Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Win32/Patched Virus Found, explorer.exe, wininit.exe


  • This topic is locked This topic is locked
3 replies to this topic

#1 veri_disquo

veri_disquo

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:08:17 PM

Posted 10 November 2010 - 02:17 AM

So the story is I'm just sitting at my computer, surfing the web, when AVG pops up, telling me that explorer.exe and wininit.exe are both infected with a virus. I decided to not remove these infections because I know touching either of those two .exes would render my computer kaput, so I did a bit of googling, after that I found a help thread elsewhere from here recommending ComboFix. So I ran it, and have a log. It didn't happen to fix the problem, so here I am. Hoping somebody can help.

I run Vista 32 bit. AVG says the infection is "Virus found Win32/Patched".

Here is the log.

ComboFix 10-11-07.A2 - Josh 08/11/2010  22:50:15.1.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.2.1033.18.2046.1086 [GMT -7:00]
Running from: c:\users\Josh\Desktop\ComboFix1.exe
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Microsoft\DesktopLayer.exe
c:\program files\UNWISE.EXE
c:\programdata\fiosejgfse.dll
c:\users\Josh\AppData\Local\Temp\setup.exe
c:\users\Josh\AppData\Roaming\inst.exe
c:\users\Josh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Digital Protection
c:\users\Josh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Digital Protection\About.lnk
c:\users\Josh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Digital Protection\Activate.lnk
c:\users\Josh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Digital Protection\Buy.lnk
c:\users\Josh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Digital Protection\Digital Protection Support.lnk
c:\users\Josh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Digital Protection\Digital Protection.lnk
c:\users\Josh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Digital Protection\Scan.lnk
c:\users\Josh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Digital Protection\Settings.lnk
c:\users\Josh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Digital Protection\Update.lnk
c:\users\Josh\FAVORI~1\_favdata.dat
c:\users\Josh\Favorites\_favdata.dat
c:\users\Josh\frapssetup.exe
c:\users\Public\Documents\Server\admin.txt
c:\users\Public\Documents\Server\server.dat
c:\windows\system32\PCLECoInst.dll

c:\windows\explorer.exe . . . is infected!!

c:\windows\System32\wininit.exe . . . is infected!!

.
(((((((((((((((((((((((((   Files Created from 2010-10-09 to 2010-11-09  )))))))))))))))))))))))))))))))
.

