
Looks like UACD.SYS Trojan... keeps returning.


This topic is locked
1 reply to this topic

#1 Mannyd01
  • Members
  • 2 posts

Posted 04 August 2009 - 02:48 PM

I followed one of the other successful posts and now need my ComboFix log reviewed.
Thanks in advance.


***********************************************************************

ComboFix 09-08-04.01 - Lori 08/04/2009 11:24.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.3538.2325 [GMT -7:00]
Running from: c:\users\Lori\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-1243579339-2929845556-3091047368-500
c:\$recycle.bin\S-1-5-21-2347180839-3205931739-3509662-500
c:\users\Lori\Desktop\BleepingComputer.com _ Windowsclick . com redirect UACd.sys troj.lnk
c:\users\Lori\FAVORI~1\Astrology .url
c:\users\Lori\Favorites\Astrology .url

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-07-04 to 2009-08-04 )))))))))))))))))))))))))))))))
.

2009-08-04 18:28 . 2009-08-04 18:52 -------- d-----w- c:\users\Lori\AppData\Local\temp
2009-08-04 18:28 . 2009-08-04 18:28 -------- d-----w- c:\users\Andrew\AppData\Local\temp
2009-08-04 07:53 . 2009-08-04 07:53 -------- d-----w- c:\windows\Sun
2009-08-04 07:40 . 2009-08-03 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-04 07:40 . 2009-08-03 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-04 07:38 . 2009-08-04 17:53 -------- d-----w- C:\TECH
2009-08-04 07:05 . 2009-08-04 07:42 -------- d-----w- c:\program files\CCleaner
2009-08-04 06:43 . 2009-08-04 06:43 -------- d-----w- c:\users\Andrew\AppData\Roaming\Webroot
2009-08-04 02:44 . 2009-08-04 02:44 -------- d-----w- c:\users\Lori\AppData\Roaming\Malwarebytes
2009-08-04 00:51 . 2009-08-04 00:51 -------- d-----w- c:\program files\Alwil Software
2009-08-04 00:33 . 2009-08-04 00:33 -------- d-----w- c:\users\Administrator
2009-08-03 20:03 . 2009-08-04 18:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-03 20:03 . 2009-08-03 20:03 -------- d-----w- c:\programdata\Malwarebytes
2009-08-03 19:57 . 2009-08-03 19:58 -------- d-----w- c:\program files\CrossLoop
2009-08-03 03:41 . 2009-08-03 03:45 -------- d-----w- c:\users\TEMP
2009-07-30 18:59 . 2009-07-30 18:59 -------- d-----w- c:\programdata\Citrix
2009-07-30 18:59 . 2009-07-30 18:59 -------- d-----w- c:\users\Lori\AppData\Local\Citrix
2009-07-30 18:58 . 2009-07-30 18:58 61224 ----a-w- c:\users\Lori\GoToAssistDownloadHelper.exe
2009-07-30 18:19 . 2009-07-30 18:19 127872 ----a-w- c:\users\Lori\AppData\Roaming\Move Networks\uninstall.exe
2009-07-30 18:19 . 2009-07-30 19:26 -------- d-----w- c:\users\Lori\AppData\Roaming\Move Networks
2009-07-30 18:01 . 2009-07-30 18:01 -------- d-----w- c:\programdata\McAfee
2009-07-30 17:27 . 2009-02-13 02:21 81920 ----a-w- c:\windows\system32\AESTCom.dll
2009-07-30 17:27 . 2009-07-30 17:27 -------- d-----w- c:\windows\system32\SRSLabs
2009-07-30 17:27 . 2009-04-10 01:26 398848 ----a-w- c:\windows\system32\drivers\stwrt.sys
2009-07-30 17:27 . 2009-04-10 01:26 404992 ----a-w- c:\windows\system32\stcplx.dll
2009-07-30 17:27 . 2009-04-10 01:26 171520 ----a-w- c:\windows\system32\st326187.dll
2009-07-30 17:27 . 2009-07-30 17:28 -------- d-----w- c:\program files\IDT
2009-07-26 00:35 . 2008-06-20 01:14 97800 ----a-w- c:\windows\system32\infocardapi.dll
2009-07-26 00:35 . 2008-06-20 01:14 105016 ----a-w- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-07-26 00:35 . 2008-06-20 01:14 11264 ----a-w- c:\windows\system32\icardres.dll
2009-07-26 00:35 . 2008-06-20 01:14 622080 ----a-w- c:\windows\system32\icardagt.exe
2009-07-26 00:35 . 2008-06-20 01:14 43544 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2009-07-26 00:35 . 2008-06-20 01:14 781344 ----a-w- c:\windows\system32\PresentationNative_v0300.dll
2009-07-26 00:34 . 2008-06-20 01:14 326160 ----a-w- c:\windows\system32\PresentationHost.exe
2009-07-26 00:27 . 2008-07-27 18:03 96760 ----a-w- c:\windows\system32\dfshim.dll
2009-07-25 17:27 . 2008-07-27 18:03 282112 ----a-w- c:\windows\system32\mscoree.dll
2009-07-25 17:27 . 2008-07-27 18:03 41984 ----a-w- c:\windows\system32\netfxperf.dll
2009-07-25 17:27 . 2008-07-27 18:03 158720 ----a-w- c:\windows\system32\mscorier.dll
2009-07-25 17:27 . 2008-07-27 18:03 83968 ----a-w- c:\windows\system32\mscories.dll
2009-07-25 15:47 . 2009-07-25 15:47 -------- d-----w- c:\program files\iPod
2009-07-25 15:47 . 2009-07-25 15:47 -------- d-----w- c:\program files\iTunes
2009-07-25 15:42 . 2009-07-25 15:42 75040 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe
2009-07-19 15:13 . 2009-07-19 15:13 2904064 ----a-w- c:\programdata\Intuit\Quicken\Inet\Common\patch\Update\18154-181625.dll
2009-07-15 08:23 . 2009-06-15 15:24 156672 ----a-w- c:\windows\system32\t2embed.dll
2009-07-15 08:23 . 2009-06-15 15:20 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-07-15 08:23 . 2009-06-15 15:20 10240 ----a-w- c:\windows\system32\dciman32.dll
2009-07-15 08:23 . 2009-06-15 12:52 289792 ----a-w- c:\windows\system32\atmfd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-04 18:29 . 2008-12-27 10:53 12 ----a-w- c:\windows\bthservsdp.dat
