Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

ROOTKIT.AGENT/GEN-DNSHACK


  • This topic is locked This topic is locked
13 replies to this topic

#1 coprimadonna

coprimadonna

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Colorado
  • Local time:05:15 PM

Posted 08 January 2010 - 01:09 AM

After working with Boopme all week, he advised me to move my problem into this forum. My computer has trojans/malware - one being a rootkit (in the title) and the more I do to try to remove them... the angrier they get. It runs slowly and locks up several times throughout the day to where I have to do a hard shut down. I tried running DRWEB, but every time I click Start, it just automatically reboots. SAS catches the trojans and says they are quarantined, to no avail. MBAM finds nothing. I once in a while get a blue screen, one stating PAGE_DEFAULT_IN_NONPAGED_AREA.

Following is the DDS log and attached are the other 2 logs you requested. DSS was performed in SAFE MODE, rootrepeal in normal. Please advise if you need me to run DSS again in normal mode. Thank you so much in advance! Juli
***************************************************************************

DDS (Ver_09-12-01.01) - NTFSx86 MINIMAL
Run by Trent at 22:56:52.42 on Thu 01/07/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3572.3122 [GMT -7:00]

AV: Trend Micro OfficeScan Antivirus *On-access scanning disabled* (Outdated) {85880491-468F-4D42-BD2B-11AE5E31DC58}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\Program Files\SAS\SUPERAntiSpyware.exe
C:\Documents and Settings\Trent\Desktop\Spyware\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6090124
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [SUPERAntiSpyware] c:\program files\sas\SUPERAntiSpyware.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [ChangeTPMAuth] c:\program files\wave systems corp\common\ChangeTPMAuth.exe /T:NTRU12
mRun: [WavXMgr] c:\program files\wave systems corp\services manager\docmgr\bin\WavXDocMgr.exe
mRun: [SecureUpgrade] c:\program files\wave systems corp\SecureUpgrade.exe
mRun: [EmbassySecurityCheck] "c:\program files\wave systems corp\embassy security setup\EMBASSYSecurityCheck.exe"
mRun: [DellControlPoint] "c:\program files\dell\dell controlpoint\Dell.ControlPoint.exe"
mRun: [DCPstrApp] c:\program files\dell\dell controlpoint\security manager\SecurityDeviceInfoSetRegistryString.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [vmware-tray] "c:\program files\vmware\vmware workstation\vmware-tray.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dellco~1.lnk - c:\program files\dell\dell controlpoint\system manager\DCPSysMgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\program files\vmware\vmware workstation\vsocklib.dll
Trusted Zone: mycmsc.com\pubebdm2
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://cedarcrestone.webex.com/client/T26L10NSP49EP12/training/ieatgpc.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://secureaccess.cedarcrestone.com/dana-cached/setup/JuniperSetupSP1.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Notify: !SASWinLogon - c:\program files\sas\SASWINLO.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
AppInit_DLLs: c:\progra~1\google\google~3\GOEC62~1.DLL
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\sas\SASSEH.DLL
LSA: Authentication Packages = msv1_0 wvauth

