W32/patched.gb


  • This topic is locked
15 replies to this topic

#1 chmod744mike

  • Members
  • 12 posts

Posted 13 January 2011 - 11:56 PM

Hello,

My Windows XP Home SP3 Dell Inspiron 1501 laptop was infected while my girlfriend was browsing a recipe website. AVG popped up a warning about Win32/patched.gb but said it could not be removed. Now there is no desktop or icons, only a background image and mouse cursor. I can only get into programs using task manager by doing the CTRL>ALT>DEL. Looks like everything works from there.

I looked in the system directory for explorer.exe but found only explorer.scf. Tried renaming it to .exe with no change.

I was able to run Anti-Malware Bytes and showed no problems on a full scan.

Thanks for your help.

Mike


#2 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 14 January 2011 - 12:03 AM

Hi Mike,

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. IF YOU USE AVG IT MUST BE UNINSTALLED OR THIS WILL NOT RUN.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

If you have trouble running it the first time, then rename ComboFix.exe to mike.exe and try again.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#3 chmod744mike

  • Topic Starter
  • Members
  • 12 posts

Posted 14 January 2011 - 07:17 PM

I uninstalled AVG and downloaded and ran the ComboFix program (this is not easy when you can only access things using Task Manager).

I did not get a log file. The program ran fine. This is what I remember as it ran.

1. found 1 bad file - winlogon.exe or .com or something

2. deleted a few files and a directory - TMI something

3. rebooted

When it rebooted it came up to the normal logon screen like it always has done and stayed there. I thought it might continue on its own. I eventually clicked on the admin user and logged back in but there was no change, no icons, no evidence of a log file. I can probably get it if you know where it should be and the name??

Thanks!

#4 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts

Posted 15 January 2011 - 12:20 PM

Hi there,

Look in C:\ComboFix.txt for it. :thumbup2:

#5 chmod744mike

  • Topic Starter
  • Members
  • 12 posts

Posted 17 January 2011 - 12:29 PM

OK. Well, I hadn't powered up the laptop since my last message, but when I did (the second power up) ComboFix came back up and said wait for the log to pop up. While waiting, another program popped up that I didn't recognize: Uniblue Registry Booster 2010. I suspect it may be malware???

Anyway, here is the log - Thanks!

ComboFix 11-01-14.01 - Cait 01/14/2011 18:01:36.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.555 [GMT -6:00]
Running from: c:\documents and settings\Cait\Desktop\ComboFix.exe
FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Cait\Application Data\TMInc
c:\documents and settings\Cait\Application Data\TMInc\game.cfg
c:\documents and settings\Cait\Application Data\TMInc\user1.sav
c:\windows\system32\AutoRun.inf
c:\windows\system32\nt.dll

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe

.
((((((((((((((((((((((((( Files Created from 2010-12-17 to 2011-01-17 )))))))))))))))))))))))))))))))
.

