
win32/patched.fl virus log files


  • This topic is locked
44 replies to this topic

#1 windpoint

windpoint

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:09:40 AM

Posted 26 August 2010 - 09:33 AM

I still don't know if this virus is gone or not....it totalled my laptop!!! Any help would be greatly appreciated!!!

ComboFix 10-08-25.01 - Joe Patino 08/26/2010 8:57.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1513 [GMT -5:00]
Running from: c:\docume~1\JOEPAT~1\LOCALS~1\Temp\Temporary Directory 1 for ComboFix.zip\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Joe Patino\Application Data\9A3001AB5070C5F09706DBCD23DB8DB7
c:\documents and settings\Joe Patino\Application Data\9A3001AB5070C5F09706DBCD23DB8DB7\enemies-names.txt
c:\documents and settings\Joe Patino\Application Data\9A3001AB5070C5F09706DBCD23DB8DB7\local.ini
c:\documents and settings\Joe Patino\Application Data\9A3001AB5070C5F09706DBCD23DB8DB7\lsrslt.ini
c:\documents and settings\Joe Patino\Application Data\9A3001AB5070C5F09706DBCD23DB8DB7\newsecureapp70700.exe
c:\documents and settings\Joe Patino\Application Data\Street-Ads
c:\documents and settings\Joe Patino\Local Settings\Application Data\{33282449-5A38-4A74-91AB-1E4C39E9A69E}
c:\documents and settings\Joe Patino\Local Settings\Application Data\{33282449-5A38-4A74-91AB-1E4C39E9A69E}\chrome.manifest
c:\documents and settings\Joe Patino\Local Settings\Application Data\{33282449-5A38-4A74-91AB-1E4C39E9A69E}\chrome\content\_cfg.js
c:\documents and settings\Joe Patino\Local Settings\Application Data\{33282449-5A38-4A74-91AB-1E4C39E9A69E}\chrome\content\overlay.xul
c:\documents and settings\Joe Patino\Local Settings\Application Data\{33282449-5A38-4A74-91AB-1E4C39E9A69E}\install.rdf
c:\documents and settings\Joe Patino\Local Settings\Application Data\rwyhssfas
c:\documents and settings\Joe Patino\Local Settings\Application Data\rwyhssfas\xeghkryshdw.exe
c:\documents and settings\Joe Patino\Local Settings\Application Data\Windows Server
c:\documents and settings\Joe Patino\Local Settings\Application Data\Windows Server\admin.txt
c:\documents and settings\Joe Patino\Local Settings\Application Data\Windows Server\flags.ini
c:\documents and settings\Joe Patino\Local Settings\Application Data\Windows Server\server.dat
c:\documents and settings\Joe Patino\Local Settings\Application Data\Windows Server\uses32.dat
c:\program files\Shared
c:\windows\$NtUninstallMTF1011$
c:\windows\$NtUninstallMTF1011$\apUninstall.exe
c:\windows\$NtUninstallMTF1011$\mmx.dll
c:\windows\azudogod.dll
c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\esixojuxapiveh.dll
c:\windows\idadohaq.dll
c:\windows\idalogiwabaf.dll
c:\windows\ikoguwiviyiyi.dll
c:\windows\imavomadoyado.dll
c:\windows\qedrmst.dll
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
c:\windows\uyamasokupugeb.dll

Infected copy of c:\windows\system32\drivers\isapnp.sys was found and disinfected
Restored copy from - Kitty had a snack tongue.gif
c:\windows\system32\winlogon.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-07-26 to 2010-08-26 )))))))))))))))))))))))))))))))
.

2010-08-26 05:14 . 2010-02-02 15:13 59664 ----a-w- c:\windows\system32\drivers\TfSysMon.sys
2010-08-26 05:14 . 2010-02-02 15:13 51984 ----a-w- c:\windows\system32\drivers\TfFsMon.sys
2010-08-26 05:14 . 2010-02-02 15:13 33552 --s---w- c:\windows\system32\drivers\TfNetMon.sys
2010-08-26 05:13 . 2010-02-05 14:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-08-26 05:13 . 2009-10-06 21:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-08-26 05:13 . 2009-09-23 21:10 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-08-26 05:13 . 2010-02-05 14:25 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-08-26 05:13 . 2010-08-26 05:14 -------- d-----w- c:\program files\Common Files\PC Tools
2010-08-26 05:13 . 2010-08-26 05:37 -------- d-----w- c:\program files\Spyware Doctor
2010-08-26 05:13 . 2010-08-26 05:14 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-08-26 05:13 . 2010-08-26 05:13 -------- d-----w- c:\documents and settings\Joe Patino\Application Data\PC Tools
2010-08-26 05:02 . 2010-08-26 05:12 -------- d-----w- c:\documents and settings\Joe Patino\Application Data\GetRightToGo
2010-08-26 04:40 . 2010-08-26 05:38 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-08-26 04:40 . 2010-08-26 04:42 -------- d-----w- c:\program files\SpywareBlaster
2010-08-26 03:52 . 2010-08-26 04:06 -------- d-----w- c:\documents and settings\Joe Patino\SmitfraudFix
2010-08-26 02:08 . 2010-08-26 13:49 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-26 00:24 . 2010-08-26 00:24 120 ----a-w- c:\windows\Eqetivamebo.dat
2010-08-26 00:24 . 2010-08-26 00:24 0 ----a-w- c:\windows\Yyecadaga.bin
2010-08-26 00:23 . 2010-08-26 02:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Update

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-26 13:56 . 2010-01-24 14:34 -------- d-----w- c:\program files\Common Files\Akamai
2010-08-26 13:54 . 2010-06-21 15:39 -------- d-----w- c:\documents and settings\Joe Patino\Application Data\Skype
2010-08-26 13:35 . 2009-01-27 20:22 256 ----a-w- c:\windows\system32\pool.bin
2010-08-26 13:35 . 2010-06-21 15:42 -------- d-----w- c:\documents and settings\Joe Patino\Application Data\skypePM
2010-08-26 13:34 . 2010-01-31 19:22 -------- d-----w- c:\documents and settings\Joe Patino\Application Data\Dropbox
2010-08-26 13:33 . 2009-01-12 21:39 0 ----a-w- c:\documents and settings\Joe Patino\Local Settings\Application Data\WavXMapDrive.bat
2010-08-26 02:07 . 2009-01-12 22:37 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-08-25 21:19 . 2009-01-14 21:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-07-07 14:54 . 2009-01-06 07:16 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-07 14:54 . 2010-07-02 02:34 -------- d-----w- c:\program files\iPassion
2010-07-07 14:29 . 2010-07-07 14:29 -------- d-----w- c:\program files\Free WMA to MP3 Converter
2010-07-02 02:34 . 2010-07-02 02:34 -------- d-----w- c:\program files\DIFX
2010-06-30 12:31 . 2008-04-25 16:16 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:15 . 2008-04-25 16:16 832512 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 12:15 . 2008-04-25 16:16 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-06-24 12:15 . 2008-04-25 16:16 17408 ----a-w- c:\windows\system32\corpol.dll
2010-06-23 13:44 . 2008-04-25 16:16 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:42 . 2010-06-21 15:42 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-06-21 15:27 . 2008-04-25 16:16 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2008-04-25 16:16 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2008-04-25 21:27 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2008-04-25 16:16 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-06-07 20:19 . 2010-06-07 20:19 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-06-07 20:16 . 2010-06-07 20:16 56997 ----a-w- c:\documents and settings\All Users\Application Data\DivX\WebPlayer\Uninstaller.exe
2010-06-07 20:16 . 2010-06-07 20:16 56765 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-06-07 20:16 . 2010-06-07 20:16 57715 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Player\Uninstaller.exe
2010-06-07 20:16 . 2010-06-07 20:16 53600 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Update\Uninstaller.exe
2010-06-07 20:16 . 2010-06-07 20:16 84062 ----a-w- c:\documents and settings\All Users\Application Data\DivX\TransferWizard\Uninstaller.exe
2010-06-07 20:16 . 2010-06-07 20:16 57054 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSDesktopComponents\Uninstaller.exe
.

------- Sigcheck -------

[-] 2008-04-14 . CA633605224518880EEE77FF6B1140AA . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

[-] 2008-04-14 . 4EB21382F384DE64CE13062817BC9179 . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Joe Patino\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Joe Patino\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Joe Patino\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ares"="c:\program files\Ares\Ares.exe" [2010-01-09 955392]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-05-13 26192168]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150596.exe" [2009-04-29 468408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2007-01-25 159744]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-12-06 405504]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-18 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-18 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-18 138008]
"WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2007-09-10 92160]
"SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2007-09-14 218424]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-10-28 2220032]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-07-08 2048352]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"MaxtorOneTouch"="c:\program files\Maxtor\OneTouch\utils\Onetouch.exe" [2006-03-27 712704]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2005-10-17 81920]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 236016]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-02-15 417792]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-06-03 1144104]

c:\documents and settings\Joe Patino\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Joe Patino\Application Data\Dropbox\bin\Dropbox.exe [2010-2-26 21979992]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2009-1-12 25214]
Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2007-11-12 1447184]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2009-1-6 50688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-29 14:59 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gemsafe]
2006-11-16 21:20 73728 ----a-w- c:\program files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-17 01:35 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Documents and Settings\\Joe Patino\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\NovaLogic\\Delta Force Task Force Dagger\\DFTFD.exe"=
"c:\\Program Files\\NovaLogic\\Delta Force Task Force Dagger\\Update.exe"=
"c:\\Documents and Settings\\Joe Patino\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1036:TCP"= 1036:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [8/26/2010 12:13 AM 207280]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [8/26/2010 12:14 AM 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [8/26/2010 12:14 AM 59664]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/12/2009 5:37 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [1/12/2009 5:37 PM 108552]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [8/26/2010 12:13 AM 233136]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [4/25/2008 11:16 AM 14336]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [12/19/2006 3:21 PM 79432]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [1/12/2009 5:37 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/12/2009 5:37 PM 297752]
R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [4/25/2008 11:16 AM 5120]
R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [11/2/2006 1:32 PM 97536]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/26/2009 9:20 AM 133104]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
S3 DCamUSBTP10;iP2936 USB Camera;c:\windows\system32\Drivers\iP293x.sys --> c:\windows\system32\Drivers\iP293x.sys [?]
S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [8/26/2010 12:13 AM 70408]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [8/26/2010 12:13 AM 365280]
S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\synasUSB.sys [12/31/2009 11:14 AM 18432]
S3 TASCAM_US122144;TASCAM USB 2.0 Audio Device driver;c:\windows\system32\drivers\tascusb2.sys [12/31/2009 11:04 AM 386560]
S3 TASCAM_US122L_MK2_MIDI;TASCAM US-122L mk2 WDM MIDI Device;c:\windows\system32\drivers\tscusb2m.sys [12/31/2009 11:04 AM 20992]
S3 TASCAM_US122L_MK2_WDM;TASCAM US-122L mk2 WDM;c:\windows\system32\drivers\tscusb2a.sys [12/31/2009 11:04 AM 33792]
S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [8/26/2010 12:14 AM 33552]
S3 ThreatFire;ThreatFire;c:\program files\Spyware Doctor\TFEngine\TFService.exe service --> c:\program files\Spyware Doctor\TFEngine\TFService.exe service [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder

2010-08-26 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-14 21:23]

2010-08-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-26 14:19]

2010-08-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-26 14:19]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:6522
uInternet Settings,ProxyOverride = <local>
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
.
- - - - ORPHANS REMOVED - - - -

BHO-{38309532-8F6E-4935-AA7C-9CBF63706528} - c:\windows\$NtUninstallMTF1011$\mmx.dll
HKCU-Run-Tdocanimi - c:\windows\qedrmst.dll
HKCU-Run-qfjigocy - c:\documents and settings\Joe Patino\Local Settings\Application Data\rwyhssfas\xeghkryshdw.exe
HKCU-Run-newsecureapp70700.exe - c:\documents and settings\Joe Patino\Application Data\9A3001AB5070C5F09706DBCD23DB8DB7\newsecureapp70700.exe
HKLM-Run-LogMeIn GUI - c:\program files\LogMeIn\x86\LogMeInSystray.exe
HKLM-Run-qfjigocy - c:\documents and settings\Joe Patino\Local Settings\Application Data\rwyhssfas\xeghkryshdw.exe
HKLM-Run-bipro - c:\windows\$NtUninstallMTF1011$\mmduch.dll
HKLM-Run-Hbudojoloni - c:\windows\idadohaq.dll
AddRemove-$NtUninstallMTF1011$ - c:\windows\$NtUninstallMTF1011$\apUninstall.exe
AddRemove-SearchAssist - c:\dell\SearchAssist\UninstSA.bat
AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(928)
c:\windows\system32\LMIinit.dll

- - - - - - - > 'lsass.exe'(988)
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
.
Completion time: 2010-08-26 09:08:22
ComboFix-quarantined-files.txt 2010-08-26 14:08

Pre-Run: 97,091,690,496 bytes free
Post-Run: 97,300,078,592 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 289529BF5EEAB57504435CE0173BACB1




#2 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:02:40 PM

Posted 26 August 2010 - 03:15 PM

Good evening. smile.gif

Pay a visit to the ESET Online Scanner.
  • Click the ESET Online Scanner button, read the info in the new window, check the appropriate box and click Start.
  • Accept the ActiveX download, and allow it to install.
  • Once this has been completed, you will see the Computer Scan settings page - ensure that you uncheck the "Remove found threats" box and then click Start.
  • The virus signature database will now need to be downloaded, so don't forget to instruct your firewall to permit it if it asks.
  • The above will take a little time, so now is a good time to fire up the kettle and open the biccies.
  • Once the scan has completed you will be shown the results - assuming that the scanner has found anything.
  • Click List of found threats and then Export to text file... and save the log somewhere convenient.
  • You can then close out the scanner - don't bother uninstalling it as you may need to use it again.
  • Please post the contents of this file in your next reply, or let me know that nothing was identified.

So long, and thanks for all the fish.

 

 


#3 windpoint

windpoint
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:09:40 AM

Posted 26 August 2010 - 07:39 PM

I ran the ESET scan and here is what I found:

C:\Qoobox\Quarantine\C\Documents and Settings\Joe Patino\Local Settings\Application Data\rwyhssfas\xeghkryshdw.exe.vir a variant of Win32/Kryptik.GHX trojan
C:\Qoobox\Quarantine\C\WINDOWS\idadohaq.dll.vir a variant of Win32/Cimag.CK trojan
C:\Qoobox\Quarantine\C\WINDOWS\qedrmst.dll.vir a variant of Win32/Cimag.DF trojan
C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallMTF1011$\mmx.dll.vir a variant of Win32/Adware.Lifze.N application
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\isapnp.sys.vir Win32/Olmarik.ZC trojan
C:\WINDOWS\explorer.exe Win32/Bamital.DX trojan
C:\WINDOWS\system32\hlp.dat Win32/Bamital.DZ trojan
C:\WINDOWS\system32\winlogon.exe Win32/Bamital.DX trojan
Operating memory Win32/Bamital.DX trojan


Edited by windpoint, 26 August 2010 - 07:40 PM.
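A way to read a result list like the one above, as an added example that is not part of the thread and is not ESET's or ComboFix's own tooling: the script parses each ESET line into a path and a detection name, then separates detections that sit under ComboFix's C:\Qoobox\Quarantine folder (copies ComboFix already removed) from files that are still live on disk or in memory. The input lines are copied from the post above; the parsing approach and status names are my own.

```python
import re
from collections import defaultdict

# Lines copied from the ESET Online Scanner output posted above.
ESET_LOG = r"""
C:\Qoobox\Quarantine\C\Documents and Settings\Joe Patino\Local Settings\Application Data\rwyhssfas\xeghkryshdw.exe.vir a variant of Win32/Kryptik.GHX trojan
C:\Qoobox\Quarantine\C\WINDOWS\idadohaq.dll.vir a variant of Win32/Cimag.CK trojan
C:\Qoobox\Quarantine\C\WINDOWS\qedrmst.dll.vir a variant of Win32/Cimag.DF trojan
C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallMTF1011$\mmx.dll.vir a variant of Win32/Adware.Lifze.N application
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\isapnp.sys.vir Win32/Olmarik.ZC trojan
C:\WINDOWS\explorer.exe Win32/Bamital.DX trojan
C:\WINDOWS\system32\hlp.dat Win32/Bamital.DZ trojan
C:\WINDOWS\system32\winlogon.exe Win32/Bamital.DX trojan
Operating memory Win32/Bamital.DX trojan
"""

# ComboFix moves what it deletes into this folder; detections under it are
# already-neutralised copies, not live infections.
QUARANTINE_PREFIX = "c:\\qoobox\\quarantine\\"

# Each line is "<path> <detection> [<kind>]". The path may contain spaces, so
# the detection is anchored on the "Platform/Family" slash, which Windows
# paths never contain.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<detection>(?:a variant of\s+)?[A-Za-z0-9]+/\S+)"
    r"(?:\s+(?P<kind>trojan|application|worm|virus))?$"
)


def parse_eset_line(line):
    """Return (path, detection, kind) for one result line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("path"), m.group("detection"), m.group("kind") or "unknown"


def classify(path):
    """Where the detection lives: a quarantined copy, running memory, or a live file."""
    low = path.lower()
    if low == "operating memory":
        return "active_in_memory"
    if low.startswith(QUARANTINE_PREFIX):
        return "quarantined"
    return "active_on_disk"


def triage(log_text):
    """Bucket every detection by status; unparsable lines are kept for manual review."""
    buckets = defaultdict(list)
    for line in log_text.strip().splitlines():
        parsed = parse_eset_line(line)
        if parsed is None:
            buckets["unparsed"].append(line)
            continue
        path, detection, _kind = parsed
        buckets[classify(path)].append((path, detection))
    return dict(buckets)


def still_infected(log_text):
    """Sorted list of files still live on disk, i.e. the ones that need replacing or removing."""
    return sorted(path for path, _ in triage(log_text).get("active_on_disk", []))


if __name__ == "__main__":
    for status, items in triage(ESET_LOG).items():
        print(f"{status}: {len(items)}")
        for item in items:
            print("   ", item)
    print("still live on disk:", still_infected(ESET_LOG))
```

Run on the posted log, the quarantined bucket holds the five .vir copies, while explorer.exe, winlogon.exe and hlp.dat come out as live on disk and one detection as live in memory, which is the distinction the rest of the thread turns on.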


#4 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:02:40 PM

Posted 28 August 2010 - 02:36 PM

Good evening. smile.gif

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    CODE
    :filefind
    winlogon.exe
    explorer.exe

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

So long, and thanks for all the fish.

 

 


#5 windpoint

windpoint
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:09:40 AM

Posted 30 August 2010 - 09:25 AM

I ran the scan and here is what I found:

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 09:22 on 30/08/2010 by Joe Patino (Administrator - Elevation successful)

========== filefind ==========

Searching for "winlogon.exe"
C:\WINDOWS\system32\winlogon.exe --a--- 507904 bytes [16:16 25/04/2008] [12:00 14/04/2008] CA633605224518880EEE77FF6B1140AA

Searching for "explorer.exe"
C:\WINDOWS\explorer.exe --a--- 1033728 bytes [16:16 25/04/2008] [12:00 14/04/2008] 4EB21382F384DE64CE13062817BC9179

-=End Of File=-

#6 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:02:40 PM

Posted 30 August 2010 - 02:35 PM

Good evening. smile.gif

You have two files on your PC that have been infected and they need to be replaced. Unfortunately there don't appear to be any copies on your system that we could replace the nasty versions with. Do you have access to another PC that is running the same version of Windows as you that you could get copies from?

So long, and thanks for all the fish.

 

 


#7 windpoint

windpoint
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:09:40 AM

Posted 30 August 2010 - 05:05 PM

I do. I am running Windows XP on both PCs.

#8 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:02:40 PM

Posted 30 August 2010 - 05:44 PM

Right click each of the following files and check out the Properties Tab and ensure that you are getting the same version of both:

C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\explorer.exe


Let me know if you manage to get clean copies of the two files and I'll walk you through replacing the nasty ones.

So long, and thanks for all the fish.
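The Properties tab only shows a version string, and the two infected files above carry the same version number as the clean ones. An added example (not from the thread, ComboFix or SystemLook) of checking content rather than version: the script parses the Sigcheck lines from the ComboFix log and the filefind lines from the SystemLook log posted earlier, cross-checks that the two tools agree on size and MD5, and then compares them with a fingerprint of the copies taken from the clean PC. The CLEAN_REFERENCE entries are constructed placeholders, not real hashes of any Windows file; on a real clean machine you would fill them in with fingerprint_file().

```python
import hashlib
import re
from pathlib import Path

# Sigcheck lines from the ComboFix log and filefind lines from the SystemLook
# log posted earlier in this thread (both taken on the infected laptop).
COMBOFIX_SIGCHECK = r"""
[-] 2008-04-14 . CA633605224518880EEE77FF6B1140AA . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
[-] 2008-04-14 . 4EB21382F384DE64CE13062817BC9179 . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe
"""

SYSTEMLOOK_FILEFIND = r"""
C:\WINDOWS\system32\winlogon.exe --a--- 507904 bytes [16:16 25/04/2008] [12:00 14/04/2008] CA633605224518880EEE77FF6B1140AA
C:\WINDOWS\explorer.exe --a--- 1033728 bytes [16:16 25/04/2008] [12:00 14/04/2008] 4EB21382F384DE64CE13062817BC9179
"""

# Constructed placeholders standing in for the copies taken from the clean PC.
# The MD5 values are NOT real hashes of any Windows file; fill these in with
# fingerprint_file() run on the clean machine.
CLEAN_REFERENCE = {
    r"c:\windows\system32\winlogon.exe": {"md5": "0" * 32, "size": 507904},
    r"c:\windows\explorer.exe": {"md5": "1" * 32, "size": 1033728},
}

# "[flag] date . MD5 . size . . [version] . . path"
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+(?P<date>\S+)\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)"
    r"\s+\.\s+\.\s+\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>.+)$"
)
# "path attrs size bytes [mtime] [ctime] MD5"
FILEFIND_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+)\s+bytes\s+"
    r"\[[^\]]*\]\s+\[[^\]]*\]\s+(?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_sigcheck(text):
    """Map lower-cased path -> {md5, size, version, flag} from ComboFix Sigcheck lines."""
    out = {}
    for line in text.strip().splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            out[m["path"].lower()] = {"md5": m["md5"].upper(), "size": int(m["size"]),
                                      "version": m["version"], "flag": m["flag"]}
    return out


def parse_filefind(text):
    """Map lower-cased path -> {md5, size} from SystemLook :filefind lines."""
    out = {}
    for line in text.strip().splitlines():
        m = FILEFIND_RE.match(line.strip())
        if m:
            out[m["path"].lower()] = {"md5": m["md5"].upper(), "size": int(m["size"])}
    return out


def fingerprint_bytes(data):
    """Size and MD5 of in-memory content, in the same shape as the parsed log entries."""
    return {"md5": hashlib.md5(data).hexdigest().upper(), "size": len(data)}


def fingerprint_file(path):
    """Size and MD5 of a file on disk, e.g. the copy pulled from the clean machine."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return {"md5": h.hexdigest().upper(), "size": Path(path).stat().st_size}


def compare(observed, reference):
    """Per path: 'match' if size and MD5 agree, 'MISMATCH' if not, 'no reference' if unknown."""
    report = {}
    for path, obs in observed.items():
        ref = reference.get(path)
        if ref is None:
            report[path] = "no reference"
        elif obs["md5"] == ref["md5"] and obs["size"] == ref["size"]:
            report[path] = "match"
        else:
            report[path] = "MISMATCH"
    return report


if __name__ == "__main__":
    sigcheck = parse_sigcheck(COMBOFIX_SIGCHECK)
    filefind = parse_filefind(SYSTEMLOOK_FILEFIND)
    print("ComboFix vs SystemLook (same machine):", compare(filefind, sigcheck))
    print("infected machine vs clean reference:", compare(filefind, CLEAN_REFERENCE))
```

The first comparison shows the two tools agree with each other, as they do in the thread; the second shows why equal size and version are not enough: the placeholder reference has the same sizes as the infected files but different content, and only the hash comparison reports a mismatch.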

 

 


#9 windpoint

windpoint
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:09:40 AM

Posted 30 August 2010 - 06:52 PM

My PC (the non-infected computer) has these two files and they are the exact same version as my laptop (infected computer). As far as getting clean copies, I'm not sure how to go about doing that.

#10 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:02:40 PM

Posted 31 August 2010 - 02:06 PM

Good evening. smile.gif

You'll either need to get hold of a flashdrive and copy and paste them onto that or burn them to a blank disc. Either way, don't forget that you are copy and pasting as you want to leave the original files on the clean machine.

Once you've got the files, you need to put them on your infected machine in the root of your hard drive. This will give you the following two files:

C:\winlogon.exe
C:\explorer.exe


The location is important, so make sure that you put them there. Let me know when you've got that done and we'll look at replacing the infected versions.

So long, and thanks for all the fish.

 

 


#11 windpoint

windpoint
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:09:40 AM

Posted 31 August 2010 - 02:42 PM

I have them in the root of my C drive. Both files (C:\winlogon.exe and C:\explorer.exe) are now on my infected laptop.

#12 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:02:40 PM

Posted 31 August 2010 - 04:44 PM

Read through the following instructions to be sure that you understand what is required and, if you are unclear about anything at all, ask BEFORE you begin:
  • Restart your computer.
  • Before Windows loads, you will be prompted to choose which Operating System to start.
  • Use the up/down arrow keys to select Microsoft Windows Recovery Console.
  • You need to tell the PC which Windows installation to access (there may be more than one) - select the C:\Windows option and press <ENTER>.
You now need to enter the following three commands, one at a time, pressing <ENTER> after each, ensuring that you do so exactly as shown:
    cd c:\windows
    ren explorer.exe explorer.old
    copy c:\explorer.exe c:\windows\explorer.exe
After entering the final command you should see the message 1 file(s) copied which indicates that it has been successful. If you do not see this message, enter the copy command again checking that you have done so correctly. If you still do not see the message, you need to enter the following command:
    ren explorer.old explorer.exe
This will restore the infected file so that your system will function correctly on reboot.

* If you are prompted that you are about to overwrite a file when you enter the copy command, you need to select No as something hasn't gone correctly.

If the file isn't successfully copied you should exit the Recovery Console - see bottom of post. If all goes well however, run the second set of three commands:
    cd c:\windows\system32
    ren winlogon.exe winlogon.old
    copy c:\winlogon.exe c:\windows\system32\winlogon.exe
Again you should see the 1 file(s) copied message - if you don't, you should repeat the copy command and if that doesn't work you need to enter the following command:
    ren winlogon.old winlogon.exe
Again, if you are prompted that you are about to overwrite a file when you enter the copy command, you need to select No

Once you have completed both sets of commands, or if you had issues with the first set, enter the following to exit the Recovery Console:
    exit
and hit <ENTER> - this will reboot your system as normal.

Let me know how you get on.

So long, and thanks for all the fish.

 

 


#13 windpoint

windpoint
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:09:40 AM

Posted 01 September 2010 - 09:52 AM

I did all of the steps above and they worked as described. Both sets of commands worked and I exited to reboot the system. This blue screen appeared when rebooting and I am unable to boot the laptop at all:

stop:c000021a {fatal system error}

the windows logon process system process terminated unexpectedly with a status of 0xc0000034 (0x00000000 0x00000000)
the system has been shut down.



I went back to the Recovery Console to try to replace the old files. I did the "ren explorer.old explorer.exe" command and pressed enter and nothing happened. I did the same "ren" command for winlogon and it said this file cannot be found. Laptop is incapacitated.

Edited by windpoint, 01 September 2010 - 10:18 AM.


#14 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:02:40 PM

Posted 01 September 2010 - 02:18 PM

Good evening.

I'll need some more info.

Did both sets of instructions result in 1 file(s) copied confirmations when you originally used the Recovery Console?
When you re-entered the Recovery Console did you use the cd commands before you ran the ren commands?
Did the two system files that you obtained come from an XP Pro installation or a Home one?
At what point in the boot process does your PC halt?

So long, and thanks for all the fish.

 

 


#15 windpoint

windpoint
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:09:40 AM

Posted 01 September 2010 - 03:48 PM

Answers to questions:

1. Yes
2. I typed the number "1" to select C:\windows and hit enter. That brought me to "C:\windows" and then I did the ren commands.
3. Not sure. It came from a computer that was purchased 3rd party that had XP Pro on the PC.
4. When I reboot, the Windows XP Professional screen comes up, the screen that lets you choose between recovery or normal boot comes up, and then it goes black for about 5 to 10 seconds and then a small blue box comes up with the message.



