
I can't figure out what I have


This topic is locked
24 replies to this topic

#1 jhitt81 (Members, 15 posts)

Posted 22 March 2010 - 09:39 PM

I had koobface on the computer and I believe I removed that. I'm now having a problem with my web browser being hijacked but I can't figure out what is doing it. I haven't run a rootkit program because I don't know what stuff is o.k. and what stuff should be deleted. I have tried running rkill before installing and running Malwarebytes' and spydoctor but neither would let me update (I know the computer is connected). I also have tried changing the names of the programs before running them.
Also I am typing this and downloading the files to a clean computer, then burning them to a DVD to transfer. Any help would be greatly appreciated.



#2 jhitt81 (Topic Starter, Members, 15 posts)

Posted 22 March 2010 - 10:17 PM

O.k. so I just read the pin-up and I'm trying to figure out how to get the information you guys want. I can't get IE to come to this or any websites I want. If you have any ideas or advice I would appreciate it. I have all the programs you wanted on a disk but I don't want to copy stuff to this computer so it doesn't get infected.

#3 Elise (Bleepin' Blonde, Malware Study Hall Admin, 61,257 posts, Location: Romania)

Posted 23 March 2010 - 07:47 AM

Hello, I understand your concern for copying those logs.

Please use Flash Disinfector to keep your clean computer safe and post me the logs.

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder; it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#4 jhitt81 (Topic Starter, Members, 15 posts)

Posted 23 March 2010 - 01:16 PM

I'm having problems with GMER but I will have DDS uploaded shortly.

#5 jhitt81 (Topic Starter, Members, 15 posts)

Posted 23 March 2010 - 01:21 PM

Does Flash Disinfector work with Windows 7 64-bit?


#6 Elise (Bleepin' Blonde, Malware Study Hall Admin, 61,257 posts, Location: Romania)

Posted 23 March 2010 - 02:21 PM

Yes, it should work fine.

regards, Elise




#7 jhitt81 (Topic Starter, Members, 15 posts)

Posted 23 March 2010 - 06:10 PM

O.k. here is the DDS file. I could not get GMER to work: twice I had a critical error, and the time it finished it froze before I could save the results.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Patty Simpson at 9:15:57.35 on Tue 03/23/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.570 [GMT -6:00]

AV: avast! Antivirus *On-access scanning enabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\svchost.exe -k captcha
C:\WINDOWS\system32\svchost.exe -k tapisrvs
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wscript.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Documents and Settings\Patty Simpson\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://us.mg3.mail.yahoo.com/dc/launch?.gx=1&.rand=3asm5mur0rj7h
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
uWindow Title = Windows Internet Explorer provided by Yahoo!
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=3080216
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://fb.familylink.com/we_are_related/stream/core/lib/AurigmaImageUploader/ImageUploader5.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1233418191546
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-3-22 217032]
R1 apto6ko;Session Handler Context Windows Channel;c:\windows\system32\drivers\imapioko.sys [2008-2-17 32768]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-3-21 162640]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-3-21 19024]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-21 40384]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-3-22 112592]
R2 captcha;captcha;c:\windows\system32\svchost.exe -k captcha [2004-8-10 14336]
R2 cpqoko6;Slip Extension kbd System NetBIOS Publishing ICC Extractor;c:\windows\system32\svchost.exe -k tapisrvs [2004-8-10 14336]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-3-22 366840]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-3-22 1142224]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-21 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-21 40384]

=============== Created Last 30 ================

2010-03-23 04:06:20 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-23 04:06:15 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-23 02:09:35 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-23 01:54:43 882 ----a-w- c:\windows\RegSDImport.xml
2010-03-23 01:54:43 879 ----a-w- c:\windows\RegISSImport.xml
2010-03-23 01:54:43 767952 ----a-w- c:\windows\BDTSupport.dll
2010-03-23 01:54:43 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-03-23 01:54:43 131 ----a-w- c:\windows\IDB.zip
2010-03-23 01:54:42 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-03-23 01:54:42 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-03-23 01:54:42 1152444 ----a-w- c:\windows\UDB.zip
2010-03-23 01:53:27 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2010-03-23 01:53:27 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-03-23 01:53:23 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-03-23 01:53:23 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2010-03-23 01:53:23 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2010-03-23 01:53:23 217032 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-03-23 01:53:13 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2010-03-23 01:53:13 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-03-23 01:52:51 0 d-----w- c:\program files\Spyware Doctor
2010-03-23 01:52:51 0 d-----w- c:\program files\common files\PC Tools
2010-03-23 01:52:51 0 d-----w- c:\docume~1\pattys~1\applic~1\PC Tools
2010-03-23 01:52:51 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2010-03-22 04:24:30 0 d-----w- C:\test
2010-03-22 02:06:02 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-03-22 00:07:07 0 d-----w- c:\docume~1\pattys~1\applic~1\Malwarebytes
2010-03-22 00:06:59 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-03-21 23:41:04 0 d-----w- c:\windows\pss
2010-03-21 13:26:18 1 ----a-w- c:\windows\lgo
2010-03-21 13:26:03 18944 ----a-w- c:\windows\system32\captcha.dll
2010-03-21 13:20:29 1 ----a-w- c:\windows\ligh
2010-03-21 13:20:25 65536 ---h--w- c:\windows\bill104.exe
2010-03-11 01:04:30 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-03-06 18:25:42 23088 ----a-w- c:\windows\hpqins15.dat

==================== Find3M ====================

2009-12-31 16:50:03 353792 ------w- c:\windows\system32\dllcache\srv.sys
2008-02-16 22:50:18 76 --sh--r- c:\windows\CT4CET.bin
2008-07-25 13:28:18 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008072520080726\index.dat

============= FINISH: 9:16:58.12 ===============
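As an added example (not part of the thread and not code from the DDS tool or its author), here is a small Python triage script that reads the sections of a DDS log like the one above and surfaces the entries a helper would look at first: svchost groups that do not exist on a stock XP install, the services registered inside those groups, and recently created executables that are hidden, sit directly in c:\windows, or share a name with a flagged group or service. The sample input is an excerpt constructed from the posted log; the XP default-group baseline is my assumption, and vendor groups such as HPZ12 will also be listed for manual review rather than being called malicious.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample input: lines excerpted from the DDS log posted above.
SAMPLE_DDS = r"""
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k captcha
C:\WINDOWS\system32\svchost.exe -k tapisrvs
C:\WINDOWS\System32\svchost.exe -k HPZ12
============= SERVICES / DRIVERS ===============
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-3-22 217032]
R1 apto6ko;Session Handler Context Windows Channel;c:\windows\system32\drivers\imapioko.sys [2008-2-17 32768]
R2 captcha;captcha;c:\windows\system32\svchost.exe -k captcha [2004-8-10 14336]
R2 cpqoko6;Slip Extension kbd System NetBIOS Publishing ICC Extractor;c:\windows\system32\svchost.exe -k tapisrvs [2004-8-10 14336]
=============== Created Last 30 ================
2010-03-21 13:26:03 18944 ----a-w- c:\windows\system32\captcha.dll
2010-03-21 13:20:25 65536 ---h--w- c:\windows\bill104.exe
2010-03-11 01:04:30 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
"""

# Assumed baseline: svchost groups on a stock Windows XP SP2/SP3 install (compared
# case-insensitively). Other groups are not automatically bad (HP registers HPZ12,
# for instance) but are where a service hiding behind svchost.exe will show up.
DEFAULT_XP_SVCHOST_GROUPS = {
    "dcomlaunch", "rpcss", "netsvcs", "networkservice", "localservice",
    "imgsvc", "httpfilter", "termsvcs", "wudfservicegroup",
}
EXEC_EXT = (".exe", ".dll", ".sys", ".scr")

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
SVCHOST_RE = re.compile(r"svchost(?:\.exe)?\s+-k\s+(\S+)", re.IGNORECASE)
SERVICE_RE = re.compile(r"^[RS]\d\s+([^;]+);([^;]*);(.+?)\s+\[[^\]]+\]$")  # R2 name;display;path [meta]
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+\d+\s+(\S{8})\s+(.+)$")  # date size attrs path


@dataclass
class Finding:
    kind: str    # "svchost-group", "service-in-flagged-group" or "created-file"
    detail: str


def split_sections(text: str) -> Dict[str, List[str]]:
    # Group the non-empty lines of a DDS log under their "=== Title ===" headers.
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif line and current is not None:
            sections[current].append(line)
    return sections


def triage_dds(text: str) -> List[Finding]:
    sections = split_sections(text)
    findings: List[Finding] = []
    suspects: Set[str] = set()   # lower-cased groups and service names to correlate on

    # 1. svchost instances (running, or registered as services) in a non-default group.
    for line in sections.get("Running Processes", []) + sections.get("SERVICES / DRIVERS", []):
        m = SVCHOST_RE.search(line)
        if m and m.group(1).lower() not in DEFAULT_XP_SVCHOST_GROUPS | suspects:
            suspects.add(m.group(1).lower())
            findings.append(Finding("svchost-group",
                                    f"non-default svchost group '{m.group(1)}' seen in: {line}"))

    # 2. Services that actually run inside those groups; their names become suspects too.
    for line in sections.get("SERVICES / DRIVERS", []):
        m = SERVICE_RE.match(line)
        host = SVCHOST_RE.search(m.group(3)) if m else None
        if host and host.group(1).lower() in suspects:
            suspects.add(m.group(1).lower())
            findings.append(Finding("service-in-flagged-group",
                                    f"service '{m.group(1)}' (display name '{m.group(2)}') "
                                    f"runs in flagged svchost group '{host.group(1)}'"))

    # 3. Recently created executables that are hidden, dropped straight into
    #    c:\windows, or share a name with a flagged group/service.
    for line in sections.get("Created Last 30", []):
        m = CREATED_RE.match(line)
        if not m:
            continue
        stamp, attrs, path = m.groups()
        low = path.lower()
        stem = low.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        reasons = []
        if low.endswith(EXEC_EXT) and "h" in attrs:
            reasons.append("hidden attribute")
        if low.endswith(EXEC_EXT) and low.startswith("c:\\windows\\") and low.count("\\") == 2:
            reasons.append("executable directly under c:\\windows")
        if stem in suspects:
            reasons.append(f"name matches flagged group/service '{stem}'")
        if reasons:
            findings.append(Finding("created-file", f"{path} created {stamp}: " + "; ".join(reasons)))
    return findings
```

Run on the sample it flags the captcha, tapisrvs and HPZ12 groups, the captcha and cpqoko6 services, and the captcha.dll and hidden bill104.exe files; the apto6ko driver is not caught by these heuristics, which is why the helper still reads the whole log.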


#8 Elise (Bleepin' Blonde, Malware Study Hall Admin, 61,257 posts, Location: Romania)

Posted 24 March 2010 - 04:52 AM

Hello, please follow the steps below.

Download the tools needed to a flash drive or other removable media, and transfer them to the infected computer.

***************************************************

Download ComboFix from one of these locations:

Link 1
Link 2


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.


Go to Microsoft's website => http://support.microsoft.com/kb/310994

Scroll down to Step 1, and select the download that's appropriate for your Operating System. Download the file & save it as it's originally named.

Note: If you have SP3, use the SP2 package.


---------------------------------------------------------------------

Transfer all files you just downloaded, to the desktop of the infected computer.

--------------------------------------------------------------------


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • At the next prompt, click 'Yes' to run the full ComboFix scan.
  • When the tool is finished, it will produce a report for you.

Please post the C:\ComboFix.txt in your next reply.

regards, Elise




#9 jhitt81 (Topic Starter, Members, 15 posts)

Posted 24 March 2010 - 01:45 PM

It wouldn't install the Windows Recovery Console but it did run ComboFix. It got to "deleting files" 8 files but then stopped. It is now at that screen with a cursor blinking under the last line.

#10 jhitt81 (Topic Starter, Members, 15 posts)

Posted 24 March 2010 - 02:21 PM

Never mind that last post. Here is the log you wanted. Also I am doing this on the problem computer, which is definitely a step in the right direction. I'm going to go ahead and turn avast back on.

ComboFix 10-03-22.02 - 03/24/2010 12:31:18.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.560 [GMT -6:00]
Running from: c:\documents and settings\Patty Simpson\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Patty Simpson\Local Settings\Application Data\010112010146111103.xxe
c:\windows\bill104.exe
c:\windows\lgo
c:\windows\ligh
c:\windows\system32\AutoRun.inf
c:\windows\system32\captcha.dll
c:\windows\system32\drivers\imapioko.sys
c:\windows\system32\erokosvc.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_APTO6KO
-------\Legacy_CAPTCHA
-------\Legacy_CPQOKO6
-------\Service_apto6ko
-------\Service_captcha
-------\Service_cpqoko6


((((((((((((((((((((((((( Files Created from 2010-02-24 to 2010-03-24 )))))))))))))))))))))))))))))))
.

2010-03-23 18:32 . 2010-03-24 02:29 -------- d-----w- C:\pics4a
2010-03-23 18:32 . 2010-03-24 01:50 -------- d-----w- C:\pics3
2010-03-23 18:31 . 2010-03-24 00:29 -------- d-----w- C:\pics2
2010-03-23 18:31 . 2010-03-23 18:46 -------- d-----w- C:\pics1
2010-03-23 04:06 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-23 04:06 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-23 03:29 . 2010-03-23 03:29 -------- d-----w- c:\documents and settings\Patty Simpson\Local Settings\Application Data\Threat Expert
2010-03-23 02:09 . 2010-03-23 04:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-23 01:52 . 2010-03-23 15:38 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-22 17:37 . 2010-03-22 17:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-03-22 17:35 . 2010-03-22 17:35 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-03-22 04:24 . 2010-03-22 04:25 -------- d-----w- C:\test
2010-03-22 02:06 . 2010-03-09 10:12 162640 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-03-22 02:06 . 2010-03-09 10:08 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-03-22 02:06 . 2010-03-09 10:09 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-03-22 02:06 . 2010-03-09 10:12 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-03-22 02:06 . 2010-03-09 10:08 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-03-22 02:06 . 2010-03-09 10:08 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-03-22 02:06 . 2010-03-09 10:08 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-03-22 02:06 . 2010-03-09 10:24 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-03-22 02:06 . 2010-03-09 10:24 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-03-22 02:06 . 2010-03-22 02:06 -------- d-----w- c:\program files\Alwil Software
2010-03-22 02:06 . 2010-03-22 02:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-03-22 00:07 . 2010-03-23 03:59 -------- d-----w- c:\documents and settings\Patty Simpson\Application Data\Malwarebytes
2010-03-22 00:06 . 2010-03-23 04:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-21 23:48 . 2010-03-21 23:48 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-03-11 01:04 . 2009-10-23 15:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-03-06 22:05 . 2010-03-23 18:20 -------- d-----w- c:\documents and settings\Patty Simpson\Application Data\HPAppData
2010-03-06 18:25 . 2010-03-06 18:27 23088 ----a-w- c:\windows\hpqins15.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-21 13:10 . 2009-10-07 00:38 -------- d-----w- c:\documents and settings\Patty Simpson\Application Data\HpUpdate
2010-03-20 13:50 . 2008-02-26 15:30 -------- d-----w- c:\program files\Microsoft Money Plus
2010-03-11 02:07 . 2008-02-16 23:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-03-06 18:26 . 2008-05-02 14:50 -------- d-----w- c:\program files\HP
2010-02-19 14:33 . 2010-02-19 14:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-02-19 14:33 . 2010-02-19 14:33 -------- d-----w- c:\program files\Yahoo!
2010-02-19 14:33 . 2010-02-19 14:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-02-19 14:33 . 2010-02-19 14:33 -------- d-----w- c:\documents and settings\Patty Simpson\Application Data\Yahoo!
2010-02-04 16:26 . 2010-02-04 16:25 -------- d-----w- c:\program files\iTunes
2010-02-04 16:25 . 2010-02-04 16:25 -------- d-----w- c:\program files\iPod
2010-02-04 16:25 . 2008-05-05 17:14 -------- d-----w- c:\program files\Common Files\Apple
2010-02-04 16:17 . 2010-02-04 16:17 -------- d-----w- c:\program files\QuickTime
2010-02-04 15:40 . 2010-02-04 15:40 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-02-04 14:41 . 2008-07-14 22:16 -------- d-----w- c:\program files\Safari
2010-02-04 14:00 . 2010-02-04 14:00 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe
2010-01-31 14:04 . 2008-02-16 23:08 -------- d-----w- c:\program files\Google
2009-12-31 16:50 . 2004-08-10 18:51 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2008-02-16 22:50 . 2008-02-16 22:50 76 --sh--r- c:\windows\CT4CET.bin
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-02-16 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-03-09 2769336]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Patty Simpson^Start Menu^Programs^Startup^Cyber-shot Viewer Media Check Tool.lnk]
path=c:\documents and settings\Patty Simpson\Start Menu\Programs\Startup\Cyber-shot Viewer Media Check Tool.lnk
backup=c:\windows\pss\Cyber-shot Viewer Media Check Tool.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Patty Simpson^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Patty Simpson\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 07:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2009-08-13 21:51 177440 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
2007-12-11 19:22 2183168 ----a-w- c:\windows\system32\WLTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
2007-07-03 19:57 1228800 ----a-w- c:\program files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DELL Webcam Manager]
2007-07-27 22:43 118784 ------w- c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
2009-05-21 16:55 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2007-10-10 00:57 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
2007-05-24 13:03 17920 ----a-w- c:\dell\E-Center\EULALauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2007-07-10 03:58 162328 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-03-12 03:34 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2007-07-10 03:58 137752 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2006-10-03 17:35 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2006-10-03 17:37 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-01-23 02:16 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KADxMain]
2006-11-02 20:05 282624 ----a-w- c:\windows\system32\KADxMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OEM02Mon.exe]
2007-08-28 20:54 36864 ----a-w- c:\windows\OEM02Mon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2007-11-01 21:39 189736 ------w- c:\program files\Dell\MediaDirect\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2007-07-10 03:58 137752 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 06:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2006-08-17 15:00 1116920 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2006-11-05 17:22 221184 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2007-07-10 04:03 405504 ----a-w- c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-02-16 23:08 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2007-07-10 04:21 851968 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"= 8085:TCP:OKOToGate

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [3/21/2010 8:06 PM 162640]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/21/2010 8:06 PM 19024]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
tapisrvs REG_MULTI_SZ cpqoko6

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 11:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2009-08-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-03-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 14:04]

2010-03-24 c:\windows\Tasks\User_Feed_Synchronization-{86FCC261-0418-4AE0-BC94-F016AA3E7D9B}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://us.mg3.mail.yahoo.com/dc/launch?.gx=1&.rand=3asm5mur0rj7h
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=3080216
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-OE_OEM - c:\program files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
MSConfigStartUp-pccguide - c:\program files\Trend Micro\Internet Security 14\pccguide.exe
MSConfigStartUp-sysfbtray - c:\windows\bill104.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-24 13:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(872)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(2356)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\windows\system32\CDRTC.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-03-24 13:10:43 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-24 19:10

Pre-Run: 61,946,105,856 bytes free
Post-Run: 62,154,846,208 bytes free

- - End Of File - - 409C91FB470E0B0A00B86FB0F3DECFD8


#11 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,257 posts
  • Gender:Female
  • Location:Romania
  • Local time:06:35 AM

Posted 24 March 2010 - 03:34 PM

Please let me know what happened when you tried to install the Recovery Console.
Did you try to drag/drop the downloaded package onto Combofix.exe as instructed?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#12 jhitt81

jhitt81
  • Topic Starter

  • Members
  • 15 posts
  • Local time:09:35 PM

Posted 24 March 2010 - 04:06 PM

No, I read that after I started it. It just said "could not install recovery console abort and continue combofix" "yes or No". I clicked yes.

#13 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,257 posts
  • Gender:Female
  • Location:Romania
  • Local time:06:35 AM

Posted 24 March 2010 - 04:18 PM

Can you please try to install the Recovery Console the way I instructed and post me the new Combofix log?

regards, Elise




#14 jhitt81

jhitt81
  • Topic Starter

  • Members
  • 15 posts
  • Local time:09:35 PM

Posted 24 March 2010 - 04:25 PM

I'm doing it now. Can I ask why (I'm just trying to learn)?

#15 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,257 posts
  • Gender:Female
  • Location:Romania
  • Local time:06:35 AM

Posted 24 March 2010 - 04:33 PM

Yes, of course.

I think the reason why we want the Recovery Console installed is pretty much explained in the previous post.

Normally Combofix downloads the Recovery Console, but since your internet isn't working properly, Combofix was not able to do so. Therefore I asked you to separately download the installation package. Dragging and dropping this onto combofix.exe will cause the Recovery Console to be installed without an internet connection being needed.

regards, Elise



