
No internet


  • This topic is locked
2 replies to this topic

#1 netlesscitizen

  • Members
  • 2 posts

Posted 10 July 2010 - 06:48 PM

Hello,

Little sibling got my computer infected (first infection in 6 years), I'll never leave it unlocked again.

I know a bit about malware removal, ComboFix, registry scripts, etc. This one has totally baffled me. Below are logs from HJT, ComboFix, and ComboFix Quarantine.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:35:38 PM, on 7/10/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18372)
Boot mode: Normal

Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSsystem32spoolsv.exe
C:WINDOWSsystem32inetsrvinetinfo.exe
C:Program FilesJavajre6binjqs.exe
C:Program FilesCommon FilesMicrosoft SharedVS7Debugmdm.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSsystem32ctfmon.exe
C:WINDOWSexplorer.exe
C:Program FilesHJTTrend MicroHiJackThisHiJackThis.exe

R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLMSoftwareMicrosoftInternet ExplorerMain,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Local Page =
R0 - HKLMSoftwareMicrosoftInternet ExplorerMain,Local Page =
R1 - HKCUSoftwareMicrosoftWindowsCurrentVersionInternet Settings,ProxyServer = http=127.0.0.1:5577
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:Program FilesCommon FilesAdobeAcrobatActiveXAcroIEHelperShim.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:Program FilesCommon FilesMicrosoft SharedWindows LiveWindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:Program FilesJavajre6binjp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:Program FilesJavajre6libdeployjqsiejqs_plugin.dll
O4 - HKLM..Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:PROGRA~1MICROS~3OFFICE11EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:PROGRA~1MICROS~3OFFICE11REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:WINDOWSNetwork Diagnosticxpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:WINDOWSNetwork Diagnosticxpnetdiag.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.2.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:WINDOWSsystem32browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:WINDOWSsystem32browseui.dll
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:Program FilesCommon FilesMacrovision SharedFLEXnet PublisherFNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:Program FilesJavajre6binjqs.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:Program FilesSandboxieSbieSvc.exe

--
End of file - 3689 bytes

ComboFix:

ComboFix 10-07-08.02 - Administrator 07/10/2010 1:58.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1278.931 [GMT -4:00]
Running from: c:documents and settingsAll UsersStart MenuProgramsAnti-SpywareComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:documents and settingsAdministratorLocal SettingsApplication Datanhbmhyrat
c:documents and settingsAdministratorLocal SettingsApplication Datanhbmhyratdrsiykktssd.exe
c:windowssystem32SHELLLNK.TLB
c:windowssystem32Thumbs.db

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------Legacy_NPF


((((((((((((((((((((((((( Files Created from 2010-06-10 to 2010-07-10 )))))))))))))))))))))))))))))))
.

2010-07-09 18:52 . 2006-02-24 08:27 1492480 ----a-w- c:windowssystem32BrWia06a.dll
2010-07-09 18:52 . 2005-12-13 01:53 38912 ----a-w- c:windowssystem32BrUsi06a.dll
2010-06-23 02:43 . 2010-06-23 02:43 -------- d-----w- c:program filesLame for Audacity
2010-06-22 02:52 . 2010-06-27 20:28 -------- d-----w- c:documents and settingsAdministratorApplication DataAudacity
2010-06-22 02:52 . 2010-06-22 02:52 -------- d-----w- c:program filesAudacity 1.3 Beta (Unicode)

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-09 18:54 . 2010-01-19 04:08 65 ----a-w- c:windowssystem32BD7020.dat
2010-07-08 22:25 . 2007-04-01 23:28 664 ----a-w- c:windowssystem32d3d9caps.dat
2010-06-23 04:23 . 2009-12-08 19:31 -------- d-----w- c:documents and settingsAll UsersApplication DataFLEXnet
2010-06-22 22:56 . 2007-08-26 07:16 5052 ----a-w- c:windowssystem32PerfStringBackup.TMP
2010-06-22 05:06 . 2009-11-27 23:34 -------- d-----w- c:documents and settingsAdministratorApplication DatauTorrent
2010-06-16 01:57 . 2009-11-27 23:34 -------- d-----w- c:program filesuTorrent
2010-06-12 19:48 . 2009-06-05 05:59 -------- d-----w- c:program filesUnlocker
2010-06-07 20:16 . 2010-06-07 20:16 703352 ----a-w- c:documents and settingsAdministratorApplication DataMicrosoftInternet ExplorerQuick Launchautoruns.exe
2010-06-06 03:45 . 2010-06-06 03:45 2324974 ----a-w- c:documents and settingsAll UsersApplication DataAlienwareCommandCenterAlienFXTutorialsenalienfx_basic.exe
2010-06-06 03:45 . 2010-06-06 03:33 -------- d-----w- c:documents and settingsAll UsersApplication DataAlienware
2010-06-06 03:33 . 2010-06-06 03:27 -------- d-----w- c:program filesAlienware
2010-06-06 03:32 . 2010-06-06 03:29 -------- d-----w- c:documents and settingsAll UsersApplication DataTactXMouseCI
2010-06-01 03:45 . 2009-02-15 00:16 -------- d-----w- c:documents and settingsAll UsersApplication DataLogitech
2010-06-01 03:45 . 2007-08-12 03:29 -------- d-----w- c:program filesCommon FilesLogitech
2010-06-01 03:44 . 2007-08-12 03:28 -------- d-----w- c:program filesLogitech
2010-05-28 04:00 . 2008-10-02 06:59 42 ----a-w- c:documents and settingsAdministratorjagex_runescape_preferences.dat
2010-05-28 03:56 . 2009-09-15 05:19 87 ----a-w- c:documents and settingsAdministratorjagex_runescape_preferences2.dat
2010-05-07 16:55 . 2010-05-07 16:55 255472 ----a-w- c:documents and settingsAdministratorApplication DataMozillapluginsnpgoogletalk.dll
2010-05-02 05:22 . 2004-08-03 21:17 1851264 ------w- c:windowssystem32win32k.sys
2010-04-20 05:30 . 2004-08-03 22:56 285696 ----a-w- c:windowssystem32atmfd.dll
2010-01-19 03:34 . 2010-01-19 03:34 0 ----a-w- c:program fileserror.dat
2009-04-15 20:24 . 2009-04-15 20:24 1044480 ----a-w- c:program filesmozilla firefoxpluginslibdivx.dll
2009-04-15 20:24 . 2009-04-15 20:24 200704 ----a-w- c:program filesmozilla firefoxpluginsssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
"QuickTime Task"="c:program filesQuickTimeqttask.exe" [2009-05-26 413696]

[HKEY_LOCAL_MACHINEsoftwaremicrosoftwindows ntcurrentversionwinlogonnotifyAutorunsDisabled]
2008-11-07 21:41 72208 ----a-w- c:program filesCommon FilesLogishrdBluetoothLBTWLgn.dll

[HKEY_LOCAL_MACHINEsystemcurrentcontrolsetcontrolsecurityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimalWdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimalWdfLoadGroup]
@=""

[HKLM~startupfolderC:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
backup=c:windowspssInterVideo WinCinema Manager.lnkCommon Startup

[HKLM~startupfolderC:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
backup=c:windowspssLogitech SetPoint.lnkCommon Startup

[HKLM~startupfolderC:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
backup=c:windowspssWinZip Quick Pick.lnkCommon Startup
HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregLaunch LCDMon
HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregPC Suite Tray
HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregRoxWatchTray

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregAdobe ARM]
2010-06-09 08:06 976832 ----a-w- c:program filesCommon FilesAdobeARM1.0AdobeARM.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregAdobe Reader Speed Launcher]
2009-10-03 09:08 35696 ----a-w- c:program filesAdobeReader 9.0Readerreader_sl.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregAlienFX Controller]
2009-05-20 21:44 57672 ----a-w- c:program filesAlienwareCommand CenterAlienwareAlienFXController.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregBDRegion]
2009-03-01 00:40 75048 ----a-w- c:program filesCyberlinkShared Filesbrs.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregControlCenter2.0]
2005-01-07 22:30 864256 ------w- c:program filesBrotherControlCenter2brctrcen.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregctfmon.exe]
2008-04-14 10:42 15360 ------w- c:windowssystem32ctfmon.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregGoogle Update]
2008-09-02 19:17 133104 ----atw- c:documents and settingsAdministratorLocal SettingsApplication DataGoogleUpdateGoogleUpdate.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregISUSPM]
2006-09-11 09:40 218032 ----a-w- c:program filesCommon FilesInstallShieldUpdateServiceISUSPM.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregKernel and Hardware Abstraction Layer]
2008-10-10 19:46 69632 ----a-w- c:windowsKHALMNPR.Exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregLaunch LGDCore]
2006-07-23 01:22 1126400 ----a-w- c:program filesCommon FilesLogitechG-series SoftwareLGDCore.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregMP10_EnsureFileVer]
2005-01-28 18:44 192512 ------w- c:windowsinfunregmp2.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregMSMSGS]
2007-04-12 06:43 1661304 ----a-w- c:program filesMessengerMsmsgs.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregQuickTime Task]
2009-05-26 22:18 413696 ----a-w- c:program filesQuickTimeQTTask.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregSandboxieControl]
2010-04-17 10:56 394984 ----a-w- c:program filesSandboxieSbieCtrl.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregSetDefPrt]
2004-11-11 22:14 49152 ------w- c:program filesBrotherBrmfl04gBrStDvPt.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregSunJavaUpdateSched]
2009-11-05 14:49 149280 ----a-w- c:program filesJavajre6binjusched.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigservices]
"iPod Service"=3 (0x3)

[HKEY_CURRENT_USERsoftwaremicrosoftwindowscurrentversionrun-]
"SandboxieControl"="x:program filesSandboxieSbieCtrl.exe"
"ctfmon.exe"=c:windowssystem32ctfmon.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftwindowscurrentversionrun-]
"SunJavaUpdateSched"="c:program filesJavajre6binjusched.exe"
"igfxhkcmd"=c:windowssystem32hkcmd.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity center]
"AntiVirusOverride"=dword:00000001

[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileAuthorizedApplicationsList]
"c:WINDOWSsystem32mmc.exe"=
"c:Program FilesYahoo!MessengerYahooMessenger.exe"=
"%windir%Network Diagnosticxpnetdiag.exe"=
"c:Program FilesAIM6aim6.exe"=
"c:Program FilesCommon FilesAOLLoaderaolload.exe"=
"c:Program FilesBonjourmDNSResponder.exe"=
"c:WINDOWSsystem32dpvsetup.exe"=
"c:WINDOWSsystem32sessmgr.exe"=
"c:Documents and SettingsAdministratorLocal SettingsApplication DataGoogleChromeApplicationchrome.exe"=
"c:Program FilesMessengerMsmsgs.exe"=
"c:Program FilesWindows LiveMessengermsnmsgr.exe"=
"c:Program FilesWindows LiveMessengerwlcsdk.exe"=
"c:Program FilesuTorrentuTorrent.exe"=
"c:Program FilesJavajre6binjava.exe"=
"c:Documents and SettingsAdministratorLocal SettingsApplication DataGoogleGoogle Talk Plugingoogletalkplugin.exe"=

[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileGloballyOpenPortsList]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R2 LBeepKE;LBeepKE;c:windowssystem32driversLBeepKE.sys [2/14/2009 8:18 PM 10384]
S2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2009/11/17 21:01];??x:program filesCyberLinkPowerDVD9PowerDVD9000.fcl --> x:program filesCyberLinkPowerDVD9PowerDVD9000.fcl [?]
S3 DIGIRPS;Digi PortServer Driver;c:windowssystem32driversdigirlpt.sys [3/31/2007 2:04 AM 42432]
S3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:program filesTuneUp Utilities 2010TuneUpUtilitiesDriver32.sys [10/14/2009 8:24 AM 10064]
S4 sptd;sptd;c:windowssystem32driverssptd.sys [11/27/2009 2:03 AM 691696]
S4 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:program filesTuneUp Utilities 2010TuneUpUtilitiesService32.exe [10/30/2009 4:05 PM 1021256]
S4 VFILT;Outpost Firewall Kernel Driver;??c:progra~1AgnitumOUTPOS~1.0kernel2000FILTNT.SYS --> c:progra~1AgnitumOUTPOS~1.0kernel2000FILTNT.SYS [?]

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionSvchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2010-07-10 c:windowsTasksAutomatic troubleshooting.job
- c:program filesTuneUp Utilities 2010TuneUpSystemStatusCheck.exe [2009-10-30 20:12]

2010-06-23 c:windowsTasksGoogleUpdateTaskUserS-1-5-21-854245398-606747145-725345543-500.job
- c:documents and settingsAdministratorLocal SettingsApplication DataGoogleUpdateGoogleUpdate.exe [2008-09-02 19:17]

2010-07-10 c:windowsTasksUser_Feed_Synchronization-{1A3FB550-A62C-49F3-A0D5-EFB61425761F}.job
- c:windowssystem32msfeedssync.exe [2007-08-13 07:01]

2009-11-18 c:windowsTasksWGASetup.job
- c:windowssystem32KB905474wgasetup.exe [2009-08-23 03:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5577
IE: E&xport to Microsoft Excel - c:progra~1MICROS~3OFFICE11EXCEL.EXE/3000
TCP: {A90CBBE5-BF0D-415E-974D-EF5AD7631891} = 192.168.2.1
FF - ProfilePath - c:documents and settingsAdministratorApplication DataMozillaFirefoxProfiles908btfzh.default
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:documents and settingsAdministratorApplication DataMove Networkspluginsnpqmp071505000011.dll
FF - plugin: c:documents and settingsAdministratorApplication DataMozillapluginsnpgoogletalk.dll
FF - plugin: c:documents and settingsAdministratorLocal SettingsApplication DataGoogleUpdate1.2.145.5npGoogleOneClick8.dll
FF - plugin: c:program filesMozilla Firefoxpluginsnpunagi2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:windowsMicrosoft.NETFrameworkv3.5Windows Presentation FoundationDotNetAssistantExtension

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
c:program filesMozilla Firefoxgreprefsall.js - pref("ui.use_native_colors", true);
c:program filesMozilla Firefoxgreprefsall.js - pref("network.auth.force-generic-ntlm", false);
c:program filesMozilla Firefoxgreprefsall.js - pref("svg.smil.enabled", false);
c:program filesMozilla Firefoxdefaultspreffirefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:program filesMozilla Firefoxdefaultspreffirefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:program filesMozilla Firefoxdefaultspreffirefox.js - pref("plugins.update.notifyUser", false);
.
.
------- File Associations -------
.
.txt=txt_auto_file
.
- - - - ORPHANS REMOVED - - - -

Notify-= - (no file)
Notify-WgaLogon - (no file)
SafeBoot-AVG Anti-Spyware Driver
SafeBoot-AVG Anti-Spyware Guard
MSConfigStartUp-PWRISOVM - (no file)
MSConfigStartUp-RemoteControl9 - x:program filesCyberLinkPowerDVD9PowerDVD9PDVD9Serv.exe
AddRemove-Cain & Abel v4.9.35 - x:program filesCainUNINSTAL.EXE
AddRemove-Monopoly Here & Now Edition - x:program filesMONOPO~1UNWISE.EXE
AddRemove-Pawn 3 - x:program filesPawn 3Uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-10 02:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINESystemControlSet001Services{B154377D-700F-42cc-9474-23858FBDF4BD}]
"ImagePath"="??x:program filesCyberLinkPowerDVD9PowerDVD9000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERSS-1-5-21-854245398-606747145-725345543-500SoftwareMicrosoftInternet ExplorerUser Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0a,c2,62,2b,b3,a6,4c,4e,9c,37,a3,
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0a,c2,62,2b,b3,a6,4c,4e,9c,37,a3,

[HKEY_LOCAL_MACHINEsoftwareClassesCLSID{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:WINDOWSsystem32MacromedFlashFlashUtil10e.exe,-101"

[HKEY_LOCAL_MACHINEsoftwareClassesCLSID{A483C63A-CDBC-426E-BF93-872502E8144E}Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINEsoftwareClassesCLSID{A483C63A-CDBC-426E-BF93-872502E8144E}LocalServer32]
@="c:WINDOWSsystem32MacromedFlashFlashUtil10e.exe"

[HKEY_LOCAL_MACHINEsoftwareClassesCLSID{A483C63A-CDBC-426E-BF93-872502E8144E}TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINEsoftwareClassesInterface{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINEsoftwareClassesInterface{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINEsoftwareClassesInterface{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINEsoftwareMicrosoftWindowsCurrentVersionInstallerUserDataLocalSystemComponentsh–€|˙˙˙˙¤â€˘â‚¬|ů•A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""

[HKEY_LOCAL_MACHINEsoftwareMicrosoftWindows NTCurrentVersionWindowsAutorunsDisabled]
"Appinit_Dlls"="c:DOCUME~1ALLUSE~1AVP9mzvkbd3.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.EXE'(1960)
c:windowssystem32ieframe.dll
c:windowssystem32webcheck.dll
c:windowssystem32WPDShServiceObj.dll
c:windowssystem32PortableDeviceTypes.dll
c:windowssystem32PortableDeviceApi.dll
c:windowssystem32OneX.DLL
c:windowssystem32eappprxy.dll
c:program filesCommon FilesAdobeAcrobatActiveXPDFShell.dll
c:program filesWinZipwzshlstb.dll
c:program filesTuneUp Utilities 2010SDShelEx-win32.dll
c:windowsSystem32erasext.dll
c:windowsSystem32Eraser.dll
c:program filesTuneUp Utilities 2010DseShExt-x86.dll
c:windowssystem32WMVCore.DLL
c:windowssystem32WMASF.DLL
c:windowssystem32MSWMDM.dll
c:windowssystem32MsPMSP.dll
c:windowssystem32cewmdm.dll
c:windowssystem32wpdsp.dll
c:windowssystem32WMDMPS.dll
c:progra~1MICROS~3OFFICE11MCPS.DLL
.
Completion time: 2010-07-10 02:14:22 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-10 06:14

Pre-Run: 6,424,223,744 bytes free
Post-Run: 6,374,129,664 bytes free

- - End Of File - - E3B159F06390042AC95A94452A9F98DF
Quarantine file:

2010-07-10 06:13:29 . 2010-07-10 06:13:29 418 ----a-w- C:QooboxQuarantineRegistry_backupsAddRemove-Pawn 3.reg.dat
2010-07-10 06:13:29 . 2010-07-10 06:13:29 1,154 ----a-w- C:QooboxQuarantineRegistry_backupsAddRemove-Monopoly Here & Now Edition.reg.dat
2010-07-10 06:13:29 . 2010-07-10 06:13:29 540 ----a-w- C:QooboxQuarantineRegistry_backupsAddRemove-Cain & Abel v4.9.35.reg.dat
2010-07-10 06:13:10 . 2010-07-10 06:13:10 536 ----a-w- C:QooboxQuarantineRegistry_backupsMSConfigStartUp-RemoteControl9.reg.dat
2010-07-10 06:13:10 . 2010-07-10 06:13:10 482 ----a-w- C:QooboxQuarantineRegistry_backupsMSConfigStartUp-PWRISOVM.reg.dat
2010-07-10 06:13:09 . 2010-07-10 06:13:09 602 ----a-w- C:QooboxQuarantineRegistry_backupsSafeBoot-AVG Anti-Spyware Guard.reg.dat
2010-07-10 06:13:09 . 2010-07-10 06:13:09 602 ----a-w- C:QooboxQuarantineRegistry_backupsSafeBoot-AVG Anti-Spyware Driver.reg.dat
2010-07-10 06:13:07 . 2010-07-10 06:13:07 3,866 ----a-w- C:QooboxQuarantineRegistry_backupsNotify-WgaLogon.reg.dat
2010-07-10 06:03:33 . 2010-07-10 06:03:33 276 ----a-w- C:QooboxQuarantineRegistry_backupsLegacy_NPF.reg.dat
2010-07-10 06:03:26 . 2010-07-10 22:31:35 5,908 ----a-w- C:QooboxQuarantineRegistry_backupstcpip.reg
2010-07-10 05:42:49 . 2010-07-10 22:24:57 306 ----a-w- C:QooboxQuarantinecatchme.log
2010-07-10 05:33:43 . 2010-07-10 05:33:31 289,024 ----a-w- C:QooboxQuarantineCDocuments and SettingsAdministratorLocal SettingsApplication Datanhbmhyratdrsiykktssd.exe.vir
2009-06-05 06:46:07 . 2009-06-05 06:46:10 5,632 ----a-w- C:QooboxQuarantineCWINDOWSsystem32Thumbs.db.vir
2005-06-08 05:25:33 . 1997-01-16 18:42:24 6,114 ----a-w- C:QooboxQuarantineCWINDOWSsystem32SHELLLNK.TLB.vir


Thank you in advance!

To clarify, I've done malware removal before. I've helped people on other forums between 2007-2008. Obviously, it's been 2 years and I'm not up to date with everything.

Nevertheless, I ran ComboFix the correct way. The internet was not working as soon as the "drive-by" virus was there. It showed a rogue antivirus program and anytime I wanted to run ANY process, including task manager, regedit, etc., a yellow error would show up near the clock with the message that the file "taskmanager.exe" or "regedit.exe" failed to start/run.

I've also run MBAM but nothing showed up, as well as LSPFix. I also did Run>"sfc /scannow", no corruptions showed up.

I cleaned the registry with CCleaner and RegCure, no major problems.

Thanks again in advance.

2 posts merged and moved to log forum. ~ OB

Edited by Orange Blossom, 10 July 2010 - 08:15 PM.
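An added example, not part of the post above and not code from HijackThis, ComboFix or any other tool named in the thread. Both logs show the Internet Explorer proxy set to `http=127.0.0.1:5577` (the `R1 ... ProxyServer` line and `uInternet Settings,ProxyServer`). A proxy that points at the local machine, with nothing listening on that port once the program that installed it is gone, makes every browser request fail, which is consistent with the "No internet" symptom and is a setting worth checking on any machine that has had a rogue antivirus on it. The script below parses HijackThis `R0`/`R1` lines and flags any `ProxyServer` value whose host is a loopback address. The sample input is constructed (modelled on the log above, with the backslashes that the forum extraction dropped restored); the function names are mine.

```python
import re
from ipaddress import ip_address

# Constructed sample, modelled on the R0/R1/O4 lines in the HijackThis log above.
SAMPLE_HJT = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5577
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
"""

# HijackThis R0/R1 lines: "<section> - <hive>\<key>,<value name> = <data>"
R_LINE = re.compile(
    r"^(?P<section>R[01]) - (?P<hive>HK\w+)\\(?P<key>[^,]+),(?P<value>[^=]+?)\s*=\s*(?P<data>.*)$"
)


def parse_r_lines(text):
    """Return the R0/R1 entries of a HijackThis log as dicts; other sections are skipped."""
    entries = []
    for line in text.splitlines():
        m = R_LINE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def parse_proxy_server(data):
    """Split a WinINet ProxyServer value into {protocol: (host, port)}.

    Two formats exist: a bare 'host:port' that applies to every protocol,
    or a ';'-separated list such as 'http=host:port;https=host:port'.
    """
    proxies = {}
    for part in data.split(";"):
        part = part.strip()
        if not part:
            continue
        proto, sep, target = part.partition("=")
        if not sep:                      # bare host:port, no protocol prefix
            proto, target = "all", proto
        host, sep, port = target.rpartition(":")
        if not sep:                      # no port given
            host, port = target, None
        else:
            port = int(port) if port.isdigit() else None
        proxies[proto.strip().lower()] = (host.strip(), port)
    return proxies


def is_loopback(host):
    """True for 127.0.0.0/8, ::1 and the name 'localhost'."""
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"


def proxy_findings(entries):
    """Flag every ProxyServer entry whose proxy host is the local machine."""
    findings = []
    for e in entries:
        if e["value"].strip() != "ProxyServer" or not e["data"]:
            continue
        for proto, (host, port) in parse_proxy_server(e["data"]).items():
            if is_loopback(host):
                findings.append({
                    "hive": e["hive"],
                    "protocol": proto,
                    "host": host,
                    "port": port,
                    "note": "proxy points at this machine; with nothing listening "
                            "on that port every browser request will fail",
                })
    return findings


if __name__ == "__main__":
    for f in proxy_findings(parse_r_lines(SAMPLE_HJT)):
        print(f"{f['hive']} ProxyServer {f['protocol']} -> {f['host']}:{f['port']}  ({f['note']})")
```

Run against a saved log with `parse_r_lines(open(path).read())`. The check is deliberately narrow: it reports only loopback proxies, since a proxy on a real corporate address can be legitimate, and it reads the `HKCU` and `HKLM` entries separately because the rogue-set value is typically in the user hive while the machine hive stays clean.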

#2 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 14 July 2010 - 06:56 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 19 July 2010 - 06:49 PM

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE