
Seriously infected - this one will top all!


This topic is locked. 21 replies to this topic.

#1 ICKIER

Posted 14 September 2009 - 08:26 PM

My system is seriously infected.

I've done everything in the pre-post guide, removed temp files and backed up.
My system will not run DDS.SCR. The command prompt opens and it says it's doing it's thing, then shuts down.
I've tried Malwarebytes; it too shuts down. I've tried Spybot; it too shuts down.
Both programs in regular mode and safe mode.
I've pittled around with my knowledge off of other guides and nothing...

So, where do we begin?



#2 1972vet (Malware Response Team)

Posted 14 September 2009 - 08:31 PM

Having followed some "other guides" really tells us nothing. Please tell us exactly what guide(s) you followed. What infection(s) does the machine have, do you know? And, if so, how do you know?

Disabled Veteran, U.S.C.G. 1972 - 1978
2009 - 2013

Member: U.N.I.T.E.
Performance and Maintenance for Windows XP, Windows Vista and Windows Seven


#3 ICKIER (Topic Starter)

Posted 15 September 2009 - 06:13 PM

I've tried guides related to ie-redirects, namely google. I've tried guides where other people say they have similar things happening to them as me.
Pretty much most of them talk about what I've tried...Rooter, RootRepeal, DDS, Combo-Fix, Hijackthis, Malwarebytes, Spybot, OTL (maybe a few others) to no avail.
The closest I've come is seeing rootkit UACD.SYS. Every scanning program shuts down; others lock up and cause 99% CPU usage.
Once they run once and shut down I lose permissions to run the file until I drop it on Inherit.
I've tried a Linux boot CD with Bitdefender...finds NOTHING except saying Inherit is a trojan.

I'm at a loss. I thought coming here I'd be instructed to try something that I haven't read yet or tried myself.
If I'm allowed to ask a question here, in this forum category, can I pop this drive in a clean system and scan; will it pick up malware (or does it have to be in the infected machine running to be picked up?)

#4 1972vet (Malware Response Team)

Posted 15 September 2009 - 09:25 PM

The closest I've come is seeing rootkit UACD.SYS

I'm not sure at all what you are trying to say there. The closest you've come to what? Did one of the scanners tell you that it found that particular rootkit?

You said here:

I've tried...Rooter, RootRepeal, DDS, Combo-Fix, Hijackthis, Malwarebytes, Spybot, OTL (maybe a few others) to no avail.

...and I should point out, not all of those utilities are designed for cleaning. DDS for example actually stands for "Doesn't do squat." Most of those you list are fine to run on your own but those few that require some technical experience or training could be more dangerous for one to use without some guidance.

Tell me what happened when you ran combofix...and by the way, the way you worded your statement "Combo-Fix" leads me to think that you renamed it before you ran it. Did you? If so, did you rename it before it landed on that desktop?

To answer your question, Yes...you can do what you asked about but I don't recommend it. There is a slim chance that things could get worse. I would rather see you reformat and reinstall. It doesn't take that much time, and the worry is wiped away with the reformat.



#5 ICKIER (Topic Starter)

Posted 15 September 2009 - 09:46 PM

Yes, one of the scanners reported the following:

Rootkit! ... [HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_UACD.SYS]
Rootkit! ... [HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_UACD.SYS]
Rootkit! ... [HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UACD.SYS]

Rooter full log file attached. (This one did run; I was mistaken)

I know most are not designed for cleaning; I'd assumed most were designed for giving some kind of clue what's going on. The fact that nearly all of them didn't work makes me wonder.

As far as Combo-Fix, I honestly can't remember if it was renamed before or after. I want to say before it hit the desktop as I recall reading instructions to name it that during the download/save process. What it does exactly when run is display the progress bar all the way to the end, the hard drive chatters away for a bit then program appears to shut down. It does create all the files in a directory on C:\ and several instances of find.exe appear in processes running.

I'd settle for a reformat if it wasn't for the data file loss.
I know...back up, back up, back up. But you're always "going to get to that..."




#6 1972vet (Malware Response Team)

Posted 16 September 2009 - 06:13 AM

If that's all you have, you don't have much. The rootkit named in that log here:
----------------------\\ Registry

Rootkit! ... [HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_UACD.SYS]
Rootkit! ... [HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_UACD.SYS]
Rootkit! ... [HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UACD.SYS]

...appears to have already been removed. Those are legacy key entries. Nothing loads from legacy keys. Those entries are harmless but not needed either.

I'm beginning to wonder if all the tinkering around you've done on your own with running those various tools and following instructions that were designed for other users may have gotten your system tied up in a few knots along the way. The disk might also be so badly fragmented and cluttered that it gives the appearance that nothing is working right or hanging...stalling...but if that were the case, things would eventually work if you waited long enough.

Try to download a fresh copy of combofix. You are correct to rename it during the download. This time though, try to rename it "Service.exe" and remember, it's already named combofix.exe so make sure it doesn't end up looking like this:
"Services.exe.exe"
If your "view all files" are already set, then you should be able to see this...but to be sure, if you can't see the ".exe" at the end of the combofix file, then just rename it "Services". See if you get any better results. Thanks!



#7 ICKIER (Topic Starter)

Posted 16 September 2009 - 10:47 AM

I will try a "fresh" copy of ComboFix renamed during download to Service.

In all my tinkering I never ran (or was able to run) any program that was data altering per se...they were all logging programs to look at the system.
The drive is not badly fragmented.
And waiting overnight upwards of 14 hours is long enough I'd think if a program was going to work.
Did you miss my mention of virtual memory low alerts?

I have not done any "fixes" that are designed for specific users. I've read the warnings.
Browsing the forums I think I closely resemble symptoms of Antispy Protector 2009.

Am I in the wrong area to be picked up for step by step, run this program, we'll look at the logs and suggest the next step?

#8 1972vet (Malware Response Team)

Posted 16 September 2009 - 02:22 PM

Did you miss my mention of virtual memory low alerts?

I didn't miss it...you just never said it, until now. That is, unless you were trading messages with someone else on some other forum or in some other thread. You haven't mentioned it in this thread until now.

Am I in the wrong area to be picked up for step by step, run this program, we'll look at the logs and suggest the next step?

This would be the place but I hesitate to suggest running anything else that also won't run...as you've said, nothing wants to run on that computer so, unless you can produce a combofix log, we will have met a dead end.


It's difficult, if not impossible, to fix something when you don't know what's wrong. If you cannot produce some kind of analysis log or the combofix log then how can we proceed?

Without some productive analysis tool's log results, you would be the one who knows better than I what the possibilities are behind the jam you're in at present. You've said you already have tried the suggested steps for fixing the issue(s) that you believe are your culprit but that none of the tools will even run.

You've mentioned that your system is seriously infected and mentioned what it is that you believe it's infected with...you mentioned what tools you've run that won't work, but you haven't mentioned yet how you believe this all happened. Can you remember what you were doing just prior to running into this brick wall? That might be useful information.



#9 ICKIER (Topic Starter)

Posted 17 September 2009 - 06:28 AM

Fresh ComboFix both renamed did the same thing...progress bar then nothing.
I did watch task manager and saw a few programs start and then drop off - programs that are inside the folder in root of C: that ComboFix creates. If I ran it again I'd get an error saying files couldn't be created. If I end processed Nicmd.cfxx (or something like that) the program started, progress bar, then nothing.

In guides I've seen other analysis tools. Win32kdiag log attached if this could be an alternate starting point...

It wasn't what I was doing. I get the aftermath..."Dad, something's wrong with the computer..."
Then, of course, it's "I didn't do anything..."




#10 1972vet (Malware Response Team)

Posted 17 September 2009 - 08:00 AM

When you ran rootrepeal earlier, did it produce a log or would it even run for you? Also, you said earlier that you lose permissions after you ran some protective/security analysis software...tell us exactly what warning message was returned.

Edit added:
I must admit there has been a particular infection that originally came to mind with your 3rd post but some of the things you've said had me believing that I should look elsewhere...not to mention that there is still no evidence to prove or disprove it so it's still gnawing at me.

While you are looking into the answer for me, to my above question/concern, let's try this before you post back:

Open your command prompt and paste the following:
@SC CONFIG EVENTLOG START= DISABLED
...you should receive a "Success" message returned. If so, try running the combofix utility again and post back your results. Thanks!

Edited by 1972vet, 17 September 2009 - 10:54 AM.



#11 ICKIER (Topic Starter)

Posted 17 September 2009 - 09:39 PM

Rootrepeal runs and says Please wait, initializing or something of that sort then just hangs with frequent hard drive activity until eventually it gives me low virtual memory balloons. I never see anything other than initializing screen and no files (logs) pop up on desktop.

After running some programs, the icon on some would change from program icon to standard default icon and if clicked would say I couldn't access the file because of permissions not being correct. That's just the gist of it...don't recall exact. If it comes about again, I'll copy word for word.

Running your command did provide success message and Combo-Fix RAN!

Results below:
(CTFMON is missing on purpose - just renamed actually)


ComboFix 09-09-17.04 - Kimberly 09/17/2009 21:49.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.690 [GMT -4:00]
Running from: c:\documents and settings\Kimberly\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\John\Application Data\Microsoft\Installer\{388887F6-0661-4C80-B272-A6A23EFC7A31}\ARPPRODUCTICON.exe
c:\documents and settings\John\Application Data\Microsoft\Installer\{48E16DC7-79EC-45F1-847A-F8D3C620515E}\MapleStory.exe_801DA03C4E824858A615529E6AFB9A78.exe
c:\documents and settings\John\Application Data\Microsoft\Installer\{48E16DC7-79EC-45F1-847A-F8D3C620515E}\MapleStory.exe1_801DA03C4E824858A615529E6AFB9A78.exe
c:\recycler\NPROTECT
c:\windows\ALCMTR.EXE
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\Installer\527e9f.msi
c:\windows\system32\Drivers\rzsvf.sys
c:\windows\system32\wscsvc32.exe
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MYWEBSEARCHSERVICE
-------\Legacy_UACD.SYS
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Service_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Legacy_gaccagih
-------\Service_gaccagih


((((((((((((((((((((((((( Files Created from 2009-08-18 to 2009-09-18 )))))))))))))))))))))))))))))))
.

2009-09-17 01:06 . 2008-07-08 18:54 148496 ----a-w- c:\windows\system32\drivers\82112273.sys
2009-09-14 23:38 . 2009-09-14 23:38 153104 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-09-14 22:17 . 2009-09-18 02:00 2043936 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-09-14 01:42 . 2009-09-14 01:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-09-14 01:31 . 2009-09-14 01:31 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-09-14 01:26 . 2009-09-14 01:26 -------- d-----w- c:\documents and settings\Kimberly\Application Data\Malwarebytes
2009-09-14 01:19 . 2009-09-14 01:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-14 01:19 . 2009-09-17 00:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-13 19:40 . 2009-09-13 19:40 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-09-10 15:52 . 2009-09-10 15:52 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-09-04 13:28 . 2009-09-04 13:28 -------- d-----w- c:\program files\Activision
2009-08-20 17:32 . 2009-08-20 17:32 0 ----a-w- c:\windows\popcreg.dat
2009-08-20 15:31 . 2009-08-22 18:13 25 ----a-w- c:\windows\popcinfot.dat
2009-08-20 15:31 . 2009-08-20 15:31 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap Games

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-18 01:57 . 2009-09-14 22:17 23396 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-09-17 00:20 . 2005-08-21 00:22 -------- d-----w- c:\program files\HP
2009-09-17 00:20 . 2005-08-21 00:04 -------- d-----w- c:\program files\Java
2009-09-17 00:17 . 2005-12-26 20:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-09-17 00:17 . 2009-06-09 21:54 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-17 00:17 . 2009-06-09 21:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-16 00:03 . 2008-05-15 19:44 -------- d-----w- c:\program files\My Sam's Club Digital Photo Center
2009-09-10 21:29 . 2005-08-21 00:47 -------- d-----w- c:\program files\Microsoft Plus! Dancer LE
2009-09-09 23:25 . 2008-11-20 22:24 52224 ----a-w- c:\windows\ipuninst.exe
2009-09-04 13:42 . 2005-08-21 00:45 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-30 21:44 . 2006-09-04 21:37 -------- d-----w- c:\documents and settings\Kimberly\Application Data\U3
2009-08-25 19:20 . 2006-01-13 21:51 -------- d-----w- c:\program files\InterActual
2009-08-24 20:15 . 2008-08-27 18:31 -------- d-----w- c:\program files\Call of Duty Game of the Year Edition
2009-08-20 15:31 . 2009-05-10 01:24 -------- d-----w- c:\program files\PopCap Games
2009-08-11 17:44 . 2006-01-01 19:33 -------- d-----w- c:\documents and settings\Kimberly\Application Data\Apple Computer
2009-08-06 13:59 . 2006-10-09 19:12 913 ----a-w- c:\windows\eReg.dat
2009-08-05 09:01 . 2004-08-10 19:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2004-08-10 19:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 14:08 . 2004-08-11 02:00 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2004-08-10 19:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2004-08-10 19:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-10 19:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-10 19:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-10 19:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-08-10 19:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-10 19:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2004-08-11 02:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
.

------- Sigcheck -------

[7] 2008-04-14 . 5F1D5F88303D4A4DBC8E5F97BA967CC3 . 15360 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ctfmon.exe
[-] 2004-08-10 . 24232996A38C0B0CF151C2140AE29FC8 . 15360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ctfmon.exe

c:\windows\system32\ctfmon.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-13 136600]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\c:^documents and settings^all users^start menu^programs^startup^updates from hp.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=c:\windows\pss\Updates from HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"UPS"=3 (0x3)
"TermService"=3 (0x3)
"TapiSrv"=3 (0x3)
"SCardSvr"=3 (0x3)
"RDSessMgr"=3 (0x3)
"PlugPlay"=2 (0x2)
"LightScribeService"=2 (0x2)
"helpsvc"=2 (0x2)
"CiSvc"=3 (0x3)
"Bonjour Service"=2 (0x2)
"AOL TopSpeedMonitor"=2 (0x2)
"AOL ACS"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1135628039\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\America Online 9.0a\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\1135628039\\EE\\aolsoftware.exe"=
"c:\\Program Files\\LucasArts\\Star Wars Galactic Battlegrounds\\Game\\Battlegrounds.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Microsoft Games\\Rise of Nations\\rise.exe"=
"c:\\Program Files\\Microsoft Games\\Rise of Nations\\thrones.exe"=
"c:\\Program Files\\Microsoft Games\\Rise of Nations\\patriots.exe"=
"c:\\Program Files\\Microsoft Games\\Rise of Nations\\nations.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\AGE2_X1.ICD"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56917:TCP"= 56917:TCP:Pando Media Booster
"56917:UDP"= 56917:UDP:Pando Media Booster
"58300:TCP"= 58300:TCP:Pando Media Booster
"58300:UDP"= 58300:UDP:Pando Media Booster

R1 is-L5J01drv;is-L5J01drv;c:\windows\system32\drivers\82112273.sys [9/16/2009 9:06 PM 148496]
R2 BCMNTIO;BCMNTIO;c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [12/26/2005 8:51 PM 3744]
R2 FlipShare Service;FlipShare Service;c:\program files\Flip Video\FlipShare\FlipShareService.exe [5/5/2009 11:19 AM 451904]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 6:45 AM 13088]
R2 MAPMEM;MAPMEM;c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [12/26/2005 8:51 PM 3904]
S1 d5b16eeb;d5b16eeb;c:\windows\system32\drivers\d5b16eeb.sys --> c:\windows\system32\drivers\d5b16eeb.sys [?]
S1 is-drgavdrv;is-DRGAVdrv;c:\windows\system32\DRIVERS\14094733.sys --> c:\windows\system32\DRIVERS\14094733.sys [?]
S1 is-vafnadrv;is-VAFNAdrv;c:\windows\system32\DRIVERS\60326017.sys --> c:\windows\system32\DRIVERS\60326017.sys [?]
S2 gupdate1c9c8da21fb4b74;Google Update Service (gupdate1c9c8da21fb4b74);c:\program files\Google\Update\GoogleUpdate.exe [4/29/2009 10:52 AM 133104]
S2 ijta;ijta;c:\windows\system32\drivers\pobkpq.sys --> c:\windows\system32\drivers\pobkpq.sys [?]
S2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [1/15/2008 11:28 AM 204800]
S3 bDMusicb;bDMusicb;\??\c:\docume~1\HP_ADM~1\LOCALS~1\Temp\bDMusicb.sys --> c:\docume~1\HP_ADM~1\LOCALS~1\Temp\bDMusicb.sys [?]
S3 SBRE;SBRE;\??\c:\windows\system32\drivers\SBREdrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/home.php
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: &Search
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Robin Hood: The Legend Of Sherwood - c:\progra~1\STRATE~1\ROBINH~1\UNWISE.EXE
AddRemove-Starcraft - c:\windows\SCunin.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-17 21:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@DACL=(02 0010)
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@DACL=(02 0010)
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@DACL=(02 0010)
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(644)
c:\windows\system32\iac25_32.ax

- - - - - - - > 'explorer.exe'(3680)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
c:\program files\Common Files\Microsoft Shared\OFFICE11\MSOXEV.DLL
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\spool\drivers\w32x86\3\HPZIPM12.EXE
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2009-09-18 22:03 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-18 02:03

Pre-Run: 100,180,021,248 bytes free
Post-Run: 100,033,380,352 bytes free

240 --- E O F --- 2009-09-10 07:04

#12 1972vet (Malware Response Team)

Posted 18 September 2009 - 06:26 AM

Running your command did provide success message and Combo-Fix RAN!
...Results below:
(CTFMON is missing on purpose - just renamed actually)



The ctfmon.exe file is useful if you are using a Microsoft Office XP program. It monitors active windows and provides text input service support for speech recognition, handwriting recognition, keyboard translations and other alternate user input forms.

It has caused some irritation for users who don't use that feature, as it runs in the background, even after you quit all Office programs...some folks like to feel that they have more control over their system than to have microsoft override their wishes to disable some feature as that, just to have it reappear the next time.

You can rename the file back as it was if you wish and we can uninstall it to prevent it from ever coming back. It's up to you, just let me know if you would like to know how to do that.

Next up, there is some indication that an on board Adobe product is outdated. Some older Adobe products have been exploited. In fact, in your case, it would be wise to reset your router and employ the use of a Strong Password, as some of these older Adobe exploits are known to have been the culprit behind a dns hijack. The latest Adobe Flash Player is Here, and the latest Reader version is Here. If you have anything older than those, please uninstall what you have and install those latest versions.

Then one other item of note, combofix removed your PopCap loader so we will just follow suit and remove the remaining remnants for now since you have such a serious invasive control issue going on. When we've finished cleaning up, you might reinstall it (or your kids will if you don't closely supervise them online).

As long as you play the Yahoo games (which are fine by the way) you will be bothered on occasion by adware. The PopCap loader object will trigger an alert from a Trend Micro scan.

Trend Micro has labeled this software as "spyware/grayware". Since we've removed it, you will just have to reinstall it the next time you want to play the Yahoo games...but at least you are now aware of the annoyances.

Please open a blank Notepad by clicking start-->run
Then, in the run box type Notepad.exe and click "OK".
Copy the below text in Bold and paste it into the blank Notepad. Save it as CFScript.txt...Change the "Save as type" to All Files and save it to your desktop. Now drag the text document over to your Combofix.exe

Combofix will run again automatically. Please post back the new log that will be generated. Thanks!
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall



KILLALL::


File::
c:\windows\system32\drivers\82112273.sys
c:\windows\popcreg.dat
c:\windows\popcinfot.dat
c:\windows\system32\drivers\d5b16eeb.sys
c:\windows\system32\DRIVERS\14094733.sys
c:\windows\system32\DRIVERS\60326017.sys
c:\windows\system32\drivers\pobkpq.sys
c:\docume~1\HP_ADM~1\LOCALS~1\Temp\bDMusicb.sys


Folder::
c:\documents and settings\All Users\Application Data\PopCap Games
c:\documents and settings\All Users\Application Data\Viewpoint
c:\program files\PopCap Games


Driver::
d5b16eeb
is-drgavdrv
is-vafnadrv
ijta
bDMusicb


Reglock::
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]



#13 ICKIER
  • Topic Starter
  • Members
  • 33 posts

Posted 18 September 2009 - 02:29 PM

I will be back no earlier than Sunday PM.
Have a good weekend!

ComboFix 09-09-17.04 - Kimberly 09/18/2009 15:14.3.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.660 [GMT -4:00]
Running from: c:\documents and settings\Kimberly\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Kimberly\Desktop\CFScript.txt

FILE ::
"c:\docume~1\HP_ADM~1\LOCALS~1\Temp\bDMusicb.sys"
"c:\windows\popcinfot.dat"
"c:\windows\popcreg.dat"
"c:\windows\system32\DRIVERS\14094733.sys"
"c:\windows\system32\DRIVERS\60326017.sys"
"c:\windows\system32\drivers\82112273.sys"
"c:\windows\system32\drivers\d5b16eeb.sys"
"c:\windows\system32\drivers\pobkpq.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\PopCap Games
c:\documents and settings\All Users\Application Data\Viewpoint
c:\documents and settings\HP_Administrator\Application Data\Microsoft\Installer\{2E7595EC-4FB1-4E29-93D4-9083C8A9B107}\NewShortcut3_2E7595EC4FB14E2993D49083C8A9B107.exe
c:\documents and settings\HP_Administrator\Application Data\Microsoft\Installer\{AFF1EA96-9C23-4249-B7D4-CD4B54D4582F}\NewShortcut3_2E7595EC4FB14E2993D49083C8A9B107.exe
c:\program files\PopCap Games
c:\program files\PopCap Games\Insaniquarium Deluxe\userdata\adv1.dat
c:\program files\PopCap Games\Insaniquarium Deluxe\userdata\highscores.dat
c:\program files\PopCap Games\Insaniquarium Deluxe\userdata\sim1.dat
c:\program files\PopCap Games\Insaniquarium Deluxe\userdata\user1.dat
c:\program files\PopCap Games\Insaniquarium Deluxe\userdata\users.dat
c:\program files\PopCap Games\moregames.ico
c:\program files\PopCap Games\Plants vs. Zombies\userdata\user1.dat
c:\program files\PopCap Games\Plants vs. Zombies\userdata\users.dat
c:\program files\PopCap Games\popcinfot.dat
c:\program files\PopCap Games\popcreg.dat
c:\windows\popcinfot.dat
c:\windows\popcreg.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BDMUSICB
-------\Service_bDMusicb


((((((((((((((((((((((((( Files Created from 2009-08-18 to 2009-09-18 )))))))))))))))))))))))))))))))
.

2009-09-18 02:10 . 2009-09-18 02:10 -------- d-----w- C:\rsit
2009-09-18 02:10 . 2009-09-18 02:10 -------- d-----w- c:\program files\trend micro
2009-09-14 23:38 . 2009-09-14 23:38 153104 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-09-14 22:17 . 2009-09-18 18:01 4231200 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-09-14 01:42 . 2009-09-14 01:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-09-14 01:31 . 2009-09-14 01:31 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-09-14 01:26 . 2009-09-14 01:26 -------- d-----w- c:\documents and settings\Kimberly\Application Data\Malwarebytes
2009-09-14 01:19 . 2009-09-14 01:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-14 01:19 . 2009-09-17 00:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-13 19:40 . 2009-09-13 19:40 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-09-10 15:52 . 2009-09-10 15:52 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-09-04 13:28 . 2009-09-04 13:28 -------- d-----w- c:\program files\Activision

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-18 18:01 . 2009-09-14 22:17 50660 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-09-17 00:20 . 2005-08-21 00:22 -------- d-----w- c:\program files\HP
2009-09-17 00:20 . 2005-08-21 00:04 -------- d-----w- c:\program files\Java
2009-09-17 00:17 . 2009-06-09 21:54 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-17 00:17 . 2009-06-09 21:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-16 00:03 . 2008-05-15 19:44 -------- d-----w- c:\program files\My Sam's Club Digital Photo Center
2009-09-10 21:29 . 2005-08-21 00:47 -------- d-----w- c:\program files\Microsoft Plus! Dancer LE
2009-09-09 23:25 . 2008-11-20 22:24 52224 ----a-w- c:\windows\ipuninst.exe
2009-09-04 13:42 . 2005-08-21 00:45 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-30 21:44 . 2006-09-04 21:37 -------- d-----w- c:\documents and settings\Kimberly\Application Data\U3
2009-08-25 19:20 . 2006-01-13 21:51 -------- d-----w- c:\program files\InterActual
2009-08-24 20:15 . 2008-08-27 18:31 -------- d-----w- c:\program files\Call of Duty Game of the Year Edition
2009-08-11 17:44 . 2006-01-01 19:33 -------- d-----w- c:\documents and settings\Kimberly\Application Data\Apple Computer
2009-08-06 13:59 . 2006-10-09 19:12 913 ----a-w- c:\windows\eReg.dat
2009-08-05 09:01 . 2004-08-10 19:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2004-08-10 19:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 14:08 . 2004-08-11 02:00 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2004-08-10 19:00 915456 ------w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2004-08-10 19:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-10 19:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-10 19:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-10 19:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-08-10 19:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-10 19:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2004-08-11 02:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
.

------- Sigcheck -------

[7] 2008-04-14 . 5F1D5F88303D4A4DBC8E5F97BA967CC3 . 15360 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ctfmon.exe
[-] 2004-08-10 . 24232996A38C0B0CF151C2140AE29FC8 . 15360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ctfmon.exe

c:\windows\system32\ctfmon.exe ... is missing !!
.
((((((((((((((((((((((((((((( SnapShot@2009-09-18_02.00.01 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-18 19:21 . 2009-09-18 19:21 16384 c:\windows\temp\Perflib_Perfdata_5cc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msmsgs"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-13 136600]
"persistence"="c:\windows\system32\igfxpers.exe" [2005-06-08 114688]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"hphupd08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]
"hpbootop"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-26 245760]
"hp software update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"hotkeyscmds"="c:\windows\system32\hkcmd.exe" [2005-06-08 77824]
"HostManager"="c:\program files\Common Files\AOL\1135628039\ee\AOLSoftware.exe" [2008-06-24 41824]
"ehtray"="c:\windows\ehome\ehtray.exe" [2004-08-11 59392]
"applesyncnotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
"smserial"="sm56hlpr.exe" - c:\windows\sm56hlpr.exe [2005-01-24 544768]
"high definition audio property page shortcut"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2005-01-08 61952]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKLM\~\startupfolder\c:^documents and settings^all users^start menu^programs^startup^updates from hp.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=c:\windows\pss\Updates from HP.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Kimberly^Start Menu^Programs^Startup^is-DRGAV.lnk]
path=c:\documents and settings\Kimberly\Start Menu\Programs\Startup\is-DRGAV.lnk
backup=c:\windows\pss\is-DRGAV.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Kimberly^Start Menu^Programs^Startup^is-L5J01.lnk]
path=c:\documents and settings\Kimberly\Start Menu\Programs\Startup\is-L5J01.lnk
backup=c:\windows\pss\is-L5J01.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Kimberly^Start Menu^Programs^Startup^is-VAFNA.lnk]
path=c:\documents and settings\Kimberly\Start Menu\Programs\Startup\is-VAFNA.lnk
backup=c:\windows\pss\is-VAFNA.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"UPS"=3 (0x3)
"TermService"=3 (0x3)
"TapiSrv"=3 (0x3)
"SCardSvr"=3 (0x3)
"RDSessMgr"=3 (0x3)
"PlugPlay"=2 (0x2)
"LightScribeService"=2 (0x2)
"helpsvc"=2 (0x2)
"CiSvc"=3 (0x3)
"Bonjour Service"=2 (0x2)
"AOL TopSpeedMonitor"=2 (0x2)
"AOL ACS"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1135628039\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\America Online 9.0a\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\1135628039\\EE\\aolsoftware.exe"=
"c:\\Program Files\\LucasArts\\Star Wars Galactic Battlegrounds\\Game\\Battlegrounds.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Microsoft Games\\Rise of Nations\\rise.exe"=
"c:\\Program Files\\Microsoft Games\\Rise of Nations\\thrones.exe"=
"c:\\Program Files\\Microsoft Games\\Rise of Nations\\patriots.exe"=
"c:\\Program Files\\Microsoft Games\\Rise of Nations\\nations.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\AGE2_X1.ICD"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56917:TCP"= 56917:TCP:Pando Media Booster
"56917:UDP"= 56917:UDP:Pando Media Booster
"58300:TCP"= 58300:TCP:Pando Media Booster
"58300:UDP"= 58300:UDP:Pando Media Booster

R2 BCMNTIO;BCMNTIO;c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [12/26/2005 8:51 PM 3744]
R2 FlipShare Service;FlipShare Service;c:\program files\Flip Video\FlipShare\FlipShareService.exe [5/5/2009 11:19 AM 451904]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 6:45 AM 13088]
R2 MAPMEM;MAPMEM;c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [12/26/2005 8:51 PM 3904]
S2 gupdate1c9c8da21fb4b74;Google Update Service (gupdate1c9c8da21fb4b74);c:\program files\Google\Update\GoogleUpdate.exe [4/29/2009 10:52 AM 133104]
S2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [1/15/2008 11:28 AM 204800]
S3 SBRE;SBRE;\??\c:\windows\system32\drivers\SBREdrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/home.php
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: &Search
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-18 15:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(636)
c:\windows\system32\iac25_32.ax

- - - - - - - > 'explorer.exe'(3116)
c:\windows\system32\WININET.dll
c:\program files\Common Files\AOL\ACS\WLHook.dll
c:\windows\system32\ieframe.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
c:\program files\Common Files\Microsoft Shared\OFFICE11\MSOXEV.DLL
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\spool\drivers\w32x86\3\HPZIPM12.EXE
c:\program files\Common Files\AOL\ACS\AOLacsd.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2009-09-18 15:25 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-18 19:25
ComboFix2.txt 2009-09-18 19:05
ComboFix3.txt 2009-09-18 02:03

Pre-Run: 100,001,529,856 bytes free
Post-Run: 99,962,155,008 bytes free

245 --- E O F --- 2009-09-10 07:04
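As an added example (not code from this thread, from ComboFix or from BleepingComputer), the Python below cross-checks a CFScript like the one posted above against the ComboFix log it produced: each File::/Folder::/Driver:: item is marked confirmed when the log's FILE ::, Other Deletions or Drivers/Services section reports it, and any R*/S* service entry that ComboFix tagged [?] (binary not found on disk, as with SBREdrv.sys in the log above) is listed separately. The sample script and log are constructed, trimmed excerpts of the ones posted in this thread; the section-header formats are copied from the log as posted. An item the log does not confirm is not necessarily a failed deletion, since it may already have been gone before this run (the log references earlier ComboFix runs), so the report is a prompt to check, not a verdict.

```python
"""Cross-check a ComboFix CFScript against the log ComboFix wrote for it.

Added example; not part of the forum thread or of ComboFix. The CFSCRIPT and
COMBOFIX_LOG strings are constructed excerpts modelled on the thread's posts.
"""
import re

# Constructed excerpt of the CFScript posted in the thread.
CFSCRIPT = r"""
KILLALL::

File::
c:\windows\system32\drivers\82112273.sys
c:\windows\popcreg.dat
c:\windows\system32\drivers\d5b16eeb.sys
c:\docume~1\HP_ADM~1\LOCALS~1\Temp\bDMusicb.sys

Folder::
c:\documents and settings\All Users\Application Data\PopCap Games
c:\program files\PopCap Games

Driver::
d5b16eeb
bDMusicb
"""

# Constructed excerpt of the resulting ComboFix log (same section layout as the real one).
COMBOFIX_LOG = r"""
FILE ::
"c:\docume~1\HP_ADM~1\LOCALS~1\Temp\bDMusicb.sys"
"c:\windows\popcreg.dat"
"c:\windows\system32\drivers\82112273.sys"
"c:\windows\system32\drivers\d5b16eeb.sys"
.

((((((((((((((( Other Deletions )))))))))))))))
.

c:\documents and settings\All Users\Application Data\PopCap Games
c:\program files\PopCap Games
c:\program files\PopCap Games\popcreg.dat

.
((((((((((((((( Drivers/Services )))))))))))))))
.

-------\Legacy_BDMUSICB
-------\Service_bDMusicb

((((((((((((((( Reg Loading Points )))))))))))))))
.
R2 BCMNTIO;BCMNTIO;c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [12/26/2005 8:51 PM 3744]
S3 SBRE;SBRE;\??\c:\windows\system32\drivers\SBREdrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
"""

SCRIPT_HEADER = re.compile(r"^([A-Za-z]+)::\s*$")          # e.g. "File::"
LOG_HEADER = re.compile(r"^\(+\s*(.+?)\s*\)+$")             # e.g. "(((( Other Deletions ))))"
SERVICE_LINE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*)\[\?\]$")  # service whose file is "[?]"


def parse_cfscript(text):
    """Return {section: [items]} for a CFScript; KILLALL:: yields an empty list."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SCRIPT_HEADER.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_combofix_log(text):
    """Return {section: [lines]}; 'FILE ::' and '((( Name )))' lines start sections."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":          # ComboFix uses lone dots as spacers
            continue
        m = LOG_HEADER.match(line)
        if line == "FILE ::":
            current = "FILE"
            sections.setdefault(current, [])
        elif m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line.strip('"'))  # FILE :: entries are quoted
    return sections


def cross_check(script_text, log_text):
    """Map each File::/Folder::/Driver:: item to True if the log confirms its removal."""
    script = parse_cfscript(script_text)
    log = parse_combofix_log(log_text)
    files = {p.lower() for p in log.get("FILE", [])}            # Windows paths: compare case-insensitively
    deleted = {p.lower() for p in log.get("Other Deletions", [])}
    services = {s.lower() for s in log.get("Drivers/Services", [])}
    result = {}
    for path in script.get("File", []):
        result[path] = path.lower() in files or path.lower() in deleted
    for path in script.get("Folder", []):
        result[path] = path.lower() in deleted
    for name in script.get("Driver", []):
        result[name] = f"-------\\service_{name.lower()}" in services
    return result


def orphaned_services(log_text):
    """Names of R*/S* service entries whose binary ComboFix marked '[?]' (not found)."""
    matches = (SERVICE_LINE.match(l.strip()) for l in log_text.splitlines())
    return [m.group(2) for m in matches if m]


if __name__ == "__main__":
    for item, ok in cross_check(CFSCRIPT, COMBOFIX_LOG).items():
        print(("confirmed " if ok else "NOT in log") + "  " + item)
    print("services pointing at missing files:", orphaned_services(COMBOFIX_LOG))
```

Running it against the real script and log from this thread only needs the two strings swapped for the full text; the parsers key on the section headers, not on the specific entries.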

#14 1972vet
  • Malware Response Team
  • 1,698 posts
  • Gender:Male
  • Location:Midwest U.S.A.

Posted 18 September 2009 - 06:57 PM

Things look ok to me...how's it running?



#15 ICKIER
  • Topic Starter
  • Members
  • 33 posts

Posted 20 September 2009 - 08:48 PM

My Computer still takes quite a bit of time to open. I look at the waving flashlight for about 10 seconds for showing drives, etc.
It seems like once it's open, any click thereafter is speedy. But close that window and open My Computer again and it's slow.

I tried to do a search for files...F3 would bring up search companion but clicking on search after entering the search string did nothing.

USB ports have stopped recognizing my plugging in a thumb drive.
(Doesn't Avast do something along those lines?)

If we're confident the bad stuff's off, what's the next step?
I will rename CTFMON back to an EXE file.
Should I sfc?