2010-11-09 06:21 . 2010-11-09 06:23	--------	d-----w-	c:\users\Josh\AppData\Local\temp
2010-11-09 06:21 . 2010-11-09 06:21	--------	d-----w-	c:\users\TEMP\AppData\Local\temp
2010-11-09 06:21 . 2010-11-09 06:21	--------	d-----w-	c:\users\Default\AppData\Local\temp
2010-11-09 06:21 . 2010-11-09 06:21	--------	d-----w-	c:\users\Mcx1\AppData\Local\temp
2010-11-09 06:21 . 2010-11-09 06:21	--------	d-----w-	c:\users\IHopeThisWorks\AppData\Local\temp
2010-11-05 07:54 . 2010-11-05 08:40	--------	d-----w-	c:\users\Josh\AppData\Roaming\vlc
2010-11-05 07:51 . 2010-10-07 23:21	6146896	----a-w-	c:\programdata\Microsoft\Windows Defender\Definition Updates\{0273A3FA-0A4D-4A4E-8C7E-F90102AED09F}\mpengine.dll
2010-11-04 04:27 . 2010-11-04 04:27	--------	d-----w-	c:\users\Josh\AppData\Local\Octoshape
2010-11-04 03:56 . 2010-11-04 04:24	--------	d-----w-	c:\users\Josh\AppData\Local\ManyCam
2010-11-04 03:55 . 2010-11-04 03:56	--------	d-----w-	c:\program files\Ask.com
2010-10-30 20:38 . 2010-10-30 20:38	--------	d-----w-	c:\users\Josh\AppData\Local\Western Digital
2010-10-27 05:34 . 2010-10-27 05:34	--------	d-----w-	c:\users\Josh\AppData\Local\FalloutNV
2010-10-27 00:27 . 2010-08-26 16:34	1696256	----a-w-	c:\windows\system32\gameux.dll
2010-10-27 00:27 . 2010-08-26 16:33	28672	----a-w-	c:\windows\system32\Apphlpdm.dll
2010-10-27 00:27 . 2010-08-26 14:23	4240384	----a-w-	c:\windows\system32\GameUXLegacyGDFs.dll
2010-10-24 02:34 . 2010-10-24 02:34	--------	d-----w-	c:\program files\iPod
2010-10-23 23:46 . 2010-10-28 06:11	16856	----a-w-	c:\program files\Mozilla Firefox\plugin-container.exe
2010-10-23 23:46 . 2010-10-28 06:11	719832	----a-w-	c:\program files\Mozilla Firefox\mozcpp19.dll
2010-10-23 20:57 . 2010-10-23 20:57	94208	----a-w-	c:\windows\DIIUnin.exe
2010-10-23 20:57 . 2010-10-23 20:57	2829	----a-w-	c:\windows\DIIUnin.pif
2010-10-23 19:12 . 2010-10-23 19:12	--------	d-----w-	c:\users\Josh\AppData\Roaming\RayV
2010-10-23 19:12 . 2010-10-23 19:12	--------	d-----w-	c:\program files\RayV
2010-10-22 08:15 . 2010-10-22 08:15	--------	d-----w-	c:\users\Josh\AppData\Roaming\BeatportDownloader.EE670286545758FAB4A69D4439CF6054F83E0AC2.1
2010-10-22 08:15 . 2010-10-22 08:15	--------	d-----w-	c:\program files\BeatportDownloader
2010-10-16 20:30 . 2010-10-16 20:30	--------	d-----w-	c:\users\Josh\AppData\Roaming\Octoshape
2010-10-14 00:48 . 2010-09-06 16:20	125952	----a-w-	c:\windows\system32\srvsvc.dll
2010-10-14 00:48 . 2010-09-06 13:45	304128	----a-w-	c:\windows\system32\drivers\srv.sys
2010-10-14 00:48 . 2010-09-06 13:45	145408	----a-w-	c:\windows\system32\drivers\srv2.sys
2010-10-14 00:48 . 2010-09-06 13:45	102400	----a-w-	c:\windows\system32\drivers\srvnet.sys
2010-10-14 00:48 . 2010-09-06 16:19	17920	----a-w-	c:\windows\system32\netevent.dll
2010-10-14 00:48 . 2010-09-13 13:56	168960	----a-w-	c:\program files\Windows Media Player\wmplayer.exe
2010-10-14 00:48 . 2010-09-13 13:56	8147456	----a-w-	c:\windows\system32\wmploc.DLL
2010-10-14 00:46 . 2010-08-31 15:44	531968	----a-w-	c:\windows\system32\comctl32.dll
2010-10-12 22:43 . 2010-10-12 22:43	--------	d-----w-	C:\Diablo
2010-10-12 22:43 . 2010-10-12 22:43	86528	----a-w-	c:\windows\bnetunin.exe
2010-10-12 22:43 . 2010-10-12 22:43	61440	----a-w-	c:\windows\diabunin.exe
2010-10-11 21:23 . 2010-10-11 21:23	--------	d-----w-	c:\program files\Borderlands 1.3.1 + all DLCs