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-11-23 64288]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1181328]
S1 NEOFLTR_630_13881;Juniper Networks TDI Filter Driver (NEOFLTR_630_13881);c:\windows\system32\drivers\NEOFLTR_630_13881.sys [2009-1-23 64480]
S1 SASDIFSV;SASDIFSV;c:\program files\sas\sasdifsv.sys [2009-12-16 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\sas\SASKUTIL.SYS [2009-12-16 74480]
S2 ASFAgent;ASF Agent;c:\program files\intel\asf agent\ASFAgent.exe [2007-4-19 133968]
S2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\dell\dell controlpoint\DCPButtonSvc.exe [2008-9-4 406808]
S2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostControlService.exe [2008-11-11 808296]
S2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostStorageService.exe [2008-11-11 20840]
S2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\dell\dell controlpoint\system manager\DCPSysMgrSvc.exe [2008-11-11 451872]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-9-21 133104]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-12-14 50704]
S2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\tmxpflt.sys [2008-5-2 225808]
S2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\tmpreflt.sys [2008-5-2 36368]
S2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [2008-10-28 54960]
S3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2009-1-24 112128]
S3 AsfAlrt;AsfAlrt Service;c:\windows\system32\drivers\Asfalrt.sys [2007-4-19 42832]
S3 CCIDFILTER;Broadcom Smart Card Reader Filter Driver;c:\windows\system32\drivers\ccidflt.sys [2009-1-24 12840]
S3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [2009-1-24 32808]
S3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2009-1-24 244368]
S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-1-24 30192]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\9.tmp --> c:\windows\system32\9.tmp [?]
S3 SASENUM;SASENUM;c:\program files\sas\SASENUM.SYS [2009-12-16 7408]
S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\trend micro\officescan client\TmProxy.exe [2007-4-27 689416]

=============== Created Last 30 ================

2010-01-03 18:14:05 39685 ----a-w- c:\temp\BUSINESS-A0033073.dll
2010-01-02 19:00:36 39621 ----a-w- c:\temp\BUSINESS-aerujy.VIR
2010-01-02 18:57:09 39637 ----a-w- c:\temp\BUSINESS-aerujy.dll
2010-01-02 18:50:14 0 d-----w- c:\program files\TJTOY
2010-01-02 03:50:07 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-01-02 03:49:37 0 d-----w- c:\program files\SAS
2010-01-02 03:49:36 0 d-----w- c:\docume~1\trent\applic~1\SUPERAntiSpyware.com
2010-01-02 03:43:57 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-01-01 23:51:51 991232 -c----w- c:\windows\system32\dllcache\ieframe.dll.mui
2010-01-01 23:51:51 6067200 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-01-01 23:51:51 52224 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-01-01 23:51:51 459264 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-01-01 23:51:51 380928 -c----w- c:\windows\system32\dllcache\ieapfltr.dll
2010-01-01 23:51:51 268288 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-01-01 23:51:51 2452872 -c----w- c:\windows\system32\dllcache\ieapfltr.dat
2010-01-01 23:51:51 13824 -c----w- c:\windows\system32\dllcache\ieudinit.exe
2010-01-01 23:51:50 63488 -c----w- c:\windows\system32\dllcache\icardie.dll
2010-01-01 18:32:27 0 d-----w- c:\docume~1\trent\applic~1\Malwarebytes
2010-01-01 18:32:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-01 18:32:21 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-01 18:32:21 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-01 18:32:20 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-01 00:52:17 178644 ----a-w- c:\documents and settings\trent\_GEAREXT.vol
2009-12-14 15:35:52 59920 ----a-w- c:\windows\system32\drivers\tmactmon.sys
2009-12-14 15:35:52 50704 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys

==================== Find3M ====================

2009-12-29 21:44:49 177019 ----a-w- c:\windows\system32\nvModes.dat
2009-11-23 17:07:56 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-23 17:07:54 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-10-29 07:46:59 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46:50 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll

============= FINISH: 22:57:08.71 ===============

Attached Files


Edited by coprimadonna, 08 January 2010 - 09:09 AM.


BC AdBot (Login to Remove)

 


#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:15 AM

Posted 08 January 2010 - 09:45 AM

Hi coprimadonna,

Welcome to BC HijackThis forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

Looks you have got a nasty one here.
  1. Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger will now ask to reboot the machine - click OK
    IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

    Do not re-enable these drivers until otherwise instructed.

  2. Please download MBR.EXE by GMER. Save the file in your Root directory (C:\).

    Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:


    CODE
    @echo off
    cd\
    mbr.exe -t
    start mbr.log
    • Go to the File menu at the top of the Notepad and select Save as.
    • Select Save in: desktop
    • Fill in File name: dirlook.bat
    • Save as type: All file types (*.*)
    • Click save.
    • Close the Notepad.
    • Locate and double-click look.bat on the desktop.
    • A notepad opens, copy and paste the content (mbr.log) to your reply.


