
Antimalware Doctor


This topic is locked. 38 replies to this topic.

#31 m0le (Malware Response Team, London, UK)

Posted 20 September 2010 - 11:03 AM

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad and copy/paste the text in the box below into it:

File::
c:\windows\system32\drivers\umbojfyl.sys

Folder::
c:\users\Ian\.COMMgr

Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"COM+ Manager"=-

Driver::
umbojfyl

Save this as CFScript.txt, in the same location as Comfix.exe (called ComboFix.exe in the graphic below).

Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

If the program asks you to update ComboFix, click Yes.

When finished, it shall produce a log for you at C:\ComboFix.txt, which I will require in your next reply.
m0le is a proud member of UNITE
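What that script actually asks ComboFix to do is easier to see once it is parsed. The following Python is an added example, not part of the post above and not ComboFix's own code: it reads the four directive types used in the script (File::, Folder::, Registry::, Driver::) and returns the actions they describe. It assumes the REGEDIT4 conventions that "name"=- deletes a registry value and [-Key] deletes a whole key (the second form does not occur in the script above, so its handling is an assumption), and it treats Driver:: as naming the driver's service entry, which the log in the next post records as Service_umbojfyl.

```python
"""Parse a ComboFix CFScript into the actions it instructs.

Added example: not part of the original post and not ComboFix's own code.
"""
import re

# Constructed copy of the CFScript from the post above.
CFSCRIPT = r"""
File::
c:\windows\system32\drivers\umbojfyl.sys

Folder::
c:\users\Ian\.COMMgr

Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"COM+ Manager"=-

Driver::
umbojfyl
"""

_SECTION = re.compile(r"^(\w+)::$")          # File::  Folder::  Registry::  Driver::
_REG_KEY = re.compile(r"^\[(.+)\]$")         # [HKEY_...]  or  [-HKEY_...]  (REGEDIT4 syntax)
_REG_VALUE = re.compile(r'^"(.+?)"=(.*)$')   # "name"=data  or  "name"=-  (delete the value)


def parse_cfscript(text):
    """Return a list of (action, target) tuples in script order.

    Actions: delete_file, delete_folder, delete_driver, delete_reg_key,
    delete_reg_value, set_reg_value.  Registry targets are tuples of
    (key, value_name) or (key, value_name, data).
    """
    actions = []
    section = None
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _SECTION.match(line)
        if m:
            section = m.group(1).lower()
            current_key = None
            continue
        if section == "file":
            actions.append(("delete_file", line))
        elif section == "folder":
            actions.append(("delete_folder", line))
        elif section == "driver":
            # Driver:: names the driver's service entry, not a file path;
            # the .sys file itself is listed separately under File::
            actions.append(("delete_driver", line))
        elif section == "registry":
            k = _REG_KEY.match(line)
            if k:
                key = k.group(1)
                if key.startswith("-"):
                    # Assumed REGEDIT4 convention: [-Key] removes the whole key
                    actions.append(("delete_reg_key", key[1:]))
                    current_key = None
                else:
                    current_key = key
                continue
            v = _REG_VALUE.match(line)
            if v and current_key:
                name, data = v.group(1), v.group(2).strip()
                if data == "-":
                    actions.append(("delete_reg_value", (current_key, name)))
                else:
                    actions.append(("set_reg_value", (current_key, name, data)))
            else:
                raise ValueError(f"unparsed Registry:: line: {line!r}")
        else:
            raise ValueError(f"line outside any section: {line!r}")
    return actions


def persistence_removed(actions):
    """Autostart points (Run values and driver services) the script removes."""
    out = []
    for action, target in actions:
        if action == "delete_reg_value" and target[0].lower().endswith("\\run"):
            out.append(f"Run value {target[1]!r} under {target[0]}")
        elif action == "delete_driver":
            out.append(f"driver service {target!r}")
    return out


if __name__ == "__main__":
    for action, target in parse_cfscript(CFSCRIPT):
        print(f"{action:17s} {target}")
    print(persistence_removed(parse_cfscript(CFSCRIPT)))
```

The script pairs the driver file with its service entry on purpose: deleting only the .sys would leave a service that points at a missing binary, and deleting only the service would leave the file for something else to reload. ComboFix keeps copies of what it removes under C:\Qoobox\Quarantine, which is why the same paths reappear with a .vir suffix in the ESET results later in this thread.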

#32 Bradyia2 (Topic Starter)

Posted 20 September 2010 - 05:29 PM

ComboFix 10-09-20.01 - Ian 20/09/2010 22:39:10.4.1 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.353.1033.18.1790.963 [GMT 1:00]
Running from: c:\users\Ian\Desktop\Comfix.exe
Command switches used :: c:\users\Ian\Desktop\CFScript.txt
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"c:\windows\system32\drivers\umbojfyl.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_umbojfyl


((((((((((((((((((((((((( Files Created from 2010-08-20 to 2010-09-20 )))))))))))))))))))))))))))))))
.

2010-09-20 22:02 . 2010-09-20 22:11 -------- d-----w- c:\users\Ian\AppData\Local\temp
2010-09-20 22:02 . 2010-09-20 22:02 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-09-20 22:02 . 2010-09-20 22:02 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-09-14 22:29 . 2010-02-12 10:48 293376 ----a-w- c:\windows\system32\browserchoice.exe
2010-09-14 22:12 . 2009-11-08 09:55 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-09-14 22:12 . 2009-11-08 09:55 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-09-14 22:12 . 2009-11-08 09:55 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-09-14 22:12 . 2009-11-08 09:55 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-09-14 22:12 . 2009-11-08 09:55 1130824 ----a-w- c:\windows\system32\dfshim.dll
2010-09-14 22:12 . 2010-09-15 09:49 -------- d-----w- c:\windows\system32\MpEngineStore
2010-09-14 21:08 . 2009-09-04 12:24 61440 ----a-w- c:\windows\system32\msasn1.dll
2010-09-14 21:05 . 2010-05-26 16:16 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-09-14 21:04 . 2009-12-28 12:32 31744 ----a-w- c:\windows\system32\msvidc32.dll
2010-09-14 21:04 . 2009-12-28 12:35 11776 ----a-w- c:\windows\system32\tsbyuv.dll
2010-09-14 21:04 . 2009-12-28 12:32 22528 ----a-w- c:\windows\system32\msyuv.dll
2010-09-14 21:04 . 2009-12-28 12:32 123904 ----a-w- c:\windows\system32\msvfw32.dll
2010-09-14 21:04 . 2009-12-28 12:32 13312 ----a-w- c:\windows\system32\msrle32.dll
2010-09-14 21:04 . 2009-12-28 12:31 82944 ----a-w- c:\windows\system32\mciavi32.dll
2010-09-14 21:04 . 2009-12-28 12:31 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2010-09-14 21:04 . 2009-12-28 12:28 91136 ----a-w- c:\windows\system32\avifil32.dll
2010-09-14 21:04 . 2009-12-28 12:28 65024 ----a-w- c:\windows\system32\avicap32.dll
2010-09-14 20:50 . 2009-08-10 13:05 351232 ----a-w- c:\windows\system32\WSDApi.dll
2010-09-14 20:41 . 2009-09-10 15:21 310784 ----a-w- c:\windows\system32\unregmp2.exe
2010-09-14 20:41 . 2009-09-10 15:21 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-09-14 20:40 . 2009-04-02 12:37 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2010-09-14 17:43 . 2010-09-14 19:40 -------- d-----w- c:\program files\Championship Manager 01-02
2010-09-03 14:16 . 2010-09-03 14:18 -------- d-----w- c:\users\Ian\Other
2010-08-28 21:17 . 2010-09-20 12:42 -------- d-----w- c:\users\Ian\AppData\Local\Windows

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-20 22:08 . 2009-06-21 20:11 31681 ----a-w- c:\programdata\nvModes.dat
2010-09-20 00:13 . 2009-09-07 16:28 0 ----a-w- c:\users\Ian\AppData\Local\prvlcl.dat
2010-09-19 20:33 . 2009-09-07 16:59 -------- d-----w- c:\users\Ian\AppData\Roaming\uTorrent
2010-09-19 20:31 . 2009-09-24 13:09 -------- d-----w- c:\program files\Lx_cats
2010-09-15 09:28 . 2009-02-27 09:49 -------- d-----w- c:\programdata\NVIDIA
2010-09-15 09:26 . 2009-06-21 12:06 115184 ----a-w- c:\users\Ian\AppData\Local\GDIPFONTCACHEV1.DAT
2010-09-15 07:42 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-09-03 14:08 . 2010-04-28 12:41 -------- d-----w- c:\program files\OpenOffice.org 3
2010-09-03 14:06 . 2010-03-11 16:26 -------- d-----w- c:\program files\VirtualDJ
2010-08-17 13:32 . 2010-09-14 21:05 126464 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-10 11:40 . 2010-08-10 11:40 63488 ----a-w- c:\users\Ian\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-08-10 11:39 . 2010-08-10 11:39 52224 ----a-w- c:\users\Ian\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-08-10 11:39 . 2010-08-10 11:39 117760 ----a-w- c:\users\Ian\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-08-10 11:39 . 2010-08-10 11:39 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-08-10 11:39 . 2010-08-10 11:39 -------- d-----w- c:\users\Ian\AppData\Roaming\SUPERAntiSpyware.com
2010-08-10 11:39 . 2010-08-10 11:39 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-07-27 22:17 . 2010-07-27 22:17 0 ----a-w- c:\windows\system32\cd.dat
2010-07-27 10:26 . 2010-07-27 10:26 -------- d-----w- c:\users\Ian\AppData\Roaming\Malwarebytes
2010-07-27 10:26 . 2010-07-27 10:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-27 10:26 . 2010-07-27 10:26 -------- d-----w- c:\programdata\Malwarebytes
2010-07-27 02:26 . 2010-02-07 13:43 7592 ----a-w- c:\users\Ian\AppData\Local\d3d9caps.dat
2010-07-27 02:05 . 2010-07-27 02:05 -------- d-----w- c:\program files\Trend Micro
2010-07-27 01:10 . 2009-12-29 14:50 -------- d-----w- c:\program files\Bonjour
2010-07-27 01:10 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Defender
2010-06-30 11:00 . 2009-09-24 18:08 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-06-28 16:17 . 2010-09-14 21:06 833024 ----a-w- c:\windows\system32\wininet.dll
2010-06-28 16:13 . 2010-09-14 21:06 78336 ----a-w- c:\windows\system32\ieencode.dll
1997-07-25 17:11 . 2009-12-23 12:21 304128 ----a-w- c:\program files\mozilla firefox\plugins\Pngdll.dll
2008-10-25 17:09 . 2008-10-25 16:56 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 12:03 1230080 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2008-09-24 468264]
"UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2008-10-07 210216]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-12-24 222504]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-08-01 202032]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePDIRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-08-09 2048352]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-23 13797920]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
backup=c:\windows\pss\Acrobat Assistant.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Ian^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Antimalware Doctor.lnk]
path=c:\users\Ian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Antimalware Doctor.lnk
backup=c:\windows\pss\Antimalware Doctor.lnk.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Ian^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
backup=c:\windows\pss\OpenOffice.org 3.1.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2008-06-11 21:43 640376 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2008-06-12 01:25 37232 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-09-20 14:35 202024 ----a-w- c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-04-12 22:46 1135912 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
2007-05-04 06:40 312240 ----a-w- c:\program files\Lexmark Fax Solutions\fm3032.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-12-30 22:37 135664 ----atw- c:\users\Ian\AppData\Local\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-12 16:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxddamon]
2007-03-05 07:40 20480 ----a-w- c:\program files\Lexmark 2500 Series\lxddamon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxddmon.exe]
2007-05-04 06:38 291760 ----a-w- c:\program files\Lexmark 2500 Series\lxddmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
2007-09-20 08:51 1836328 ----a-w- c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
2001-07-09 10:50 155648 ----a-w- c:\windows\System32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 14:57 153136 ----a-w- c:\program files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-10 23:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2010-07-19 17:50 2403568 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"LightScribe Control Panel"=c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
"RegistryMechanic"=c:\program files\Registry Mechanic\RMTray.exe /H

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot

R2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\lxddserv.exe [2007-04-26 99248]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2010-06-30 691696]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2010-01-14 335240]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-06-22 108552]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2010-01-14 908056]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2010-08-09 297752]
S2 ezSharedSvc;Easybits Shared Services for Windows;c:\windows\system32\svchost.exe [2008-01-21 21504]
S2 HssWd;Hotspot Shield Monitoring Service;c:\program files\Hotspot Shield\bin\hsswd.exe [2010-01-08 285744]
S2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe [2007-04-26 537520]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2010-04-29 304464]
S2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\SMINST\BLService.exe [2008-10-06 365952]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-04-29 20952]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-05-09 43040]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ezSharedSvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-06-09 18:14 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-09-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-729991802-836018719-1428836848-1000Core.job
- c:\users\Ian\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-30 22:37]

2010-09-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-729991802-836018719-1428836848-1000UA.job
- c:\users\Ian\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-30 22:37]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ie/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ie&c=91&bd=Presario&pf=cnnb
uInternet Settings,ProxyOverride = local
IE: &AOL Toolbar Search - c:\programdata\AOL\ieToolbar\resources\en-IE\local\search.html
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Save YouTube Video as MP3 - c:\program files\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP3.htm
FF - ProfilePath - c:\users\Ian\AppData\Roaming\Mozilla\Firefox\Profiles\1rqdggns.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\Npgfxv.dll
FF - plugin: c:\users\Ian\AppData\Local\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\users\Ian\AppData\Roaming\Facebook\npfbplugin_1_0_1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-20 23:10
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\nvvsvc.exe
c:\windows\system32\WLANExt.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Hotspot Shield\HssWPR\hsssrv.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\program files\Windows Media Player\wmpnscfg.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2010-09-20 23:24:47 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-20 22:24
ComboFix2.txt 2010-09-20 15:25
ComboFix3.txt 2010-08-13 11:41
ComboFix4.txt 2010-08-09 23:37

Pre-Run: 60,610,191,360 bytes free
Post-Run: 60,207,181,824 bytes free

- - End Of File - - EC5143B982B75D3B520A9F923E2F0342

That PEV message came up again. Cheers.
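Reading a ComboFix log by hand means going through the Reg Loading Points and service lines for anything that does not belong. The following Python is an added example, not part of the post above and not ComboFix's own code: it parses the two line shapes the log uses ("Name"="path" [date size] under a registry key, and R/S<digit> name;display;path [date size] for services and drivers) and flags entries worth a second look: binaries in user-writable locations, values under the per-user Run key (the kind the CFScript removed), and AppInit_DLLs. The sample input is a constructed excerpt: real lines from the log above plus one made-up HKCU Run value ("Example Helper", path under AppData) to show what a hit looks like. Reading the R/S prefix as running/stopped and the digit as the Windows service start type is an assumption.

```python
"""Triage autostart entries from a ComboFix log.

Added example: not part of the original post and not ComboFix's own code.
"""
import re

# Constructed excerpt: real lines from the log above plus one made-up
# HKCU Run value ("Example Helper") placed under AppData to show a hit.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-08-09 2048352]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-23 13797920]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Example Helper"="c:\users\Ian\AppData\Roaming\example\helper.exe" [2010-09-19 65536]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

R2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\lxddserv.exe [2007-04-26 99248]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2010-04-29 304464]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-04-29 20952]
"""

_KEY = re.compile(r"^\[(.+)\]$")
# "Name"="path" [YYYY-MM-DD size]   (the quotes and the trailing [..] are optional)
_VALUE = re.compile(r'^"([^"]+)"=\s*"?([^"\[]+?)"?\s*(?:\[(\d{4}-\d{2}-\d{2}) (\d+)\])?$')
# R2 name;display;path [YYYY-MM-DD size]
# R/S = running/stopped, digit = service start type (assumed reading of the log format)
_SERVICE = re.compile(r"^([RS])(\d) ([^;]+);([^;]*);(.+?)(?: \[(\d{4}-\d{2}-\d{2}) (\d+)\])?$")

# Path fragments that an unprivileged user can write to.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\documents and settings\\")


def parse_loading_points(text):
    """Return one dict per autostart entry (Run values, services, drivers)."""
    entries = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _KEY.match(line)
        if m:
            key = m.group(1)
            continue
        m = _SERVICE.match(line)
        if m:
            state, start, name, display, path, date, size = m.groups()
            entries.append({
                "kind": "driver" if path.lower().endswith(".sys") else "service",
                "location": f"{state}{start}",
                "name": name, "display": display, "path": path,
                "date": date, "size": int(size) if size else None,
            })
            continue
        m = _VALUE.match(line)
        if m and key:
            name, path, date, size = m.groups()
            entries.append({
                "kind": "value", "location": key, "name": name,
                "path": path.strip(), "date": date,
                "size": int(size) if size else None,
            })
    return entries


def triage(entries):
    """Return the entries that deserve a second look, each with a 'flags' list."""
    flagged = []
    for e in entries:
        flags = []
        path = e["path"].lower()
        loc = e["location"].lower()
        if any(marker in path for marker in USER_WRITABLE):
            flags.append("binary in user-writable location")
        if e["kind"] == "value" and loc.startswith("hkey_current_user") and loc.endswith("\\run"):
            flags.append("per-user Run key (writable without admin rights)")
        if e["name"].lower() == "appinit_dlls":
            flags.append("AppInit_DLLs: loaded into every process that maps user32.dll")
        if flags:
            flagged.append(dict(e, flags=flags))
    return flagged


if __name__ == "__main__":
    for hit in triage(parse_loading_points(SAMPLE_LOG)):
        print(hit["name"], "->", hit["path"])
        for f in hit["flags"]:
            print("   ", f)
```

A flag is a prompt to look, not a verdict: the AppInit_DLLs entry in this log belongs to AVG, and legitimate per-user software does start from AppData. What the flags buy you is a short list to check against the vendor, the file date and the quarantine history rather than reading all forty-odd entries with equal attention.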


#33 m0le (Malware Response Team, London, UK)

Posted 20 September 2010 - 06:20 PM

Don't worry about the PEV message.

Antimalware Doctor is history now. Let's run ESET at this point.
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Leave the top box checked and then check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.

Please also let me know how the PC is running now.

#34 Bradyia2 (Topic Starter)

Posted 21 September 2010 - 04:48 PM

C:\Qoobox\Quarantine\C\Users\Ian\AppData\Local\Windows Server\hlp.dat.vir Win32/Bamital.DZ trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Users\Ian\AppData\Roaming\ohydy.exe.vir Win32/Inject.NDR trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Users\Ian\AppData\Roaming\FFC3AF38641DD18B6276C81B568EC4BC\handlerfix70700en00.exe.vir a variant of Win32/Kryptik.GUX trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Users\Ian\AppData\Roaming\Microsoft\Windows\Templates\memory.tmp.vir Win32/Bamital.DZ trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\11.08.2010_22.40.12\susp0001\svc0000\tsk0000.dta a variant of Win32/Bubnix.AW trojan cleaned by deleting - quarantined
C:\Users\Ian\AppData\Local\Windows\winhelp.exe Win32/Bamital.DZ trojan cleaned by deleting - quarantined
C:\Users\Ian\AppData\Local\Windows Server\hlp.dat Win32/Bamital.DZ trojan cleaned by deleting - quarantined
C:\Users\Ian\AppData\Roaming\Microsoft\Windows\Templates\memory.tmp Win32/Bamital.DZ trojan cleaned by deleting - quarantined

During the scan a warning came up that looked like this.

www1.setprotection44.co.cc
Warning... Risk of malware attacks... Scan computer... Press Ok.

I tried to close it but another window opened up and pretended it was scanning the computer for malware, like Antimalware Doctor did. I closed it and haven't seen it since.

Windows Explorer also restarted during the scan.

Thanks.

#35 m0le (Malware Response Team, London, UK)

Posted 21 September 2010 - 05:56 PM

Mostly quarantined items, but the Bamital trojan files needed to go (particularly the hlp.dat file, which regenerates the infection after deletion).

The warning is slightly strange but if it hasn't returned that's good.


Please run MBAM

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
    If MBAM won't update then download and update MBAM on a clean computer then save the rules.ref folder to a memory stick. This file is found here: 'C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware' then transfer it across to the infected computer.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Whether or not you are prompted to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.
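The reading m0le gives of the ESET results in #34, that most hits were copies already parked in quarantine and only the three under C:\Users\Ian were live, can be automated. The following Python is an added example, not part of either post and not ESET's own code: it parses the report lines from #34 (path, detection name, action taken) and splits them into quarantine copies and live files, counting hits per family. The list of threat-type words and the quarantine folder markers (ComboFix's C:\Qoobox\Quarantine with its .vir suffix, TDSSKiller's C:\TDSSKiller_Quarantine) are assumptions drawn from what appears in that report.

```python
"""Split an ESET Online Scanner report into live hits and quarantine copies.

Added example: not part of the original posts and not ESET's own code.
"""
import re
from collections import Counter

# The eight result lines from post #34, used here as sample input.
ESET_REPORT = r"""
C:\Qoobox\Quarantine\C\Users\Ian\AppData\Local\Windows Server\hlp.dat.vir Win32/Bamital.DZ trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Users\Ian\AppData\Roaming\ohydy.exe.vir Win32/Inject.NDR trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Users\Ian\AppData\Roaming\FFC3AF38641DD18B6276C81B568EC4BC\handlerfix70700en00.exe.vir a variant of Win32/Kryptik.GUX trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Users\Ian\AppData\Roaming\Microsoft\Windows\Templates\memory.tmp.vir Win32/Bamital.DZ trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\11.08.2010_22.40.12\susp0001\svc0000\tsk0000.dta a variant of Win32/Bubnix.AW trojan cleaned by deleting - quarantined
C:\Users\Ian\AppData\Local\Windows\winhelp.exe Win32/Bamital.DZ trojan cleaned by deleting - quarantined
C:\Users\Ian\AppData\Local\Windows Server\hlp.dat Win32/Bamital.DZ trojan cleaned by deleting - quarantined
C:\Users\Ian\AppData\Roaming\Microsoft\Windows\Templates\memory.tmp Win32/Bamital.DZ trojan cleaned by deleting - quarantined
"""

# Threat-type words ESET prints after the family name.  This list is an
# assumption covering the common cases; extend it if a line fails to parse.
_TYPES = (r"trojan|worm|virus|backdoor|adware|potentially unwanted application|"
          r"potentially unsafe application|application")
# Paths may contain spaces, so the path is matched lazily up to the first
# point where "<family> <type> <action>" follows.
_LINE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<variant>a variant of )?(?P<family>\w+/[\w.\-]+)\s+(?P<type>" + _TYPES + r")\s+"
    r"(?P<action>.+)$"
)

# Folders other cleanup tools use to park disabled copies (taken from the report).
QUARANTINE_MARKERS = ("\\qoobox\\quarantine\\", "\\tdsskiller_quarantine\\")


def parse_eset_report(text):
    """Return one dict per detection line: path, family, variant, type, action."""
    rows = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised ESET line: {line!r}")
        rows.append({
            "path": m.group("path"),
            "family": m.group("family"),
            "variant": m.group("variant") is not None,
            "type": m.group("type"),
            "action": m.group("action"),
        })
    return rows


def is_quarantined_copy(path):
    """True when the hit is a disabled copy held by another cleanup tool."""
    p = path.lower()
    return p.endswith(".vir") or any(mk in p for mk in QUARANTINE_MARKERS)


def summarize(rows):
    """Split rows into live files and quarantine copies; count hits per family."""
    live = [r for r in rows if not is_quarantined_copy(r["path"])]
    quarantine = [r for r in rows if is_quarantined_copy(r["path"])]
    return {"live": live, "quarantine": quarantine,
            "families": Counter(r["family"] for r in rows)}


if __name__ == "__main__":
    s = summarize(parse_eset_report(ESET_REPORT))
    print(f"{len(s['quarantine'])} quarantine copies, {len(s['live'])} live files")
    for r in s["live"]:
        print("LIVE", r["family"], r["path"])
    print(dict(s["families"]))
```

The live list is the part that matters for the next step: three Bamital.DZ files at their original paths under the user profile, which is why the thread continues with further scans rather than closing on the ESET result.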

#36 Bradyia2 (Topic Starter)

Posted 22 September 2010 - 12:11 PM

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4671

Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

22/09/2010 17:45:21
mbam-log-2010-09-22 (17-45-21).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 364395
Time elapsed: 3 hour(s), 20 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\OTGV1DNWQQ (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\YXE7DXCQ37 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Ian\AppData\Local\Windows\Antimalware Doctor.lnk (Rogue.AntiMalwareDoctor) -> Quarantined and deleted successfully.
C:\Users\Ian\Local Settings\Application Data\Windows Server\admin.txt (Malware.Trace) -> Quarantined and deleted successfully.


#37 m0le (Malware Response Team, London, UK)

Posted 22 September 2010 - 01:44 PM

Hmmm, that's not a good sign. Please run SUPERAntiSpyware now.

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

When that's been done, please rerun MBAM (a quick scan should be enough here).

#38 m0le (Malware Response Team, London, UK)

Posted 24 September 2010 - 07:29 PM

You still there?

#39 m0le (Malware Response Team, London, UK)

Posted 26 September 2010 - 05:46 AM

Since this issue appears to be resolved, this topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.