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-23 23:32 . 2008-02-10 00:19	21840	----atw-	c:\windows\system32\SIntfNT.dll
2010-10-23 23:32 . 2008-02-10 00:19	17212	----atw-	c:\windows\system32\SIntf32.dll
2010-10-23 23:32 . 2008-02-10 00:19	12067	----atw-	c:\windows\system32\SIntf16.dll
2010-10-19 17:41 . 2009-10-03 03:46	222080	------w-	c:\windows\system32\MpSigStub.exe
2010-09-08 17:17 . 2010-09-08 17:17	94208	----a-w-	c:\windows\system32\QuickTimeVR.qtx
2010-09-08 17:17 . 2010-09-08 17:17	69632	----a-w-	c:\windows\system32\QuickTime.qts
2010-08-26 16:33 . 2010-10-27 00:27	173056	----a-w-	c:\windows\apppatch\AcXtrnal.dll
2010-08-26 16:33 . 2010-10-27 00:27	458752	----a-w-	c:\windows\apppatch\AcSpecfc.dll
2010-08-26 16:33 . 2010-10-27 00:27	2159616	----a-w-	c:\windows\apppatch\AcGenral.dll
2010-08-26 16:33 . 2010-10-27 00:27	542720	----a-w-	c:\windows\apppatch\AcLayers.dll
2010-08-24 09:26 . 2007-05-18 20:12	319456	----a-w-	c:\windows\DIFxAPI.dll
2010-08-17 14:11 . 2010-09-15 07:55	128000	----a-w-	c:\windows\system32\spoolsv.exe
2009-07-14 00:16 . 2009-07-14 00:16	1044480	----a-w-	c:\program files\mozilla firefox\plugins\libdivx.dll
2009-07-14 00:16 . 2009-07-14 00:16	200704	----a-w-	c:\program files\mozilla firefox\plugins\ssldivx.dll
.

------- Sigcheck -------

[-] 2009-04-11 . 60D156CF260E6EB9676A4B3E69C7A27F . 2926592 . . [6.0.6000.16386] . . c:\windows\explorer.exe
[7] 2009-04-11 . D07D4C3038F3578FFCE1C0237F2A1253 . 2926592 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6002.18005_none_53a0201e76de3a0b\explorer.exe
[7] 2008-10-30 . 50BA5850147410CDE89C523AD3BC606E . 2927616 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.22298_none_51e4f8c7931bd1e1\explorer.exe
[7] 2008-10-29 . 4F554999D7D5F05DAAEBBA7B5BA1089D . 2927104 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18164_none_5177ca9879e978e8\explorer.exe
[7] 2008-10-29 . 37440D09DEAE0B672A04DCCF7ABF06BE . 2923520 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16771_none_4f83bb287ccdb7e3\explorer.exe
[7] 2008-10-28 . E7156B0B74762D9DE0E66BDCDE06E5FB . 2923520 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20947_none_5033cb5995cd990b\explorer.exe
[7] 2008-01-19 . FFA764631CB70A30065C12EF8E174F9F . 2927104 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18000_none_51b4a71279bc6ebf\explorer.exe
[7] 2007-11-14 . 6D06CD98D954FE87FB2DB8108793B399 . 2923520 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16549_none_4fac29707cae347a\explorer.exe
[7] 2007-11-14 . BD06F0BF753BC704B653C3A50F89D362 . 2923520 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20668_none_501f261995dcf2cf\explorer.exe
[7] 2006-11-02 . FD8C53FB002217F6F888BCF6F5D7084D . 2923520 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16386_none_4f7de5167cd15deb\explorer.exe

[-] 2008-01-19 . 1C263430FC095E049CFD8BE14A298F77 . 96768 . . [6.0.6000.16386] . . c:\windows\System32\wininit.exe
[7] 2008-01-19 . 101BA3EA053480BB5D957EF37C06B5ED . 96768 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6001.18000_none_30f2b8cf0450a6a2\wininit.exe
[7] 2006-11-02 . D4385B03E8CCCEE6F0EE249F827C1F3E . 95744 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6000.16386_none_2ebbf6d3076595ce\wininit.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{c0766b46-82cf-4d08-b47e-a4b85928028b}"= "c:\program files\SeeToo_for_Justin.tv\tbSee1.dll" [2009-03-14 1883672]