#3 coprimadonna

coprimadonna
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Colorado
  • Local time:05:15 PM

Posted 08 January 2010 - 11:59 AM

Hi farbar!
Thank you so much for your help! Installed and ran Defogger, but it did not ask me to reboot. So I did not. Please let me know if you want me to do that and re-run MBR. Here is its log:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\iaStor -> 0x894d10c0
NDIS: Dell Wireless 1397 WLAN Mini-Card -> SendCompleteHandler -> 0x891c9220
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x01D1C4581
malicious code @ sector 0x01D1C4584 !
PE file found in sector at 0x01D1C459A !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:15 AM

Posted 08 January 2010 - 01:01 PM

It confirmed what RootRepeal has detected.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.

Edited by farbar, 08 January 2010 - 01:03 PM.
Spelling


#5 coprimadonna

coprimadonna
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Colorado
  • Local time:05:15 PM

Posted 08 January 2010 - 04:50 PM

farbar,
I can't turn off Trend OfficeScan. I'm nervous to run ComboFix while it's running. TOS is a company tool and I apparently need a password to turn it off -- RAR! CF said it would still run, but it's at my own risk. I exited out of the the warning window, but it started to run. I then just closed that window and rebooted. What are the risks involved if I ran CF while TOS is still running? In the interim, I will research how to get it turned off...
Thank you!

#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:15 AM

Posted 08 January 2010 - 05:31 PM

The truth is that it is hard to know.

Have you let ComboFix install the recovery console?

#7 coprimadonna

coprimadonna
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Colorado
  • Local time:05:15 PM

Posted 09 January 2010 - 11:28 AM

Hi farbar,
I went for it last night, but my internet was down so I couldn't post. All seem to work well -- here is the CF log:

ComboFix 10-01-04.01 - Trent 01/08/2010 22:45:00.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3572.3004 [GMT -7:00]
Running from: c:\documents and settings\Trent\Desktop\ComboFix.exe
AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {85880491-468F-4D42-BD2B-11AE5E31DC58}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\EventSystem.log

----- BITS: Possible infected sites -----

hxxp://armmf.adobe.com
.
original MBR restored successfully !
.
((((((((((((((((((((((((( Files Created from 2009-12-09 to 2010-01-09 )))))))))))))))))))))))))))))))
.

