System Restore and Internet blocked


This topic is locked. 8 replies to this topic

#1 Zoidberg
  • Members
  • 7 posts
  • Gender:Male
  • Location:USA

Posted 29 May 2010 - 06:30 PM

I started getting fake Antispyware Soft pop-ups that told me something was infected, and I couldn't open any programs. After restarting the computer I started the Task Manager as fast as I could and was able to stop some of it so that I could at least run scans. They were able to remove a whole bunch of problems, but I'm stuck with the following problems:
Internet doesn't work on my normal account, only when I log in as guest.
The Windows Firewall is turned off and can't be turned on.
Once a blue screen appeared with a missing .dll file.


I am using Windows XP Home Edition. I have been running MBAM, Avira AntiVir, SUPERAntiSpyware and Spybot Search & Destroy.

Here is the DDS log. I can't save the GMER log; the scan runs fine, but when I attempt to save it, the computer gets extremely slow and GMER freezes.

EDIT: On the third try I could save the GMER log.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 14:50:52.01 on Sat 05/29/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.521 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\WINDOWS\OEM02Mon.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Documents and Settings\Owner\Desktop\RRT.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Orbitdownloader\orbitdm.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Orbitdownloader\orbitnet.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uSearch Page =
uWindow Title = Windows Internet Explorer provided by Yahoo!
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uSearchAssistant =
mSearchAssistant =
uURLSearchHooks: Winamp Search Class: {57bca5fa-5dbb-45a2-b558-1755c3f6253b} - c:\program files\winamp toolbar\winamptb.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
mURLSearchHooks: Winamp Search Class: {57bca5fa-5dbb-45a2-b558-1755c3f6253b} - c:\program files\winamp toolbar\winamptb.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
TB: Winamp Toolbar: {ebf2ba02-9094-4c5a-858b-bb198f3d8de2} - c:\program files\winamp toolbar\winamptb.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [WinSysCheck] WinSysCheck.exe
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [System32DOS] System32DOS.exe
mRun: [System32Check] System32Check.exe
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_06\bin\jusched.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [SetDefPrt] c:\program files\brother\brmfl04a\BrStDvPt.exe
mRun: [Scan32Sys] Scan32Sys.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun
mRun: [CDPreLoader] CDPreLoader.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [RRT-Auto] c:\documents and settings\owner\desktop\RRT.exe auto
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\orbit.lnk - c:\program files\orbitdownloader\orbitdm.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\status~1.lnk - c:\program files\brother\brmfcmon\BrMfcWnd.exe
uPolicies-explorer: NoWindowsUpdate = 0 (0x0)
uPolicies-explorer: NoViewOnDrive = 0 (0x0)
mPolicies-explorer: NoWindowsUpdate = 0 (0x0)
mPolicies-explorer: NoViewOnDrive = 0 (0x0)
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: &Search
IE: &Winamp Search - c:\documents and settings\all users\application data\winamp toolbar\ietoolbar\resources\en-us\local\search.html
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1241285237750
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1241285229671
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-4-4 11608]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-4-4 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-4-4 267432]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-4-4 60936]
S0 fzizu;fzizu; [x]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-3 135664]
S2 jejenp;Installer Manager;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S3 jumi;%Jumi%;c:\windows\system32\drivers\jumi.sys [2009-7-23 6528]

=============== Created Last 30 ================

2010-05-29 04:01:48 0 d-----w- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com
2010-05-29 04:01:48 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-05-29 04:01:42 0 d-----w- c:\program files\SUPERAntiSpyware
2010-05-27 21:22:27 226 ----a-w- c:\windows\wininit.ini
2010-05-27 11:39:04 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-05-27 11:39:04 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-05-27 03:41:47 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2010-05-27 03:41:29 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-27 03:41:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-27 03:41:26 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-27 03:41:25 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-27 03:23:36 7302 ----a-w- c:\windows\system32\rrt_vf.wav
2010-05-27 03:23:36 7148 ----a-w- c:\windows\system32\rrt_tv.wav
2010-05-27 03:23:36 6282 ----a-w- c:\windows\system32\rrt_tn.wav
2010-05-27 03:23:36 16244 ----a-w- c:\windows\system32\rrt_is.wav
2010-05-27 01:22:14 0 d-----w- c:\program files\Eusing Free Registry Cleaner
2010-05-27 01:01:57 0 d-----w- c:\windows\pss

==================== Find3M ====================


============= FINISH: 14:52:31.65 ===============

Attached Files


Edited by Zoidberg, 29 May 2010 - 10:10 PM.



#2 Farbar
    Just Curious
  • Security Developer
  • 21,714 posts
  • Gender:Male
  • Location:The Netherlands

Posted 31 May 2010 - 08:59 AM

Hi Zoidberg,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.
  1. To restore the IE connection, log in with your normal account, the one with the internet connection problem.
    Go to Start => Control Panel => Internet Options => click the "Connections" tab => delete the numbers in the Address and Port boxes, then uncheck "Use a proxy server for your LAN". Click OK. See if the connection is restored.

  2. Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with the tool. (Information on A/V control HERE)
    • Double click on ComboFix.exe & follow the prompts.
    • You will get a warning about the untrusted download sites for ComboFix; click Yes.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot into a special recovery/repair mode that will allow us to help you more easily should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.


#3 Zoidberg
  • Topic Starter
  • Members
  • 7 posts
  • Gender:Male
  • Location:USA

Posted 31 May 2010 - 11:56 PM

I really appreciate your help. Internet works fine again.

Here is the Combofix log:
ComboFix 10-05-31.02 - Owner 05/31/2010 23:38:38.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.590 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator.SAMSLAPTOP\Application Data\020000002ac3776e922C.manifest
c:\documents and settings\Administrator.SAMSLAPTOP\Application Data\020000002ac3776e922O.manifest
c:\documents and settings\Administrator.SAMSLAPTOP\Application Data\020000002ac3776e922P.manifest
c:\documents and settings\Administrator.SAMSLAPTOP\Application Data\020000002ac3776e922S.manifest
c:\documents and settings\Owner\Application Data\020000002ac3776e922C.manifest
c:\documents and settings\Owner\Application Data\020000002ac3776e922O.manifest
c:\documents and settings\Owner\Application Data\020000002ac3776e922P.manifest
c:\documents and settings\Owner\Application Data\020000002ac3776e922S.manifest
c:\documents and settings\Owner\Local Settings\Application Data\Windows Server
c:\documents and settings\Owner\Local Settings\Application Data\Windows Server\flags.ini
c:\documents and settings\Owner\Local Settings\Application Data\Windows Server\uses32.dat
c:\documents and settings\Sam\Application Data\020000002ac3776e922C.manifest
c:\documents and settings\Sam\Application Data\020000002ac3776e922O.manifest
c:\documents and settings\Sam\Application Data\020000002ac3776e922P.manifest
c:\documents and settings\Sam\Application Data\020000002ac3776e922S.manifest
C:\feed.txt
c:\windows\system32\hlp.dat
c:\windows\system32\st325602.dll
c:\windows\system32\Vb40032.dll

Infected copy of c:\windows\system32\drivers\tcpip.sys was found and disinfected
Restored copy from - Kitty had a snack tongue.gif
Infected copy of c:\windows\system32\ws2_32.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\ws2_32.dll

.
((((((((((((((((((((((((( Files Created from 2010-05-01 to 2010-06-01 )))))))))))))))))))))))))))))))
.

2010-05-29 05:33 . 2010-05-29 05:33 -------- d-----w- c:\documents and settings\Sam\Application Data\SUPERAntiSpyware.com
2010-05-29 04:01 . 2010-05-29 04:01 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2010-05-29 04:01 . 2010-05-29 04:01 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-05-29 04:01 . 2010-05-29 04:01 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-28 21:23 . 2010-05-28 21:23 -------- d-----w- c:\documents and settings\Administrator.SAMSLAPTOP\Application Data\SUPERAntiSpyware.com
2010-05-28 03:49 . 2010-05-28 03:49 -------- d-----w- c:\documents and settings\Administrator.SAMSLAPTOP\Application Data\Malwarebytes
2010-05-27 11:44 . 2010-05-27 11:44 -------- d-----w- c:\documents and settings\Sam\Application Data\Avira
2010-05-27 11:39 . 2010-05-27 11:57 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-05-27 11:39 . 2010-05-27 11:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-27 03:41 . 2010-05-27 03:41 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-05-27 03:41 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-27 03:41 . 2010-05-27 03:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-27 03:41 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-27 03:41 . 2010-05-27 03:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-27 03:08 . 2010-05-27 03:08 46832 ----a-w- c:\documents and settings\Administrator.SAMSLAPTOP\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-27 01:22 . 2010-05-27 01:24 -------- d-----w- c:\program files\Eusing Free Registry Cleaner

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-01 04:47 . 2009-06-11 16:39 -------- d-----w- c:\documents and settings\Owner\Application Data\Orbit
2010-05-31 21:03 . 2009-07-02 04:07 -------- d-----w- c:\documents and settings\Sam\Application Data\Orbit
2010-05-29 16:36 . 2010-05-29 05:34 63488 ----a-w- c:\documents and settings\Sam\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-05-29 16:36 . 2010-05-29 05:34 117760 ----a-w- c:\documents and settings\Sam\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-29 05:34 . 2010-05-29 05:34 52224 ----a-w- c:\documents and settings\Sam\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-05-29 04:02 . 2010-05-29 04:02 63488 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-05-29 04:02 . 2010-05-29 04:02 52224 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-05-29 04:01 . 2010-05-29 04:01 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-28 21:24 . 2010-05-28 21:24 63488 ----a-w- c:\documents and settings\Administrator.SAMSLAPTOP\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-05-28 21:24 . 2010-05-28 21:24 52224 ----a-w- c:\documents and settings\Administrator.SAMSLAPTOP\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-05-28 21:24 . 2010-05-28 21:24 117760 ----a-w- c:\documents and settings\Administrator.SAMSLAPTOP\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-27 02:51 . 2009-07-15 16:19 46832 ----a-w- c:\documents and settings\Sam\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-26 03:10 . 2009-05-02 16:23 -------- d-----w- c:\documents and settings\Owner\Application Data\U3
2010-04-16 21:23 . 2009-05-02 17:49 46832 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-08 01:32 . 2010-04-08 01:32 -------- d-----w- c:\program files\MSECache
2010-04-05 01:27 . 2010-04-05 01:27 -------- d-----w- c:\documents and settings\Owner\Application Data\Avira
2010-04-05 01:21 . 2010-03-10 01:19 -------- d-----w- c:\program files\Bonjour
2010-04-05 01:20 . 2010-03-10 01:17 -------- d-----w- c:\program files\Apple Software Update
2010-04-05 01:20 . 2010-03-10 01:18 -------- d-----w- c:\program files\QuickTime
2010-04-05 01:20 . 2010-03-10 01:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-04-05 01:20 . 2010-03-10 01:19 -------- d-----w- c:\program files\iPod
2010-04-05 01:20 . 2010-03-10 01:19 -------- d-----w- c:\program files\iTunes
2010-04-05 01:19 . 2010-03-10 01:20 -------- d-----w- c:\documents and settings\Owner\Application Data\Apple Computer
2010-04-05 01:19 . 2010-03-17 15:57 -------- d-----w- c:\program files\Blinkx
.

------- Sigcheck -------

[7] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\user32.dll
[-] 2008-04-14 . 48FDBBE0E55B15E1886FCF5D8563B19F . 578560 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll
[7] 2004-08-04 . C72661F8552ACE7C5C85E16A3CF505C4 . 577024 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\user32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{57BCA5FA-5DBB-45a2-B558-1755C3F6253B}"= "c:\program files\Winamp Toolbar\winamptb.dll" [2009-02-19 1262888]

[HKEY_CLASSES_ROOT\clsid\{57bca5fa-5dbb-45a2-b558-1755c3f6253b}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-10-25 39408]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-05-18 2397424]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2009-09-04 158448]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-04-22 37888]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"SetDefPrt"="c:\program files\Brother\Brmfl04a\BrStDvPt.exe" [2004-05-25 49152]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-16 137752]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 57393]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-05-10 36864]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 40960]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-16 137752]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-16 162328]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2004-07-20 851968]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-06-02 2220032]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"RRT-Auto"="c:\documents and settings\Owner\Desktop\RRT.exe" [2010-05-27 1745920]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-6-13 113664]
Orbit.lnk - c:\program files\Orbitdownloader\orbitdm.exe [2009-6-11 1719496]
Status Monitor.lnk - c:\program files\Brother\Brmfcmon\BrMfcWnd.exe [2009-5-23 819200]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3370:TCP"= 3370:TCP:dhhlqb

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/4/2010 8:23 PM 135336]
S0 fzizu;fzizu; [x]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/3/2010 7:49 AM 135664]
S2 jejenp;Installer Manager;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 5:00 AM 14336]
S3 jumi;%Jumi%;c:\windows\system32\drivers\jumi.sys [7/23/2009 2:07 PM 6528]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
jejenp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 09:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-06-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 12:49]

2010-05-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 12:49]

2010-02-12 c:\windows\Tasks\Install_NSS.job
- c:\windows\system32\Adobe\Shockwave 11\nssstub.exe [2010-02-11 23:56]

2010-01-18 c:\windows\Tasks\SyncToy 2.job
- c:\program files\SyncToy 2.1\SyncToy.exe [2009-10-19 08:58]

2010-06-01 c:\windows\Tasks\User_Feed_Synchronization-{DCBEA852-84B6-4376-ACE7-F12EBB568DA3}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uSearchAssistant =
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: &Winamp Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-WinSysCheck - WinSysCheck.exe
HKLM-Run-System32DOS - System32DOS.exe
HKLM-Run-System32Check - System32Check.exe
HKLM-Run-Scan32Sys - Scan32Sys.exe
HKLM-Run-CDPreLoader - CDPreLoader.exe
SafeBoot-WudfPf
SafeBoot-WudfRd
AddRemove-Nancy Drew Dossier - Lights, Camera, Curses! - c:\program files\Yahoo! Games\Nancy Drew Dossier - Lights



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-31 23:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\wbem\Performance\WmiApRpl.ini 3824 bytes

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\jejenp]
"ServiceDll"="c:\windows\system32\kapplfzp.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(848)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
c:\windows\System32\BCMLogon.dll
c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\MFC80.DLL
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll

- - - - - - - > 'explorer.exe'(3020)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\windows\system32\brss01a.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\windows\system32\Brmfrmps.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\ZuneBusEnum.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Orbitdownloader\orbitnet.exe
.
**************************************************************************
.
Completion time: 2010-05-31 23:52:44 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-01 04:52

Pre-Run: 41,914,900,480 bytes free
Post-Run: 41,994,559,488 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - B434FBEDEF8618F73C94C78FA43ED4B7


#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,714 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:07:19 AM

Posted 01 June 2010 - 10:09 AM

If ComboFix notified you that it needs to update or upload files while it runs please let it be done.

Close any open browsers.

Open notepad (start > All Programs > Accessories > Notepad) and copy/paste the text in the code box below into it:

CODE
http://www.bleepingcomputer.com/forums/t/320210/system-restore-and-internet-blocked/

Collect::
c:\windows\system32\kapplfzp.dll
Driver::
jejenp
fzizu
NetSvc::
jejenp
Registry::
[-HKEY_CLASSES_ROOT\clsid\{57bca5fa-5dbb-45a2-b558-1755c3f6253b}]
[-HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch.1]
[-HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[-HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3370:TCP"=-
[-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\jejenp]
FCopy::
c:\windows\ServicePackFiles\i386\user32.dll | c:\windows\system32\user32.dll
DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5555


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you ( "C:\ComboFix.txt"). Please copy and paste the log to your reply.
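The CFScript above removes a per-user proxy pointed at the loopback address, re-enables the firewall policy by deleting a globally opened port, and unregisters two services that have no legitimate description. A defender reviewing a ComboFix or DDS log by hand looks for exactly these patterns, so here is a small triage parser, added as an example for this thread and not part of ComboFix or any tool the helper used, that scans log text laid out like the logs posted here and reports those indicators. The sample log is constructed to mirror the thread's format (the jejenp service line and the GloballyOpenPorts value are assumed, since the thread shows only the removal directives for them), and the "no descriptive display name outside driver/program directories" rule is a heuristic of this example, not a ComboFix feature.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    category: str
    detail: str


# Constructed sample in the layout of the ComboFix logs posted in this thread.
# The jejenp service line and the 3370:TCP value are assumed for illustration.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3370:TCP"= 3370:TCP:*:Enabled:constructed

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
S2 jejenp;jejenp;c:\windows\system32\kapplfzp.dll [constructed]
S3 jumi;%Jumi%;c:\windows\system32\drivers\jumi.sys [7/23/2009 2:07 PM 6528]

------- Supplementary Scan -------
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
# Service lines: "<R|S><n> name;display;path [date size]"
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>[^\[]+?)\s*(\[.*\])?$"
)
# DDS prefix 'u' = per-user hive (HKCU), 'm' = machine hive (HKLM)
PROXY_RE = re.compile(r"^(?P<hive>[um])Internet Settings,ProxyServer\s*=\s*(?P<value>.+)$")
PORT_RE = re.compile(r"^(?P<port>\d+):(?P<proto>TCP|UDP)$", re.I)


def triage(log_text: str) -> List[Finding]:
    """Walk a ComboFix-style log and return the indicators worth a second look."""
    findings: List[Finding] = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("key").lower()  # track which registry key we are under
            continue
        m = VALUE_RE.match(line)
        if m and "firewallpolicy" in section:
            name, value = m.group("name"), m.group("value")
            if name == "EnableFirewall" and value.startswith("0"):
                findings.append(Finding("firewall-disabled", f"{section}: EnableFirewall = 0"))
            pm = PORT_RE.match(name)
            if pm and section.endswith(r"globallyopenports\list"):
                findings.append(Finding(
                    "open-port", f"{pm.group('port')}/{pm.group('proto').upper()} globally opened"))
            continue
        m = SERVICE_RE.match(line)
        if m:
            name, display = m.group("name"), m.group("display")
            path = m.group("path").strip().lower()
            # Heuristic of this example: a service whose display name is just its
            # own name and whose binary lives outside \drivers\ or \program files\
            inside_known = "\\drivers\\" in path or "\\program files\\" in path
            if display.lower() == name.lower() and not inside_known:
                findings.append(Finding(
                    "suspicious-service",
                    f"{name} -> {path} (no descriptive display name, outside driver/program dirs)"))
            continue
        m = PROXY_RE.match(line)
        if m:
            hive = "HKCU (per-user)" if m.group("hive") == "u" else "HKLM (machine)"
            value = m.group("value")
            # A proxy on the loopback address routes the browser through a local
            # process; being per-user explains why only one account lost connectivity.
            if "127.0.0.1" in value or "localhost" in value.lower():
                findings.append(Finding("loopback-proxy", f"{hive} ProxyServer = {value}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.category}] {f.detail}")
```

Run as a script it prints one line per finding; the per-user proxy result is the one that matches the symptom in the first post (the Owner account has no internet while the guest account does), because an HKCU proxy setting applies only to the profile that carries it.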



#5 Zoidberg

Zoidberg
  • Topic Starter

  • Members
  • 7 posts
  • Gender:Male
  • Location:USA
  • Local time:12:19 AM

Posted 01 June 2010 - 12:27 PM

ComboFix 10-06-01.01 - Owner 06/01/2010 12:12:28.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.653 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\user32.dll --> c:\windows\system32\user32.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FZIZU
-------\Legacy_JEJENP
-------\Service_fzizu
-------\Service_jejenp


((((((((((((((((((((((((( Files Created from 2010-05-01 to 2010-06-01 )))))))))))))))))))))))))))))))
.

2010-05-29 05:34 . 2010-05-29 16:36 63488 ----a-w- c:\documents and settings\Sam\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-05-29 05:34 . 2010-05-29 05:34 52224 ----a-w- c:\documents and settings\Sam\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-05-29 05:34 . 2010-05-29 16:36 117760 ----a-w- c:\documents and settings\Sam\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-29 05:33 . 2010-05-29 05:33 -------- d-----w- c:\documents and settings\Sam\Application Data\SUPERAntiSpyware.com
2010-05-29 04:02 . 2010-05-29 04:02 63488 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-05-29 04:02 . 2010-05-29 04:02 52224 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-05-29 04:01 . 2010-05-29 04:01 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-29 04:01 . 2010-05-29 04:01 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2010-05-29 04:01 . 2010-05-29 04:01 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-05-29 04:01 . 2010-05-29 04:01 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-28 21:24 . 2010-05-28 21:24 63488 ----a-w- c:\documents and settings\Administrator.SAMSLAPTOP\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-05-28 21:24 . 2010-05-28 21:24 52224 ----a-w- c:\documents and settings\Administrator.SAMSLAPTOP\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-05-28 21:24 . 2010-05-28 21:24 117760 ----a-w- c:\documents and settings\Administrator.SAMSLAPTOP\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-28 21:23 . 2010-05-28 21:23 -------- d-----w- c:\documents and settings\Administrator.SAMSLAPTOP\Application Data\SUPERAntiSpyware.com
2010-05-28 03:49 . 2010-05-28 03:49 -------- d-----w- c:\documents and settings\Administrator.SAMSLAPTOP\Application Data\Malwarebytes
2010-05-27 11:44 . 2010-05-27 11:44 -------- d-----w- c:\documents and settings\Sam\Application Data\Avira
2010-05-27 11:39 . 2010-05-27 11:57 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-05-27 11:39 . 2010-05-27 11:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-27 03:41 . 2010-05-27 03:41 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-05-27 03:41 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-27 03:41 . 2010-05-27 03:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-27 03:41 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-27 03:41 . 2010-05-27 03:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-27 03:08 . 2010-05-27 03:08 46832 ----a-w- c:\documents and settings\Administrator.SAMSLAPTOP\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-27 01:22 . 2010-05-27 01:24 -------- d-----w- c:\program files\Eusing Free Registry Cleaner

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-01 17:21 . 2009-06-11 16:39 -------- d-----w- c:\documents and settings\Owner\Application Data\Orbit
2010-05-31 21:03 . 2009-07-02 04:07 -------- d-----w- c:\documents and settings\Sam\Application Data\Orbit
2010-05-27 02:51 . 2009-07-15 16:19 46832 ----a-w- c:\documents and settings\Sam\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-26 03:10 . 2009-05-02 16:23 -------- d-----w- c:\documents and settings\Owner\Application Data\U3
2010-04-16 21:23 . 2009-05-02 17:49 46832 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-08 01:32 . 2010-04-08 01:32 -------- d-----w- c:\program files\MSECache
2010-04-05 01:27 . 2010-04-05 01:27 -------- d-----w- c:\documents and settings\Owner\Application Data\Avira
2010-04-05 01:21 . 2010-03-10 01:19 -------- d-----w- c:\program files\Bonjour
2010-04-05 01:20 . 2010-03-10 01:17 -------- d-----w- c:\program files\Apple Software Update
2010-04-05 01:20 . 2010-03-10 01:18 -------- d-----w- c:\program files\QuickTime
2010-04-05 01:20 . 2010-03-10 01:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-04-05 01:20 . 2010-03-10 01:19 -------- d-----w- c:\program files\iPod
2010-04-05 01:20 . 2010-03-10 01:19 -------- d-----w- c:\program files\iTunes
2010-04-05 01:19 . 2010-03-10 01:20 -------- d-----w- c:\documents and settings\Owner\Application Data\Apple Computer
2010-04-05 01:19 . 2010-03-17 15:57 -------- d-----w- c:\program files\Blinkx
2010-03-24 18:17 . 2010-03-24 08:04 952768 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.2\ARM\ARM Update\AdobeARM.exe
2010-03-24 18:17 . 2010-03-24 08:04 70584 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.2\ARM\ARM Update\AdobeExtractFiles.dll
2010-03-24 18:17 . 2010-03-24 08:04 326056 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.2\ARM\ARM Update\ReaderUpdater.exe
2010-03-24 18:17 . 2010-03-24 08:04 326056 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.2\ARM\ARM Update\AcrobatUpdater.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-10-25 39408]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-05-18 2397424]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2009-09-04 158448]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-04-22 37888]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"SetDefPrt"="c:\program files\Brother\Brmfl04a\BrStDvPt.exe" [2004-05-25 49152]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-16 137752]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 57393]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-05-10 36864]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 40960]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-16 137752]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-16 162328]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2004-07-20 851968]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-06-02 2220032]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"RRT-Auto"="c:\documents and settings\Owner\Desktop\RRT.exe" [2010-05-27 1745920]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-6-13 113664]
Orbit.lnk - c:\program files\Orbitdownloader\orbitdm.exe [2009-6-11 1719496]
Status Monitor.lnk - c:\program files\Brother\Brmfcmon\BrMfcWnd.exe [2009-5-23 819200]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/4/2010 8:23 PM 135336]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/3/2010 7:49 AM 135664]
S3 jumi;%Jumi%;c:\windows\system32\drivers\jumi.sys [7/23/2009 2:07 PM 6528]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 09:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-06-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 12:49]

2010-05-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 12:49]

2010-02-12 c:\windows\Tasks\Install_NSS.job
- c:\windows\system32\Adobe\Shockwave 11\nssstub.exe [2010-02-11 23:56]

2010-01-18 c:\windows\Tasks\SyncToy 2.job
- c:\program files\SyncToy 2.1\SyncToy.exe [2009-10-19 08:58]

2010-06-01 c:\windows\Tasks\User_Feed_Synchronization-{DCBEA852-84B6-4376-ACE7-F12EBB568DA3}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uInternet Settings,ProxyOverride = <local>
uSearchAssistant =
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: &Winamp Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - (no file)



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(848)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
c:\windows\System32\BCMLogon.dll
c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\MFC80.DLL
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll

- - - - - - - > 'explorer.exe'(3956)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\bcmwltry.exe
c:\windows\system32\brss01a.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\windows\system32\Brmfrmps.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\ZuneBusEnum.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Orbitdownloader\orbitnet.exe
.
**************************************************************************
.
Completion time: 2010-06-01 12:24:36 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-01 17:24
ComboFix2.txt 2010-06-01 04:52

Pre-Run: 41,753,989,120 bytes free
Post-Run: 41,585,897,472 bytes free

- - End Of File - - 05EC41ABB97E7778F91977D874AA2F3A


#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,714 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:07:19 AM

Posted 01 June 2010 - 02:14 PM

The active malware is taken care of. Let's have a full scan for any inactive leftover.
  1. Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older-version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Look for "JDK 6 Update 20 (JDK or JRE)".
    • Click the Download JRE button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.

  2. I'd like us to scan your machine with ESET OnlineScan
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESET OnlineScan
    • Click the button.
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      • Click on to download the ESET Smart Installer. Save it to your desktop.
      • Double click on the icon on your desktop.
    • Check
    • Click the button.
    • Accept any security warnings from your browser.
    • Check
    • Push the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push
    • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • Push the button.
    • Push

  3. Tell me also how your computer is running.


#7 Zoidberg

Zoidberg
  • Topic Starter

  • Members
  • 7 posts
  • Gender:Male
  • Location:USA
  • Local time:12:19 AM

Posted 01 June 2010 - 03:57 PM

ESET Scan:
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\tcpip.sys.vir Win32/Olmarik.ZC trojan cleaned - quarantined
C:\System Volume Information\_restore{2849AEF9-3271-4EA2-BAAA-A0E4E72DB98B}\RP3\A0009265.sys Win32/Olmarik.ZC trojan cleaned - quarantined

The computer is running fine and nothing unusual happened.

A really big THANK YOU.

#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,714 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:07:19 AM

Posted 01 June 2010 - 04:20 PM

You are most welcome.

ESET actually found nothing. The first file is in the quarantine folder of ComboFix and the second one is in System Restore, which we will always purge at the end.

It looks good.
  1. It is important to uninstall ComboFix.

    Go to Start => Run => copy and paste next command in the field then hit enter:

    ComboFix /Uninstall

    This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

    It makes a clean Restore Point and clears all the old restore points in order to prevent possible reinfection from an old one through system restore.

  2. You may remove any other tool or log we used from your computer.

Happy Surfing Zoidberg.



#9 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,714 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:07:19 AM

Posted 08 June 2010 - 02:51 PM


This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.