[HKEY_CLASSES_ROOT\clsid\{c0766b46-82cf-4d08-b47e-a4b85928028b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c0766b46-82cf-4d08-b47e-a4b85928028b}]
2009-03-14 17:29	1883672	----a-w-	c:\program files\SeeToo_for_Justin.tv\tbSee1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{c0766b46-82cf-4d08-b47e-a4b85928028b}"= "c:\program files\SeeToo_for_Justin.tv\tbSee1.dll" [2009-03-14 1883672]

[HKEY_CLASSES_ROOT\clsid\{c0766b46-82cf-4d08-b47e-a4b85928028b}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{C0766B46-82CF-4D08-B47E-A4B85928028B}"= "c:\program files\SeeToo_for_Justin.tv\tbSee1.dll" [2009-03-14 1883672]

[HKEY_CLASSES_ROOT\clsid\{c0766b46-82cf-4d08-b47e-a4b85928028b}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"Sidebar"="c:\program files\Windows Sidebar\SideBar.exe" [2009-04-11 1233920]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952]
"PlayNC Launcher"="c:\program files\NCSoft\Launcher\NCLauncher.exe" [2010-10-14 38184]
"Orb"="c:\program files\Winamp Remote\bin\OrbTray.exe" [2008-01-07 495616]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 2097488]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Steam"="c:\program files\steam\steam.exe" [2010-08-24 1242448]
"DisplayFusion"="c:\program files\DisplayFusion\DisplayFusion.exe" [2008-04-27 548528]
"Google Update"="c:\users\Josh\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-09-08 133104]
"Rainlendar2"="c:\program files\Rainlendar2\Rainlendar2.exe" [2009-02-21 4333568]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-09-02 13351304]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"Octoshape Streaming Services"="c:\users\Josh\AppData\Roaming\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe" [2009-01-08 70936]
"RayV"="c:\program files\RayV\RayV\RayV.exe" [2010-10-21 2839848]
"ManyCam"="c:\program files\ManyCam 2.4\ManyCam.exe" [2010-04-21 1824040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"SnapfishMediaDetector"="c:\program files\Snapfish Media Detector\SnapfishMediaDetector.exe" [2007-03-02 1441792]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-07-08 2048352]
"USBToolTip"="c:\program files\Pinnacle\Shared Files\\Programs\USBTip\USBTip.exe" [2006-10-16 202312]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13683232]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-18 92704]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]

c:\users\Josh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Air Mouse.lnk - c:\program files\Air Mouse\Air Mouse\Air Mouse.exe [2010-6-27 1018856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi2"=mapledxp.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Snapfish Media Detector.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Snapfish Media Detector.lnk
backup=c:\windows\pss\Snapfish Media Detector.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-12 04:16	39792	----a-w-	c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2009-08-13 21:51	177440	----a-w-	c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPADVISOR]
2007-03-13 00:44	1773568	----a-w-	c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-09-24 08:10	421160	----a-w-	c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2009-02-18 20:44	13683232	----a-w-	c:\windows\System32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2009-02-18 20:44	92704	----a-w-	c:\windows\System32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 17:17	421888	----a-w-	c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\razer]
2005-05-18 00:21	147456	----a-w-	c:\program files\Razer\razerhid.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-06-10 10:27	144784	----a-w-	c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 netr73;Belkin Wireless G Plus MIMO USB Network Adapter Driver for Vista;c:\windows\system32\DRIVERS\netr73.sys [2007-01-04 255488]
R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2009-12-01 34384]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2008-11-01 717296]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-08-19 335240]
S1 mapledxp;mapledxp;c:\windows\System32\drivers\mapledxp.SYS [2004-04-05 24720]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-08-19 297752]
S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\DRIVERS\ManyCam.sys [2008-01-14 21632]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2008-05-06 11520]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation	REG_MULTI_SZ   	FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-11-08 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-04-19 16:01]