2010-01-03 18:14 . 2009-12-31 18:44 39685 ----a-w- c:\temp\BUSINESS-A0033073.dll
2010-01-02 19:00 . 2009-12-31 18:44 39621 ----a-w- c:\temp\BUSINESS-aerujy.VIR
2010-01-02 18:57 . 2009-12-31 18:44 39637 ----a-w- c:\temp\BUSINESS-aerujy.dll
2010-01-02 18:50 . 2010-01-02 18:50 -------- d-----w- c:\program files\TJTOY
2010-01-02 03:50 . 2010-01-02 03:50 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-01-02 03:49 . 2010-01-06 23:19 -------- d-----w- c:\program files\SAS
2010-01-02 03:49 . 2010-01-02 03:49 -------- d-----w- c:\documents and settings\Trent\Application Data\SUPERAntiSpyware.com
2010-01-02 03:43 . 2010-01-02 03:43 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-01 23:51 . 2009-10-29 07:46 52224 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-01-01 23:51 . 2009-10-29 07:46 459264 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-01-01 23:51 . 2009-10-29 07:46 6067200 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-01-01 23:51 . 2009-10-29 07:46 268288 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-01-01 23:51 . 2009-10-29 07:46 380928 -c----w- c:\windows\system32\dllcache\ieapfltr.dll
2010-01-01 23:51 . 2009-10-28 14:36 13824 -c----w- c:\windows\system32\dllcache\ieudinit.exe
2010-01-01 23:51 . 2009-06-29 08:33 2452872 -c----w- c:\windows\system32\dllcache\ieapfltr.dat
2010-01-01 23:51 . 2009-10-29 07:46 63488 -c----w- c:\windows\system32\dllcache\icardie.dll
2010-01-01 18:32 . 2010-01-01 18:32 -------- d-----w- c:\documents and settings\Trent\Application Data\Malwarebytes
2010-01-01 18:32 . 2009-12-30 21:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-01 18:32 . 2010-01-01 18:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-01 18:32 . 2009-12-30 21:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-01 18:32 . 2010-01-01 18:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-31 18:56 . 2010-01-08 21:52 -------- d-----w- c:\documents and settings\HelpAssistant
2009-12-14 15:35 . 2009-07-06 21:11 59920 ----a-w- c:\windows\system32\drivers\tmactmon.sys
2009-12-14 15:35 . 2009-07-06 21:11 50704 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-09 05:59 . 2009-01-31 00:59 0 ----a-w- c:\documents and settings\Trent\Local Settings\Application Data\WavXMapDrive.bat
2010-01-09 05:58 . 2009-02-04 18:26 -------- d-----w- c:\documents and settings\NetworkService\Application Data\VMware
2010-01-09 05:58 . 2009-02-04 18:23 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware
2009-12-29 21:44 . 2009-01-24 14:30 177019 ----a-w- c:\windows\system32\nvModes.dat
2009-12-19 01:55 . 2009-01-24 15:02 -------- d-----w- c:\program files\Google
2009-12-14 15:35 . 2009-04-13 03:17 -------- d-----w- c:\program files\Trend Micro
2009-12-10 02:16 . 2009-01-24 15:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-23 17:08 . 2009-11-23 16:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-11-23 17:07 . 2009-11-23 17:08 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-23 17:07 . 2009-11-23 19:04 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-11-23 16:58 . 2009-11-23 16:58 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-23 16:58 . 2009-11-23 16:58 -------- d-----w- c:\program files\Lavasoft
2009-10-29 14:06 . 2009-01-24 15:09 68848 ----a-w- c:\documents and settings\NetworkService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-29 14:05 . 2009-01-24 14:58 68848 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-29 07:46 . 2008-04-25 16:16 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2008-04-25 16:16 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2008-04-25 16:16 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-21 05:38 . 2008-04-25 16:16 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2008-04-25 16:16 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2008-04-14 00:23 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2008-04-25 16:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2008-04-25 16:16 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2008-04-25 16:16 79872 ----a-w- c:\windows\system32\raschap.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2009-06-16 23:22 1144712 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-06-16 1144712]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-06-16 1144712]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
@="{022F2F51-CDDA-4873-8A29-72C66C808A3F}"
[HKEY_CLASSES_ROOT\CLSID\{022F2F51-CDDA-4873-8A29-72C66C808A3F}]
2008-07-25 17:16 282112 ----a-w- c:\windows\system32\mscoree.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
@="{661963C1-99A1-44e7-A671-1CF3768AE9D4}"
[HKEY_CLASSES_ROOT\CLSID\{661963C1-99A1-44e7-A671-1CF3768AE9D4}]
