

Adware or Trojan?


27 replies to this topic

#16 kahdah (Security Colleague)

Posted 05 April 2009 - 11:24 AM

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.


#17 Nile (Topic Starter)

Posted 05 April 2009 - 11:26 AM

Can you please tell me how to disable AVG, TrendMicro, and Avast?

#18 kahdah (Security Colleague)

Posted 05 April 2009 - 11:33 AM

First you need to uninstall all of those but 1.
All of these together will cause major slowdowns of the system and cause false positives.

Let me know which one you keep then I will tell you how to disable it.

#19 Nile (Topic Starter)

Posted 05 April 2009 - 01:06 PM

I have uninstalled Avast! and TrendMicro. How do I disable AVG?


Thanks for all your help!

#20 kahdah (Security Colleague)

Posted 05 April 2009 - 01:28 PM

Hi, you are welcome.
See the below link for instructions.

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

#21 Nile (Topic Starter)

Posted 05 April 2009 - 03:40 PM

Log:

ComboFix 09-04-04.01 - Jeremy 2009-04-05 15:13:54.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2045.1067 [GMT -5:00]
Running from: c:\users\Jeremy\Downloads\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\xpysys.dll

.
((((((((((((((((((((((((( Files Created from 2009-03-05 to 2009-04-05 )))))))))))))))))))))))))))))))
.

2009-04-05 12:58 . 2009-04-05 12:58 <DIR> d-------- c:\users\Jay Oh Eea El\AppData\Roaming\Subversion
2009-04-05 12:54 . 2009-04-05 12:54 <DIR> d--hs---- C:\found.001
2009-04-04 20:43 . 2009-04-04 21:34 <DIR> d-------- c:\users\Jeremy\AppData\Roaming\Facebook
2009-03-25 16:33 . 2009-03-25 21:23 <DIR> d-------- c:\program files\Windows Live Safety Center
2009-03-16 18:25 . 2009-03-19 07:28 220,088,911 --a------ c:\windows\MEMORY.DMP
2009-03-10 20:12 . 2008-12-15 22:29 8,147,456 --a------ c:\windows\System32\wmploc.DLL
2009-03-10 20:12 . 2009-02-08 22:10 2,033,152 --a------ c:\windows\System32\win32k.sys
2009-03-10 20:12 . 2008-11-26 23:43 268,288 --a------ c:\windows\System32\schannel.dll
2009-03-10 20:12 . 2008-12-16 00:31 7,680 --a------ c:\windows\System32\spwmp.dll
2009-03-10 20:12 . 2008-12-16 00:31 4,096 --a------ c:\windows\System32\msdxm.ocx
2009-03-10 20:12 . 2008-12-16 00:31 4,096 --a------ c:\windows\System32\dxmasf.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-05 16:05 --------- d-----w c:\users\Jeremy\AppData\Roaming\localhostr uploadr
2009-03-31 02:54 --------- d-----w c:\program files\SUPERAntiSpyware
2009-03-26 02:31 --------- d-----w c:\program files\Common Files\PX Storage Engine
2009-03-26 01:57 --------- d-----w c:\programdata\way rdr ford mpeg
2009-03-26 01:57 --------- d-----w c:\programdata\htmblah
2009-03-11 08:07 --------- d-----w c:\program files\Windows Mail
2009-03-03 02:10 --------- d-----w c:\users\Jeremy\AppData\Roaming\U3
2009-02-27 12:51 --------- d-----w c:\program files\Microsoft Silverlight
2009-02-19 04:41 --------- d-----w c:\program files\OpenOffice.org 3
2009-02-19 04:41 --------- d-----w c:\program files\JRE
2009-02-17 13:00 --------- d-----w c:\programdata\SUPERAntiSpyware.com
2009-02-17 12:58 --------- d-----w c:\users\Jeremy\AppData\Roaming\SUPERAntiSpyware.com
2009-02-17 12:57 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-16 21:36 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-16 15:33 --------- d-----w c:\users\Jeremy\AppData\Roaming\Malwarebytes
2009-02-16 15:33 --------- d-----w c:\programdata\Malwarebytes
2009-02-16 14:49 --------- d-----w c:\program files\Enigma Software Group
2009-02-16 04:31 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-02-16 04:31 107,272 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-02-16 04:31 10,520 ----a-w c:\windows\System32\avgrsstx.dll
2009-02-16 04:31 --------- d-----w c:\programdata\avg8
2009-02-16 04:31 --------- d-----w c:\program files\AVG
2009-02-15 23:19 --------- d-----w c:\program files\Alwil Software
2009-02-12 02:48 --------- d-----w c:\program files\CrossLoop
2009-02-12 00:28 --------- d-----w c:\program files\CoffeeCup Software
2009-02-11 16:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 16:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-07 00:52 49,504 ----a-w c:\windows\System32\sirenacm.dll
2009-02-06 00:53 --------- d-----w c:\users\Jeremy\AppData\Roaming\CoffeeCup Software
2009-01-15 06:11 827,392 ----a-w c:\windows\System32\wininet.dll
2009-01-08 23:14 2,392 ----a-w c:\users\Jeremy\AppData\Roaming\wklnhst.dat
2008-12-05 01:08 174 --sha-w c:\program files\desktop.ini
2008-04-25 00:38 60,968 ----a-w c:\users\Jeremy\GoToAssistDownloadHelper.exe
2008-12-12 21:30 122,880 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 18:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 18:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 18:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 18:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 18:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 18:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 18:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 18:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 18:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartBind"="c:\programdata\acidownsowns.kw4b0" [X]
"Ford mpeg road draw"="c:\programdata\support dog bend.ondep" [X]
"RunSpySweeperScheduleAtStartup"="c:\windows\system32\msfeedssync.exe" [2008-01-19 12800]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885408]
"Google Update"="c:\users\Jeremy\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-09-07 133104]
"googletalk"="c:\users\Jeremy\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-15 1830128]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-12-12 29744]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-02-13 16384]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-04 136600]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 279912]
"VX3000"="c:\windows\vVX3000.exe" [2007-04-10 709992]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-15 1601304]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-17 c:\windows\RtHDVCpl.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 12:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GOEC62~1.DLL avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"DefaultOutboundAction"= 0 (0x0)
"DefaultInboundAction"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{12CBDC2C-E562-4C94-BDAD-9D0097078A34}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{00AEB91E-2ABF-4A35-B84E-8D371EA8145F}c:\\wamp\\bin\\apache\\apache2.2.8\\bin\\httpd.exe"= UDP:c:\wamp\bin\apache\apache2.2.8\bin\httpd.exe:Apache HTTP Server
"UDP Query User{754D2A52-27C4-40B2-9E35-502DF5DB3784}c:\\wamp\\bin\\apache\\apache2.2.8\\bin\\httpd.exe"= TCP:c:\wamp\bin\apache\apache2.2.8\bin\httpd.exe:Apache HTTP Server
"{EA3DA47C-DBC2-49D1-B924-64F99ABC2F5E}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{C82E9A83-8218-4EC6-AD0C-95C94F2ADF0D}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{4D12AB88-BBA3-4C40-B6ED-DC939B6F802F}"= UDP:c:\program files\AIM6\aim6.exe:AIM
"{33067AEB-3243-4089-96A7-383718C56FEB}"= TCP:c:\program files\AIM6\aim6.exe:AIM
"{2B59E7B2-0A55-4CAB-A47E-EC36E7E59968}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{DBBE36E0-8358-4462-9CCB-343F581580AD}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{D9843FE6-2EC1-4FE2-9FEF-605248BA161D}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{63F0B952-A619-4E7E-A34C-D4B567252857}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{B380842E-7FF7-489B-A554-08BF17E6E687}"= UDP:c:\program files\Microsoft LifeCam\LifeCam.exe:LifeCam.exe
"{56F3C9B7-AC3A-4D19-9F90-F25A4BE92C6A}"= TCP:c:\program files\Microsoft LifeCam\LifeCam.exe:LifeCam.exe
"{5748A58D-501D-453F-BFAD-BD26E7EDA6BD}"= UDP:c:\program files\Microsoft LifeCam\LifeExp.exe:LifeExp.exe
"{A5B0775A-DFB6-4979-9D27-A53524DB227D}"= TCP:c:\program files\Microsoft LifeCam\LifeExp.exe:LifeExp.exe
"{A3CA8485-3BDB-4C65-A3DC-EEC5ABB6D846}"= UDP:c:\program files\SmartFTP Client\SmartFTP.exe:SmartFTP Client
"{C1166965-26BB-463A-9341-476C028C425B}"= TCP:c:\program files\SmartFTP Client\SmartFTP.exe:SmartFTP Client
"{CCFBB364-B7B1-46C1-A271-4F7EDCC572E9}"= c:\program files\AVG\AVG8\avgemc.exe:avgemc.exe
"{A2A4704E-A168-4F82-A079-553736208A19}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"{54C9072B-F599-4B6B-8CA4-5CB89F2E8CB3}"= c:\program files\AVG\AVG8\avgnsx.exe:avgnsx.exe
"TCP Query User{C358C8C6-76D4-43EB-A607-A4C486ADE50B}c:\\program files\\crossloop\\crossloopconnect.exe"= UDP:c:\program files\crossloop\crossloopconnect.exe:CrossLoop - Simple Secure Screen Sharing
"UDP Query User{EDDF89C8-A7F5-4DAF-9834-A5A11586E45F}c:\\program files\\crossloop\\crossloopconnect.exe"= TCP:c:\program files\crossloop\crossloopconnect.exe:CrossLoop - Simple Secure Screen Sharing
"TCP Query User{C898073B-08A8-4D11-8F64-46C81A167D3D}c:\\program files\\java\\jre6\\bin\\java.exe"= UDP:c:\program files\java\jre6\bin\java.exe:Java™ Platform SE binary
"UDP Query User{07D1B42E-67A1-4697-8CF6-45F6268E85E4}c:\\program files\\java\\jre6\\bin\\java.exe"= TCP:c:\program files\java\jre6\bin\java.exe:Java™ Platform SE binary
"TCP Query User{A98EA750-2855-44AB-9963-C6030F50D958}c:\\program files\\aim6\\aim6.exe"= UDP:c:\program files\aim6\aim6.exe:AIM
"UDP Query User{F0085180-D7AD-464B-9D64-0AD2FC0B2B5B}c:\\program files\\aim6\\aim6.exe"= TCP:c:\program files\aim6\aim6.exe:AIM
"TCP Query User{1D8EB479-2A70-4868-A9FF-F7D0B628C293}c:\\program files\\crossloop\\crossloopconnect.exe"= UDP:c:\program files\crossloop\crossloopconnect.exe:CrossLoop - Simple Secure Screen Sharing
"UDP Query User{11BF29D0-B935-42EC-81D0-05FE3E1CCB1B}c:\\program files\\crossloop\\crossloopconnect.exe"= TCP:c:\program files\crossloop\crossloopconnect.exe:CrossLoop - Simple Secure Screen Sharing
"{CF3140EC-9E00-435B-851E-7DCEC2795894}"= UDP:c:\users\Jeremy\AppData\Roaming\Facebook\facebook.exe:Facebook
"{8DA6140E-0217-4FB5-9FEB-7D43405B5250}"= TCP:c:\users\Jeremy\AppData\Roaming\Facebook\facebook.exe:Facebook

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"DefaultOutboundAction"= 0 (0x0)
"DefaultInboundAction"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"DefaultOutboundAction"= 0 (0x0)
"DefaultInboundAction"= 1 (0x1)

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [2009-02-15 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [2009-02-15 107272]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
R2 AERTFilters;Andrea RT Filters Service;c:\windows\System32\AERTSrv.exe [2007-12-05 77824]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-02-15 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-15 298264]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-05-15 24652]
R3 bbcap;bbcap;c:\windows\System32\drivers\bbcap.sys [2008-04-22 4096]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2008-04-14 29744]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [2008-07-10 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\System32\drivers\RsFx0102.sys [2008-07-10 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2008-07-10 369688]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0cb5dbda-6c02-11dd-bea2-001d09912c5d}]
\shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{90f3ed20-0695-11de-b08d-9abc6d39b782}]
\shell\AutoRun\command - G:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-04-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-562487796-3096848044-3928850087-1000.job
- c:\users\Jeremy\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-07 12:33]

2009-04-05 c:\windows\Tasks\User_Feed_Synchronization-{C9004FF9-F3FF-452A-B1E0-AFCE242B2235}.job
- c:\windows\system32\msfeedssync.exe [2008-01-19 02:33]
.
- - - - ORPHANS REMOVED - - - -

Notify-GoToAssist - (no file)


.
------- Supplementary Scan -------
.
uStart Page = www.google.com
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\users\Jeremy\AppData\Roaming\Mozilla\Firefox\Profiles\g1cjesp9.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\users\Jeremy\AppData\Local\Google\Update\1.2.141.5\npGoogleOneClick7.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-05 15:17:42
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-04-05 15:20:31
ComboFix-quarantined-files.txt 2009-04-05 20:20:28

Pre-Run: 235,818,524,672 bytes free
Post-Run: 235,970,494,464 bytes free

229 --- E O F --- 2009-04-02 23:49:59



#22 kahdah (Security Colleague)

Posted 05 April 2009 - 05:45 PM

1. Please open Notepad
  • Click Start, then Run
  • type notepad in the Run box, then hit OK.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
c:\programdata\acidownsowns.kw4b0
c:\programdata\support dog bend.ondep

Folder::
c:\users\Jeremy\AppData\Roaming\Facebook
c:\programdata\acidownsowns.kw4b0
c:\programdata\support dog bend.ondep


Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartBind"=-
"Ford mpeg road draw"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{CF3140EC-9E00-435B-851E-7DCEC2795894}"=-
"{8DA6140E-0217-4FB5-9FEB-7D43405B5250}"=-


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[Animation: dragging CFScript.txt onto ComboFix.exe]


5. After the reboot (in case it asks to reboot), please post the following report in your next reply:
Combofix.txt.
=============
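As an added illustration (not code from this thread, from kahdah, or from ComboFix itself), the script below applies the reasoning behind the CFScript above to the log format shown in post #21: it splits a ComboFix log into its bracketed registry sections, flags Run values that ComboFix printed with [X] instead of a date/size or that point at odd extensions under ProgramData/AppData, flags firewall rules for a program living under a user profile, and renders the matching Registry:: block. The sample lines are copied from the posted log; the flagging heuristics and the [X] interpretation are my own assumptions, not ComboFix's documented behaviour.

```python
import ntpath
import re
from dataclasses import dataclass

# Constructed sample: a few lines copied from the "Reg Loading Points" section of the
# ComboFix log posted in this thread, embedded so the script runs offline.
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartBind"="c:\programdata\acidownsowns.kw4b0" [X]
"Ford mpeg road draw"="c:\programdata\support dog bend.ondep" [X]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"Google Update"="c:\users\Jeremy\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-09-07 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-15 1601304]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{CF3140EC-9E00-435B-851E-7DCEC2795894}"= UDP:c:\users\Jeremy\AppData\Roaming\Facebook\facebook.exe:Facebook
"{8DA6140E-0217-4FB5-9FEB-7D43405B5250}"= TCP:c:\users\Jeremy\AppData\Roaming\Facebook\facebook.exe:Facebook
"{D9843FE6-2EC1-4FE2-9FEF-605248BA161D}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
'''

SECTION_RE = re.compile(r'^\[(?P<key>.+)\]$')
# "Name"="path" [date size]   or   "Name"="path" [X]
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*\[(?P<meta>[^\]]*)\]')
# "{GUID}"= PROTO:path:label   (the label has no colon, so the path keeps its "c:")
FW_RE = re.compile(r'^"(?P<rule>[^"]+)"=\s*(?:(?P<proto>TCP|UDP):)?(?P<path>.+):(?P<label>[^:]+)$')

# Locations a standard user can write to. Legitimate software lives here too
# (GoogleUpdate.exe in the sample), so this is a hint, not a verdict by itself.
USER_WRITABLE = ('c:\\programdata\\', '\\appdata\\')
# Extensions one expects on a Run entry; ".kw4b0" and ".ondep" are not among them.
NORMAL_EXT = {'.exe', '.dll', '.ocx', '.cpl', '.scr', '.com'}


@dataclass
class Finding:
    kind: str      # "run" or "firewall"
    section: str   # registry key the entry was listed under
    name: str      # value name (Run) or rule id (FirewallRules)
    path: str
    reason: str


def split_sections(log: str) -> dict[str, list[str]]:
    """Group the log into {registry key: [non-empty lines]} using the [..] headers."""
    sections: dict[str, list[str]] = {}
    current = None
    for line in log.splitlines():
        line = line.rstrip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group('key')
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line)
    return sections


def triage_run_entries(section: str, lines: list[str]) -> list[Finding]:
    """Flag Run values with no date/size ([X]) or an odd extension in a user-writable dir."""
    out = []
    for line in lines:
        m = RUN_RE.match(line)
        if not m:
            continue
        name, path, meta = m.group('name'), m.group('path'), m.group('meta')
        reasons = []
        if meta.strip() == 'X':
            reasons.append('ComboFix printed [X] instead of a file date/size')
        ext = ntpath.splitext(path)[1].lower()
        if any(marker in path.lower() for marker in USER_WRITABLE) and ext not in NORMAL_EXT:
            reasons.append(f'user-writable location with unusual extension {ext!r}')
        if reasons:
            out.append(Finding('run', section, name, path, '; '.join(reasons)))
    return out


def triage_firewall_rules(section: str, lines: list[str]) -> list[Finding]:
    """Flag firewall rules whose program sits under a user profile (AppData)."""
    out = []
    for line in lines:
        m = FW_RE.match(line)
        if m and '\\appdata\\' in m.group('path').lower():
            out.append(Finding('firewall', section, m.group('rule'), m.group('path'),
                               f'rule for a program under the user profile ({m.group("label")})'))
    return out


def triage_combofix_log(log: str) -> list[Finding]:
    findings: list[Finding] = []
    for section, lines in split_sections(log).items():
        key = section.lower()
        if key.endswith('\\currentversion\\run'):
            findings.extend(triage_run_entries(section, lines))
        elif key.endswith('\\firewallrules'):
            findings.extend(triage_firewall_rules(section, lines))
    return findings


def build_registry_script(findings: list[Finding]) -> str:
    """Render the Registry:: block of a CFScript; a '"name"=-' line deletes that value."""
    by_section: dict[str, list[str]] = {}
    for f in findings:
        by_section.setdefault(f.section, []).append(f'"{f.name}"=-')
    lines = ['Registry::']
    for section, values in by_section.items():
        lines.append(f'[{section}]')
        lines.extend(values)
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    results = triage_combofix_log(SAMPLE_LOG)
    for f in results:
        print(f'{f.kind:8} {f.name!r}: {f.path}  <- {f.reason}')
    print(build_registry_script(results))
```

Run against a full ComboFix.txt, the output is a starting point for the kind of review kahdah did by hand; every flagged entry still needs a human to confirm it before it goes into a script.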

#23 Nile (Topic Starter)

Posted 05 April 2009 - 05:57 PM

Here:

ComboFix 09-04-04.01 - Jeremy 2009-04-05 17:50:13.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2045.840 [GMT -5:00]
Running from: c:\users\Jeremy\Downloads\ComboFix.exe
Command switches used :: c:\wamp\www\testing_dir\24\CFScript.txt
* Created a new restore point

FILE ::
c:\programdata\acidownsowns.kw4b0
c:\programdata\support dog bend.ondep
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\acidownsowns.kw4b0
c:\programdata\support dog bend.ondep
c:\users\Jeremy\AppData\Roaming\Facebook
c:\users\Jeremy\AppData\Roaming\Facebook\_ctypes.pyd
c:\users\Jeremy\AppData\Roaming\Facebook\_socket.pyd
c:\users\Jeremy\AppData\Roaming\Facebook\facebook.exe
c:\users\Jeremy\AppData\Roaming\Facebook\facebook.exe.log
c:\users\Jeremy\AppData\Roaming\Facebook\MSVCR71.dll
c:\users\Jeremy\AppData\Roaming\Facebook\python25.dll
c:\users\Jeremy\AppData\Roaming\Facebook\pythoncom25.dll
c:\users\Jeremy\AppData\Roaming\Facebook\pywintypes25.dll
c:\users\Jeremy\AppData\Roaming\Facebook\shell.pyd
c:\users\Jeremy\AppData\Roaming\Facebook\win32api.pyd

.
((((((((((((((((((((((((( Files Created from 2009-03-05 to 2009-04-05 )))))))))))))))))))))))))))))))
.

2009-04-05 12:58 . 2009-04-05 12:58 <DIR> d-------- c:\users\Jay Oh Eea El\AppData\Roaming\Subversion
2009-04-05 12:54 . 2009-04-05 12:54 <DIR> d--hs---- C:\found.001
2009-03-25 16:33 . 2009-03-25 21:23 <DIR> d-------- c:\program files\Windows Live Safety Center
2009-03-16 18:25 . 2009-03-19 07:28 220,088,911 --a------ c:\windows\MEMORY.DMP
2009-03-10 20:12 . 2008-12-15 22:29 8,147,456 --a------ c:\windows\System32\wmploc.DLL
2009-03-10 20:12 . 2009-02-08 22:10 2,033,152 --a------ c:\windows\System32\win32k.sys
2009-03-10 20:12 . 2008-11-26 23:43 268,288 --a------ c:\windows\System32\schannel.dll
2009-03-10 20:12 . 2008-12-16 00:31 7,680 --a------ c:\windows\System32\spwmp.dll
2009-03-10 20:12 . 2008-12-16 00:31 4,096 --a------ c:\windows\System32\msdxm.ocx
2009-03-10 20:12 . 2008-12-16 00:31 4,096 --a------ c:\windows\System32\dxmasf.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-05 16:05 --------- d-----w c:\users\Jeremy\AppData\Roaming\localhostr uploadr
2009-03-31 02:54 --------- d-----w c:\program files\SUPERAntiSpyware
2009-03-26 02:31 --------- d-----w c:\program files\Common Files\PX Storage Engine
2009-03-26 01:57 --------- d-----w c:\programdata\way rdr ford mpeg
2009-03-26 01:57 --------- d-----w c:\programdata\htmblah
2009-03-11 08:07 --------- d-----w c:\program files\Windows Mail
2009-03-03 02:10 --------- d-----w c:\users\Jeremy\AppData\Roaming\U3
2009-02-27 12:51 --------- d-----w c:\program files\Microsoft Silverlight
2009-02-19 04:41 --------- d-----w c:\program files\OpenOffice.org 3
2009-02-19 04:41 --------- d-----w c:\program files\JRE
2009-02-17 13:00 --------- d-----w c:\programdata\SUPERAntiSpyware.com
2009-02-17 12:58 --------- d-----w c:\users\Jeremy\AppData\Roaming\SUPERAntiSpyware.com
2009-02-17 12:57 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-16 21:36 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-16 15:33 --------- d-----w c:\users\Jeremy\AppData\Roaming\Malwarebytes
2009-02-16 15:33 --------- d-----w c:\programdata\Malwarebytes
2009-02-16 14:49 --------- d-----w c:\program files\Enigma Software Group
2009-02-16 04:31 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-02-16 04:31 107,272 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-02-16 04:31 10,520 ----a-w c:\windows\System32\avgrsstx.dll
2009-02-16 04:31 --------- d-----w c:\programdata\avg8
2009-02-16 04:31 --------- d-----w c:\program files\AVG
2009-02-15 23:19 --------- d-----w c:\program files\Alwil Software
2009-02-12 02:48 --------- d-----w c:\program files\CrossLoop
2009-02-12 00:28 --------- d-----w c:\program files\CoffeeCup Software
2009-02-11 16:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 16:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-07 00:52 49,504 ----a-w c:\windows\System32\sirenacm.dll
2009-02-06 00:53 --------- d-----w c:\users\Jeremy\AppData\Roaming\CoffeeCup Software
2009-01-15 06:11 827,392 ----a-w c:\windows\System32\wininet.dll
2009-01-08 23:14 2,392 ----a-w c:\users\Jeremy\AppData\Roaming\wklnhst.dat
2008-12-05 01:08 174 --sha-w c:\program files\desktop.ini
2008-04-25 00:38 60,968 ----a-w c:\users\Jeremy\GoToAssistDownloadHelper.exe
2008-12-12 21:30 122,880 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-04-05_15.18.25.69 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-04-05 17:57:33 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2009-04-05 20:17:53 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 18:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 18:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 18:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 18:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 18:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 18:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 18:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 18:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 18:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RunSpySweeperScheduleAtStartup"="c:\windows\system32\msfeedssync.exe" [2008-01-19 12800]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885408]
"Google Update"="c:\users\Jeremy\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-09-07 133104]
"googletalk"="c:\users\Jeremy\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-15 1830128]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-12-12 29744]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-02-13 16384]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-04 136600]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 279912]
"VX3000"="c:\windows\vVX3000.exe" [2007-04-10 709992]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-15 1601304]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-17 c:\windows\RtHDVCpl.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 12:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GOEC62~1.DLL avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"DefaultOutboundAction"= 0 (0x0)
"DefaultInboundAction"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{12CBDC2C-E562-4C94-BDAD-9D0097078A34}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{00AEB91E-2ABF-4A35-B84E-8D371EA8145F}c:\\wamp\\bin\\apache\\apache2.2.8\\bin\\httpd.exe"= UDP:c:\wamp\bin\apache\apache2.2.8\bin\httpd.exe:Apache HTTP Server
"UDP Query User{754D2A52-27C4-40B2-9E35-502DF5DB3784}c:\\wamp\\bin\\apache\\apache2.2.8\\bin\\httpd.exe"= TCP:c:\wamp\bin\apache\apache2.2.8\bin\httpd.exe:Apache HTTP Server
"{EA3DA47C-DBC2-49D1-B924-64F99ABC2F5E}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{C82E9A83-8218-4EC6-AD0C-95C94F2ADF0D}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{4D12AB88-BBA3-4C40-B6ED-DC939B6F802F}"= UDP:c:\program files\AIM6\aim6.exe:AIM
"{33067AEB-3243-4089-96A7-383718C56FEB}"= TCP:c:\program files\AIM6\aim6.exe:AIM
"{2B59E7B2-0A55-4CAB-A47E-EC36E7E59968}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{DBBE36E0-8358-4462-9CCB-343F581580AD}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{D9843FE6-2EC1-4FE2-9FEF-605248BA161D}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{63F0B952-A619-4E7E-A34C-D4B567252857}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{B380842E-7FF7-489B-A554-08BF17E6E687}"= UDP:c:\program files\Microsoft LifeCam\LifeCam.exe:LifeCam.exe
"{56F3C9B7-AC3A-4D19-9F90-F25A4BE92C6A}"= TCP:c:\program files\Microsoft LifeCam\LifeCam.exe:LifeCam.exe
"{5748A58D-501D-453F-BFAD-BD26E7EDA6BD}"= UDP:c:\program files\Microsoft LifeCam\LifeExp.exe:LifeExp.exe
"{A5B0775A-DFB6-4979-9D27-A53524DB227D}"= TCP:c:\program files\Microsoft LifeCam\LifeExp.exe:LifeExp.exe
"{A3CA8485-3BDB-4C65-A3DC-EEC5ABB6D846}"= UDP:c:\program files\SmartFTP Client\SmartFTP.exe:SmartFTP Client
"{C1166965-26BB-463A-9341-476C028C425B}"= TCP:c:\program files\SmartFTP Client\SmartFTP.exe:SmartFTP Client
"{CCFBB364-B7B1-46C1-A271-4F7EDCC572E9}"= c:\program files\AVG\AVG8\avgemc.exe:avgemc.exe
"{A2A4704E-A168-4F82-A079-553736208A19}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"{54C9072B-F599-4B6B-8CA4-5CB89F2E8CB3}"= c:\program files\AVG\AVG8\avgnsx.exe:avgnsx.exe
"TCP Query User{C358C8C6-76D4-43EB-A607-A4C486ADE50B}c:\\program files\\crossloop\\crossloopconnect.exe"= UDP:c:\program files\crossloop\crossloopconnect.exe:CrossLoop - Simple Secure Screen Sharing
"UDP Query User{EDDF89C8-A7F5-4DAF-9834-A5A11586E45F}c:\\program files\\crossloop\\crossloopconnect.exe"= TCP:c:\program files\crossloop\crossloopconnect.exe:CrossLoop - Simple Secure Screen Sharing
"TCP Query User{C898073B-08A8-4D11-8F64-46C81A167D3D}c:\\program files\\java\\jre6\\bin\\java.exe"= UDP:c:\program files\java\jre6\bin\java.exe:Java™ Platform SE binary
"UDP Query User{07D1B42E-67A1-4697-8CF6-45F6268E85E4}c:\\program files\\java\\jre6\\bin\\java.exe"= TCP:c:\program files\java\jre6\bin\java.exe:Java™ Platform SE binary
"TCP Query User{A98EA750-2855-44AB-9963-C6030F50D958}c:\\program files\\aim6\\aim6.exe"= UDP:c:\program files\aim6\aim6.exe:AIM
"UDP Query User{F0085180-D7AD-464B-9D64-0AD2FC0B2B5B}c:\\program files\\aim6\\aim6.exe"= TCP:c:\program files\aim6\aim6.exe:AIM
"TCP Query User{1D8EB479-2A70-4868-A9FF-F7D0B628C293}c:\\program files\\crossloop\\crossloopconnect.exe"= UDP:c:\program files\crossloop\crossloopconnect.exe:CrossLoop - Simple Secure Screen Sharing
"UDP Query User{11BF29D0-B935-42EC-81D0-05FE3E1CCB1B}c:\\program files\\crossloop\\crossloopconnect.exe"= TCP:c:\program files\crossloop\crossloopconnect.exe:CrossLoop - Simple Secure Screen Sharing

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"DefaultOutboundAction"= 0 (0x0)
"DefaultInboundAction"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"DefaultOutboundAction"= 0 (0x0)
"DefaultInboundAction"= 1 (0x1)

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [2009-02-15 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [2009-02-15 107272]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
R2 AERTFilters;Andrea RT Filters Service;c:\windows\System32\AERTSrv.exe [2007-12-05 77824]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-02-15 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-15 298264]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-05-15 24652]
R3 bbcap;bbcap;c:\windows\System32\drivers\bbcap.sys [2008-04-22 4096]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2008-04-14 29744]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [2008-07-10 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\System32\drivers\RsFx0102.sys [2008-07-10 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2008-07-10 369688]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0cb5dbda-6c02-11dd-bea2-001d09912c5d}]
\shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{90f3ed20-0695-11de-b08d-9abc6d39b782}]
\shell\AutoRun\command - G:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-04-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-562487796-3096848044-3928850087-1000.job
- c:\users\Jeremy\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-07 12:33]

2009-04-05 c:\windows\Tasks\User_Feed_Synchronization-{C9004FF9-F3FF-452A-B1E0-AFCE242B2235}.job
- c:\windows\system32\msfeedssync.exe [2008-01-19 02:33]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.com
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\users\Jeremy\AppData\Roaming\Mozilla\Firefox\Profiles\g1cjesp9.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\users\Jeremy\AppData\Local\Google\Update\1.2.141.5\npGoogleOneClick7.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-05 17:53:09
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-04-05 17:55:39
ComboFix-quarantined-files.txt 2009-04-05 22:55:36
ComboFix2.txt 2009-04-05 20:20:32

Pre-Run: 236,537,229,312 bytes free
Post-Run: 236,503,134,208 bytes free

246 --- E O F --- 2009-04-02 23:49:59



#24 kahdah

Posted 06 April 2009 - 07:21 AM

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

#25 Nile

Posted 06 April 2009 - 08:33 AM

I have mbam already, I don't want to do the directions above unless you say it's OK.

#26 kahdah

Posted 07 April 2009 - 06:26 AM

If you already have it then just update it and run a full scan with it and remove what it finds then post the log here.

#27 Nile

Posted 10 April 2009 - 03:01 PM

Found nothing.


Malwarebytes' Anti-Malware 1.36
Database version: 1959
Windows 6.0.6001 Service Pack 1

4/10/2009 2:59:53 Evening
mbam-log-2009-04-10 (14-59-53).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 258450
Time elapsed: 2 hour(s), 59 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#28 kahdah

Posted 10 April 2009 - 06:40 PM

Looks good, how are things running?