2009-08-04 18:20 . 2009-01-11 03:38 900 --sha-w- c:\programdata\KGyGaAvL.sys
2009-08-04 18:20 . 2009-01-11 03:38 900 --sha-w- c:\programdata\KGyGaAvL.sys
2009-08-04 18:20 . 2009-01-10 21:40 0 ----a-w- c:\users\Lori\AppData\Local\WavXMapDrive.bat
2009-08-04 18:17 . 2008-12-27 10:57 -------- d-----w- c:\program files\Google
2009-08-04 08:14 . 2009-05-05 21:20 1356 ----a-w- c:\users\Lori\AppData\Local\d3d9caps.dat
2009-08-04 07:04 . 2009-02-17 15:35 -------- d-----w- c:\users\Andrew\AppData\Roaming\skypePM
2009-08-04 06:43 . 2009-01-11 04:10 -------- d-----w- c:\programdata\Webroot
2009-08-04 06:43 . 2009-01-10 04:27 0 ----a-w- c:\users\Andrew\AppData\Local\WavXMapDrive.bat
2009-08-03 13:38 . 2009-02-17 15:47 -------- d-----w- c:\users\Andrew\AppData\Roaming\Skype
2009-07-30 18:59 . 2009-06-22 23:14 -------- d-----w- c:\program files\Citrix
2009-07-30 18:19 . 2009-06-16 06:35 4183416 ----a-w- c:\users\Lori\AppData\Roaming\Move Networks\plugins\npqmp071503000010.dll
2009-07-30 18:03 . 2008-12-27 10:29 -------- d-----w- c:\program files\Java
2009-07-30 17:26 . 2008-12-27 10:30 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-27 19:42 . 2009-01-10 04:26 102408 ----a-w- c:\users\Andrew\AppData\Local\GDIPFONTCACHEV1.DAT
2009-07-27 14:53 . 2009-01-10 21:40 102408 ----a-w- c:\users\Lori\AppData\Local\GDIPFONTCACHEV1.DAT
2009-07-26 00:48 . 2009-01-10 17:42 -------- d-----w- c:\programdata\Microsoft Help
2009-07-26 00:45 . 2009-01-10 17:44 -------- d-----w- c:\program files\Microsoft Works
2009-07-25 15:49 . 2009-06-18 22:39 -------- d-----w- c:\program files\Safari
2009-07-25 15:47 . 2009-01-10 21:16 -------- d-----w- c:\program files\Common Files\Apple
2009-07-21 21:52 . 2009-07-29 14:09 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-07-29 14:09 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-07-29 14:09 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 20:13 . 2009-07-29 14:09 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-19 16:09 . 2009-01-13 21:31 -------- d-----w- c:\program files\Quicken
2009-07-19 15:12 . 2009-01-13 21:33 242976 ----a-w- c:\programdata\Intuit\Quicken\Inet\Common\patch\Update\QWPATCH.EXE
2009-07-16 14:59 . 2009-04-15 19:12 1844883 ----a-w- c:\programdata\ArcSoft\Global Deploy\CheckUpdate\ArcConnect.exe
2009-07-15 10:35 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-06-22 23:13 . 2009-06-22 23:13 70984 ----a-w- c:\users\Andrew\g2mdlhlpx.exe
2009-06-18 22:33 . 2009-01-10 21:17 -------- d-----w- c:\program files\QuickTime
2009-06-18 22:28 . 2009-01-10 21:16 -------- d-----w- c:\programdata\Apple
2009-06-18 14:17 . 2009-06-18 14:17 456304 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtb8621.tmp.exe
2009-06-17 19:37 . 2009-06-17 19:37 819 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtbA88F.tmp.exe
2009-06-16 06:35 . 2009-06-16 06:35 97144 ----a-w- c:\users\Lori\AppData\Roaming\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-06-05 18:42 . 2009-06-05 18:42 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-06-05 18:42 . 2009-06-05 18:42 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-05-23 21:36 . 2009-03-12 18:30 164 ----a-w- c:\windows\install.dat
2009-05-21 18:33 . 2009-01-10 21:47 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-15 21:44 . 2009-05-15 21:44 1536000 ----a-w- c:\programdata\Intuit\Quicken\Inet\Common\patch\Update\181414-18154.dll
2009-05-13 22:39 . 2009-01-11 04:10 1563008 ----a-w- c:\windows\WRSetup.dll
2009-07-29 00:27 . 2009-01-12 16:24 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2008-12-27 12:00 . 2008-12-27 11:58 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
@="{022F2F51-CDDA-4873-8A29-72C66C808A3F}"
[HKEY_CLASSES_ROOT\CLSID\{022F2F51-CDDA-4873-8A29-72C66C808A3F}]
2008-07-27 18:03 282112 ----a-w- c:\windows\System32\mscoree.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
@="{661963C1-99A1-44e7-A671-1CF3768AE9D4}"
[HKEY_CLASSES_ROOT\CLSID\{661963C1-99A1-44e7-A671-1CF3768AE9D4}]
2008-07-27 18:03 282112 ----a-w- c:\windows\System32\mscoree.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-10-28 200704]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-08-13 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-08-13 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-08-13 145944]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-06-15 178712]
"ChangeTPMAuth"="c:\program files\Wave Systems Corp\Common\ChangeTPMAuth.exe" [2008-05-30 180224]
"WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2008-05-14 99328]
"SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2008-06-24 243000]
"EmbassySecurityCheck"="c:\program files\Wave Systems Corp\EMBASSY Security Setup\EMBASSYSecurityCheck.exe" [2008-06-24 79160]
"DellControlPoint"="c:\program files\Dell\Dell ControlPoint\Dell.ControlPoint.exe" [2008-05-30 593920]