2008-07-25 17:16 282112 ----a-w- c:\windows\system32\mscoree.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-24 39408]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"SUPERAntiSpyware"="c:\program files\SAS\SUPERAntiSpyware.exe" [2010-01-06 2002160]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-10-28 200704]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-10-28 446563]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2008-10-28 471040]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-08-28 13537280]
"nwiz"="nwiz.exe" [2008-08-28 1630208]
"NVHotkey"="nvHotkey.dll" [2008-08-28 90112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-08-28 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-06-15 178712]
"ChangeTPMAuth"="c:\program files\Wave Systems Corp\Common\ChangeTPMAuth.exe" [2008-05-30 180224]
"WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2008-05-14 105472]
"SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2008-06-24 243000]
"EmbassySecurityCheck"="c:\program files\Wave Systems Corp\EMBASSY Security Setup\EMBASSYSecurityCheck.exe" [2008-06-24 79160]
"DellControlPoint"="c:\program files\Dell\Dell ControlPoint\Dell.ControlPoint.exe" [2008-08-18 598016]
"DCPstrApp"="c:\program files\Dell\Dell ControlPoint\Security Manager\SecurityDeviceInfoSetRegistryString.exe" [2008-08-04 6656]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-10-25 2220032]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-01-24 30192]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-10-03 38768]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-10-03 640376]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]
"vmware-tray"="c:\program files\VMware\VMware Workstation\vmware-tray.exe" [2008-10-29 96816]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2009-09-08 849192]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Dell ControlPoint System Manager.lnk - c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe [2008-11-11 950048]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SAS\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 21:21 548352 ----a-w- c:\program files\SAS\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-04-13 01:32 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Juniper Networks\\Secure Application Manager\\dsSamProxy.exe"=
"c:\\Program Files\\VMware\\VMware Workstation\\vmware-authd.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"60061:TCP"= 60061:TCP:Trend Micro OfficeScan Listener
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [11/23/2009 10:08 AM 64288]
R1 NEOFLTR_630_13881;Juniper Networks TDI Filter Driver (NEOFLTR_630_13881);c:\windows\system32\drivers\NEOFLTR_630_13881.sys [1/23/2009 12:51 AM 64480]
R1 SASDIFSV;SASDIFSV;c:\program files\SAS\sasdifsv.sys [12/16/2009 4:26 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SAS\SASKUTIL.SYS [12/16/2009 4:26 PM 74480]
R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [4/19/2007 4:56 AM 133968]
R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\Dell\Dell ControlPoint\DCPButtonSvc.exe [9/4/2008 4:28 PM 406808]
R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [11/11/2008 3:35 PM 808296]
R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [11/11/2008 3:35 PM 20840]
R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe [11/11/2008 2:00 PM 451872]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 4:17 AM 1181328]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [12/14/2009 8:35 AM 50704]
R2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\tmxpflt.sys [5/2/2008 9:22 AM 225808]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [5/2/2008 9:21 AM 36368]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [10/28/2008 11:08 PM 54960]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [1/24/2009 9:23 AM 112128]
R3 CCIDFILTER;Broadcom Smart Card Reader Filter Driver;c:\windows\system32\drivers\ccidflt.sys [1/24/2009 7:49 AM 12840]
R3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [1/24/2009 9:24 AM 32808]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [1/24/2009 9:23 AM 244368]
R3 SASENUM;SASENUM;c:\program files\SAS\SASENUM.SYS [12/16/2009 4:27 PM 7408]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/21/2009 3:42 PM 133104]
S3 AsfAlrt;AsfAlrt Service;c:\windows\system32\drivers\Asfalrt.sys [4/19/2007 4:28 AM 42832]
S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [1/24/2009 8:05 AM 30192]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\9.tmp --> c:\windows\system32\9.tmp [?]
S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe [4/27/2007 1:35 PM 689416]
.
Contents of the 'Scheduled Tasks' folder