2010-11-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2237508104-4246592736-3634453547-1000Core.job
- c:\users\Josh\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-08 03:22]

2010-11-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2237508104-4246592736-3634453547-1000UA.job
- c:\users\Josh\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-08 03:22]

2010-11-09 c:\windows\Tasks\User_Feed_Synchronization-{66ED10DF-C747-4AB3-ADEF-FCA7C508DA73}.job
- c:\windows\system32\msfeedssync.exe [2008-06-18 07:33]
.
.
------- Supplementary Scan -------
.
uStart Page = "hxxp://www.daemon-search.com/startpage
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=73&bd=Pavilion&pf=desktop
uInternet Settings,ProxyOverride = *.local
IE: &Winamp Toolbar Search - c:\programdata\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Josh\AppData\Roaming\Mozilla\Firefox\Profiles\kyikeaaj.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2079528&SearchSource=3&q=
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/home.php|http://tinychat.com/um
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2079528&SearchSource=2&q=
FF - component: c:\users\Josh\AppData\Roaming\Mozilla\Firefox\Profiles\kyikeaaj.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc_fireftp.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
FF - plugin: c:\program files\RayV\RayV\plugins\nprayvplugin.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\Josh\AppData\Local\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\users\Josh\AppData\Roaming\Mozilla\plugins\npoctoshape.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true); 
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true); 
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true);  // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true);  // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-USB2Check - c:\windows\system32\PCLECoInst.dll
MSConfigStartUp-TuneClone - c:\program files\TuneClone\TuneClone.exe
MSConfigStartUp-USB2Check - c:\windows\system32\PCLECoInst.dll
AddRemove-HaaliMkx - c:\program files\Haali\MatroskaSplitter\uninstall.exe
AddRemove-Virtual DJ - Atomix Productions - l:\downlo~1\uTorrent\VIRTUA~1\UNWISE.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-08 23:23
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ... 

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2237508104-4246592736-3634453547-1000\Software\SecuROM\License information*]
@Allowed: (Read) (RestrictedCode)
"datasecu"=hex:b8,36,a8,1c,65,30,09,2b,cd,83,59,e9,8d,cf,75,c1,4a,14,89,54,0a,
   8e,ce,99,33,a8,94,72,30,aa,ae,c6,27,38,8e,0d,9b,f2,db,47,60,38,de,77,8f,4e,\
"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-11-08  23:33:05
ComboFix-quarantined-files.txt  2010-11-09 06:33

Pre-Run: 20,709,728,256 bytes free
Post-Run: 22,786,134,016 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=5 Sets=1,2,3,5
- - End Of File - - BA344B9EC0EB5C65622E286757E0B05C


BC AdBot (Login to Remove)

 


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:17 PM

Posted 17 November 2010 - 08:57 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

  • Do not run any other tool untill instructed to do so!
  • Please Do not Attach logs or put in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.


We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.


In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

  • Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine, if it does - click OK
Do not re-enable these drivers until otherwise instructed.

Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:

    Posted Image
    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.

    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply



Scan With RKUnHooker

  • Please Download Rootkit Unhooker Save it to your desktop.
  • extract RKUnhooker to your desktop
    Note** it is zipped up in a .rar file - If you do not have a program to unzip this type of file
    you can get a free one from here - http://www.7-zip.org/
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth,. Uncheck the rest. then Click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning it is ok, just ignore

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


"just click on Cancel, then Accept".


information and logs:

In your next post I need the following

1.logs from DDS
2.log from RKUnHooker
3.let me know of any problems you may have had
[/list]
Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:17 PM

Posted 20 November 2010 - 12:34 AM

Hello

three day bump

It has been Three days since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:17 PM

Posted 23 November 2010 - 12:27 AM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

The fixes and advice in this thread are for this machine only.
Do not apply the instructions from this thread to your own machine.
Please start a new thread describing your issue and someone will be along to assist you.


With Regards,
Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users