"DCPstrApp"="c:\program files\Dell\Dell ControlPoint\Security Manager\SecurityDeviceInfoSetRegistryString.exe" [2008-08-04 6656]
"DellConnectionManager"="c:\program files\Dell\Dell ControlPoint\Connection Manager\Dell.UCM.exe" [2008-09-09 1486848]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-10-29 3563520]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"Act! Preloader"="c:\program files\ACT\Act for Windows\ActSage.exe" [2009-01-09 1351680]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2008-02-20 591696]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-07-10 195072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-04-10 483428]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-6-5 752168]
Dell ControlPoint System Manager.lnk - c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe [2008-8-1 1180952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{B077BD11-60D4-4390-83A5-338DCCA2CECE}"= c:\program files\CyberLink\PowerDVD DX\PowerDVD.exe:CyberLink PowerDVD DX
"{E47AEEA1-3ED6-4234-8803-A557D79CF664}"= c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe:CyberLink PowerDVD DX Resident Program
"{6384C997-E680-4BEC-919D-331B01DDBEF2}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{946A9351-6831-4BC6-8FA4-5DCD43B91A2A}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{D696B468-42AF-4C2E-A0F8-19F8573B476C}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{683722C1-7548-4A6D-BA00-5A9D5797EA66}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{D31A3189-AB1E-43E3-878D-BC204E069F56}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{724FF44B-8186-4856-A997-C30F96C5E16C}c:\\program files\\act\\act for windows\\actsage.exe"= UDP:c:\program files\act\act for windows\actsage.exe:ACT! 10.x/2008 Workgroup
"UDP Query User{C47269FA-D11E-49F8-954B-1563C26D1B09}c:\\program files\\act\\act for windows\\actsage.exe"= TCP:c:\program files\act\act for windows\actsage.exe:ACT! 10.x/2008 Workgroup
"TCP Query User{6300141B-98B2-4AB8-966A-7B91102CAAA8}c:\\program files\\act\\act for windows\\actsage.exe"= UDP:c:\program files\act\act for windows\actsage.exe:ACT! 10.x/2008 Workgroup
"UDP Query User{F19D9AB3-4EA1-4283-8698-D8F46E42DF0D}c:\\program files\\act\\act for windows\\actsage.exe"= TCP:c:\program files\act\act for windows\actsage.exe:ACT! 10.x/2008 Workgroup
"TCP Query User{C4440398-7CC3-4785-8F2E-1177781B86A1}c:\\users\\lori\\appdata\\local\\temp\\lmi18e6.tmp\\lmi_rescue.exe"= UDP:c:\users\lori\appdata\local\temp\lmi18e6.tmp\lmi_rescue.exe:lmi_rescue.exe
"UDP Query User{DB21400F-1988-4F37-BF31-762B459ECB1A}c:\\users\\lori\\appdata\\local\\temp\\lmi18e6.tmp\\lmi_rescue.exe"= TCP:c:\users\lori\appdata\local\temp\lmi18e6.tmp\lmi_rescue.exe:lmi_rescue.exe
"{75E5D93B-B01A-495A-A934-54CAB37EFD50}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{8CF629D7-223C-4843-9A9C-FBE6E6335CAD}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"TCP Query User{4DE690E7-7297-4E23-94B4-A3ACA02D5521}c:\\users\\andrew\\appdata\\roaming\\macromedia\\flash player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"= UDP:c:\users\andrew\appdata\roaming\macromedia\flash player\www.macromedia.com\bin\octoshape\octoshape.exe:octoshape.exe
"UDP Query User{2F0B7250-CE00-4940-9294-5ECED5458335}c:\\users\\andrew\\appdata\\roaming\\macromedia\\flash player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"= TCP:c:\users\andrew\appdata\roaming\macromedia\flash player\www.macromedia.com\bin\octoshape\octoshape.exe:octoshape.exe
"TCP Query User{C31B580A-6EC3-40CC-804B-CA4964318683}c:\\users\\andrew\\appdata\\roaming\\mjusbsp\\magicjack.exe"= UDP:c:\users\andrew\appdata\roaming\mjusbsp\magicjack.exe:magicjack.exe
"UDP Query User{EA3847FA-7B78-4547-AEBB-6CA3F0ABDB1A}c:\\users\\andrew\\appdata\\roaming\\mjusbsp\\magicjack.exe"= TCP:c:\users\andrew\appdata\roaming\mjusbsp\magicjack.exe:magicjack.exe
"{8AAA5F37-170B-4F5F-A64F-26F1ADA518DB}"= c:\program files\Skype\Phone\Skype.exe:Skype
"TCP Query User{D310E53A-A4F4-4D7A-938F-FFBE0B61348A}e:\\common\\easyinstall\\easyinstall.exe"= UDP:e:\common\easyinstall\easyinstall.exe:EasyInstall
"UDP Query User{D87254B8-D986-4CB4-A476-13D3F34DF180}e:\\common\\easyinstall\\easyinstall.exe"= TCP:e:\common\easyinstall\easyinstall.exe:EasyInstall
"TCP Query User{8DFDB5E9-7BA3-4278-8925-EF190ED4ED7B}c:\\users\\lori\\appdata\\local\\temp\\lmi7e29.tmp\\lmi_rescue.exe"= UDP:c:\users\lori\appdata\local\temp\lmi7e29.tmp\lmi_rescue.exe:lmi_rescue.exe
"UDP Query User{48A2DD80-8CA4-4062-93FC-7BE37425F0D6}c:\\users\\lori\\appdata\\local\\temp\\lmi7e29.tmp\\lmi_rescue.exe"= TCP:c:\users\lori\appdata\local\temp\lmi7e29.tmp\lmi_rescue.exe:lmi_rescue.exe
"{0290F3E7-9FE1-4030-ACF8-F00A57BE8DB6}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{2BDE6C3C-FA4A-44DE-9F54-8C094A0AB227}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{715BC6B8-B15A-4DE2-BA56-22F774FC619C}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{90513FFA-1C62-4075-BE5E-49EA807E8E2B}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

R2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_820ff26a\AEstSrv.exe [7/30/2009 10:27 AM 81920]
R2 alssvc;Ambient Light Sensor;c:\program files\Dell\Ambient Light Sensor\AlsSvc.exe [6/3/2008 2:16 PM 382232]
R2 ATService;AuthenTec Fingerprint Service;c:\program files\Fingerprint Sensor\AtService.exe [6/11/2008 10:39 AM 1664248]
R2 BrcmMgmtAgent;Broadcom Management Agent;c:\program files\Broadcom\MgmtAgent\BrcmMgmtAgent.exe [7/1/2008 5:57 PM 110592]
R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\Dell\Dell ControlPoint\DCPButtonSvc.exe [6/3/2008 2:28 PM 386328]
R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe [8/1/2008 8:44 PM 455960]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 6:45 AM 13088]
R2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [11/24/2008 10:31 PM 29263712]
R2 SMManager;Smith Micro Connection Manager Service;c:\program files\Dell\Dell ControlPoint\Connection Manager\SMManager.exe [9/9/2008 1:21 PM 69632]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [12/27/2008 5:13 AM 212992]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\System32\drivers\IntcHdmi.sys [12/27/2008 5:13 AM 112128]
S2 ACT! Scheduler;ACT! Scheduler;c:\program files\ACT\Act for Windows\Act.Scheduler.exe [1/10/2009 8:37 PM 65536]
S2 gupdate1ca058297d2ea70;Google Update Service (gupdate1ca058297d2ea70);c:\program files\Google\Update\GoogleUpdate.exe [7/15/2009 12:29 PM 133104]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\System32\drivers\btwl2cap.sys [12/27/2008 3:52 AM 29736]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-15 19:29]

2009-08-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-15 19:29]

2009-08-04 c:\windows\Tasks\User_Feed_Synchronization-{02107DE1-CE79-4619-A6E0-BF30A92453B6}.job
- c:\windows\system32\msfeedssync.exe [2009-07-29 20:13]

2009-08-04 c:\windows\Tasks\User_Feed_Synchronization-{54D5E6EE-AC9F-4F8B-88F8-BEC11B1FF29C}.job
- c:\windows\system32\msfeedssync.exe [2009-07-29 20:13]

2009-07-17 c:\windows\Tasks\wrSpySweeper_L23F405142511456BB8FC471C57616D5D.job
- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2009-01-11 22:40]

2009-07-17 c:\windows\Tasks\wrSpySweeper_L23F405142511456BB8FC471C57616D5D.job
- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2009-01-11 22:40]
.
- - - - ORPHANS REMOVED - - - -

ShellIconOverlayIdentifiers-{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD} - (no file)
Notify-GoToAssist - c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
SafeBoot-WRConsumerService


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\users\Lori\AppData\Roaming\Mozilla\Firefox\Profiles\p8iyztgh.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\users\Lori\AppData\Roaming\Move Networks\plugins\npqmp071503000010.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-04 11:52
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\TMP000000470EC4CCBB6A281E05 524288 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(668)
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll

- - - - - - - > 'Explorer.exe'(3756)
c:\windows\system32\btncopy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\DriverStore\FileRepository\stwrt.inf_820ff26a\stacsv.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\wlanext.exe
c:\windows\System32\BCMWLTRY.EXE
c:\program files\Common Files\EPSON\EBAPI\eEBSvc.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
c:\program files\Common Files\Protexis\License Service\PSIService_2.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
.
**************************************************************************
.
Completion time: 2009-08-04 11:55 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-04 18:55

Pre-Run: 98,118,598,656 bytes free
Post-Run: 97,790,156,800 bytes free

296 --- E O F --- 2009-08-04 08:23


#2 Animal
  • Site Admin
  • 35,302 posts

Posted 04 August 2009 - 03:17 PM

Please note the message text in blue at the top of this forum.

ComboFix logs should not be posted outside the HijackThis forums, and then only when requested by a HJT Team member. It is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Please read ComboFix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system, such as preventing it from ever starting again.

Please create a new topic explaining the nature of your problem in this forum. Describe pop-ups and system tray or desktop icons that have appeared. Explain what is "going wrong" with your computer. Note any tools you have used and their respective results.

If needed, we will direct you to our HJT Preparation Guide.

Thank you for using BleepingComputer as your malware removal source.

This topic is now closed. If you have any questions, please PM any Moderator.
The BC Staff

The Internet is so big, so powerful and pointless that for some people it is a complete substitute for life.
Andrew Brown (1938-1994)


A learning experience is one of those things that say, "You know that thing you just did? Don't do that." Douglas Adams (1952-2001)


"Imagination is more important than knowledge. Knowledge is limited. Imagination circles the world." Albert Einstein (1879-1955)

