
My browser is being shut down when I google "combofix"


  • This topic is locked
11 replies to this topic

#1 jennbryn

jennbryn

  • Members
  • 7 posts
  • OFFLINE
  • Local time:11:12 PM

Posted 25 March 2009 - 05:06 PM

I am running Windows XP with SP3. I noticed this morning that in FF3, my google results were redirected a few times to spam shopping sites. Then it started showing a blank page when I clicked any result in google. Then that seemed to stop, and I started googling about redirects. I found when I tried to go to a bleepingcomputer.com result in google, my browser would close by itself in both FF and Chrome.


I downloaded MalwareBytes and managed to run it after changing the name of the program (it wouldn't run otherwise.) It found one thing that seemed bad--this is copied from the Log:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> No action taken.

Not sure why the log says "no action taken", I did ask MalwareBytes to delete.
There is clearly still a problem-- I just entered "combofix" into google in FF, hit enter, and my browser shut down.

I am running Symantec Corporate Edition, supposed to scan in the background. I am running a GMER scan right now as well.

Edited to add:
My wireless network connection seems to be broken now--I tried to enable it, it told me "connection failed" and then when I tried to enable the Ethernet, the wireless network connection deleted itself.



DDS (Ver_09-03-16.01) - NTFSx86
Run by Lisa Ord at 14:46:56.11 on Wed 03/25/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.229 [GMT -6:00]


============== Running Processes ===============

C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Gizmo5\mDNSResponder.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Mozy\mozybackup.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRAM FILES\ANALOG CLOCK\ANALOGCLOCK.EXE
C:\Documents and Settings\Lisa Ord\Local Settings\Apps\F.lux\flux.exe
C:\Program Files\Mozy\mozystat.exe
C:\PROGRAM FILES\DROPBOX\DROPBOX.EXE
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Lisa Ord\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
uInternet Settings,ProxyServer = proxy.utah.edu:8080
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - No File
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: {B56A7D7D-6927-48C8-A975-17DF180C71AC} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: REALBAR: {4e7bd74f-2b8d-469e-c0ff-fd60b590a87d} -
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [AnalogClock] c:\program files\analog clock\ANALOGCLOCK.EXE
uRun: [Semagic] c:\program files\semagic\LiveJournalU.exe
uRun: [F.lux] "c:\documents and settings\lisa ord\local settings\apps\f.lux\flux.exe" /noshow
uRun: [Rapportexe] "c:\program files\trusteer\rapport\bin\RapportService.exe" -start -after_boot
mRun: [vptray] c:\progra~1\symant~1\symant~1\vptray.exe
mRun: [POINTER] point32.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [WinPatrol] c:\program files\winpatrol\winpatrol.exe -expressboot
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mozyho~1.lnk - c:\program files\mozy\mozystat.exe
uPolicies-explorer: NoLogoff = 01000000
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
Trusted Zone: kexp.org\www
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\lisaor~1\applic~1\mozilla\firefox\profiles\w7t5ajeh.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.wrh.noaa.gov/images/slc/camera/latest/olympuscove.latest.jpg
FF - component: c:\documents and settings\lisa ord\application data\mozilla\firefox\profiles\w7t5ajeh.default\extensions\{3502a070-ea2f-11dd-ba2f-0800200c9a66}\components\mintray-9178506d-2005072516-trunk.dll
FF - plugin: c:\documents and settings\lisa ord\local settings\application data\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files\vlc\npvlc.dll

============= SERVICES / DRIVERS ===============

R1 mozyFilter;mozyFilter;c:\windows\system32\drivers\mozy.sys [2008-2-1 53752]
R1 RapportKELL;RapportKELL;c:\program files\trusteer\rapport\bin\RapportKELL.sys [2009-2-4 58856]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2009-2-4 69608]
R2 NAVAPEL;NAVAPEL;c:\program files\symantec_client_security\symantec antivirus\Navapel.sys [2003-5-2 30208]
R2 Norton AntiVirus Server;Symantec AntiVirus Client;c:\progra~1\symant~1\symant~1\Rtvscan.exe [2003-5-21 610304]
R3 NAVAP;NAVAP;c:\progra~1\symant~1\symant~1\NAVAP.sys [2003-5-2 224256]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090320.003\NAVENG.sys [2009-3-20 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090320.003\NAVEX15.sys [2009-3-20 876144]
S2 PIEUsb;Single Frame Film Scanner;c:\windows\system32\drivers\usbscan.sys [2004-2-19 15104]
S3 CA504AV;Mega Camera, WDM Video Capture;c:\windows\system32\drivers\ca504av.sys [2008-5-4 517941]
S3 LCcfltr;Logitech USB Filter Driver;c:\windows\system32\drivers\LCcfltr.sys [2004-1-16 14095]
S3 MagEpNt;MagEpNt;c:\windows\system32\drivers\magepnt.sys [2007-11-27 26304]
S3 PCIUtil;PCI Utility;\??\c:\docume~1\lisaor~1\locals~1\temp\pciutil.sys --> c:\docume~1\lisaor~1\locals~1\temp\PCIUtil.sys [?]
S3 Sunplus;Mega Camera Still Image Capture, Sunplus Version 1.00;c:\windows\system32\drivers\Bulk504.sys [2008-5-4 10952]
S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]

=============== Created Last 30 ================

2009-03-25 11:37 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-25 11:37 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-25 11:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-25 11:37 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-25 09:54 <DIR> --d----- c:\docume~1\lisaor~1\applic~1\Malwarebytes
2009-03-24 19:11 <DIR> --d----- c:\docume~1\lisaor~1\applic~1\IObit
2009-03-24 19:11 <DIR> --d----- c:\program files\Advanced SystemCare 3
2009-03-08 08:26 <DIR> --d----- c:\program files\PDF995

==================== Find3M ====================

2009-02-09 05:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 05:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-01-16 22:35 3,594,752 a------- c:\windows\system32\dllcache\mshtml.dll
2009-01-16 22:09 12,089 ac------ c:\windows\mozver.dat
2009-01-08 19:16 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-05 16:33 3,751,995 a------- c:\windows\system32\GPhotos.scr
2008-03-30 18:16 424,960 a------- c:\program files\AutoRebootSetter_Free.exe
2008-03-30 18:13 435,200 a------- c:\program files\BalloonRemover.exe
2007-07-07 08:07 812,544 a------- c:\program files\DoubleKiller.exe
2006-07-07 07:43 812,631 ac------ c:\program files\Semagic.exe
2005-02-23 11:38 173,513,447 ac------ c:\program files\Acrobat_Standard_70.zip
2004-11-05 17:31 7,594,798 ac------ c:\program files\vpnclient-win-4.exe
2004-06-20 16:40 1,550 a------- c:\program files\DesignPro.lnk
1999-05-07 05:22 8,944 a------- c:\windows\inf\USBSCAN.SYS
1998-05-15 00:00 73,184 a------- c:\program files\common files\dao2535.tlb
1998-04-27 00:00 570,128 a------- c:\program files\common files\Dao350.dll
2008-09-24 16:25 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\index.dat
2008-09-24 16:25 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092420080925\index.dat
2008-09-24 16:25 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat

============= FINISH: 14:48:00.41 ===============



Edited by jennbryn, 26 March 2009 - 08:33 AM.
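Reading the SERVICES / DRIVERS section of a DDS log by eye is tedious, and the two things a helper looks for first are drivers whose file DDS could not find (the trailing "[?]") and drivers registered from a user-writable location such as a profile or temp directory. The script below is an added illustration, not part of this thread and not code from DDS or its author: it parses lines in the format shown in the log above and attaches review flags. The sample lines are constructed to match that format, and the flag names and the set of directory names treated as user-writable are my own choices. A flag means "look at this", not "this is malware"; a stale registration pointing at a driver in a temp folder can be residue from a utility that unpacked a temporary driver.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample input, modelled on the "SERVICES / DRIVERS" section of a DDS log
# (same line shape as the log in this thread; a few lines are enough to exercise the parser).
SAMPLE_DRIVERS = r"""
R1 mozyFilter;mozyFilter;c:\windows\system32\drivers\mozy.sys [2008-2-1 53752]
R2 NAVAPEL;NAVAPEL;c:\program files\symantec_client_security\symantec antivirus\Navapel.sys [2003-5-2 30208]
S3 PCIUtil;PCI Utility;\??\c:\docume~1\lisaor~1\locals~1\temp\pciutil.sys --> c:\docume~1\lisaor~1\locals~1\temp\PCIUtil.sys [?]
S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]
"""

# One DDS driver line: "<R|S><start type> <name>;<display name>;<image path> [<meta>]"
# R = running, S = stopped; the digit is the Windows service start type (0 boot .. 3 manual, 4 disabled).
LINE_RE = re.compile(r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")

# Directory names (assumed set) that mark a user-writable location a kernel driver
# should not normally be loaded from. Matched case-insensitively against the resolved path.
USER_WRITABLE_RE = re.compile(r"\\(temp|docume~1|documents and settings|users|local settings)\\", re.I)


@dataclass
class Driver:
    state: str           # "R" running / "S" stopped
    start_type: int      # Windows start type digit
    name: str
    display: str
    path: str            # resolved Win32 path (the part after "-->" when DDS printed one)
    file_present: bool   # False when DDS printed "[?]", i.e. it could not find/stat the file
    flags: List[str] = field(default_factory=list)


def parse_driver_line(line: str) -> Driver:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a DDS driver line: {line!r}")
    rest = m.group("rest")
    # Metadata is the last "[...]" group: "[date size]" or "[?]".
    path_part, sep, meta = rest.rpartition(" [")
    if not sep:  # no metadata group at all: the whole remainder is the path
        path_part, meta = rest, ""
    meta = meta.rstrip("]")
    # "\??\c:\..." --> "c:\..." : keep the resolved path DDS printed on the right.
    if " --> " in path_part:
        path_part = path_part.split(" --> ", 1)[1]
    return Driver(
        state=m.group("state"),
        start_type=int(m.group("start")),
        name=m.group("name"),
        display=m.group("display"),
        path=path_part.strip(),
        file_present=(meta != "?"),
    )


def triage(text: str) -> List[Driver]:
    """Parse every driver line and attach review flags; returns all drivers, flagged or not."""
    drivers = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        d = parse_driver_line(line)
        if not d.file_present:
            d.flags.append("file-not-found")       # registration points at a file DDS could not see
        if USER_WRITABLE_RE.search(d.path):
            d.flags.append("user-writable-path")   # driver image under a profile or temp directory
        if d.state == "R" and d.flags:
            d.flags.append("currently-running")    # a flagged driver that is actually loaded ranks higher
        drivers.append(d)
    return drivers


def flagged_names(text: str) -> List[str]:
    """Names of drivers that picked up at least one flag, in log order."""
    return [d.name for d in triage(text) if d.flags]


if __name__ == "__main__":
    for d in triage(SAMPLE_DRIVERS):
        status = ", ".join(d.flags) if d.flags else "ok"
        print(f"{d.state}{d.start_type} {d.name:<12} {d.path}  -> {status}")
```

On the sample above the script flags PCIUtil (file not found, image under a temp directory) and vsdatant (file not found), and leaves the two Symantec and Mozy entries alone. A "currently-running" flag is only added when a flagged entry carries the R prefix, so a stopped, manual-start leftover sorts below a loaded driver with the same problem.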




#2 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Staff Emeritus
  • 19,461 posts
  • OFFLINE
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time:11:12 PM

Posted 04 April 2009 - 04:57 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 jennbryn

jennbryn
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:11:12 PM

Posted 08 April 2009 - 07:56 PM

Hello, thanks so much and sorry I didn't get back to you sooner--I really appreciate the help.

My computer was redirecting google results and when I googled "combofix" the browser (Chrome and FF) would close. I was able to run Malwarebytes after renaming the program. At first it didn't seem to have helped, but after rebooting my computer, I was able to browse normally--there are no strange redirects (although I was not able to access dds.com).

I updated my Adobe acrobat to 7.1 and updated Java from 11 to 13 after reading about the security issues with them. I did a scan with windows defender because they supposedly could fix the Adobe bug--did find some things and deleted them. Also did a scan with Kaspersky, I can't remember now if that was before or after running windows defender but it came back clean. After that I installed Avira and did a full scan, it came back clean.

Right now, the only strange thing going on is .png files that show up in a program, and then seem to go to my recycle bin automatically. They are yahoo.png, AIM.png, and other similar icons in a Gizmo5 application folder. They seem to appear when I load Gizmo5, and then a few days later they show up in the recycle bin. Right now my recycle bin is full of them.

Thanks a lot--I have some sensitive data for my business, just want to be sure I have really gotten rid of this.



DDS (Ver_09-03-16.01) - NTFSx86
Run by Lisa Ord at 18:30:56.15 on Wed 04/08/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.162 [GMT -6:00]

AV: AntiVir Desktop *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Gizmo5\mDNSResponder.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Mozy\mozybackup.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\WinPatrol\winpatrol.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRAM FILES\ANALOG CLOCK\ANALOGCLOCK.EXE
C:\Documents and Settings\Lisa Ord\Local Settings\Apps\F.lux\flux.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\PROGRAM FILES\DROPBOX\DROPBOX.EXE
C:\PROGRAM FILES\MOZY\MOZYSTAT.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Semagic\LiveJournalU.exe
C:\PROGRA~1\Gizmo5\Gizmo5.exe
C:\Documents and Settings\Lisa Ord\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Lisa Ord\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Lisa Ord\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
uInternet Settings,ProxyServer = proxy.utah.edu:8080
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - No File
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: {B56A7D7D-6927-48C8-A975-17DF180C71AC} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: REALBAR: {4e7bd74f-2b8d-469e-c0ff-fd60b590a87d} -
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [AnalogClock] c:\program files\analog clock\ANALOGCLOCK.EXE
uRun: [Semagic] c:\program files\semagic\LiveJournalU.exe
uRun: [F.lux] "c:\documents and settings\lisa ord\local settings\apps\f.lux\flux.exe" /noshow
uRun: [Rapportexe] "c:\program files\trusteer\rapport\bin\RapportService.exe" -start -after_boot
mRun: [POINTER] point32.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [WinPatrol] c:\program files\winpatrol\winpatrol.exe -expressboot
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe
uPolicies-explorer: NoLogoff = 01000000
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
Trusted Zone: kexp.org\www
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\lisaor~1\applic~1\mozilla\firefox\profiles\w7t5ajeh.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.wrh.noaa.gov/images/slc/camera/latest/olympuscove.latest.jpg
FF - component: c:\documents and settings\lisa ord\application data\mozilla\firefox\profiles\w7t5ajeh.default\extensions\{3502a070-ea2f-11dd-ba2f-0800200c9a66}\components\mintray-9178506d-2005072516-trunk.dll
FF - plugin: c:\documents and settings\lisa ord\local settings\application data\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\vlc\npvlc.dll

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-3-30 11608]
R1 mozyFilter;mozyFilter;c:\windows\system32\drivers\mozy.sys [2008-2-1 53752]
R1 RapportKELL;RapportKELL;c:\program files\trusteer\rapport\bin\RapportKELL.sys [2009-2-4 58856]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2009-2-4 69608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-3-30 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-3-30 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-3-30 55640]
R2 NAVAPEL;NAVAPEL;c:\program files\symantec_client_security\symantec antivirus\Navapel.sys [2003-5-2 30208]
R2 Norton AntiVirus Server;Symantec AntiVirus Client;c:\progra~1\symant~1\symant~1\Rtvscan.exe [2003-5-21 610304]
S2 PIEUsb;Single Frame Film Scanner;c:\windows\system32\drivers\usbscan.sys [2004-2-19 15104]
S3 CA504AV;Mega Camera, WDM Video Capture;c:\windows\system32\drivers\ca504av.sys [2008-5-4 517941]
S3 hitmanpro3;Hitman Pro 3 Support Driver;\??\c:\windows\system32\drivers\hitmanpro3.sys --> c:\windows\system32\drivers\hitmanpro3.sys [?]
S3 LCcfltr;Logitech USB Filter Driver;c:\windows\system32\drivers\LCcfltr.sys [2004-1-16 14095]
S3 MagEpNt;MagEpNt;c:\windows\system32\drivers\magepnt.sys [2007-11-27 26304]
S3 NAVAP;NAVAP;c:\progra~1\symant~1\symant~1\NAVAP.sys [2003-5-2 224256]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090327.005\NAVENG.sys [2009-3-27 89104]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090327.005\NAVEX15.sys [2009-3-27 876144]
S3 PCIUtil;PCI Utility;\??\c:\docume~1\lisaor~1\locals~1\temp\pciutil.sys --> c:\docume~1\lisaor~1\locals~1\temp\PCIUtil.sys [?]
S3 Sunplus;Mega Camera Still Image Capture, Sunplus Version 1.00;c:\windows\system32\drivers\Bulk504.sys [2008-5-4 10952]
S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]

=============== Created Last 30 ================

2009-03-30 07:29 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-03-30 07:29 <DIR> --d----- c:\program files\Avira
2009-03-30 07:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-03-27 19:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Hitman Pro
2009-03-27 19:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Hitman Pro 3
2009-03-26 14:35 409,618 a------- c:\windows\pfirewall.log.old
2009-03-25 11:37 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-25 11:37 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-25 11:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-25 11:37 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-25 09:54 <DIR> --d----- c:\docume~1\lisaor~1\applic~1\Malwarebytes
2009-03-24 19:11 <DIR> --d----- c:\docume~1\lisaor~1\applic~1\IObit

==================== Find3M ====================

2009-04-05 09:11 249,856 a------- c:\windows\system32\pdfmona.dll
2009-04-05 09:11 51,716 a------- c:\windows\system32\pdf995mon.dll
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-09 05:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 05:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-01-16 22:35 3,594,752 a------- c:\windows\system32\dllcache\mshtml.dll
2009-01-16 22:09 12,089 ac------ c:\windows\mozver.dat
2008-03-30 18:16 424,960 a------- c:\program files\AutoRebootSetter_Free.exe
2008-03-30 18:13 435,200 a------- c:\program files\BalloonRemover.exe
2007-07-07 08:07 812,544 a------- c:\program files\DoubleKiller.exe
2006-07-07 07:43 812,631 ac------ c:\program files\Semagic.exe
2005-02-23 11:38 173,513,447 ac------ c:\program files\Acrobat_Standard_70.zip
2004-11-05 17:31 7,594,798 ac------ c:\program files\vpnclient-win-4.exe
2004-06-20 16:40 1,550 a------- c:\program files\DesignPro.lnk
1999-05-07 05:22 8,944 a------- c:\windows\inf\USBSCAN.SYS
1998-05-15 00:00 73,184 a------- c:\program files\common files\dao2535.tlb
1998-04-27 00:00 570,128 a------- c:\program files\common files\Dao350.dll
2008-09-24 16:25 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\index.dat
2008-09-24 16:25 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092420080925\index.dat
2008-09-24 16:25 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat

============= FINISH: 18:32:54.46 ===============




#4 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:12 PM

Posted 09 April 2009 - 04:15 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Download and Run ComboFix
If ComboFix will not run when you double click it, delete that copy. Then download a new copy, and save it as ComboFix123.exe in the Save as window.

Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.

  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER.zip to your desktop from any of the links below:
LINK1, LINK2
  • Right click on GMER.zip and select "Extract All".
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click GMER.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.
In your next reply include:
-the ComboFix log
-the GMER scan log

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda

#5 jennbryn

jennbryn
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:11:12 PM

Posted 09 April 2009 - 11:11 PM

Hello Panda, thanks so much for your help!

I ran both Combofix and Gmer and attached the logs. Combofix ran through, at the end it said it would open a log file. The log file it opened automatically (log.txt) was empty. However I have attached the one that was at c:/combofix.txt.

After that the desktop icons and taskbar did not come back up. So I went to task manager and rebooted. Everything seemed to start normally.

I started running Gmer and realized I had not turned off Trusteer Rapport (I turned off my a/v and winpatrol) when I ran the scans, and this may have interfered with Combofix.

(The day I noticed the strange google redirects, when I first posted on this forum, I had just disabled Rapport because things seemed slow. It has been running on my computer for a few months. I re-enabled it after seeing that something was messing with my browser. Could re-enabling it be the reason my browser and google seemed to go back to normal?)

Should I disable Rapport and re-run Combofix?





ComboFix 09-04-04.01 - Lisa Ord 2009-04-09 19:09:25.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.233 [GMT -6:00]
Running from: c:\documents and settings\Lisa Ord\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\tmp.reg

.
((((((((((((((((((((((((( Files Created from 2009-03-10 to 2009-04-10 )))))))))))))))))))))))))))))))
.

2009-03-30 07:29 . 2009-03-30 07:29 <DIR> d-------- c:\program files\Avira
2009-03-30 07:29 . 2009-03-30 07:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2009-03-30 07:29 . 2009-02-13 11:31 55,640 --a------ c:\windows\SYSTEM32\DRIVERS\avgntflt.sys
2009-03-27 19:11 . 2009-03-27 19:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\Hitman Pro 3
2009-03-27 19:11 . 2009-03-27 19:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Hitman Pro
2009-03-27 08:15 . 2009-03-27 08:27 <DIR> d-------- c:\program files\Windows Live Safety Center
2009-03-26 14:35 . 2009-04-09 10:41 409,770 --a------ c:\windows\pfirewall.log.old
2009-03-25 11:37 . 2009-03-30 07:11 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-25 11:37 . 2009-03-25 11:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-25 11:37 . 2009-03-26 16:49 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2009-03-25 11:37 . 2009-03-26 16:49 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2009-03-25 09:54 . 2009-03-25 09:54 <DIR> d-------- c:\documents and settings\Lisa Ord\Application Data\Malwarebytes
2009-03-24 19:11 . 2009-03-24 19:22 <DIR> d-------- c:\documents and settings\Lisa Ord\Application Data\IObit

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-10 00:54 --------- d-----w c:\documents and settings\Lisa Ord\Application Data\Gizmo5
2009-04-09 15:47 --------- d-----w c:\documents and settings\Lisa Ord\Application Data\Dropbox
2009-04-09 15:36 --------- d-----w c:\documents and settings\Lisa Ord\Application Data\TaxCut
2009-04-09 15:35 --------- d-----w c:\documents and settings\All Users\Application Data\pdf995
2009-04-06 13:52 --------- d-----w c:\program files\Semagic
2009-04-05 15:11 51,716 ----a-w c:\windows\SYSTEM32\pdf995mon.dll
2009-04-05 15:11 249,856 ----a-w c:\windows\SYSTEM32\pdfmona.dll
2009-04-05 15:11 --------- d-----w c:\program files\PDF995
2009-04-05 13:50 --------- d-----w c:\program files\TaxCut
2009-03-31 15:34 --------- d-----w c:\program files\Dropbox
2009-03-29 15:59 --------- d-----w c:\documents and settings\Lisa Ord\Application Data\gtk-2.0
2009-03-27 19:47 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-27 19:45 --------- d-----w c:\program files\Common Files\Adobe
2009-03-27 19:40 --------- d-----w c:\program files\Java
2009-03-25 02:26 --------- d-----w c:\program files\Security Process Explorer
2009-03-25 01:34 --------- d-----w c:\program files\Logitech
2009-03-25 01:34 --------- d-----w c:\program files\games
2009-03-16 23:04 --------- d-----w c:\program files\Gizmo5
2009-03-09 11:19 410,984 ----a-w c:\windows\SYSTEM32\deploytk.dll
2009-03-08 14:24 --------- d-----w c:\documents and settings\All Users\Application Data\TaxCut
2009-03-04 04:19 --------- d-----w c:\program files\Google
2009-02-14 04:04 --------- d-----w c:\program files\Mozy
2009-02-09 11:13 1,846,784 ----a-w c:\windows\SYSTEM32\win32k.sys
2009-02-09 11:13 1,846,784 ------w c:\windows\SYSTEM32\DLLCACHE\win32k.sys
2009-01-17 04:35 3,594,752 ----a-w c:\windows\SYSTEM32\DLLCACHE\mshtml.dll
2008-03-31 00:16 424,960 ----a-w c:\program files\AutoRebootSetter_Free.exe
2008-03-31 00:13 435,200 ----a-w c:\program files\BalloonRemover.exe
2007-07-07 14:07 812,544 ----a-w c:\program files\DoubleKiller.exe
2006-07-07 13:43 812,631 -c--a-w c:\program files\Semagic.exe
2005-02-23 17:38 173,513,447 -c--a-w c:\program files\Acrobat_Standard_70.zip
2004-11-05 23:31 7,594,798 -c--a-w c:\program files\vpnclient-win-4.exe
2004-06-20 22:40 1,550 ----a-w c:\program files\DesignPro.lnk
1999-05-07 11:22 8,944 ----a-w c:\windows\INF\USBSCAN.SYS
1998-05-15 06:00 73,184 ----a-w c:\program files\Common Files\dao2535.tlb
1998-04-27 06:00 570,128 ----a-w c:\program files\Common Files\Dao350.dll
2008-09-24 22:25 32,768 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
2008-09-24 22:25 32,768 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008092420080925\index.dat
2008-09-24 22:25 32,768 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2008-09-07 01:20 143360 --a------ c:\program files\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2008-09-07 01:20 143360 --a------ c:\program files\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2008-09-07 01:20 143360 --a------ c:\program files\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]
@="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"
[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]
2009-01-30 15:05 2788152 --a------ c:\program files\Mozy\mozyshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]
@="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"
[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]
2009-01-30 15:05 2788152 --a------ c:\program files\Mozy\mozyshell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"AnalogClock"="c:\program files\ANALOG CLOCK\ANALOGCLOCK.EXE" [2005-11-05 480256]
"Semagic"="c:\program files\Semagic\LiveJournalU.exe" [2008-07-27 2383952]
"F.lux"="c:\documents and settings\Lisa Ord\Local Settings\Apps\F.lux\flux.exe" [2009-02-24 962560]
"Rapportexe"="c:\program files\Trusteer\Rapport\bin\RapportService.exe" [2009-01-25 988392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"WinPatrol"="c:\program files\WinPatrol\winpatrol.exe" [2008-10-09 333120]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogoff"= 01000000

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\SYSTEM32\\mmc.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Gizmo5\\Gizmo5.exe"=

R1 mozyFilter;mozyFilter;c:\windows\SYSTEM32\DRIVERS\mozy.sys [2008-02-01 53752]
R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [2009-02-04 58856]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [2009-02-04 69608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-03-30 108289]
S2 PIEUsb;Single Frame Film Scanner;c:\windows\SYSTEM32\DRIVERS\usbscan.sys [2004-02-19 15104]
S3 CA504AV;Mega Camera, WDM Video Capture;c:\windows\SYSTEM32\DRIVERS\ca504av.sys [2008-05-04 517941]
S3 hitmanpro3;Hitman Pro 3 Support Driver;\??\c:\windows\system32\drivers\hitmanpro3.sys --> c:\windows\system32\drivers\hitmanpro3.sys [?]
S3 LCcfltr;Logitech USB Filter Driver;c:\windows\SYSTEM32\DRIVERS\LCcfltr.sys [2004-01-16 14095]
S3 MagEpNt;MagEpNt;c:\windows\SYSTEM32\DRIVERS\magepnt.sys [2007-11-27 26304]
S3 PCIUtil;PCI Utility;\??\c:\docume~1\LISAOR~1\LOCALS~1\Temp\PCIUtil.sys --> c:\docume~1\LISAOR~1\LOCALS~1\Temp\PCIUtil.sys [?]
S3 Sunplus;Mega Camera Still Image Capture, Sunplus Version 1.00;c:\windows\SYSTEM32\DRIVERS\Bulk504.sys [2008-05-04 10952]
.
Contents of the 'Scheduled Tasks' folder

2009-04-10 c:\windows\Tasks\Gizmo5.job
- c:\progra~1\Gizmo5\Gizmo5.exe [2009-03-06 13:26]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-POINTER - point32.exe


.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
uInternet Settings,ProxyServer = proxy.utah.edu:8080
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
Trusted Zone: kexp.org\www
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Lisa Ord\Application Data\Mozilla\Firefox\Profiles\w7t5ajeh.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.wrh.noaa.gov/images/slc/camera/latest/olympuscove.latest.jpg
FF - component: c:\documents and settings\Lisa Ord\Application Data\Mozilla\Firefox\Profiles\w7t5ajeh.default\extensions\{3502a070-ea2f-11dd-ba2f-0800200c9a66}\components\mintray-9178506d-2005072516-trunk.dll
FF - plugin: c:\documents and settings\Lisa Ord\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\VLC\npvlc.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-09 19:11:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(636)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-04-09 19:15:35
ComboFix-quarantined-files.txt 2009-04-10 01:14:41

Pre-Run: 12,357,169,152 bytes free
Post-Run: 12,489,482,240 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

187 --- E O F --- 2009-03-14 22:55:02

GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-04-09 21:47:59
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

INT 0x31 \??\C:\Program Files\Trusteer\Rapport\bin\RapportKELL.sys (RapportKELL/Trusteer Ltd.) F8AB93D0

SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwAssignProcessToJobObject [0xF8AA4B12]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwCreateFile [0xF8AA52C4]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwCreateThread [0xF8AA83A2]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwDeleteFile [0xF8AA541E]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwOpenFile [0xF8AA5378]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwProtectVirtualMemory [0xF8AA4F18]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwQueryValueKey [0xF8AA58FA]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwRenameKey [0xF8AA7BC6]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSetContextThread [0xF8AA4AC0]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSetInformationFile [0xF8AA548C]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSuspendThread [0xF8AA4A6E]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwTerminateThread [0xF8AA4A1C]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwWriteVirtualMemory [0xF8AA8406]

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Fastfat \Fat B0EBFD20

AttachedDevice \FileSystem\Fastfat \Fat mozy.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Ntfs \Ntfs mozy.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[2780] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 716B001E
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[2780] USER32.dll!GetGUIThreadInfo + FB 7E428023 6 Bytes JMP 716E001E
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[2780] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 71650022
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[2780] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 71680022

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\SYSTEM32\LogFiles\WUDF\WUDFTrace.etl (size mismatch) 8192/4096 bytes

SSDT F8EDD170 ZwOpenProcess
SSDT F8EDD175 ZwOpenThread
SSDT F8EDD17F ZwTerminateProcess
SSDT F8EDD18E ZwCreateKey
SSDT F8EDD193 ZwDeleteKey
SSDT F8EDD198 ZwSetValueKey
SSDT F8EDD19D ZwDeleteValueKey
SSDT F8EDD1A2 ZwLoadKey
SSDT F8EDD1A7 ZwRestoreKey
SSDT F8EDD1AC ZwReplaceKey

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 445 804E2AA1 3 Bytes [4A, AA, F8] {DEC EDX; STOSB ; CLC }

---- EOF - GMER 1.0.15 ----
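
The GMER report above records kernel hooks in three forms: an IDT entry, SSDT entries GMER could tie to a named driver (Trusteer's RapportPG.sys) and, further down, a run of SSDT entries that carry only a handler address and no module name. The Python below is an added example, not part of this thread or of GMER itself: it parses those line formats, groups SSDT hooks by owning module, and clusters the unattributed handler addresses by proximity. The sample input is constructed from lines of the posted log. The script does not name which driver owns the unattributed entries, because the report does not; it only shows that their handlers sit within a few dozen bytes of each other (so one module installed them) and that they are the process- and registry-protection set that security products and rootkits alike hook.

```python
import re
from collections import defaultdict

# Constructed sample in GMER 1.0.15 report format. The lines are copied from the
# log posted above; the last three are the SSDT entries GMER listed without a module.
SAMPLE_GMER = r"""
---- System - GMER 1.0.15 ----

INT 0x31 \??\C:\Program Files\Trusteer\Rapport\bin\RapportKELL.sys (RapportKELL/Trusteer Ltd.) F8AB93D0

SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwCreateFile [0xF8AA52C4]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwWriteVirtualMemory [0xF8AA8406]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[2780] USER32.dll!GetGUIThreadInfo + FB 7E428023 6 Bytes JMP 716E001E
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[2780] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 71650022

---- Files - GMER 1.0.15 ----

SSDT F8EDD170 ZwOpenProcess
SSDT F8EDD17F ZwTerminateProcess
SSDT F8EDD198 ZwSetValueKey
"""

HEX = r"[0-9A-Fa-f]+"
# "INT 0x31 <driver path> (<module>) <handler>"
INT_RE = re.compile(rf"^INT\s+0x(?P<vec>{HEX})\s+(?P<path>.+?)\s+\((?P<mod>[^)]*)\)\s+(?P<addr>{HEX})\s*$")
# "SSDT <driver path> (<module>) Zw<service> [0x<handler>]"
SSDT_ATTR_RE = re.compile(rf"^SSDT\s+(?P<path>.+?)\s+\((?P<mod>[^)]*)\)\s+(?P<fn>Zw\w+)\s+\[0x(?P<addr>{HEX})\]\s*$")
# "SSDT <handler> Zw<service>"  (GMER found the hook but no owning module)
SSDT_BARE_RE = re.compile(rf"^SSDT\s+(?P<addr>{HEX})\s+(?P<fn>Zw\w+)\s*$")
# ".text <process>[<pid>] <dll>!<export>[ + <off>] <addr> <n> Bytes JMP <dest>"  (user-mode inline hook)
USER_RE = re.compile(rf"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<target>\S+)"
                     rf"(?:\s+\+\s+{HEX})?\s+(?P<addr>{HEX})\s+(?P<n>\d+)\s+Bytes\s+JMP\s+(?P<dest>{HEX})")
UNATTRIBUTED = "<unattributed>"


def parse_gmer(text):
    """Return {'idt': [...], 'ssdt': [...], 'user': [...]} from a GMER report."""
    hooks = {"idt": [], "ssdt": [], "user": []}
    for raw in text.splitlines():
        line = raw.strip()
        if (m := INT_RE.match(line)):
            hooks["idt"].append({"vector": int(m["vec"], 16), "module": m["mod"],
                                 "path": m["path"], "address": int(m["addr"], 16)})
        elif (m := SSDT_ATTR_RE.match(line)):
            hooks["ssdt"].append({"function": m["fn"], "address": int(m["addr"], 16),
                                  "module": m["mod"], "path": m["path"]})
        elif (m := SSDT_BARE_RE.match(line)):
            hooks["ssdt"].append({"function": m["fn"], "address": int(m["addr"], 16),
                                  "module": None, "path": None})
        elif (m := USER_RE.match(line)):
            hooks["user"].append({"process": m["proc"], "pid": int(m["pid"]), "target": m["target"],
                                  "address": int(m["addr"], 16), "length": int(m["n"]),
                                  "jump_to": int(m["dest"], 16)})
    return hooks


def category(fn):
    """Coarse purpose of a hooked Zw* service, so a hook set can be read at a glance."""
    if "Key" in fn:
        return "registry"
    if any(t in fn for t in ("Process", "Thread", "JobObject")):
        return "process"
    if "File" in fn:
        return "file"
    if "Memory" in fn:
        return "memory"
    return "other"


def cluster_addresses(addrs, window=0x1000):
    """Split sorted handler addresses wherever the gap exceeds `window` bytes.
    Handlers within one page of each other were almost certainly installed by
    a single driver, even when the report names none."""
    clusters = []
    for a in sorted(addrs):
        if clusters and a - clusters[-1][-1] <= window:
            clusters[-1].append(a)
        else:
            clusters.append([a])
    return clusters


def summarize(hooks):
    """Group SSDT hooks by owning module; unattributed ones land under UNATTRIBUTED."""
    by_module = defaultdict(list)
    for h in hooks["ssdt"]:
        by_module[h["module"] or UNATTRIBUTED].append(h)
    return {mod: {"functions": sorted(h["function"] for h in hs),
                  "categories": sorted({category(h["function"]) for h in hs}),
                  "clusters": cluster_addresses([h["address"] for h in hs])}
            for mod, hs in by_module.items()}


if __name__ == "__main__":
    parsed = parse_gmer(SAMPLE_GMER)
    for mod, info in summarize(parsed).items():
        print(f"{mod}: {len(info['functions'])} SSDT hooks, {info['categories']}, "
              f"{len(info['clusters'])} address cluster(s)")
        for fn in info["functions"]:
            print(f"    {fn}")
    for u in parsed["user"]:
        print(f"inline hook in pid {u['pid']}: {u['target']} -> {u['jump_to']:08X} ({u['length']} bytes)")
```

Run it as a script to print the grouping; point `parse_gmer` at a real report's text to triage your own log. The address clustering is the useful trick: when GMER cannot name the module, a set of handlers that all fall inside one page still tells you they came from one driver, and the category mix (process plus registry protection here) tells you what that driver is defending.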

#6 PropagandaPanda (Malware Response Team, 10,433 posts, Gender: Male)

Posted 10 April 2009 - 09:14 AM

Hello.

The ComboFix log is clean. No need to re-run.

Please try to recreate the redirects.

Run Scan with Kaspersky
Please do a scan with Kaspersky Online Scanner.

This scan is for Internet Explorer Only.

If you are using Windows Vista, open your browser by right-clicking on its icon and select Run as administrator to perform this scan.

  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

This scanner will only scan. It does not remove any malware it finds.


Install From Windows Updates
Whenever a security problem in its software is found, Microsoft will create a patch for it. After the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malware being installed on your computer.

Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please reboot and repeat this process until there are no more updates to install.

Take a new DDS.txt log after please.

With Regards,
The Panda

#7 jennbryn (Topic Starter, Members, 7 posts)

Posted 10 April 2009 - 08:29 PM

My Kaspersky scan was clean. I am not getting any google redirects anymore, even when I disable Rapport--everything seems normal. I do see some things in the Qoobox quarantine folder, were those removed from my computer by Combofix?

Thanks! :thumbup2:


KASPERSKY ONLINE SCANNER 7.0 REPORT
Friday, April 10, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Friday, April 10, 2009 22:09:09
Records in database: 2032410
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 80919
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 03:03:42

No malware has been detected. The scan area is clean.

The selected area was scanned.


DDS (Ver_09-03-16.01) - NTFSx86
Run by Lisa Ord at 19:18:25.99 on Fri 04/10/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.103 [GMT -6:00]

AV: AntiVir Desktop *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Gizmo5\mDNSResponder.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Mozy\mozybackup.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\WinPatrol\winpatrol.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Apoint\HidFind.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRAM FILES\ANALOG CLOCK\ANALOGCLOCK.EXE
C:\Program Files\Semagic\LiveJournalU.exe
C:\Documents and Settings\Lisa Ord\Local Settings\Apps\F.lux\flux.exe
C:\PROGRAM FILES\DROPBOX\DROPBOX.EXE
C:\PROGRAM FILES\MOZY\MOZYSTAT.EXE
C:\Program Files\Gizmo5\Gizmo5.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Lisa Ord\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Lisa Ord\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Lisa Ord\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
uInternet Settings,ProxyServer = proxy.utah.edu:8080
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - No File
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: {B56A7D7D-6927-48C8-A975-17DF180C71AC} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: REALBAR: {4e7bd74f-2b8d-469e-c0ff-fd60b590a87d} -
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [AnalogClock] c:\program files\analog clock\ANALOGCLOCK.EXE
uRun: [Semagic] c:\program files\semagic\LiveJournalU.exe
uRun: [F.lux] "c:\documents and settings\lisa ord\local settings\apps\f.lux\flux.exe" /noshow
uRun: [Rapportexe] "c:\program files\trusteer\rapport\bin\RapportService.exe" -start -after_boot
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [WinPatrol] c:\program files\winpatrol\winpatrol.exe -expressboot
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe
uPolicies-explorer: NoLogoff = 01000000
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
Trusted Zone: kexp.org\www
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\lisaor~1\applic~1\mozilla\firefox\profiles\w7t5ajeh.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.wrh.noaa.gov/images/slc/camera/latest/olympuscove.latest.jpg
FF - component: c:\documents and settings\lisa ord\application data\mozilla\firefox\profiles\w7t5ajeh.default\extensions\{3502a070-ea2f-11dd-ba2f-0800200c9a66}\components\mintray-9178506d-2005072516-trunk.dll
FF - plugin: c:\documents and settings\lisa ord\local settings\application data\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\vlc\npvlc.dll

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-3-30 11608]
R1 mozyFilter;mozyFilter;c:\windows\system32\drivers\mozy.sys [2008-2-1 53752]
R1 RapportKELL;RapportKELL;c:\program files\trusteer\rapport\bin\RapportKELL.sys [2009-2-4 58856]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2009-2-4 69608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-3-30 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-3-30 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-3-30 55640]
R2 NAVAPEL;NAVAPEL;c:\program files\symantec_client_security\symantec antivirus\Navapel.sys [2003-5-2 30208]
R2 Norton AntiVirus Server;Symantec AntiVirus Client;c:\progra~1\symant~1\symant~1\Rtvscan.exe [2003-5-21 610304]
S2 PIEUsb;Single Frame Film Scanner;c:\windows\system32\drivers\usbscan.sys [2004-2-19 15104]
S3 CA504AV;Mega Camera, WDM Video Capture;c:\windows\system32\drivers\ca504av.sys [2008-5-4 517941]
S3 hitmanpro3;Hitman Pro 3 Support Driver;\??\c:\windows\system32\drivers\hitmanpro3.sys --> c:\windows\system32\drivers\hitmanpro3.sys [?]
S3 LCcfltr;Logitech USB Filter Driver;c:\windows\system32\drivers\LCcfltr.sys [2004-1-16 14095]
S3 MagEpNt;MagEpNt;c:\windows\system32\drivers\magepnt.sys [2007-11-27 26304]
S3 NAVAP;NAVAP;c:\progra~1\symant~1\symant~1\NAVAP.sys [2003-5-2 224256]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090327.005\NAVENG.sys [2009-3-27 89104]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090327.005\NAVEX15.sys [2009-3-27 876144]
S3 PCIUtil;PCI Utility;\??\c:\docume~1\lisaor~1\locals~1\temp\pciutil.sys --> c:\docume~1\lisaor~1\locals~1\temp\PCIUtil.sys [?]
S3 Sunplus;Mega Camera Still Image Capture, Sunplus Version 1.00;c:\windows\system32\drivers\Bulk504.sys [2008-5-4 10952]
S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]

=============== Created Last 30 ================

2009-04-10 09:55 <DIR> --d----- c:\program files\TaxCut05
2009-04-10 09:41 <DIR> --d----- c:\docume~1\lisaor~1\applic~1\organizit
2009-04-10 09:38 <DIR> --dsh--- c:\windows\ftpcache
2009-04-09 19:07 <DIR> a-dshr-- C:\cmdcons
2009-04-09 19:04 161,792 a------- c:\windows\SWREG.exe
2009-04-09 19:04 98,816 a------- c:\windows\sed.exe
2009-03-30 07:29 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-03-30 07:29 <DIR> --d----- c:\program files\Avira
2009-03-30 07:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-03-27 19:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Hitman Pro
2009-03-27 19:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Hitman Pro 3
2009-03-26 14:35 410,130 a------- c:\windows\pfirewall.log.old
2009-03-25 11:37 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-25 11:37 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-25 11:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-25 11:37 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-25 09:54 <DIR> --d----- c:\docume~1\lisaor~1\applic~1\Malwarebytes
2009-03-24 19:11 <DIR> --d----- c:\docume~1\lisaor~1\applic~1\IObit

==================== Find3M ====================

2009-04-05 09:11 249,856 a------- c:\windows\system32\pdfmona.dll
2009-04-05 09:11 51,716 a------- c:\windows\system32\pdf995mon.dll
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-09 05:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 05:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-01-16 22:35 3,594,752 a------- c:\windows\system32\dllcache\mshtml.dll
2009-01-16 22:09 12,089 ac------ c:\windows\mozver.dat
2008-03-30 18:16 424,960 a------- c:\program files\AutoRebootSetter_Free.exe
2008-03-30 18:13 435,200 a------- c:\program files\BalloonRemover.exe
2007-07-07 08:07 812,544 a------- c:\program files\DoubleKiller.exe
2006-07-07 07:43 812,631 ac------ c:\program files\Semagic.exe
2005-02-23 11:38 173,513,447 ac------ c:\program files\Acrobat_Standard_70.zip
2004-11-05 17:31 7,594,798 ac------ c:\program files\vpnclient-win-4.exe
2004-06-20 16:40 1,550 a------- c:\program files\DesignPro.lnk
1999-05-07 05:22 8,944 a------- c:\windows\inf\USBSCAN.SYS
1998-05-15 00:00 73,184 a------- c:\program files\common files\dao2535.tlb
1998-04-27 00:00 570,128 a------- c:\program files\common files\Dao350.dll
2008-09-24 16:25 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\index.dat
2008-09-24 16:25 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092420080925\index.dat
2008-09-24 16:25 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat

============= FINISH: 19:19:45.81 ===============


#8 PropagandaPanda (Malware Response Team, 10,433 posts, Gender: Male)

Posted 11 April 2009 - 08:32 AM

Hello.

Yes, the QooBox folder holds the deleted items and some of ComboFix's components.

Looks good. Unless there are any issues at the moment, we can wrap up.

Uninstall ComboFix
Remove Combofix now that we're done with it.
  • Click on your Start Menu, then Run....
  • Now type the following into the Run box and click OK. Notice the space between the "x" and "/".
    ComboFix /u

Uninstalling ComboFix will do the following:
  • Delete ComboFix and its components from your computer.
  • Delete other tools commonly used during the malware removal process.
  • Resets clock settings to standard format.
  • Hides file extensions and hidden/system files.
  • Clears System Restore cache and creates new restore point.
Preventing Malware Infection in the Future
Please take some time to look at the following links, giving some advice and suggestions for preventing future infections. For general slowness problems that you may have, take a look at Slow Computer/browser? It May Not Be Malware. Read How to use the Startup Database to identify and disable unneeded processes and increase the amount of available resources.

Do you have any questions or concerns?

With Regards,
The Panda

#9 jennbryn (Topic Starter, Members, 7 posts)

Posted 11 April 2009 - 02:48 PM

:thumbup2: Thank you so much for your help PropagandaPanda! I do have one more question--


Since doing the Combofix run my mouse pointer is freezing when I bring the computer out of standby. I have to re-suspend it and then un-suspend again to get it to unfreeze. This is an old problem on this laptop that I thought I had repaired by downloading a new driver for the pointer. (The problem went away, but now since running Combofix it is back.)


I noticed this in the Combofix log from my earlier post:

- - - - ORPHANS REMOVED - - - -

HKLM-Run-POINTER - point32.exe


Can I re-install this or fix it in some other way so my pointer doesn't freeze?

Thanks

#10 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 11 April 2009 - 03:05 PM

Hello jennbryn.

ComboFix removed that entry because the file associated with it was not found.

We can restore the entry and see if that helps.

Apply Registry Script
  • Copy the following into a notepad (Start>Run>"notepad"). Do not copy the word "code".
    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "POINTER"="point32.exe"
  • Click File, then Save As... .
  • Click Desktop on the left.
  • Under the Save as type dropdown, select All Files.
  • In the box File Name, input fix.reg
  • Hit OK.
When done properly, the icon should look like the one for a registry file.

Double click fix.reg and answer Yes to the prompts. You should receive the message that the entries have been successfully merged. If not, post back with the error message.

Delete fix.reg after use.

Reboot. Is the problem present after?

With Regards,
The Panda
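The post above restores a Run entry that ComboFix listed under "ORPHANS REMOVED" because the file behind it was not found. The script below is an added example, not code from the thread or from ComboFix: it parses a minimal .reg file of the kind written above (header, [key] sections, "name"="string" values) and then applies the same orphan test ComboFix applies, flagging Run entries whose executable cannot be located. The .reg text and the set of "present" file names are constructed for the example; on a real Windows host the lookup would be replaced by os.path.exists / shutil.which against the actual filesystem and PATH.

```python
import re
from pathlib import PureWindowsPath

REG_HEADER = "Windows Registry Editor Version 5.00"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample, mirroring the fix.reg content in the post above.
SAMPLE_REG = (
    "Windows Registry Editor Version 5.00\n"
    "\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]\n"
    '"POINTER"="point32.exe"\n'
)

# "name"="value" with backslash escapes allowed inside either string.
_VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"')


def _unescape(s: str) -> str:
    """Undo .reg string escaping: \\\\ -> \\ and \\" -> \"."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> dict:
    """Parse a minimal .reg file into {key_path: {value_name: string_value}}.

    Only REG_SZ values written as "name"="value" are supported; anything
    else (hex:, dword:, key deletions) raises ValueError so a script that
    does more than it claims is not silently accepted.
    """
    lines = text.splitlines()
    if not lines or lines[0].strip() != REG_HEADER:
        raise ValueError("missing or unexpected .reg header")
    keys: dict = {}
    current = None
    for lineno, raw in enumerate(lines[1:], start=2):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.fullmatch(line)
        if m is None or current is None:
            raise ValueError(f"line {lineno}: unsupported or malformed entry: {line!r}")
        keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def is_valid_reg(text: str) -> bool:
    """True when parse_reg accepts the text, False otherwise."""
    try:
        parse_reg(text)
        return True
    except ValueError:
        return False


def command_basename(cmd: str) -> str:
    """Extract the executable's lowercase file name from a Run command line.

    Handles both bare names ("point32.exe") and quoted paths with
    arguments ('"C:\\Program Files\\x\\y.exe" /start').
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        path = cmd[1:end] if end > 0 else cmd[1:]
    else:
        path = cmd.split()[0] if cmd else ""
    return PureWindowsPath(path).name.lower()


def find_orphans(run_values: dict, present_files: set) -> list:
    """Return the names of Run entries whose executable is not in present_files.

    present_files is a constructed set of lowercase file names standing in
    for a real lookup on the host; entries it lacks are reported as orphans,
    which is the condition under which ComboFix removed the POINTER entry.
    """
    return [name for name, cmd in run_values.items()
            if command_basename(cmd) not in present_files]


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    run = parsed.get(RUN_KEY, {})
    # Constructed inventory: point32.exe missing, so POINTER is an orphan.
    print("orphans:", find_orphans(run, {"vptray.exe"}))
```

Running this against a fix.reg before merging it shows exactly what will be written and whether the entry still points at a missing file, which is the case the thread is working around.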

#11 jennbryn
  • Topic Starter

  • Members
  • 7 posts

Posted 13 April 2009 - 08:19 AM

Thanks for the instructions. Yes, that seems to have fixed the problem. All seems well with my computer now--I really appreciate your help!

#12 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 13 April 2009 - 08:54 AM

Glad we could help.

Since this issue appears to be resolved, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda
