
Rootkit.Agent Detected


This topic is locked
32 replies to this topic

#1 cheryllb

cheryllb

  • Members
  • 29 posts
  • OFFLINE

Posted 07 June 2010 - 05:33 PM

Hi, as in the topic/description, I have a rootkit.agent on my computer in C:\Windows\System32\drivers\wxupt.sys. I found it using Malwarebytes. It tells me it should be removed when I reboot, but it's still there and still giving me the blue screen of death.

I have the DDS log here and the GMER log attached. I would appreciate any help!! Thanks!


DDS (Ver_10-03-17.01) - NTFSx86
Run by Cheryl at 15:22:12.98 on Mon 06/07/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_11
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.2038.805 [GMT -5:00]

AV: ThreatFire *On-access scanning enabled* (Updated) {67B2B9A1-25C8-4057-962D-807958FFC9E3}
SP: Avira AntiVir PersonalEdition *enabled* (Outdated) {C19476D9-52BC-4E93-8AF3-CCF59F7AE8FE}
SP: ThreatFire *enabled* (Updated) {79E34F8F-D0AD-48d6-9223-C657C6491F67}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\System32\svchost.exe -k Cognizance
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Alwil Software\Avast5\avastui.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\CISVC.EXE
C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Windows\System32\StikyNot.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Users\Cheryl\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\RapidBIT\cidaemon.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Users\Cheryl\Downloads\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
mStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: VeriSoft Access Manager: {df21f1db-80c6-11d3-9483-b03d0ec10000} - c:\program files\bioscrypt\verisoft\bin\ItIEAddIn.dll
BHO: STOPzilla Browser Helper Object: {e3215f20-3212-11d6-9f8b-00d0b743919d} - c:\program files\stopzilla!\SZIEBHO.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - No File
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [RESTART_STICKY_NOTES] c:\windows\system32\StikyNot.exe
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [<NO NAME>]
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
dRun: [mplay32xe.exe] c:\windows\temp\mplay32xe.exe
dRun: [YVIBBBHA8C] c:\windows\temp\Hkj.exe
StartupFolder: c:\users\cheryl\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\cheryl\appdata\roaming\dropbox\bin\Dropbox.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
dPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
Trusted Zone: adecco.com\*.xpert
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} - hxxp://www.worldwinner.com/games/v51/bejeweled/bejeweled.cab
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {ABB660B6-6694-407B-950A-EDBA5A159722} - hxxp://download.games.yahoo.com/games/web_games/sony/davinci/DVCDownloadControl.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
AppInit_DLLs: acaptuser32.dll
LSA: Notification Packages = scecli ASWLNPkg
Hosts: 65.54.239.80 dp.msnmessenger.akadns.net

================= FIREFOX ===================

FF - ProfilePath - c:\users\cheryl\appdata\roaming\mozilla\firefox\profiles\olf3sehj.default\
FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/?src=aim&ncid=snsusaimc00000001
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50-ff-aim-ab-en-us&query=
FF - component: c:\users\cheryl\appdata\roaming\mozilla\firefox\profiles\olf3sehj.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
FF - component: c:\users\cheryl\appdata\roaming\mozilla\firefox\profiles\olf3sehj.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa2.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nppopcaploader.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\users\cheryl\appdata\roaming\mozilla\firefox\profiles\olf3sehj.default\extensions\{0c7e3f01-99e9-4095-9bdc-f84724960b57}\plugins\NPCpnMgr.dll
FF - plugin: c:\users\cheryl\appdata\roaming\mozilla\firefox\profiles\olf3sehj.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(yahoo.homepage.dontask, true);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 szkg5;szkg5;c:\windows\system32\drivers\SZKG.sys [2009-12-7 61328]
R0 szkgfs;szkgfs;c:\windows\system32\drivers\SZKGFS.sys [2010-2-24 173328]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-4-8 162640]
R2 ASBroker;Logon Session Broker;c:\windows\system32\svchost.exe -k Cognizance [2009-7-13 20992]
R2 ASChannel;Local Communication Channel;c:\windows\system32\svchost.exe -k Cognizance [2009-7-13 20992]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-4-8 19024]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-4-8 51792]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-4-10 38224]
R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2009-7-13 311296]
S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [2009-12-7 61328]
S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-8 40384]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-8 40384]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-8 40384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2010-3-21 227896]

=============== Created Last 30 ================

2010-06-07 17:50:02 608 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-06-07 17:28:41 65536 --sha-w- c:\users\cheryl\ntuser.dat{05710494-725a-11df-aa68-0016d3f5b00f}.TM.blf
2010-06-07 17:28:41 524288 --sha-w- c:\users\cheryl\ntuser.dat{05710494-725a-11df-aa68-0016d3f5b00f}.TMContainer00000000000000000002.regtrans-ms
2010-06-07 17:28:41 524288 --sha-w- c:\users\cheryl\ntuser.dat{05710494-725a-11df-aa68-0016d3f5b00f}.TMContainer00000000000000000001.regtrans-ms
2010-06-07 17:25:52 65536 --sha-w- c:\users\cheryl\ntuser.dat{9bba74e0-7259-11df-a940-001a6bf77243}.TM.blf
2010-06-07 17:25:52 524288 --sha-w- c:\users\cheryl\ntuser.dat{9bba74e0-7259-11df-a940-001a6bf77243}.TMContainer00000000000000000002.regtrans-ms
2010-06-07 17:25:52 524288 --sha-w- c:\users\cheryl\ntuser.dat{9bba74e0-7259-11df-a940-001a6bf77243}.TMContainer00000000000000000001.regtrans-ms
2010-06-07 16:48:32 65536 --sha-w- c:\users\cheryl\ntuser.dat{6195e19d-7254-11df-8190-001a6bf77243}.TM.blf
2010-06-07 16:48:32 524288 --sha-w- c:\users\cheryl\ntuser.dat{6195e19d-7254-11df-8190-001a6bf77243}.TMContainer00000000000000000002.regtrans-ms
2010-06-07 16:48:32 524288 --sha-w- c:\users\cheryl\ntuser.dat{6195e19d-7254-11df-8190-001a6bf77243}.TMContainer00000000000000000001.regtrans-ms
2010-06-07 16:43:47 65536 --sha-w- c:\users\cheryl\ntuser.dat{b4bdc5ff-7253-11df-a192-001a6bf77243}.TM.blf
2010-06-07 16:43:47 524288 --sha-w- c:\users\cheryl\ntuser.dat{b4bdc5ff-7253-11df-a192-001a6bf77243}.TMContainer00000000000000000002.regtrans-ms
2010-06-07 16:43:47 524288 --sha-w- c:\users\cheryl\ntuser.dat{b4bdc5ff-7253-11df-a192-001a6bf77243}.TMContainer00000000000000000001.regtrans-ms
2010-06-01 02:46:54 65536 --sha-w- c:\users\cheryl\ntuser.dat{d389fd01-6d27-11df-801b-001a6bf77243}.TM.blf
2010-06-01 02:46:54 524288 --sha-w- c:\users\cheryl\ntuser.dat{d389fd01-6d27-11df-801b-001a6bf77243}.TMContainer00000000000000000002.regtrans-ms
2010-06-01 02:46:54 524288 --sha-w- c:\users\cheryl\ntuser.dat{d389fd01-6d27-11df-801b-001a6bf77243}.TMContainer00000000000000000001.regtrans-ms
2010-05-25 20:33:40 65536 --sha-w- c:\users\cheryl\ntuser.dat{8085e681-680b-11df-8269-001a6bf77243}.TM.blf
2010-05-25 20:33:40 524288 --sha-w- c:\users\cheryl\ntuser.dat{8085e681-680b-11df-8269-001a6bf77243}.TMContainer00000000000000000002.regtrans-ms
2010-05-25 20:33:40 524288 --sha-w- c:\users\cheryl\ntuser.dat{8085e681-680b-11df-8269-001a6bf77243}.TMContainer00000000000000000001.regtrans-ms
2010-05-25 13:50:51 740864 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-21 15:54:22 65536 --sha-w- c:\users\cheryl\ntuser.dat{fc0c76d3-64f0-11df-834a-bf2121d92c8a}.TM.blf
2010-05-21 15:54:22 524288 --sha-w- c:\users\cheryl\ntuser.dat{fc0c76d3-64f0-11df-834a-bf2121d92c8a}.TMContainer00000000000000000002.regtrans-ms
2010-05-21 15:54:22 524288 --sha-w- c:\users\cheryl\ntuser.dat{fc0c76d3-64f0-11df-834a-bf2121d92c8a}.TMContainer00000000000000000001.regtrans-ms
2010-05-21 15:50:49 65536 --sha-w- c:\users\cheryl\ntuser.dat{38f01980-64f0-11df-96a3-001a6bf77243}.TM.blf
2010-05-21 15:50:49 524288 --sha-w- c:\users\cheryl\ntuser.dat{38f01980-64f0-11df-96a3-001a6bf77243}.TMContainer00000000000000000002.regtrans-ms
2010-05-21 15:50:49 524288 --sha-w- c:\users\cheryl\ntuser.dat{38f01980-64f0-11df-96a3-001a6bf77243}.TMContainer00000000000000000001.regtrans-ms
2010-05-21 15:48:23 250007522 ----a-w- c:\windows\MEMORY.DMP
2010-05-20 20:35:56 0 d-----w- c:\program files\IHSDM_2009_CPM
2010-05-20 01:02:19 0 d-----w- C:\AVATAR
2010-05-20 00:57:58 0 d-----w- C:\IDEALDVDCOPY_TEMP
2010-05-15 20:47:15 0 d-----w- c:\program files\Amazing Adventures The Caribbean Secret
2010-05-08 20:38:38 0 d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

==================== Find3M ====================

2010-06-07 20:22:36 823808 ----a-w- c:\windows\system32\drivers\wxupt.sys
2010-04-29 18:04:49 3664 ------w- C:\bootsqm.dat
2010-04-08 19:56:46 1170 ----a-w- c:\programdata\_VOIDmfeklnmal.dll
2010-03-21 21:03:37 21316 ----a-w- c:\windows\system32\emptyregdb.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 15:23:55.39 ===============



#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK

Posted 10 June 2010 - 05:44 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

Can I see the MBAM log showing the infection? It's in the Logs tab on the MBAM control panel itself.
m0le is a proud member of UNITE

#3 cheryllb

cheryllb
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE

Posted 10 June 2010 - 10:20 PM

Thanks so much for helping me, m0le!
Here's the MBAM log:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3975

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

5/21/2010 3:07:04 PM
mbam-log-2010-05-21 (15-07-04).txt

Scan type: Quick scan
Objects scanned: 117296
Time elapsed: 10 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\drivers\wxupt.sys (Rootkit.Agent) -> Delete on reboot.


#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK

Posted 11 June 2010 - 07:50 PM

Let's run ComboFix and remove this rootkit.

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#5 cheryllb

cheryllb
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE

Posted 13 June 2010 - 01:01 AM

I tried to disable Avira and ThreatFire but honestly could not even find them running anywhere on my computer (no icons by the time/date stamp, nothing in Task Manager, Control Panel/Programs & Features, or Program Files??). When I tried to X out of ComboFix it still continued to run. This is the log I got:

ComboFix 10-06-12.03 - Cheryl 06/13/2010 0:14.1.2 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.2038.983 [GMT -5:00]
Running from: c:\users\Cheryl\Desktop\ComboFix.exe
AV: ThreatFire *On-access scanning enabled* (Updated) {67B2B9A1-25C8-4057-962D-807958FFC9E3}
SP: Avira AntiVir PersonalEdition *enabled* (Outdated) {C19476D9-52BC-4E93-8AF3-CCF59F7AE8FE}
SP: ThreatFire *enabled* (Updated) {79E34F8F-D0AD-48d6-9223-C657C6491F67}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Mozilla Firefox\components\npclntax.xpt
c:\programdata\_VOIDmfeklnmal.dll
c:\users\Cheryl\AppData\Roaming\inst.exe
c:\windows\jestertb.dll
c:\windows\system32\drivers\cqffaef.sys
c:\windows\system32\rundll32.exe.delme223
c:\windows\system32\system

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_mnnmcpm


((((((((((((((((((((((((( Files Created from 2010-05-13 to 2010-06-13 )))))))))))))))))))))))))))))))
.

2010-06-13 05:32 . 2010-06-13 05:32 -------- d-----w- c:\users\Guest\AppData\Local\temp
2010-06-13 05:32 . 2010-06-13 05:32 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-06-09 14:36 . 2010-05-01 14:49 2326528 ----a-w- c:\windows\system32\win32k.sys
2010-06-09 14:36 . 2010-03-05 07:42 67584 ----a-w- c:\windows\system32\asycfilt.dll
2010-06-09 14:36 . 2010-05-21 05:18 977920 ----a-w- c:\windows\system32\wininet.dll
2010-06-09 14:36 . 2010-05-27 07:24 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-06-09 14:36 . 2010-05-27 03:49 293888 ----a-w- c:\windows\system32\atmfd.dll
2010-06-07 17:58 . 2009-09-26 05:58 194488 ----a-w- c:\windows\system32\drivers\fvevol.sys
2010-06-07 17:58 . 2009-12-11 07:44 133720 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2010-06-07 17:58 . 2009-12-11 07:38 1037312 ----a-w- c:\windows\system32\lsasrv.dll
2010-06-07 17:58 . 2009-12-29 06:55 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-06-07 17:57 . 2010-02-27 12:07 3954568 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-06-07 17:57 . 2010-02-27 12:07 3899280 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-06-07 17:57 . 2010-03-08 21:33 427520 ----a-w- c:\windows\system32\vbscript.dll
2010-06-07 17:56 . 2010-01-09 06:52 132608 ----a-w- c:\windows\system32\cabview.dll
2010-06-07 17:56 . 2010-04-23 07:13 2048 ----a-w- c:\windows\system32\tzres.dll
2010-06-07 17:55 . 2010-02-27 07:32 221696 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-06-07 17:55 . 2010-02-27 07:32 95744 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-06-07 17:55 . 2010-02-27 07:32 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-05-25 13:50 . 2010-03-04 07:33 740864 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-20 20:35 . 2010-05-21 18:19 -------- d-----w- c:\program files\IHSDM_2009_CPM
2010-05-20 01:02 . 2010-05-20 01:02 -------- d-----w- C:\AVATAR
2010-05-20 00:57 . 2010-05-20 03:47 -------- d-----w- C:\IDEALDVDCOPY_TEMP
2010-05-15 20:47 . 2010-05-21 18:19 -------- d-----w- c:\program files\Amazing Adventures The Caribbean Secret

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-13 05:44 . 2010-04-08 18:50 823808 ----a-w- c:\windows\system32\drivers\wxupt.sys
2010-06-13 05:42 . 2009-12-23 19:50 -------- d-----w- c:\users\Cheryl\AppData\Roaming\Dropbox
2010-06-13 05:41 . 2010-04-08 20:18 -------- d-----w- c:\programdata\STOPzilla!
2010-06-13 05:41 . 2010-06-13 05:41 823808 ----a-w- c:\windows\system32\drivers\0e7e0ef5d27563b583de29d368149454.szcpf
2010-06-12 04:48 . 2008-11-03 00:03 -------- d-----w- c:\programdata\Google Updater
2010-06-10 21:04 . 2008-07-31 13:30 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-10 21:01 . 2007-10-20 20:24 -------- d-----w- c:\users\Cheryl\AppData\Roaming\LimeWire
2010-06-10 15:10 . 2007-08-18 07:10 -------- d-----w- c:\programdata\Microsoft Help
2010-06-07 20:23 . 2009-06-03 02:59 -------- d-----w- c:\program files\QuickTime
2010-06-07 20:23 . 2010-03-21 22:26 -------- d-----w- c:\program files\iTunes
2010-06-07 20:23 . 2007-10-20 20:24 -------- d-----w- c:\program files\LimeWire
2010-06-07 20:23 . 2009-06-03 03:02 -------- d-----w- c:\program files\Bonjour
2010-06-07 20:23 . 2009-06-03 02:57 -------- d-----w- c:\program files\Apple Software Update
2010-06-07 20:20 . 2009-09-30 17:51 -------- d-----w- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-06-07 20:19 . 2010-03-21 22:26 -------- d-----w- c:\program files\iPod
2010-06-07 20:19 . 2009-06-03 02:53 -------- d-----w- c:\program files\Common Files\Apple
2010-06-07 19:55 . 2010-05-08 20:38 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-05-25 20:48 . 2009-07-14 02:37 -------- d-----w- c:\program files\Windows Mail
2010-05-21 18:46 . 2010-04-08 20:18 -------- d-----w- c:\program files\STOPzilla!
2010-05-21 18:46 . 2009-01-27 18:38 -------- d-----w- c:\programdata\FLEXnet
2010-05-21 18:46 . 2008-12-31 03:39 -------- d-----w- c:\program files\IdealDVDCopy
2010-05-21 18:46 . 2010-02-18 03:35 -------- d-----w- c:\program files\Common Files\ESRI
2010-05-21 18:46 . 2010-04-07 18:43 -------- d-----w- c:\program files\Common Files\AnswerWorks 4.0
2010-05-21 18:46 . 2010-04-07 18:34 -------- d-----w- c:\program files\ArcGIS
2010-05-21 18:45 . 2010-04-28 03:22 -------- d-----w- c:\program files\AWR
2010-05-21 18:41 . 2010-04-07 18:42 -------- d-----w- c:\program files\Leica Geosystems
2010-05-21 18:40 . 2007-10-21 01:09 -------- d-----w- c:\program files\Google
2010-05-21 18:40 . 2010-04-08 20:18 -------- d-----w- c:\program files\Common Files\iS3
2010-05-20 01:38 . 2008-06-15 00:42 -------- d-----w- c:\users\Cheryl\AppData\Roaming\Vso
2010-05-20 01:00 . 2008-06-15 00:48 -------- d-----w- c:\programdata\DVD Shrink
2010-05-13 13:10 . 2009-06-03 03:08 -------- d-----w- c:\users\Cheryl\AppData\Roaming\Apple Computer
2010-04-29 18:04 . 2010-04-29 18:04 3664 ------w- C:\bootsqm.dat
2010-04-24 03:01 . 2010-04-24 03:01 -------- d-----w- c:\programdata\ESRI
2010-03-30 05:46 . 2010-04-10 17:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 05:45 . 2010-04-10 17:25 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-21 21:38 . 2010-03-21 21:38 132408 ----a-w- c:\users\Cheryl\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-21 21:03 . 2010-03-21 21:03 21316 ----a-w- c:\windows\system32\emptyregdb.dat
2010-03-21 16:52 . 2007-10-06 17:25 836 ----a-w- c:\windows\bthservsdp.dat
2008-06-17 00:28 . 2008-06-15 00:10 24 --sha-w- c:\windows\SC1F3F802.tmp
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.
CODE
<pre>
c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl .exe
c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray .exe
c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
c:\program files\Apoint2K\apoint .exe
c:\program files\AVG\AVG9\avgtray .exe
c:\program files\DAEMON Tools Pro\dtproagent .exe
c:\program files\Google\Gmail Notifier\gnotify .exe
c:\program files\Hewlett-Packard\HP Wireless Assistant\hpwamain .exe
c:\program files\Hewlett-Packard\HP Wireless Assistant\wifimsg .exe
c:\program files\HP\HP Software Update\hpwuschd2 .exe
c:\program files\HP\QuickPlay\qpservice .exe
c:\program files\Intel\Intel Matrix Storage Manager\iaanotif .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\QuickTime\qttask  .exe
c:\program files\Yahoo!\Messenger\yahoomessenger .exe
c:\windows\System32\rundll32 .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\users\Cheryl\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\users\Cheryl\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\users\Cheryl\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2009-07-14 144384]
"RESTART_STICKY_NOTES"="c:\windows\System32\StikyNot.exe" [2009-07-14 354304]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-03-09 2769336]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-12 640376]

c:\users\Cheryl\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Cheryl\AppData\Roaming\Dropbox\bin\Dropbox.exe [2010-2-26 21979992]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\acaptuser32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

R0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [2009-12-07 61328]
R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-10-20 722416]
R2 FlexService;Remote Connections Service;c:\program files\RapidBIT\cisvc.exe [2009-05-17 41984]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-27 135664]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2010-01-12 227896]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-09 1343400]
S0 szkg5;szkg5;c:\windows\system32\DRIVERS\szkg.sys [2009-12-07 61328]
S0 szkgfs;szkgfs;c:\windows\system32\drivers\szkgfs.sys [2010-02-24 173328]
S1 aswSP;aswSP; [x]
S2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe [2009-07-14 20992]
S2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe [2009-07-14 20992]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-03-09 51792]
S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2009-07-13 311296]


--- Other Services/Drivers In Memory ---

*Deregistered* - AVGIDSDrivervtx
*Deregistered* - AVGIDSFiltervtx
*Deregistered* - AVGIDSShimvtx
*Deregistered* - AvgRkx86
*Deregistered* - AvgTdiX
*Deregistered* - wxupt

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASBroker ASChannel
GPSvcGroup REG_MULTI_SZ GPSvc
.
Contents of the 'Scheduled Tasks' folder

2010-06-13 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-10-21 03:37]

2010-06-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-27 02:52]

2010-06-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-27 02:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
mStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
Trusted Zone: adecco.com\*.xpert
FF - ProfilePath - c:\users\Cheryl\AppData\Roaming\Mozilla\Firefox\Profiles\olf3sehj.default\
FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/?src=aim&ncid=snsusaimc00000001
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50-ff-aim-ab-en-us&query=
FF - component: c:\users\Cheryl\AppData\Roaming\Mozilla\Firefox\Profiles\olf3sehj.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
FF - component: c:\users\Cheryl\AppData\Roaming\Mozilla\Firefox\Profiles\olf3sehj.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nppopcaploader.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\users\Cheryl\AppData\Roaming\Mozilla\Firefox\Profiles\olf3sehj.default\extensions\{0C7E3F01-99E9-4095-9BDC-F84724960B57}\plugins\NPCpnMgr.dll
FF - plugin: c:\users\Cheryl\AppData\Roaming\Mozilla\Firefox\Profiles\olf3sehj.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(yahoo.homepage.dontask, true);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - (no file)
AddRemove-CNXT_AUDIO_HDA - c:\program files\CONEXANT\CNXT_AUDIO_HDA\UIU32a.exe
AddRemove-IHSDMCPM - g:\ihsdm\IHSDM_2009_CPM\uninstall.exe
AddRemove-WT021402 - c:\program files\HP Games\Family Feud\Uninstall.exe



[HKEY_LOCAL_MACHINE\system\ControlSet001\services\wxupt]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(2352)
c:\users\Cheryl\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll
c:\windows\system32\btncopy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\iS3\Anti-Spyware\SZServer.exe
c:\program files\Alwil Software\Avast5\avastui.exe
c:\windows\system32\conhost.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\taskhost.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CISVC.EXE
c:\program files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\HP\QuickPlay\Kernel\TV\CLSched.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\RapidBIT\cidaemon.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\windows\system32\sppsvc.exe
.
**************************************************************************
.
Completion time: 2010-06-13 00:53:05 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-13 05:53

Pre-Run: 21,015,318,528 bytes free
Post-Run: 21,376,319,488 bytes free

- - End Of File - - 26543E4205F0E38A174BC5FF61ABDCBA
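The log above and the post-script log later in the thread both list c:\windows\system32\drivers\wxupt.sys at 823808 bytes, with its last-write time moving from 05:44 to 21:00 between the runs (the file timestamps in these listings run five hours ahead of the local completion time, so they are UTC and both fall inside a ComboFix session), while the wxupt service appears only as an orphaned key and as "*Deregistered*" in memory. The first log also shows a second file of exactly the same size, 0e7e0ef5d27563b583de29d368149454.szcpf, created in the same directory three minutes earlier; the log does not say what wrote it. The script below is an added example, not part of ComboFix or of any post in this thread: it parses the Find3M lines and the in-memory driver list from constructed excerpts copied from the two logs and surfaces those three facts for any driver name you give it.

```python
"""Triage one driver across two ComboFix logs (added example, not from the thread)."""
import re

# Constructed excerpts copied from the two logs in the thread: first run,
# then the run after the CFScript.  Only the lines the checks use are kept.
LOG_RUN1 = """\
2010-06-13 05:44 . 2010-04-08 18:50 823808 ----a-w- c:\\windows\\system32\\drivers\\wxupt.sys
2010-06-13 05:41 . 2010-06-13 05:41 823808 ----a-w- c:\\windows\\system32\\drivers\\0e7e0ef5d27563b583de29d368149454.szcpf
2010-03-30 05:46 . 2010-04-10 17:25 38224 ----a-w- c:\\windows\\system32\\drivers\\mbamswissarmy.sys
--- Other Services/Drivers In Memory ---

*Deregistered* - AvgTdiX
*Deregistered* - wxupt
"""
LOG_RUN2 = """\
2010-06-13 21:00 . 2010-04-08 18:50 823808 ----a-w- c:\\windows\\system32\\drivers\\wxupt.sys
2010-03-30 05:46 . 2010-04-10 17:25 38224 ----a-w- c:\\windows\\system32\\drivers\\mbamswissarmy.sys
--- Other Services/Drivers In Memory ---

*Deregistered* - wxupt
"""

# ComboFix file line: <last-write> . <created> <size|-------> <attrs> <path>
_FILE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d) "
    r"(\d+|-+) (\S+) (.+?)\s*$", re.M)
_DEREG = re.compile(r"^\*Deregistered\* - (\S+)", re.M)


def file_entries(log):
    """Parse the file lines; a size of dashes marks a directory (size None)."""
    out = []
    for mtime, ctime, size, attrs, path in _FILE.findall(log):
        out.append({"mtime": mtime, "ctime": ctime,
                    "size": None if size.startswith("-") else int(size),
                    "attrs": attrs, "path": path.lower()})
    return out


def entry(log, path):
    """The parsed line for one path (case-insensitive), or None."""
    path = path.lower()
    for e in file_entries(log):
        if e["path"] == path:
            return e
    return None


def mtime_change(before, after, path):
    """(old, new) last-write times if the file was rewritten between runs."""
    a, b = entry(before, path), entry(after, path)
    if a is None or b is None or a["mtime"] == b["mtime"]:
        return None
    return (a["mtime"], b["mtime"])


def same_size_siblings(log, path):
    """Other files in the same directory with exactly the target's size."""
    tgt = entry(log, path)
    if tgt is None or tgt["size"] is None:
        return []
    folder = tgt["path"].rsplit("\\", 1)[0]
    return [e["path"] for e in file_entries(log)
            if e["path"] != tgt["path"] and e["size"] == tgt["size"]
            and e["path"].rsplit("\\", 1)[0] == folder]


def deregistered(log):
    """Driver/service names ComboFix reports as deregistered but in memory."""
    return _DEREG.findall(log)


if __name__ == "__main__":
    drv = r"c:\windows\system32\drivers\wxupt.sys"
    print("rewritten between runs:", mtime_change(LOG_RUN1, LOG_RUN2, drv))
    print("same-size siblings (run 1):", same_size_siblings(LOG_RUN1, drv))
    print("deregistered in run 2:", deregistered(LOG_RUN2))
```

A last-write time that advances while the service key is gone is the kind of detail worth stating explicitly in the next reply rather than leaving buried in a 300-line listing; the size match is a cheap way to spot copies of the same binary under a different name.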


#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:03:19 PM

Posted 13 June 2010 - 03:06 PM

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
RenV::
c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl .exe
c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray .exe
c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
c:\program files\Apoint2K\apoint .exe
c:\program files\AVG\AVG9\avgtray .exe
c:\program files\DAEMON Tools Pro\dtproagent .exe
c:\program files\Google\Gmail Notifier\gnotify .exe
c:\program files\Hewlett-Packard\HP Wireless Assistant\hpwamain .exe
c:\program files\Hewlett-Packard\HP Wireless Assistant\wifimsg .exe
c:\program files\HP\HP Software Update\hpwuschd2 .exe
c:\program files\HP\QuickPlay\qpservice .exe
c:\program files\Intel\Intel Matrix Storage Manager\iaanotif .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\QuickTime\qttask .exe
c:\program files\Yahoo!\Messenger\yahoomessenger .exe
c:\windows\System32\rundll32 .exe

Registry::
[-HKEY_LOCAL_MACHINE\system\ControlSet001\services\wxupt]

RegLock::
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]

Driver::
aswSP
aswFsBlk


Save this as CFScript.txt, in the same location as Comfix.exe (called ComboFix.exe in the below graphic)

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
m0le is a proud member of UNITE
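The ComboFix listing in the previous post shows sixteen files whose names carry a space before the extension (acrotray .exe, rundll32 .exe and so on), and the RenV:: block above is meant to rename them back. One caveat for anyone reusing this procedure: a RenV:: path has to name the file exactly, and the listing is emitted inside a <pre> block precisely so that whitespace survives, whereas text copied out of a rendered reply box can lose it. In the log the QuickTime entry reads "qttask  .exe" with two spaces; in the quoted script as rendered on the page it has one. The script below is an added example, not part of ComboFix or of any post in this thread: it extracts the <pre> block verbatim from a constructed log excerpt, generates a RenV:: block straight from it, and reports which log entries a hand-typed script does not match byte for byte.

```python
"""Cross-check a CFScript RenV:: block against the ComboFix log it came from.

Added example for this thread, not ComboFix code and not from any post here.
"""
import re

# Constructed excerpt modelled on the first log in the thread.  The two
# spaces in "qttask  .exe" are reproduced from the log's <pre> block.
LOG_BEFORE = """\
.
CODE
<pre>
c:\\program files\\Adobe\\Acrobat 9.0\\Acrobat\\acrotray .exe
c:\\program files\\Java\\jre6\\bin\\jusched .exe
c:\\program files\\QuickTime\\qttask  .exe
c:\\windows\\System32\\rundll32 .exe
</pre>

((((((((((( Reg Loading Points )))))))))))
"""

# A hand-typed script as it renders on the page: one space for qttask.
SCRIPT = """\
RenV::
c:\\program files\\Adobe\\Acrobat 9.0\\Acrobat\\acrotray .exe
c:\\program files\\Java\\jre6\\bin\\jusched .exe
c:\\program files\\QuickTime\\qttask .exe
c:\\windows\\System32\\rundll32 .exe

Registry::
[-HKEY_LOCAL_MACHINE\\system\\ControlSet001\\services\\wxupt]
"""

_PRE = re.compile(r"<pre>\n(.*?)</pre>", re.S)


def renamed_entries(log):
    """Lines of the <pre> block, verbatim (only the newline removed)."""
    m = _PRE.search(log)
    if not m:
        return []
    return [ln for ln in m.group(1).split("\n") if ln.strip()]


def script_section(script, name):
    """Lines of one directive block (e.g. 'RenV') up to the next blank line."""
    lines = script.split("\n")
    try:
        start = lines.index(name + "::") + 1
    except ValueError:
        return []
    out = []
    for ln in lines[start:]:
        if not ln.strip():
            break
        out.append(ln)
    return out


def unmatched(log, script):
    """Log entries that have no byte-identical line in the script's RenV:: block."""
    wanted = set(script_section(script, "RenV"))
    return [e for e in renamed_entries(log) if e not in wanted]


def build_renv(log):
    """Generate the RenV:: block from the log itself so every space is kept."""
    return "RenV::\n" + "\n".join(renamed_entries(log)) + "\n"


if __name__ == "__main__":
    for e in unmatched(LOG_BEFORE, SCRIPT):
        print("no exact RenV:: match for:", repr(e))
    print(build_renv(LOG_BEFORE))
```

Generating the block from the log rather than retyping it removes the whitespace question entirely; the remaining entries in the post-script log include two that were copied exactly, so an unmatched path is not the only reason a rename can fail to stick.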

#7 cheryllb

cheryllb
  • Topic Starter

  • Members
  • 29 posts
  • Local time:10:19 AM

Posted 13 June 2010 - 04:12 PM

I did what you asked and here's the log. Thanks so much for helping me!

ComboFix 10-06-12.03 - Cheryl 06/13/2010 15:43:37.2.2 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.2038.1230 [GMT -5:00]
Running from: c:\users\Cheryl\Desktop\ComboFix.exe
Command switches used :: c:\users\Cheryl\Desktop\CFScript.txt
AV: ThreatFire *On-access scanning enabled* (Updated) {67B2B9A1-25C8-4057-962D-807958FFC9E3}
SP: Avira AntiVir PersonalEdition *enabled* (Outdated) {C19476D9-52BC-4E93-8AF3-CCF59F7AE8FE}
SP: ThreatFire *enabled* (Updated) {79E34F8F-D0AD-48d6-9223-C657C6491F67}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASWFSBLK
-------\Legacy_ASWSP
-------\Service_aswFsBlk
-------\Service_aswSP


((((((((((((((((((((((((( Files Created from 2010-05-13 to 2010-06-13 )))))))))))))))))))))))))))))))
.

2010-06-13 20:55 . 2010-06-13 20:55 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-06-13 20:55 . 2010-06-13 20:55 -------- d-----w- c:\users\Guest\AppData\Local\temp
2010-06-13 20:55 . 2010-06-13 20:55 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-06-13 20:40 . 2010-06-13 20:41 -------- d-----w- C:\32788R22FWJFW
2010-06-09 14:36 . 2010-05-01 14:49 2326528 ----a-w- c:\windows\system32\win32k.sys
2010-06-09 14:36 . 2010-03-05 07:42 67584 ----a-w- c:\windows\system32\asycfilt.dll
2010-06-09 14:36 . 2010-05-21 05:18 977920 ----a-w- c:\windows\system32\wininet.dll
2010-06-09 14:36 . 2010-05-27 07:24 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-06-09 14:36 . 2010-05-27 03:49 293888 ----a-w- c:\windows\system32\atmfd.dll
2010-06-07 17:58 . 2009-09-26 05:58 194488 ----a-w- c:\windows\system32\drivers\fvevol.sys
2010-06-07 17:58 . 2009-12-11 07:44 133720 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2010-06-07 17:58 . 2009-12-11 07:38 1037312 ----a-w- c:\windows\system32\lsasrv.dll
2010-06-07 17:58 . 2009-12-29 06:55 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-06-07 17:57 . 2010-02-27 12:07 3954568 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-06-07 17:57 . 2010-02-27 12:07 3899280 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-06-07 17:57 . 2010-03-08 21:33 427520 ----a-w- c:\windows\system32\vbscript.dll
2010-06-07 17:56 . 2010-01-09 06:52 132608 ----a-w- c:\windows\system32\cabview.dll
2010-06-07 17:56 . 2010-04-23 07:13 2048 ----a-w- c:\windows\system32\tzres.dll
2010-06-07 17:55 . 2010-02-27 07:32 221696 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-06-07 17:55 . 2010-02-27 07:32 95744 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-06-07 17:55 . 2010-02-27 07:32 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-05-25 13:50 . 2010-03-04 07:33 740864 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-20 20:35 . 2010-05-21 18:19 -------- d-----w- c:\program files\IHSDM_2009_CPM
2010-05-20 01:02 . 2010-05-20 01:02 -------- d-----w- C:\AVATAR
2010-05-20 00:57 . 2010-05-20 03:47 -------- d-----w- C:\IDEALDVDCOPY_TEMP
2010-05-15 20:47 . 2010-05-21 18:19 -------- d-----w- c:\program files\Amazing Adventures The Caribbean Secret

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-13 21:00 . 2010-04-08 18:50 823808 ----a-w- c:\windows\system32\drivers\wxupt.sys
2010-06-13 20:58 . 2009-12-23 19:50 -------- d-----w- c:\users\Cheryl\AppData\Roaming\Dropbox
2010-06-13 20:57 . 2010-04-08 20:18 -------- d-----w- c:\programdata\STOPzilla!
2010-06-13 20:43 . 2010-03-21 20:00 -------- d-----w- c:\program files\Apoint2K
2010-06-13 20:43 . 2009-10-20 01:25 -------- d-----w- c:\program files\DAEMON Tools Pro
2010-06-13 05:49 . 2008-11-03 00:03 -------- d-----w- c:\programdata\Google Updater
2010-06-10 21:04 . 2008-07-31 13:30 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-10 21:01 . 2007-10-20 20:24 -------- d-----w- c:\users\Cheryl\AppData\Roaming\LimeWire
2010-06-10 15:10 . 2007-08-18 07:10 -------- d-----w- c:\programdata\Microsoft Help
2010-06-07 20:23 . 2009-06-03 02:59 -------- d-----w- c:\program files\QuickTime
2010-06-07 20:23 . 2010-03-21 22:26 -------- d-----w- c:\program files\iTunes
2010-06-07 20:23 . 2007-10-20 20:24 -------- d-----w- c:\program files\LimeWire
2010-06-07 20:23 . 2009-06-03 03:02 -------- d-----w- c:\program files\Bonjour
2010-06-07 20:23 . 2009-06-03 02:57 -------- d-----w- c:\program files\Apple Software Update
2010-06-07 20:20 . 2009-09-30 17:51 -------- d-----w- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-06-07 20:19 . 2010-03-21 22:26 -------- d-----w- c:\program files\iPod
2010-06-07 20:19 . 2009-06-03 02:53 -------- d-----w- c:\program files\Common Files\Apple
2010-06-07 19:55 . 2010-05-08 20:38 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-05-25 20:48 . 2009-07-14 02:37 -------- d-----w- c:\program files\Windows Mail
2010-05-21 18:46 . 2010-04-08 20:18 -------- d-----w- c:\program files\STOPzilla!
2010-05-21 18:46 . 2009-01-27 18:38 -------- d-----w- c:\programdata\FLEXnet
2010-05-21 18:46 . 2008-12-31 03:39 -------- d-----w- c:\program files\IdealDVDCopy
2010-05-21 18:46 . 2010-02-18 03:35 -------- d-----w- c:\program files\Common Files\ESRI
2010-05-21 18:46 . 2010-04-07 18:43 -------- d-----w- c:\program files\Common Files\AnswerWorks 4.0
2010-05-21 18:46 . 2010-04-07 18:34 -------- d-----w- c:\program files\ArcGIS
2010-05-21 18:45 . 2010-04-28 03:22 -------- d-----w- c:\program files\AWR
2010-05-21 18:41 . 2010-04-07 18:42 -------- d-----w- c:\program files\Leica Geosystems
2010-05-21 18:40 . 2007-10-21 01:09 -------- d-----w- c:\program files\Google
2010-05-21 18:40 . 2010-04-08 20:18 -------- d-----w- c:\program files\Common Files\iS3
2010-05-20 01:38 . 2008-06-15 00:42 -------- d-----w- c:\users\Cheryl\AppData\Roaming\Vso
2010-05-20 01:00 . 2008-06-15 00:48 -------- d-----w- c:\programdata\DVD Shrink
2010-05-13 13:10 . 2009-06-03 03:08 -------- d-----w- c:\users\Cheryl\AppData\Roaming\Apple Computer
2010-04-29 18:04 . 2010-04-29 18:04 3664 ------w- C:\bootsqm.dat
2010-04-24 03:01 . 2010-04-24 03:01 -------- d-----w- c:\programdata\ESRI
2010-03-30 05:46 . 2010-04-10 17:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 05:45 . 2010-04-10 17:25 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-21 21:38 . 2010-03-21 21:38 132408 ----a-w- c:\users\Cheryl\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-21 21:03 . 2010-03-21 21:03 21316 ----a-w- c:\windows\system32\emptyregdb.dat
2010-03-21 16:52 . 2007-10-06 17:25 836 ----a-w- c:\windows\bthservsdp.dat
2008-06-17 00:28 . 2008-06-15 00:10 24 --sha-w- c:\windows\SC1F3F802.tmp
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.
CODE
<pre>
c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray .exe
c:\program files\QuickTime\qttask  .exe
c:\windows\System32\rundll32 .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\users\Cheryl\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\users\Cheryl\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\users\Cheryl\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2009-07-14 144384]
"RESTART_STICKY_NOTES"="c:\windows\System32\StikyNot.exe" [2009-07-14 354304]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-12 640376]

c:\users\Cheryl\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Cheryl\AppData\Roaming\Dropbox\bin\Dropbox.exe [2010-2-26 21979992]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\acaptuser32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

R0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [2009-12-07 61328]
R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-10-20 722416]
R2 FlexService;Remote Connections Service;c:\program files\RapidBIT\cisvc.exe [2009-05-17 41984]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-27 135664]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2010-01-12 227896]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-09 1343400]
S0 szkg5;szkg5;c:\windows\system32\DRIVERS\szkg.sys [2009-12-07 61328]
S0 szkgfs;szkgfs;c:\windows\system32\drivers\szkgfs.sys [2010-02-24 173328]
S2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe [2009-07-14 20992]
S2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe [2009-07-14 20992]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-03-09 51792]
S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2009-07-13 311296]


--- Other Services/Drivers In Memory ---

*Deregistered* - AVGIDSDrivervtx
*Deregistered* - AVGIDSFiltervtx
*Deregistered* - AVGIDSShimvtx
*Deregistered* - AvgRkx86
*Deregistered* - AvgTdiX
*Deregistered* - wxupt

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASBroker ASChannel
GPSvcGroup REG_MULTI_SZ GPSvc
.
Contents of the 'Scheduled Tasks' folder

2010-06-13 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-10-21 03:37]

2010-06-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-27 02:52]

2010-06-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-27 02:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
mStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
Trusted Zone: adecco.com\*.xpert
FF - ProfilePath - c:\users\Cheryl\AppData\Roaming\Mozilla\Firefox\Profiles\olf3sehj.default\
FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/?src=aim&ncid=snsusaimc00000001
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50-ff-aim-ab-en-us&query=
FF - component: c:\users\Cheryl\AppData\Roaming\Mozilla\Firefox\Profiles\olf3sehj.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
FF - component: c:\users\Cheryl\AppData\Roaming\Mozilla\Firefox\Profiles\olf3sehj.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nppopcaploader.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\users\Cheryl\AppData\Roaming\Mozilla\Firefox\Profiles\olf3sehj.default\extensions\{0C7E3F01-99E9-4095-9BDC-F84724960B57}\plugins\NPCpnMgr.dll
FF - plugin: c:\users\Cheryl\AppData\Roaming\Mozilla\Firefox\Profiles\olf3sehj.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(yahoo.homepage.dontask, true);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

[HKEY_LOCAL_MACHINE\system\ControlSet001\services\wxupt]

.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(3608)
c:\users\Cheryl\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll
c:\windows\system32\btncopy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\avastui.exe
c:\windows\system32\conhost.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\taskhost.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CISVC.EXE
c:\program files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\HP\QuickPlay\Kernel\TV\CLSched.exe
c:\program files\STOPzilla!\STOPzilla.exe
c:\program files\RapidBIT\cidaemon.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\windows\system32\sppsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2010-06-13 16:08:11 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-13 21:08
ComboFix2.txt 2010-06-13 05:53

Pre-Run: 21,427,335,168 bytes free
Post-Run: 21,138,931,712 bytes free

- - End Of File - - E40D8493C19F565ECFC3E38F0B8B5246


#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:03:19 PM

Posted 13 June 2010 - 05:25 PM

You're welcome for the help. We still have a file infector active here so please rerun Combofix with the following instructions

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

CODE
RenV::
c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray .exe
c:\program files\QuickTime\qttask  .exe
c:\windows\System32\rundll32 .exe

File::
c:\windows\system32\drivers\wxupt.sys


Save this as CFScript.txt, in the same location as ComboFix.exe (called ComboFix.exe in the below graphic)

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
m0le is a proud member of UNITE

#9 cheryllb

cheryllb
  • Topic Starter

  • Members
  • 29 posts
  • Local time:10:19 AM

Posted 13 June 2010 - 06:07 PM

ok, ran it again with that code. here's the log.

ComboFix 10-06-12.03 - Cheryl 06/13/2010 17:30:12.3.2 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.2038.1031 [GMT -5:00]
Running from: c:\users\Cheryl\Desktop\ComboFix.exe
Command switches used :: c:\users\Cheryl\Desktop\CFScript.txt
AV: ThreatFire *On-access scanning enabled* (Updated) {67B2B9A1-25C8-4057-962D-807958FFC9E3}
SP: Avira AntiVir PersonalEdition *enabled* (Outdated) {C19476D9-52BC-4E93-8AF3-CCF59F7AE8FE}
SP: ThreatFire *enabled* (Updated) {79E34F8F-D0AD-48d6-9223-C657C6491F67}

FILE ::
"c:\windows\system32\drivers\wxupt.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\wxupt.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_wxupt
-------\Service_wxupt


((((((((((((((((((((((((( Files Created from 2010-05-13 to 2010-06-13 )))))))))))))))))))))))))))))))
.

2010-06-13 22:40 . 2010-06-13 22:40 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-06-13 22:40 . 2010-06-13 22:40 -------- d-----w- c:\users\Guest\AppData\Local\temp
2010-06-13 22:40 . 2010-06-13 22:40 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-06-13 22:27 . 2010-06-13 22:28 -------- d-----w- C:\32788R22FWJFW
2010-06-09 14:36 . 2010-05-01 14:49 2326528 ----a-w- c:\windows\system32\win32k.sys
2010-06-09 14:36 . 2010-03-05 07:42 67584 ----a-w- c:\windows\system32\asycfilt.dll
2010-06-09 14:36 . 2010-05-21 05:18 977920 ----a-w- c:\windows\system32\wininet.dll
2010-06-09 14:36 . 2010-05-27 07:24 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-06-09 14:36 . 2010-05-27 03:49 293888 ----a-w- c:\windows\system32\atmfd.dll
2010-06-07 17:58 . 2009-09-26 05:58 194488 ----a-w- c:\windows\system32\drivers\fvevol.sys
2010-06-07 17:58 . 2009-12-11 07:44 133720 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2010-06-07 17:58 . 2009-12-11 07:38 1037312 ----a-w- c:\windows\system32\lsasrv.dll
2010-06-07 17:58 . 2009-12-29 06:55 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-06-07 17:57 . 2010-02-27 12:07 3954568 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-06-07 17:57 . 2010-02-27 12:07 3899280 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-06-07 17:57 . 2010-03-08 21:33 427520 ----a-w- c:\windows\system32\vbscript.dll
2010-06-07 17:56 . 2010-01-09 06:52 132608 ----a-w- c:\windows\system32\cabview.dll
2010-06-07 17:56 . 2010-04-23 07:13 2048 ----a-w- c:\windows\system32\tzres.dll
2010-06-07 17:55 . 2010-02-27 07:32 221696 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-06-07 17:55 . 2010-02-27 07:32 95744 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-06-07 17:55 . 2010-02-27 07:32 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-05-25 13:50 . 2010-03-04 07:33 740864 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-20 20:35 . 2010-05-21 18:19 -------- d-----w- c:\program files\IHSDM_2009_CPM
2010-05-20 01:02 . 2010-05-20 01:02 -------- d-----w- C:\AVATAR
2010-05-20 00:57 . 2010-05-20 03:47 -------- d-----w- C:\IDEALDVDCOPY_TEMP
2010-05-15 20:47 . 2010-05-21 18:19 -------- d-----w- c:\program files\Amazing Adventures The Caribbean Secret

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-13 22:59 . 2009-12-23 19:50 -------- d-----w- c:\users\Cheryl\AppData\Roaming\Dropbox
2010-06-13 22:58 . 2010-06-13 22:47 640 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-06-13 22:58 . 2010-04-08 20:18 -------- d-----w- c:\programdata\STOPzilla!
2010-06-13 22:41 . 2010-06-13 22:41 823808 ----a-w- c:\windows\system32\drivers\0e7e0ef5d27563b583de29d368149454.szcpf
2010-06-13 22:29 . 2009-06-03 02:59 -------- d-----w- c:\program files\QuickTime
2010-06-13 20:43 . 2010-03-21 20:00 -------- d-----w- c:\program files\Apoint2K
2010-06-13 20:43 . 2009-10-20 01:25 -------- d-----w- c:\program files\DAEMON Tools Pro
2010-06-13 05:49 . 2008-11-03 00:03 -------- d-----w- c:\programdata\Google Updater
2010-06-10 21:04 . 2008-07-31 13:30 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-10 21:01 . 2007-10-20 20:24 -------- d-----w- c:\users\Cheryl\AppData\Roaming\LimeWire
2010-06-10 15:10 . 2007-08-18 07:10 -------- d-----w- c:\programdata\Microsoft Help
2010-06-07 20:23 . 2010-03-21 22:26 -------- d-----w- c:\program files\iTunes
2010-06-07 20:23 . 2007-10-20 20:24 -------- d-----w- c:\program files\LimeWire
2010-06-07 20:23 . 2009-06-03 03:02 -------- d-----w- c:\program files\Bonjour
2010-06-07 20:23 . 2009-06-03 02:57 -------- d-----w- c:\program files\Apple Software Update
2010-06-07 20:20 . 2009-09-30 17:51 -------- d-----w- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-06-07 20:19 . 2010-03-21 22:26 -------- d-----w- c:\program files\iPod
2010-06-07 20:19 . 2009-06-03 02:53 -------- d-----w- c:\program files\Common Files\Apple
2010-06-07 19:55 . 2010-05-08 20:38 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-05-25 20:48 . 2009-07-14 02:37 -------- d-----w- c:\program files\Windows Mail
2010-05-21 18:46 . 2010-04-08 20:18 -------- d-----w- c:\program files\STOPzilla!
2010-05-21 18:46 . 2009-01-27 18:38 -------- d-----w- c:\programdata\FLEXnet
2010-05-21 18:46 . 2008-12-31 03:39 -------- d-----w- c:\program files\IdealDVDCopy
2010-05-21 18:46 . 2010-02-18 03:35 -------- d-----w- c:\program files\Common Files\ESRI
2010-05-21 18:46 . 2010-04-07 18:43 -------- d-----w- c:\program files\Common Files\AnswerWorks 4.0
2010-05-21 18:46 . 2010-04-07 18:34 -------- d-----w- c:\program files\ArcGIS
2010-05-21 18:45 . 2010-04-28 03:22 -------- d-----w- c:\program files\AWR
2010-05-21 18:41 . 2010-04-07 18:42 -------- d-----w- c:\program files\Leica Geosystems
2010-05-21 18:40 . 2007-10-21 01:09 -------- d-----w- c:\program files\Google
2010-05-21 18:40 . 2010-04-08 20:18 -------- d-----w- c:\program files\Common Files\iS3
2010-05-20 01:38 . 2008-06-15 00:42 -------- d-----w- c:\users\Cheryl\AppData\Roaming\Vso
2010-05-20 01:00 . 2008-06-15 00:48 -------- d-----w- c:\programdata\DVD Shrink
2010-05-13 13:10 . 2009-06-03 03:08 -------- d-----w- c:\users\Cheryl\AppData\Roaming\Apple Computer
2010-04-29 18:04 . 2010-04-29 18:04 3664 ------w- C:\bootsqm.dat
2010-04-24 03:01 . 2010-04-24 03:01 -------- d-----w- c:\programdata\ESRI
2010-04-08 14:51 . 2010-04-08 14:51 4076824 ----a-w- c:\programdata\avg9\update\backup\avgui.exe
2010-04-08 14:51 . 2010-04-08 14:51 2059544 ----a-w- c:\programdata\avg9\update\backup\avgtray.exe
2010-04-08 14:51 . 2010-04-08 14:51 1598744 ----a-w- c:\programdata\avg9\update\backup\avgssie.dll
2010-04-08 14:51 . 2010-04-08 14:51 1515224 ----a-w- c:\programdata\avg9\update\backup\avgwd.dll
2010-04-08 14:51 . 2010-04-08 14:51 1274136 ----a-w- c:\programdata\avg9\update\backup\avgfrw.exe
2010-04-08 14:51 . 2010-04-08 14:51 598296 ----a-w- c:\programdata\avg9\update\backup\avgsrmx.dll
2010-04-08 14:51 . 2010-04-08 14:51 4250976 ----a-w- c:\programdata\avg9\update\backup\avgcorex.dll
2010-04-08 14:51 . 2010-04-08 14:51 313112 ----a-w- c:\programdata\avg9\update\backup\avglogx.dll
2010-04-08 14:51 . 2010-04-08 14:51 459544 ----a-w- c:\programdata\avg9\update\backup\avgcclix.dll
2010-04-08 14:51 . 2010-04-08 14:51 1086744 ----a-w- c:\programdata\avg9\update\backup\avgchsvx.exe
2010-04-08 14:51 . 2010-04-08 14:51 556824 ----a-w- c:\programdata\avg9\update\backup\avgchjwx.dll
2010-04-08 14:51 . 2010-04-08 14:51 301336 ----a-w- c:\programdata\avg9\update\backup\avgchclx.dll
2010-04-08 14:50 . 2010-04-08 14:50 1035032 ----a-w- c:\programdata\avg9\update\backup\avgupd.exe
2010-04-08 14:50 . 2010-04-08 14:50 1685784 ----a-w- c:\programdata\avg9\update\backup\avgupd.dll
2010-03-30 05:46 . 2010-04-10 17:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 05:45 . 2010-04-10 17:25 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-23 01:26 . 2010-03-23 01:26 21979992 ----a-w- c:\programdata\Microsoft\Windows Defender\LocalCopy\{129DD95F-DEAC-150C-BC25-8A8FA0D12FE9}-Dropbox.exe
2010-03-21 21:38 . 2010-03-21 21:38 132408 ----a-w- c:\users\Cheryl\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-21 21:03 . 2010-03-21 21:03 21316 ----a-w- c:\windows\system32\emptyregdb.dat
2010-03-21 16:52 . 2007-10-06 17:25 836 ----a-w- c:\windows\bthservsdp.dat
2008-06-17 00:28 . 2008-06-15 00:10 24 --sha-w- c:\windows\SC1F3F802.tmp
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.
CODE
c:\windows\System32\rundll32 .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\users\Cheryl\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\users\Cheryl\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\users\Cheryl\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2009-07-14 144384]
"RESTART_STICKY_NOTES"="c:\windows\System32\StikyNot.exe" [2009-07-14 354304]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-12 640376]

c:\users\Cheryl\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Cheryl\AppData\Roaming\Dropbox\bin\Dropbox.exe [2010-2-26 21979992]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\acaptuser32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

R0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [2009-12-07 61328]
R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-10-20 722416]
R2 FlexService;Remote Connections Service;c:\program files\RapidBIT\cisvc.exe [2009-05-17 41984]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-27 135664]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2010-01-12 227896]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-09 1343400]
S0 szkg5;szkg5;c:\windows\system32\DRIVERS\szkg.sys [2009-12-07 61328]
S0 szkgfs;szkgfs;c:\windows\system32\drivers\szkgfs.sys [2010-02-24 173328]
S2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe [2009-07-14 20992]
S2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe [2009-07-14 20992]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-03-09 51792]
S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]


--- Other Services/Drivers In Memory ---

*Deregistered* - AVGIDSDrivervtx
*Deregistered* - AVGIDSFiltervtx
*Deregistered* - AVGIDSShimvtx
*Deregistered* - AvgRkx86
*Deregistered* - AvgTdiX

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASBroker ASChannel
GPSvcGroup REG_MULTI_SZ GPSvc
.
Contents of the 'Scheduled Tasks' folder

2010-06-13 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-10-21 03:37]

2010-06-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-27 02:52]

2010-06-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-27 02:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
mStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
Trusted Zone: adecco.com\*.xpert
FF - ProfilePath - c:\users\Cheryl\AppData\Roaming\Mozilla\Firefox\Profiles\olf3sehj.default\
FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/?src=aim&ncid=snsusaimc00000001
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50-ff-aim-ab-en-us&query=
FF - component: c:\users\Cheryl\AppData\Roaming\Mozilla\Firefox\Profiles\olf3sehj.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
FF - component: c:\users\Cheryl\AppData\Roaming\Mozilla\Firefox\Profiles\olf3sehj.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nppopcaploader.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\users\Cheryl\AppData\Roaming\Mozilla\Firefox\Profiles\olf3sehj.default\extensions\{0C7E3F01-99E9-4095-9BDC-F84724960B57}\plugins\NPCpnMgr.dll
FF - plugin: c:\users\Cheryl\AppData\Roaming\Mozilla\Firefox\Profiles\olf3sehj.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(yahoo.homepage.dontask, true);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(2572)
c:\users\Cheryl\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll
c:\windows\system32\btncopy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\iS3\Anti-Spyware\SZServer.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CISVC.EXE
c:\program files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\HP\QuickPlay\Kernel\TV\CLSched.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\RapidBIT\cidaemon.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\taskhost.exe
.
**************************************************************************
.
Completion time: 2010-06-13 18:06:24 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-13 23:06
ComboFix2.txt 2010-06-13 21:08
ComboFix3.txt 2010-06-13 05:53

Pre-Run: 21,193,633,792 bytes free
Post-Run: 21,146,857,472 bytes free

- - End Of File - - BA647EBCBF47477CC2A1C610578443F5
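An added triage script for the kind of log posted above; it is not part of this thread and not a ComboFix component. It reads the three sections a helper looks at first: what ComboFix deleted, which Legacy_/Service_ entries went with it, and the Reg Loading Points block, where the log above shows "EnableLUA"= 0 (UAC switched off), an AppInit_DLLs entry, and several R0/S0 boot-start drivers. The section banners and line formats are ComboFix's own; the embedded excerpt is a constructed, shortened re-typing of lines from the log (not verbatim), and the function names and the wording of the findings are the example's.

```python
"""Pull the first-look findings out of a ComboFix log.

Added example for this thread: section banners and line formats are
ComboFix's own, the parser and the wording of the findings are not."""
import re
from dataclasses import dataclass, field

# Constructed excerpt: a shortened re-typing of the log posted above (not verbatim).
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\drivers\wxupt.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_wxupt
-------\Service_wxupt

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\acaptuser32.dll

R0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [2009-12-07 61328]
R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-10-20 722416]
R2 FlexService;Remote Connections Service;c:\program files\RapidBIT\cisvc.exe [2009-05-17 41984]
S0 szkg5;szkg5;c:\windows\system32\DRIVERS\szkg.sys [2009-12-07 61328]
"""

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")  # (((( Section Name ))))
REG_KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
REG_VAL_RE = re.compile(r'^"([^"]+)"\s*=\s*(.+)$')
# <R|S><start type> name;display name;path [yyyy-mm-dd size]
SERVICE_RE = re.compile(r"^([RS])([0-4])\s+([^;]+);[^;]*;(.+?)\s+\[\d{4}-\d{2}-\d{2}\s+\d+\]$")


@dataclass
class Findings:
    deleted: list = field(default_factory=list)           # Other Deletions
    removed_services: list = field(default_factory=list)  # Legacy_/Service_ keys taken out
    boot_drivers: list = field(default_factory=list)      # (name, path) for start type 0
    uac_disabled: bool = False                            # EnableLUA = 0
    appinit_dlls: list = field(default_factory=list)
    issues: list = field(default_factory=list)


def triage(log_text):
    """Walk the log once, keyed on ComboFix's section banners."""
    f = Findings()
    section = key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if m := SECTION_RE.match(line):
            section, key = m.group(1), None
        elif section == "Other Deletions":
            f.deleted.append(line)
        elif section == "Drivers/Services" and line.startswith("-------\\"):
            f.removed_services.append(line.split("\\", 1)[1])
        elif section == "Reg Loading Points":
            if m := REG_KEY_RE.match(line):
                key = m.group(1).lower()
            elif m := SERVICE_RE.match(line):
                if m.group(2) == "0":  # boot start: loaded before any AV filter driver
                    f.boot_drivers.append((m.group(3), m.group(4)))
            elif key and (m := REG_VAL_RE.match(line)):
                name, value = m.group(1), m.group(2)
                if name == "EnableLUA" and key.endswith(r"policies\system"):
                    f.uac_disabled = value.startswith("0")
                elif name.lower() == "appinit_dlls":
                    f.appinit_dlls += [p for p in re.split(r"[ ,]+", value) if p]
    if f.uac_disabled:
        f.issues.append("EnableLUA=0: UAC is off, so an admin logon runs every process with the full token")
    for dll in f.appinit_dlls:
        f.issues.append(f"AppInit_DLLs loads {dll} into every process that maps user32.dll"
                        " (on Vista/7 only while LoadAppInit_DLLs=1)")
    for name, path in f.boot_drivers:
        f.issues.append(f"boot-start driver {name} at {path}: confirm publisher and signature")
    return f


def summary(f):
    head = f"deleted: {len(f.deleted)}, services removed: {len(f.removed_services)}, issues: {len(f.issues)}"
    return [head] + ["! " + issue for issue in f.issues]


if __name__ == "__main__":
    print("\n".join(summary(triage(SAMPLE_LOG))))
```

Run it against a saved C:\ComboFix.txt by passing the file's text to triage(). The boot-start filter is deliberately strict: R0/S0 entries load before any anti-virus filter driver, so an unfamiliar name there (the thread's wxupt was one before ComboFix removed it) is worth checking before anything in the R2/R3 list.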


#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:03:19 PM

Posted 13 June 2010 - 06:44 PM

One more time, one infected file left.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

CODE
file::
c:\windows\System32\rundll32 .exe


Save this as CFScript.txt, in the same location as ComboFix.exe (called ComboFix.exe in the below graphic)

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Edited by m0le, 16 June 2010 - 06:50 PM.

m0le is a proud member of UNITE
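The three RenV:: entries in post #8 and the single file:: entry in post #10 share one tell: whitespace between the stem and the .exe extension (acrotray .exe, qttask  .exe, rundll32 .exe). ComboFix's RenV:: directive, as its name says, renames such entries rather than simply deleting them, so a scan for the tell should report and not delete. The script below is an added example, not from the thread and not ComboFix code: it walks a directory tree, flags every executable whose name is padded that way, and says whether an un-padded twin sits beside it. The directory layout it builds is a constructed fixture mirroring the three paths from post #8 (the files are stand-ins, not real binaries); the regex and helper names are the example's own.

```python
"""Flag executables whose name has whitespace before the extension
("rundll32 .exe"), the pattern behind the RenV:: entries in this thread.

Added example, not ComboFix code and not from the thread. It reports
padded/un-padded pairs and deletes nothing."""
import os
import re
import tempfile
from pathlib import Path

# stem, one or more spaces/tabs, then an extension Windows will execute or load
PADDED_RE = re.compile(r"^(?P<stem>.*\S)[ \t]+(?P<ext>\.(?:exe|dll|scr|sys|cpl|ocx))$",
                       re.IGNORECASE)


def find_padded_executables(root):
    """Return (padded_path, unpadded_name, twin_present) for every hit under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        present = {n.lower() for n in files}  # case-insensitive, as NTFS is
        for name in files:
            m = PADDED_RE.match(name)
            if not m:
                continue
            twin = m.group("stem") + m.group("ext")  # the name with the padding removed
            hits.append((Path(dirpath) / name, twin, twin.lower() in present))
    return sorted(hits, key=lambda h: str(h[0]))


def build_fixture(base):
    """Constructed tree mirroring the three RenV:: paths from post #8 (stand-in files)."""
    layout = {
        "Windows/System32": ["rundll32.exe", "rundll32 .exe", "notepad.exe"],
        "Program Files/QuickTime": ["qttask.exe", "qttask  .exe"],
        "Program Files/Adobe/Acrobat 9.0/Acrobat": ["Acrotray.exe", "acrotray .exe"],
        "Users/Cheryl/Documents": ["report .txt", "readme.txt"],  # padded but not executable
    }
    for rel, names in layout.items():
        d = Path(base, rel)
        d.mkdir(parents=True, exist_ok=True)
        for n in names:
            (d / n).write_bytes(b"MZ\x90\x00")  # stand-in for a PE header
    return base


def scan_fixture():
    """Build the fixture in a temp dir, scan it, and return hits with root-relative paths."""
    with tempfile.TemporaryDirectory() as tmp:
        build_fixture(tmp)
        return [(p.relative_to(tmp).as_posix(), twin, present)
                for p, twin, present in find_padded_executables(tmp)]


if __name__ == "__main__":
    for rel, twin, present in scan_fixture():
        print(f"{rel!r:60} -> {twin} ({'twin present' if present else 'no twin'})")
```

On a real machine call find_padded_executables() on C:\Windows and C:\Program Files and hand the pairs to whoever is driving the cleanup; which of the two files is the original is the helper's call, which is why the script only lists them.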

#11 cheryllb

cheryllb
  • Topic Starter

  • Members
  • 29 posts
  • Local time:10:19 AM

Posted 13 June 2010 - 07:30 PM

Ok, I hope that got it! Here's the log..

ComboFix 10-06-12.03 - Cheryl 06/13/2010 19:10:47.4.2 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.2038.998 [GMT -5:00]
Running from: c:\users\Cheryl\Desktop\ComboFix.exe
Command switches used :: c:\users\Cheryl\Desktop\CFScript.txt
AV: ThreatFire *On-access scanning enabled* (Updated) {67B2B9A1-25C8-4057-962D-807958FFC9E3}
SP: Avira AntiVir PersonalEdition *enabled* (Outdated) {C19476D9-52BC-4E93-8AF3-CCF59F7AE8FE}
SP: ThreatFire *enabled* (Updated) {79E34F8F-D0AD-48d6-9223-C657C6491F67}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Drivers\0e7e0ef5d27563b583de29d368149454.szcpf

.
((((((((((((((((((((((((( Files Created from 2010-05-14 to 2010-06-14 )))))))))))))))))))))))))))))))
.

2010-06-14 00:23 . 2010-06-14 00:23 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-06-14 00:23 . 2010-06-14 00:23 -------- d-----w- c:\users\Guest\AppData\Local\temp
2010-06-14 00:23 . 2010-06-14 00:23 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-06-14 00:04 . 2010-06-14 00:09 -------- d-----w- C:\32788R22FWJFW
2010-06-09 14:36 . 2010-05-01 14:49 2326528 ----a-w- c:\windows\system32\win32k.sys
2010-06-09 14:36 . 2010-03-05 07:42 67584 ----a-w- c:\windows\system32\asycfilt.dll
2010-06-09 14:36 . 2010-05-21 05:18 977920 ----a-w- c:\windows\system32\wininet.dll
2010-06-09 14:36 . 2010-05-27 07:24 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-06-09 14:36 . 2010-05-27 03:49 293888 ----a-w- c:\windows\system32\atmfd.dll
2010-06-07 17:58 . 2009-09-26 05:58 194488 ----a-w- c:\windows\system32\drivers\fvevol.sys
2010-06-07 17:58 . 2009-12-11 07:44 133720 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2010-06-07 17:58 . 2009-12-11 07:38 1037312 ----a-w- c:\windows\system32\lsasrv.dll
2010-06-07 17:58 . 2009-12-29 06:55 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-06-07 17:57 . 2010-02-27 12:07 3954568 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-06-07 17:57 . 2010-02-27 12:07 3899280 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-06-07 17:57 . 2010-03-08 21:33 427520 ----a-w- c:\windows\system32\vbscript.dll
2010-06-07 17:56 . 2010-01-09 06:52 132608 ----a-w- c:\windows\system32\cabview.dll
2010-06-07 17:56 . 2010-04-23 07:13 2048 ----a-w- c:\windows\system32\tzres.dll
2010-06-07 17:55 . 2010-02-27 07:32 221696 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-06-07 17:55 . 2010-02-27 07:32 95744 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-06-07 17:55 . 2010-02-27 07:32 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-05-25 13:50 . 2010-03-04 07:33 740864 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-20 20:35 . 2010-05-21 18:19 -------- d-----w- c:\program files\IHSDM_2009_CPM
2010-05-20 01:02 . 2010-05-20 01:02 -------- d-----w- C:\AVATAR
2010-05-20 00:57 . 2010-05-20 03:47 -------- d-----w- C:\IDEALDVDCOPY_TEMP
2010-05-15 20:47 . 2010-05-21 18:19 -------- d-----w- c:\program files\Amazing Adventures The Caribbean Secret

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-14 00:23 . 2010-06-13 22:47 3016 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-06-14 00:11 . 2010-04-08 20:18 -------- d-----w- c:\programdata\STOPzilla!
2010-06-13 22:59 . 2009-12-23 19:50 -------- d-----w- c:\users\Cheryl\AppData\Roaming\Dropbox
2010-06-13 22:29 . 2009-06-03 02:59 -------- d-----w- c:\program files\QuickTime
2010-06-13 20:43 . 2010-03-21 20:00 -------- d-----w- c:\program files\Apoint2K
2010-06-13 20:43 . 2009-10-20 01:25 -------- d-----w- c:\program files\DAEMON Tools Pro
2010-06-13 05:49 . 2008-11-03 00:03 -------- d-----w- c:\programdata\Google Updater
2010-06-10 21:04 . 2008-07-31 13:30 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-10 21:01 . 2007-10-20 20:24 -------- d-----w- c:\users\Cheryl\AppData\Roaming\LimeWire
2010-06-10 15:10 . 2007-08-18 07:10 -------- d-----w- c:\programdata\Microsoft Help
2010-06-07 20:23 . 2010-03-21 22:26 -------- d-----w- c:\program files\iTunes
2010-06-07 20:23 . 2007-10-20 20:24 -------- d-----w- c:\program files\LimeWire
2010-06-07 20:23 . 2009-06-03 03:02 -------- d-----w- c:\program files\Bonjour
2010-06-07 20:23 . 2009-06-03 02:57 -------- d-----w- c:\program files\Apple Software Update
2010-06-07 20:20 . 2009-09-30 17:51 -------- d-----w- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-06-07 20:19 . 2010-03-21 22:26 -------- d-----w- c:\program files\iPod
2010-06-07 20:19 . 2009-06-03 02:53 -------- d-----w- c:\program files\Common Files\Apple
2010-06-07 19:55 . 2010-05-08 20:38 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-05-25 20:48 . 2009-07-14 02:37 -------- d-----w- c:\program files\Windows Mail
2010-05-21 18:46 . 2010-04-08 20:18 -------- d-----w- c:\program files\STOPzilla!
2010-05-21 18:46 . 2009-01-27 18:38 -------- d-----w- c:\programdata\FLEXnet
2010-05-21 18:46 . 2008-12-31 03:39 -------- d-----w- c:\program files\IdealDVDCopy
2010-05-21 18:46 . 2010-02-18 03:35 -------- d-----w- c:\program files\Common Files\ESRI
2010-05-21 18:46 . 2010-04-07 18:43 -------- d-----w- c:\program files\Common Files\AnswerWorks 4.0
2010-05-21 18:46 . 2010-04-07 18:34 -------- d-----w- c:\program files\ArcGIS
2010-05-21 18:45 . 2010-04-28 03:22 -------- d-----w- c:\program files\AWR
2010-05-21 18:41 . 2010-04-07 18:42 -------- d-----w- c:\program files\Leica Geosystems
2010-05-21 18:40 . 2007-10-21 01:09 -------- d-----w- c:\program files\Google
2010-05-21 18:40 . 2010-04-08 20:18 -------- d-----w- c:\program files\Common Files\iS3
2010-05-20 01:38 . 2008-06-15 00:42 -------- d-----w- c:\users\Cheryl\AppData\Roaming\Vso
2010-05-20 01:00 . 2008-06-15 00:48 -------- d-----w- c:\programdata\DVD Shrink
2010-05-13 13:10 . 2009-06-03 03:08 -------- d-----w- c:\users\Cheryl\AppData\Roaming\Apple Computer
2010-04-29 18:04 . 2010-04-29 18:04 3664 ------w- C:\bootsqm.dat
2010-04-24 03:01 . 2010-04-24 03:01 -------- d-----w- c:\programdata\ESRI
2010-04-08 14:51 . 2010-04-08 14:51 4076824 ----a-w- c:\programdata\avg9\update\backup\avgui.exe
2010-04-08 14:51 . 2010-04-08 14:51 2059544 ----a-w- c:\programdata\avg9\update\backup\avgtray.exe
2010-04-08 14:51 . 2010-04-08 14:51 1598744 ----a-w- c:\programdata\avg9\update\backup\avgssie.dll
2010-04-08 14:51 . 2010-04-08 14:51 1515224 ----a-w- c:\programdata\avg9\update\backup\avgwd.dll
2010-04-08 14:51 . 2010-04-08 14:51 1274136 ----a-w- c:\programdata\avg9\update\backup\avgfrw.exe
2010-04-08 14:51 . 2010-04-08 14:51 598296 ----a-w- c:\programdata\avg9\update\backup\avgsrmx.dll
2010-04-08 14:51 . 2010-04-08 14:51 4250976 ----a-w- c:\programdata\avg9\update\backup\avgcorex.dll
2010-04-08 14:51 . 2010-04-08 14:51 313112 ----a-w- c:\programdata\avg9\update\backup\avglogx.dll
2010-04-08 14:51 . 2010-04-08 14:51 459544 ----a-w- c:\programdata\avg9\update\backup\avgcclix.dll
2010-04-08 14:51 . 2010-04-08 14:51 1086744 ----a-w- c:\programdata\avg9\update\backup\avgchsvx.exe
2010-04-08 14:51 . 2010-04-08 14:51 556824 ----a-w- c:\programdata\avg9\update\backup\avgchjwx.dll
2010-04-08 14:51 . 2010-04-08 14:51 301336 ----a-w- c:\programdata\avg9\update\backup\avgchclx.dll
2010-04-08 14:50 . 2010-04-08 14:50 1035032 ----a-w- c:\programdata\avg9\update\backup\avgupd.exe
2010-04-08 14:50 . 2010-04-08 14:50 1685784 ----a-w- c:\programdata\avg9\update\backup\avgupd.dll
2010-03-30 05:46 . 2010-04-10 17:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 05:45 . 2010-04-10 17:25 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-23 01:26 . 2010-03-23 01:26 21979992 ----a-w- c:\programdata\Microsoft\Windows Defender\LocalCopy\{129DD95F-DEAC-150C-BC25-8A8FA0D12FE9}-Dropbox.exe
2010-03-21 21:38 . 2010-03-21 21:38 132408 ----a-w- c:\users\Cheryl\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-21 21:03 . 2010-03-21 21:03 21316 ----a-w- c:\windows\system32\emptyregdb.dat
2010-03-21 16:52 . 2007-10-06 17:25 836 ----a-w- c:\windows\bthservsdp.dat
2008-06-17 00:28 . 2008-06-15 00:10 24 --sha-w- c:\windows\SC1F3F802.tmp
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.
CODE
<pre>
c:\windows\System32\rundll32 .exe
</pre>


((((((((((((((((((((((((((((( SnapShot@2010-06-13_22.59.00 )))))))))))))))))))))))))))))))))))))))))
.
- 2010-04-09 16:01 . 2010-06-13 21:05 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
+ 2010-04-09 16:01 . 2010-06-14 00:14 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
- 2010-04-09 16:01 . 2010-06-13 21:05 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\History\History.IE5\index.dat
+ 2010-04-09 16:01 . 2010-06-14 00:14 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\History\History.IE5\index.dat
+ 2010-04-09 16:01 . 2010-06-14 00:14 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Cookies\index.dat
- 2010-04-09 16:01 . 2010-06-13 21:05 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Cookies\index.dat
+ 2010-03-21 21:36 . 2010-06-14 00:14 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-03-21 21:36 . 2010-06-13 22:49 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-03-22 07:23 . 2010-06-14 00:01 282230 c:\windows\System32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\users\Cheryl\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\users\Cheryl\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\users\Cheryl\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2009-07-14 144384]
"RESTART_STICKY_NOTES"="c:\windows\System32\StikyNot.exe" [2009-07-14 354304]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-12 640376]

c:\users\Cheryl\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Cheryl\AppData\Roaming\Dropbox\bin\Dropbox.exe [2010-2-26 21979992]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\acaptuser32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

R0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [2009-12-07 61328]
R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-10-20 722416]
R2 FlexService;Remote Connections Service;c:\program files\RapidBIT\cisvc.exe [2009-05-17 41984]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-27 135664]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2010-01-12 227896]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-09 1343400]
S0 szkg5;szkg5;c:\windows\system32\DRIVERS\szkg.sys [2009-12-07 61328]
S0 szkgfs;szkgfs;c:\windows\system32\drivers\szkgfs.sys [2010-02-24 173328]
S2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe [2009-07-14 20992]
S2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe [2009-07-14 20992]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-03-09 51792]
S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]


--- Other Services/Drivers In Memory ---

*Deregistered* - AVGIDSDrivervtx
*Deregistered* - AVGIDSFiltervtx
*Deregistered* - AVGIDSShimvtx
*Deregistered* - AvgRkx86
*Deregistered* - AvgTdiX

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASBroker ASChannel
GPSvcGroup REG_MULTI_SZ GPSvc
.
Contents of the 'Scheduled Tasks' folder

2010-06-13 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-10-21 03:37]

2010-06-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-27 02:52]

2010-06-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-27 02:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
mStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
Trusted Zone: adecco.com\*.xpert
FF - ProfilePath - c:\users\Cheryl\AppData\Roaming\Mozilla\Firefox\Profiles\olf3sehj.default\
FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/?src=aim&ncid=snsusaimc00000001
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50-ff-aim-ab-en-us&query=
FF - component: c:\users\Cheryl\AppData\Roaming\Mozilla\Firefox\Profiles\olf3sehj.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
FF - component: c:\users\Cheryl\AppData\Roaming\Mozilla\Firefox\Profiles\olf3sehj.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nppopcaploader.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\users\Cheryl\AppData\Roaming\Mozilla\Firefox\Profiles\olf3sehj.default\extensions\{0C7E3F01-99E9-4095-9BDC-F84724960B57}\plugins\NPCpnMgr.dll
FF - plugin: c:\users\Cheryl\AppData\Roaming\Mozilla\Firefox\Profiles\olf3sehj.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(yahoo.homepage.dontask, true);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
.
Completion time: 2010-06-13 19:28:05
ComboFix-quarantined-files.txt 2010-06-14 00:28
ComboFix2.txt 2010-06-13 23:06
ComboFix3.txt 2010-06-13 21:08
ComboFix4.txt 2010-06-13 05:53

Pre-Run: 21,204,766,720 bytes free
Post-Run: 20,905,312,256 bytes free

- - End Of File - - A162E1727E36556B1E21CB4664D212F6


#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:03:19 PM

Posted 14 June 2010 - 06:29 PM

Not going anywhere that one...

We need to replace the infected file in the Recovery Environment


First we need to copy a clean file to replace the infected one.

Please do this:
  • Click on the Start button, then click on Run...

  • In the empty "Open:" box provided, type cmd and press Enter. This will launch a Command Prompt window (looks like DOS).

  • Copy the entire blue text below to the clipboard by highlighting all of it and pressing Ctrl+C (or after highlighting, right-click and select Copy).

    copy c:\windows\System32\rundll32.exe C:\ /y

  • In the Command Prompt window, paste the copied text by right-clicking and selecting Paste.

  • Press Enter. When successful, you should get this message within the Command Prompt: "1 file(s) copied"
  • Exit the Command Prompt window.
Now we need to boot into the Recovery Environment:

Reboot your computer. Combofix should have installed the recovery console so this should already be available.

Follow the instructions here to start it

Next

Type cd system32\drivers and press Enter.
Type ren rundll32.exe rundll32.vir and press Enter.
Then type copy C:\rundll32.exe rundll32.exe and press Enter.
Now type exit and press Enter to reboot your computer into normal mode.


Please rerun Combofix and post the log.

Thanks
m0le is a proud member of UNITE

#13 cheryllb

cheryllb
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:10:19 AM

Posted 14 June 2010 - 11:12 PM

When I try to do the copy/paste into the cmd log (first step) it says: "The system cannot find the file specified." Am I missing something?

#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:03:19 PM

Posted 15 June 2010 - 04:11 PM

No, it doesn't exist now. We will try and replace the bad file with the modified system file.

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

CODE
FCopy
c:\windows\System32\rundll32 .exe | c:\windows\System32\rundll32.exe


Save this as CFScript.txt, in the same location as ComboFix.exe (called ComboFix.exe in the below graphic)




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Edited by m0le, 15 June 2010 - 04:12 PM.

m0le is a proud member of UNITE
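The file the ComboFix log and the CFScript above are dealing with is named "rundll32 .exe", which differs from the real rundll32.exe only by an embedded space. As an added example (not code from the thread, ComboFix or m0le), the script below scans a constructed directory listing for names that collapse to a protected System32 binary name once whitespace, trailing dots and case are normalised; the PROTECTED set and the sample listing are assumptions for illustration.

```python
"""Flag look-alike names next to known Windows system binaries.

Added example for this thread: a filename such as "rundll32 .exe" only
becomes "rundll32.exe" after the embedded whitespace is removed, so a plain
string comparison against a list of protected names would miss it.
"""
import re
from pathlib import PureWindowsPath
from typing import List, Optional

# Assumed, illustrative list of binaries a defender would protect in System32.
PROTECTED = {"rundll32.exe", "svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}

_WS_RE = re.compile(r"\s+")


def canonical(name: str) -> str:
    """Collapse the tricks that make a masquerading name look legitimate."""
    stem = _WS_RE.sub("", name)         # "rundll32 .exe" -> "rundll32.exe"
    stem = stem.replace("\u200b", "")   # zero-width space (goes beyond the thread's case)
    stem = stem.rstrip(".")             # Win32 ignores trailing dots in file names
    return stem.lower()                 # NTFS name lookup is case-insensitive


def classify(path: str) -> Optional[str]:
    """'masquerade' if the basename imitates a protected binary, 'exact' if it
    is the protected binary itself (case differences only), else None."""
    base = PureWindowsPath(path).name
    canon = canonical(base)
    if canon not in PROTECTED:
        return None
    return "exact" if base.lower() == canon else "masquerade"


def find_masquerades(listing: List[str]) -> List[str]:
    """Return the paths in a listing whose names imitate a protected binary."""
    return [p for p in listing if classify(p) == "masquerade"]


# Constructed sample listing modelled on the paths shown in the log above.
SAMPLE_LISTING = [
    r"c:\windows\System32\rundll32.exe",
    r"c:\windows\System32\rundll32 .exe",
    r"c:\windows\System32\svchost.exe",
    r"c:\windows\System32\svchost .exe",
    r"c:\windows\System32\drivers\mbam.sys",
    r"c:\windows\System32\lsass.exe.",
]

if __name__ == "__main__":
    for hit in find_masquerades(SAMPLE_LISTING):
        print("suspicious name:", hit)
```

A hit only says the name is suspicious; confirming which copy is the genuine binary still needs a hash or signature check against a known-good file.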

#15 cheryllb

cheryllb
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:10:19 AM

Posted 15 June 2010 - 05:45 PM

OK, did that. Here's the log:
ComboFix 10-06-12.03 - Cheryl 06/15/2010 16:34:17.5.2 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.2038.1306 [GMT -5:00]
Running from: c:\users\Cheryl\Desktop\ComboFix.exe
Command switches used :: c:\users\Cheryl\Desktop\CFScript.txt
AV: ThreatFire *On-access scanning enabled* (Updated) {67B2B9A1-25C8-4057-962D-807958FFC9E3}
SP: Avira AntiVir PersonalEdition *enabled* (Outdated) {C19476D9-52BC-4E93-8AF3-CCF59F7AE8FE}
SP: ThreatFire *enabled* (Updated) {79E34F8F-D0AD-48d6-9223-C657C6491F67}
.

((((((((((((((((((((((((( Files Created from 2010-05-15 to 2010-06-15 )))))))))))))))))))))))))))))))
.

2010-06-15 21:50 . 2010-06-15 21:50 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-06-15 21:50 . 2010-06-15 21:50 -------- d-----w- c:\users\Guest\AppData\Local\temp
2010-06-15 21:50 . 2010-06-15 21:50 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-06-15 21:30 . 2010-06-15 21:31 -------- d-----w- C:\32788R22FWJFW
2010-06-09 14:36 . 2010-05-01 14:49 2326528 ----a-w- c:\windows\system32\win32k.sys
2010-06-09 14:36 . 2010-03-05 07:42 67584 ----a-w- c:\windows\system32\asycfilt.dll
2010-06-09 14:36 . 2010-05-21 05:18 977920 ----a-w- c:\windows\system32\wininet.dll
2010-06-09 14:36 . 2010-05-27 07:24 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-06-09 14:36 . 2010-05-27 03:49 293888 ----a-w- c:\windows\system32\atmfd.dll
2010-06-07 17:58 . 2009-09-26 05:58 194488 ----a-w- c:\windows\system32\drivers\fvevol.sys
2010-06-07 17:58 . 2009-12-11 07:44 133720 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2010-06-07 17:58 . 2009-12-11 07:38 1037312 ----a-w- c:\windows\system32\lsasrv.dll
2010-06-07 17:58 . 2009-12-29 06:55 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-06-07 17:57 . 2010-02-27 12:07 3954568 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-06-07 17:57 . 2010-02-27 12:07 3899280 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-06-07 17:57 . 2010-03-08 21:33 427520 ----a-w- c:\windows\system32\vbscript.dll
2010-06-07 17:56 . 2010-01-09 06:52 132608 ----a-w- c:\windows\system32\cabview.dll
2010-06-07 17:56 . 2010-04-23 07:13 2048 ----a-w- c:\windows\system32\tzres.dll
2010-06-07 17:55 . 2010-02-27 07:32 221696 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-06-07 17:55 . 2010-02-27 07:32 95744 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-06-07 17:55 . 2010-02-27 07:32 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-05-25 13:50 . 2010-03-04 07:33 740864 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-20 20:35 . 2010-05-21 18:19 -------- d-----w- c:\program files\IHSDM_2009_CPM
2010-05-20 01:02 . 2010-05-20 01:02 -------- d-----w- C:\AVATAR
2010-05-20 00:57 . 2010-05-20 03:47 -------- d-----w- C:\IDEALDVDCOPY_TEMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-15 21:43 . 2010-04-08 20:18 -------- d-----w- c:\programdata\STOPzilla!
2010-06-15 21:32 . 2010-06-13 22:47 4792 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-06-15 21:00 . 2009-12-23 19:50 -------- d-----w- c:\users\Cheryl\AppData\Roaming\Dropbox
2010-06-15 15:21 . 2008-11-03 00:03 -------- d-----w- c:\programdata\Google Updater
2010-06-13 22:29 . 2009-06-03 02:59 -------- d-----w- c:\program files\QuickTime
2010-06-13 20:43 . 2010-03-21 20:00 -------- d-----w- c:\program files\Apoint2K
2010-06-13 20:43 . 2009-10-20 01:25 -------- d-----w- c:\program files\DAEMON Tools Pro
2010-06-10 21:04 . 2008-07-31 13:30 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-10 21:01 . 2007-10-20 20:24 -------- d-----w- c:\users\Cheryl\AppData\Roaming\LimeWire
2010-06-10 15:10 . 2007-08-18 07:10 -------- d-----w- c:\programdata\Microsoft Help
2010-06-07 20:23 . 2010-03-21 22:26 -------- d-----w- c:\program files\iTunes
2010-06-07 20:23 . 2007-10-20 20:24 -------- d-----w- c:\program files\LimeWire
2010-06-07 20:23 . 2009-06-03 03:02 -------- d-----w- c:\program files\Bonjour
2010-06-07 20:23 . 2009-06-03 02:57 -------- d-----w- c:\program files\Apple Software Update
2010-06-07 20:20 . 2009-09-30 17:51 -------- d-----w- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-06-07 20:19 . 2010-03-21 22:26 -------- d-----w- c:\program files\iPod
2010-06-07 20:19 . 2009-06-03 02:53 -------- d-----w- c:\program files\Common Files\Apple
2010-06-07 19:55 . 2010-05-08 20:38 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-05-25 20:48 . 2009-07-14 02:37 -------- d-----w- c:\program files\Windows Mail
2010-05-21 18:46 . 2010-04-08 20:18 -------- d-----w- c:\program files\STOPzilla!
2010-05-21 18:46 . 2009-01-27 18:38 -------- d-----w- c:\programdata\FLEXnet
2010-05-21 18:46 . 2008-12-31 03:39 -------- d-----w- c:\program files\IdealDVDCopy
2010-05-21 18:46 . 2010-02-18 03:35 -------- d-----w- c:\program files\Common Files\ESRI
2010-05-21 18:46 . 2010-04-07 18:43 -------- d-----w- c:\program files\Common Files\AnswerWorks 4.0
2010-05-21 18:46 . 2010-04-07 18:34 -------- d-----w- c:\program files\ArcGIS
2010-05-21 18:45 . 2010-04-28 03:22 -------- d-----w- c:\program files\AWR
2010-05-21 18:41 . 2010-04-07 18:42 -------- d-----w- c:\program files\Leica Geosystems
2010-05-21 18:40 . 2007-10-21 01:09 -------- d-----w- c:\program files\Google
2010-05-21 18:40 . 2010-04-08 20:18 -------- d-----w- c:\program files\Common Files\iS3
2010-05-21 18:19 . 2010-05-15 20:47 -------- d-----w- c:\program files\Amazing Adventures The Caribbean Secret
2010-05-20 01:38 . 2008-06-15 00:42 -------- d-----w- c:\users\Cheryl\AppData\Roaming\Vso
2010-05-20 01:00 . 2008-06-15 00:48 -------- d-----w- c:\programdata\DVD Shrink
2010-05-13 13:10 . 2009-06-03 03:08 -------- d-----w- c:\users\Cheryl\AppData\Roaming\Apple Computer
2010-04-29 18:04 . 2010-04-29 18:04 3664 ------w- C:\bootsqm.dat
2010-04-24 03:01 . 2010-04-24 03:01 -------- d-----w- c:\programdata\ESRI
2010-04-08 14:51 . 2010-04-08 14:51 4076824 ----a-w- c:\programdata\avg9\update\backup\avgui.exe
2010-04-08 14:51 . 2010-04-08 14:51 2059544 ----a-w- c:\programdata\avg9\update\backup\avgtray.exe
2010-04-08 14:51 . 2010-04-08 14:51 1598744 ----a-w- c:\programdata\avg9\update\backup\avgssie.dll
2010-04-08 14:51 . 2010-04-08 14:51 1515224 ----a-w- c:\programdata\avg9\update\backup\avgwd.dll
2010-04-08 14:51 . 2010-04-08 14:51 1274136 ----a-w- c:\programdata\avg9\update\backup\avgfrw.exe
2010-04-08 14:51 . 2010-04-08 14:51 598296 ----a-w- c:\programdata\avg9\update\backup\avgsrmx.dll
2010-04-08 14:51 . 2010-04-08 14:51 4250976 ----a-w- c:\programdata\avg9\update\backup\avgcorex.dll
2010-04-08 14:51 . 2010-04-08 14:51 313112 ----a-w- c:\programdata\avg9\update\backup\avglogx.dll
2010-04-08 14:51 . 2010-04-08 14:51 459544 ----a-w- c:\programdata\avg9\update\backup\avgcclix.dll
2010-04-08 14:51 . 2010-04-08 14:51 1086744 ----a-w- c:\programdata\avg9\update\backup\avgchsvx.exe
2010-04-08 14:51 . 2010-04-08 14:51 556824 ----a-w- c:\programdata\avg9\update\backup\avgchjwx.dll
2010-04-08 14:51 . 2010-04-08 14:51 301336 ----a-w- c:\programdata\avg9\update\backup\avgchclx.dll
2010-04-08 14:50 . 2010-04-08 14:50 1035032 ----a-w- c:\programdata\avg9\update\backup\avgupd.exe
2010-04-08 14:50 . 2010-04-08 14:50 1685784 ----a-w- c:\programdata\avg9\update\backup\avgupd.dll
2010-03-30 05:46 . 2010-04-10 17:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 05:45 . 2010-04-10 17:25 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-23 01:26 . 2010-03-23 01:26 21979992 ----a-w- c:\programdata\Microsoft\Windows Defender\LocalCopy\{129DD95F-DEAC-150C-BC25-8A8FA0D12FE9}-Dropbox.exe
2010-03-21 21:38 . 2010-03-21 21:38 132408 ----a-w- c:\users\Cheryl\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-21 21:03 . 2010-03-21 21:03 21316 ----a-w- c:\windows\system32\emptyregdb.dat
2010-03-21 16:52 . 2007-10-06 17:25 836 ----a-w- c:\windows\bthservsdp.dat
2008-06-17 00:28 . 2008-06-15 00:10 24 --sha-w- c:\windows\SC1F3F802.tmp
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.
CODE
<pre>
c:\windows\System32\rundll32 .exe
</pre>


((((((((((((((((((((((((((((( SnapShot@2010-06-13_22.59.00 )))))))))))))))))))))))))))))))))))))))))
.
- 2010-03-21 20:01 . 2010-06-13 22:50 65536 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-03-21 20:01 . 2010-06-15 15:21 65536 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-03-21 21:38 . 2010-06-15 14:58 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\index.dat
- 2010-03-21 21:38 . 2010-06-13 21:42 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\index.dat
+ 2010-06-14 15:21 . 2010-06-14 15:19 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012010061420100615\index.dat
+ 2010-06-14 15:21 . 2010-06-14 15:19 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012010060720100614\index.dat
- 2009-07-14 04:41 . 2010-06-13 22:50 81920 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:41 . 2010-06-15 15:21 81920 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-04-09 16:01 . 2010-06-13 21:05 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
+ 2010-04-09 16:01 . 2010-06-15 21:03 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
+ 2010-04-09 16:01 . 2010-06-15 21:03 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\History\History.IE5\index.dat
- 2010-04-09 16:01 . 2010-06-13 21:05 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\History\History.IE5\index.dat
+ 2010-04-09 16:01 . 2010-06-15 21:03 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Cookies\index.dat
- 2010-04-09 16:01 . 2010-06-13 21:05 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Cookies\index.dat
- 2010-03-21 21:36 . 2010-06-13 22:49 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-03-21 21:36 . 2010-06-15 21:03 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-06-15 21:01 . 2010-06-15 21:01 25088 c:\windows\Installer\9f12e2c.msi
+ 2010-03-22 07:23 . 2010-06-15 21:00 283238 c:\windows\System32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2010-03-21 21:25 . 2010-06-15 15:10 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2010-03-21 21:25 . 2010-06-13 21:42 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-07-14 02:03 . 2010-06-15 14:11 6815744 c:\windows\System32\SMI\Store\Machine\schema.dat
- 2009-07-14 02:03 . 2010-06-13 13:23 6815744 c:\windows\System32\SMI\Store\Machine\schema.dat
+ 2010-03-21 20:01 . 2010-06-15 15:21 3063808 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-03-21 20:01 . 2010-06-13 22:50 3063808 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\users\Cheryl\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\users\Cheryl\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\users\Cheryl\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2009-07-14 144384]
"RESTART_STICKY_NOTES"="c:\windows\System32\StikyNot.exe" [2009-07-14 354304]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-12 640376]

c:\users\Cheryl\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Cheryl\AppData\Roaming\Dropbox\bin\Dropbox.exe [2010-2-26 21979992]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\acaptuser32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

R0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [2009-12-07 61328]
R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-10-20 722416]
R2 FlexService;Remote Connections Service;c:\program files\RapidBIT\cisvc.exe [2009-05-17 41984]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-27 135664]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2010-01-12 227896]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-09 1343400]
S0 szkg5;szkg5;c:\windows\system32\DRIVERS\szkg.sys [2009-12-07 61328]
S0 szkgfs;szkgfs;c:\windows\system32\drivers\szkgfs.sys [2010-02-24 173328]
S2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe [2009-07-14 20992]
S2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe [2009-07-14 20992]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-03-09 51792]
S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]


--- Other Services/Drivers In Memory ---

*Deregistered* - AVGIDSDrivervtx
*Deregistered* - AVGIDSFiltervtx
*Deregistered* - AVGIDSShimvtx
*Deregistered* - AvgRkx86
*Deregistered* - AvgTdiX

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASBroker ASChannel
GPSvcGroup REG_MULTI_SZ GPSvc
.
Contents of the 'Scheduled Tasks' folder

2010-06-15 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-10-21 03:37]

2010-06-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-27 02:52]

2010-06-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-27 02:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
mStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
Trusted Zone: adecco.com\*.xpert
FF - ProfilePath - c:\users\Cheryl\AppData\Roaming\Mozilla\Firefox\Profiles\olf3sehj.default\
FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/?src=aim&ncid=snsusaimc00000001
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50-ff-aim-ab-en-us&query=
FF - component: c:\users\Cheryl\AppData\Roaming\Mozilla\Firefox\Profiles\olf3sehj.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
FF - component: c:\users\Cheryl\AppData\Roaming\Mozilla\Firefox\Profiles\olf3sehj.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nppopcaploader.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\users\Cheryl\AppData\Roaming\Mozilla\Firefox\Profiles\olf3sehj.default\extensions\{0C7E3F01-99E9-4095-9BDC-F84724960B57}\plugins\NPCpnMgr.dll
FF - plugin: c:\users\Cheryl\AppData\Roaming\Mozilla\Firefox\Profiles\olf3sehj.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(yahoo.homepage.dontask, true);user_pref(network.protocol-handler.warn-external.dnupdate, false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(348)
c:\users\Cheryl\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll
.
Completion time: 2010-06-15 16:55:49
ComboFix-quarantined-files.txt 2010-06-15 21:55
ComboFix2.txt 2010-06-14 00:28
ComboFix3.txt 2010-06-13 23:06
ComboFix4.txt 2010-06-13 21:08
ComboFix5.txt 2010-06-15 21:31

Pre-Run: 20,939,694,080 bytes free
Post-Run: 20,856,799,232 bytes free

- - End Of File - - 88258F9DC424C160C4C61D0C120D4506
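The service, driver and registry sections of a ComboFix log are the parts a helper reads first, and three things in this one deserve a second look regardless of the rootkit itself: `EnableLUA= 0` means User Account Control is switched off, `AppInit_DLLs` names a DLL that Windows will load into every process that links user32.dll, and the `R0`/`S0` entries are boot-start kernel drivers that load before any security product. The script below is an added example, not part of the original post and not ComboFix's own code: it parses the log format shown above (status letter, start-type digit, `name;display;path [date size]`) and reports those items. The sample lines are copied from the log in this post; the finding categories and the wording of the notes are this example's own assumptions.

```python
"""Parse a ComboFix-style log excerpt and flag the security-relevant entries.

Added example, not ComboFix's code. Conventions assumed for the service
lines: R = running, S = stopped; the digit is the Windows start type
(0 boot, 1 system, 2 auto, 3 demand, 4 disabled).
"""
import re
from dataclasses import dataclass

# Sample input: lines copied from the log above (constructed excerpt).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\acaptuser32.dll

R0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [2009-12-07 61328]
R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-10-20 722416]
R2 FlexService;Remote Connections Service;c:\program files\RapidBIT\cisvc.exe [2009-05-17 41984]
S0 szkg5;szkg5;c:\windows\system32\DRIVERS\szkg.sys [2009-12-07 61328]
S0 szkgfs;szkgfs;c:\windows\system32\drivers\szkgfs.sys [2010-02-24 173328]
S2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe [2009-07-14 20992]
S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
"""

SERVICE_RE = re.compile(
    r'^([RS])([0-4]) ([^;]+);([^;]*);(.+?) \[(\d{4}-\d{2}-\d{2}) (\d+)\]$')
KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')
START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}


@dataclass
class Service:
    running: bool
    start_type: int
    name: str
    display: str
    path: str
    date: str
    size: int


@dataclass
class Finding:
    kind: str   # category assumed by this example
    item: str   # value name, DLL path or service name
    note: str


def parse_services(text):
    """Return every 'R?/S? name;display;path [date size]' line as a Service."""
    out = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            st, start, name, disp, path, date, size = m.groups()
            out.append(Service(st == "R", int(start), name, disp, path, date, int(size)))
    return out


def parse_registry(text):
    """Map (key, value-name) -> raw value text for the '[key]' / '"name"=...' blocks."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = VALUE_RE.match(line)
        if m and key:
            values[(key, m.group(1).lower())] = m.group(2).strip()
    return values


def dword(raw):
    """'0 (0x0)' -> 0; None when the value is not numeric."""
    m = re.match(r'^(\d+)', raw)
    return int(m.group(1)) if m else None


def analyze(text):
    findings = []
    for (key, name), raw in parse_registry(text).items():
        if key.endswith(r'policies\system') and name == 'enablelua' and dword(raw) == 0:
            findings.append(Finding('uac_disabled', 'EnableLUA',
                                    'UAC is off: admin-account processes run fully elevated with no prompt'))
        if key.endswith(r'windows nt\currentversion\windows') and name == 'appinit_dlls' and raw:
            findings.append(Finding('appinit_dll', raw,
                                    'loaded into every process that links user32.dll '
                                    '(on Windows 7 only while LoadAppInit_DLLs=1; verify the file)'))
    for svc in parse_services(text):
        if svc.start_type == 0:
            findings.append(Finding('boot_start_driver', svc.name,
                                    f'{svc.path}: loads at boot, before security tooling; verify signer/hash'))
        if svc.path.lower().endswith('svchost.exe'):
            findings.append(Finding('svchost_hosted', svc.name,
                                    'real code is the ServiceDll under the service\'s Parameters key, not shown here'))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.kind}] {f.item}: {f.note}")
```

The `svchost_hosted` category is there because a service line that points at `svchost.exe` tells you nothing about what actually runs; the `[...\svchost]` group list later in the log (here `Cognizance REG_MULTI_SZ ASBroker ASChannel`) only says which group hosts it, so the DLL still has to be looked up under the service's `Parameters` key on the machine.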
