser-region/locale/region.properties
FF - prefs.js: network.proxy.type - 4
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\Freecorder\tbFree.dll
BHO-{1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\Freecorder\tbFree.dll
Toolbar-{1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\Freecorder\tbFree.dll
WebBrowser-{1392B8D2-5C05-419F-A8F6-B9F15A596612} - c:\program files\Freecorder\tbFree.dll
HKLM-Run-Freecorder FLV Service - c:\program files\Freecorder\FLVSrvc.exe
AddRemove-Freecorder Toolbar - c:\progra~1\FREECO~1\UNWISE.EXE
.
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:e0,24,4e,a9,17,6f,cc,01
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
.
[HKEY_USERS\S-1-5-21-2741692578-3021297307-3845844983-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-2741692578-3021297307-3845844983-1000\Software\SecuROM\License information*]
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3644)
c:\program files\Softex\OmniPass\SCUREDLL.dll
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\atieclxx.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\windows\system32\o2flash.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Fingerprint Sensor\ATSwpNav.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Apoint2K\ApMsgFwd.exe
c:\program files\Apoint2K\HidFind.exe
c:\program files\Apoint2K\Apntex.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
.
**************************************************************************
.
Completion time: 2011-12-10 14:38:00 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-10 22:37
ComboFix2.txt 2011-12-10 03:31
ComboFix3.txt 2009-07-04 02:40
.
Pre-Run: 31,614,291,968 bytes free
Post-Run: 31,561,752,576 bytes free
.
- - End Of File - - 5D2DEF6310DDE718DB4783B8BEBFF733
Computer is working fine. No noticeable performance change from the previous state.
This post has been edited by oozinator: 10 December 2011 - 05:43 PM
#15
Posted 10 December 2011 - 09:49 PM
:P2P Warning!:
IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.
Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur
Once upon a time, P2P file sharing was fairly safe. That is no longer true. P2P programs form a direct conduit on to your computer, their security measures are easily circumvented and malware writers are increasingly exploiting them to spread their wares on to your computer. Further to that, if your P2P program is not configured correctly, your computer may be sharing more files than you realise. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to a file sharing network by a badly configured program.
Please read these short reports on the dangers of peer-2-peer programs and file sharing.
These logs are looking a lot better. But we still have some work to do.
Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps..
Uninstall some programs
- 1. Click on Start
- 2. Then go to Settings
- 3. After that you need Control Panel
- 4. Look for the icon Add/Remove Programs
- Click on the following program and click on Remove:
Adobe Reader 9.4.1
Update Adobe Reader
- Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.
You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.
- If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader(7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.
Note: When installing Foxit Reader, be careful not to install anything to do with AskBar.
Your Java is out of date.
It can be updated by the Java control panel
- click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup) -> Update Tab -> Update Now.
- An update should begin;
- follow the prompts
TFC(Temp File Cleaner):
- Please download TFC to your desktop,
- Save any unsaved work. TFC will close all open application windows.
- Double-click TFC.exe to run the program.
- If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.
: Malwarebytes' Anti-Malware :
- I would like you to rerun MBAM
- Double-click mbam icon
- go to the update tab at the top
- click on check for updates
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select Perform quick scan, then click Scan.
- When the scan is complete, click OK, then Show Results to view the results.
- Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
- When completed, a log will open in Notepad. please copy and paste the log into your next reply
- If you accidentally close it, the log file is saved here and will be named like this:
- C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
Download HijackThis
If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)
- Go Here to download HijackThis Installer
- Save HijackThis Installer to your desktop.
- Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
- By default it will install to C:\Program Files\Trend Micro\HijackThis .
- Click on Install.
- It will create a HijackThis icon on the desktop.
- Once installed it will launch Hijackthis.
- Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
- Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
- Come back here to this thread and Paste the log in your next reply.
- DO NOT use the Analyze This button; its findings are dangerous if misinterpreted.
- DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe) <-- 32-bit
(located: C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe) <-- 64-bit
and select Run as administrator.
"information and logs"
- In your next post I need the following
- Log From MBAM
- report from Hijackthis
- let me know of any problems you may have had
- How is the computer doing now?
Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know
If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic
Please Only Copy And Paste Reports Into Topic - Do Not Attach
My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.
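The first half of the post above is an inventory task: find every Adobe Reader and Java version in Add/Remove Programs (the instructions say to remove all previous Reader versions after updating) and confirm whether a P2P client is still installed. The following PowerShell is an added example, not something Gringo posted and not part of any of the tools named in the thread. It reads the same Uninstall registry keys that Add/Remove Programs displays and groups the entries by name pattern. The name patterns, the category labels and the list of P2P product names are assumptions for illustration; extend them to whatever is actually on the machine.

```powershell
# Added example (not from the thread): list Add/Remove Programs entries for Adobe Reader,
# Java and common P2P clients, with version and uninstall command, from the registry.
# Assumption: the regex patterns below cover the products of interest; adjust as needed.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall',  # 64-bit only
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'               # per-user installs
)

# Category -> regex over DisplayName (assumed patterns, not an authoritative product list)
$patterns = @{
    'Adobe Reader' = '^Adobe Reader'
    'Java'         = '^Java\(TM\)|^Java \d|^J2SE'
    'P2P'          = 'LimeWire|FrostWire|uTorrent|BitTorrent|Vuze|Azureus|BearShare|Shareaza|eMule|Kazaa|Ares'
}

# Flatten every uninstall entry that has a DisplayName into one object per product.
$installed = foreach ($key in $uninstallKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($sub in Get-ChildItem $key) {
        $p = Get-ItemProperty $sub.PSPath
        if ($p.DisplayName) {
            [pscustomobject]@{
                Name      = $p.DisplayName
                Version   = $p.DisplayVersion
                Installed = $p.InstallDate        # yyyymmdd when the installer recorded it
                Uninstall = $p.UninstallString
                Key       = $sub.PSChildName      # GUID or product name used by the installer
            }
        }
    }
}

# Report each category; multiple Adobe Reader rows means old versions are still present.
foreach ($category in $patterns.Keys) {
    $hits = @($installed | Where-Object { $_.Name -match $patterns[$category] } |
              Sort-Object Name, Version)
    "== $category ($($hits.Count) found) =="
    if ($hits.Count -gt 0) {
        $hits | Format-Table -AutoSize Name, Version, Installed, Uninstall | Out-String
    }
}
```

The Uninstall string printed for each row is the same command Add/Remove Programs runs, so it can be used to remove an entry from an elevated prompt when the Control Panel applet is unresponsive. Entries that have a DisplayName but no UninstallString, or whose UninstallString points at a file that no longer exists, are worth a second look: legitimate installers leave both, while software that was removed by a malware cleaner often leaves only the registry stub.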
This topic is locked