2010-01-09 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 17:08]

2010-01-09 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 17:08]

2010-01-09 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 17:08]

2010-01-09 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 17:08]

2010-01-09 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 17:08]

2010-01-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-21 22:42]

2010-01-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-21 22:42]

2010-01-09 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2009-06-16 23:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\program files\VMware\VMware Workstation\vsocklib.dll
Trusted Zone: mycmsc.com\pubebdm2
.
- - - - ORPHANS REMOVED - - - -

AddRemove-SearchAssist - c:\dell\SearchAssist\UninstSA.bat



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-08 23:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\9.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1104)
c:\program files\SAS\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll

- - - - - - - > 'lsass.exe'(1160)
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll

- - - - - - - > 'explorer.exe'(4564)
c:\windows\system32\WININET.dll
c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmUserInterface.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\drivers\audio\r201108\stacsv.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Trend Micro\OfficeScan Client\ntrtscan.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
c:\windows\system32\vmnat.exe
c:\program files\Trend Micro\OfficeScan Client\tmlisten.exe
c:\program files\VMware\VMware Workstation\vmware-authd.exe
c:\windows\system32\vmnetdhcp.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
c:\program files\Trend Micro\BM\TMBMSRV.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\DellTPad\HidFind.exe
c:\program files\DellTPad\Apntex.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\SearchProtocolHost.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\program files\Java\jre1.6.0_07\bin\jucheck.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2010-01-08 23:08:54 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-09 06:08

Pre-Run: 147,238,096,896 bytes free
Post-Run: 148,429,983,744 bytes free

- - End Of File - - 2A91EB352E2DAC21A267A28713A9B280

Edited by coprimadonna, 09 January 2010 - 11:29 AM.


#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:15 AM

Posted 09 January 2010 - 11:39 AM

Well done. thumbup2.gif
  1. I see on the log Ask Toolbar is installed on your computer:

    This program is known to be bundled with adware/spyware. You may read more about Ask Toolbars here:
    http://www.benedelman.org/spyware/ask-toolbars/

    To uninstall Ask Toolbar:

    Click "start" on the taskbar and then click on the "Control Panel" icon.
    Please doubleclick the "Add or Remove Programs" icon.
    A list of programs installed will be "populated" this may take a bit of time.
    If they exist, uninstall the following by clicking on the following entries and selecting "remove":

    Ask Toolbar

    Also remove the folder in bold (if present) only after uninstalling Ask Toolbar:
    C:\Program Files\AskBar
    c:\program files\askbardis

  2. Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Look for "Java Runtime Environment (JRE)" JRE 6 Update 17.
    • Click the Download button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java versions.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u17-windows-i586.exe to install the newest version.

  3. Tell me how is the computer running and if you have any question before we round off the next post.


#9 coprimadonna

coprimadonna
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Colorado
  • Local time:05:15 PM

Posted 09 January 2010 - 01:00 PM

farbar,
Thank you soooooooo much.
Ask Toolbar is gone, as well as Java. We'll update Java the next time we need to use it. smile.gif
We're working on the laptop now and will be all day, so we should have some feedback by tonight!

Also - we'd like to make a donation to BC... do you have a link for that?

Thanks again -- you are the best!!!!
hug.gif
Juli

#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:15 AM

Posted 09 January 2010 - 01:35 PM

You are most welcome Juli and thanks for your kind words and your appreciation. smile.gif

The donation to my personal account is this page, the site itself has no donation possibilities.

I'll wait for your feedback. But we need to uninstall ComboFix.

Go to Start => Run => copy and paste next command in the field then hit enter:

ComboFix /Uninstall

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

It makes a clean Restore Point and clears all the old restore points in order to prevent possible reinfection from an old one through system restore.

Let me know how the things are.

#11 coprimadonna

coprimadonna
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Colorado
  • Local time:05:15 PM

Posted 09 January 2010 - 01:47 PM

farbar,
Thanks again - made a little donation to your paypal account. Not a big deal, but just a little something to say THANK YOU for your help with everything!
Off to uninstall CF.
I'll send you an update later to let you know how it's running.
smile.gif
Juli

#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:15 AM

Posted 09 January 2010 - 01:54 PM

Thank you for the donation Juli. smile.gif

Take you time and let me know how the computer is running.

#13 coprimadonna

coprimadonna
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Colorado
  • Local time:05:15 PM

Posted 13 January 2010 - 10:23 PM

Everything is working great, farbar... thanks again SOOO much for your help!
We seem to be in the clear and the computer is working perfectly as of now (knock on wood...lol)!!!
I'll let you know if anything happens... take care! smile.gif
xoxo

#14 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:15 AM

Posted 14 January 2010 - 02:20 AM

Thanks for letting me know, glad everything is fine.

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.

You take care too Juli. smile.gif





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users