2011-01-15 00:13 . 2011-01-15 00:13 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2011-01-14 23:44 . 2008-04-14 00:12 116224 ----a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2011-01-14 23:44 . 2001-08-18 04:36 23040 ----a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2011-01-14 23:44 . 2008-04-14 00:12 18944 ----a-w- c:\windows\system32\dllcache\xrxscnui.dll
2011-01-14 23:44 . 2001-08-18 04:37 27648 ----a-w- c:\windows\system32\dllcache\xrxftplt.exe
2011-01-14 23:44 . 2001-08-18 04:37 4608 ----a-w- c:\windows\system32\dllcache\xrxflnch.exe
2011-01-14 23:44 . 2001-08-18 04:37 99865 ----a-w- c:\windows\system32\dllcache\xlog.exe
2011-01-14 23:44 . 2001-08-17 18:11 16970 ----a-w- c:\windows\system32\dllcache\xem336n5.sys
2011-01-14 23:44 . 2004-08-04 03:29 19455 ----a-w- c:\windows\system32\dllcache\wvchntxx.sys
2011-01-14 23:44 . 2008-04-13 18:46 19200 ----a-w- c:\windows\system32\dllcache\wstcodec.sys
2011-01-14 23:44 . 2004-08-04 03:29 12063 ----a-w- c:\windows\system32\dllcache\wsiintxx.sys
2011-01-14 23:44 . 2008-04-14 00:12 8192 ----a-w- c:\windows\system32\dllcache\wshirda.dll
2011-01-14 23:42 . 2001-08-17 18:13 19016 ----a-w- c:\windows\system32\dllcache\w926nd.sys
2011-01-14 23:41 . 2001-08-17 19:28 794654 ----a-w- c:\windows\system32\dllcache\usr1801.sys
2011-01-14 23:40 . 2001-08-17 18:51 166784 ----a-w- c:\windows\system32\dllcache\tridxpm.sys
2011-01-14 23:39 . 2001-08-17 20:56 81408 ----a-w- c:\windows\system32\dllcache\tgiul50.dll
2011-01-14 23:38 . 2001-08-18 04:36 155648 ----a-w- c:\windows\system32\dllcache\stlnprop.dll
2011-01-14 23:37 . 2004-08-04 10:00 5632 ----a-w- c:\windows\system32\dllcache\smimsgif.dll
2011-01-14 23:36 . 2004-08-04 03:31 32768 ----a-w- c:\windows\system32\dllcache\sisnic.sys
2011-01-14 23:35 . 2001-08-17 19:52 11648 ----a-w- c:\windows\system32\dllcache\scsiprnt.sys
2011-01-14 23:34 . 2001-08-17 19:57 65664 ----a-w- c:\windows\system32\dllcache\s3legacy.sys
2011-01-14 23:33 . 2004-08-04 10:00 16384 ----a-w- c:\windows\system32\dllcache\quser.exe
2011-01-14 23:32 . 2001-08-17 20:04 75776 ----a-w- c:\windows\system32\dllcache\philcam1.sys
2011-01-14 23:31 . 2001-08-17 20:05 31872 ----a-w- c:\windows\system32\dllcache\ovce.sys
2011-01-14 23:30 . 2004-08-04 03:31 132695 ----a-w- c:\windows\system32\dllcache\netwlan5.sys
2011-01-14 23:29 . 2001-08-17 18:50 103296 ----a-w- c:\windows\system32\dllcache\mtxvideo.sys
2011-01-14 23:28 . 2001-08-17 18:50 320384 ----a-w- c:\windows\system32\dllcache\mgaum.sys
2011-01-14 23:27 . 2001-08-17 19:51 15744 ----a-w- c:\windows\system32\dllcache\lit220p.sys
2011-01-14 23:26 . 2001-08-17 19:50 38784 ----a-w- c:\windows\system32\dllcache\io8.sys
2011-01-14 23:25 . 2004-08-04 10:00 10129408 ----a-w- c:\windows\system32\dllcache\hwxkor.dll
2011-01-14 23:24 . 2001-08-18 04:36 126976 ----a-w- c:\windows\system32\dllcache\hpgt34tk.dll
2011-01-14 23:23 . 2001-08-17 18:14 441728 ----a-w- c:\windows\system32\dllcache\fpcmbase.sys
2011-01-14 23:22 . 2001-08-18 04:36 53248 ----a-w- c:\windows\system32\dllcache\eqndiag.exe
2011-01-14 23:21 . 2001-08-18 04:36 37962 ----a-w- c:\windows\system32\dllcache\divaprop.dll
2011-01-14 23:20 . 2008-04-14 00:11 249856 ----a-w- c:\windows\system32\dllcache\ctmasetp.dll
2011-01-14 23:19 . 2001-08-18 04:36 9728 ----a-w- c:\windows\system32\dllcache\brcoinst.dll
2011-01-14 05:31 . 2011-01-14 05:31 -------- d-----w- c:\program files\Palm
2011-01-13 06:46 . 2011-01-13 06:46 -------- d-----w- c:\documents and settings\Cait\Application Data\Malwarebytes
2011-01-13 06:45 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-13 06:45 . 2011-01-13 06:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-01-13 06:45 . 2011-01-13 06:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-13 06:45 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-12 03:21 . 2011-01-12 03:25 -------- d-----w- C:\48034688cc3b17b51e
2010-12-20 23:25 . 2010-12-20 23:30 -------- d-----w- C:\6203916cffe8f8ed7e724d

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-14 05:31 . 2008-07-31 16:44 65536 ----a-r- c:\documents and settings\Cait\Application Data\Microsoft\Installer\{32EF6F81-583E-4127-918D-D3768A8957C4}\PalmDesktopShortcut.exe
2011-01-14 05:31 . 2008-07-31 16:44 40960 ----a-r- c:\documents and settings\Cait\Application Data\Microsoft\Installer\{32EF6F81-583E-4127-918D-D3768A8957C4}\NewShortcut6_45BA714564B04B5DBDC240E20FCDC6DC.exe
2011-01-14 05:31 . 2008-07-31 16:44 40960 ----a-r- c:\documents and settings\Cait\Application Data\Microsoft\Installer\{32EF6F81-583E-4127-918D-D3768A8957C4}\NewShortcut1_45BA714564B04B5DBDC240E20FCDC6DC.exe
2011-01-14 05:31 . 2008-07-31 16:44 65536 ----a-r- c:\documents and settings\Cait\Application Data\Microsoft\Installer\{32EF6F81-583E-4127-918D-D3768A8957C4}\NewShortcut1_1.4DA64122_6F1D_4317_BC6A_2B3299881D1B.exe
2011-01-14 05:31 . 2008-07-31 16:44 65536 ----a-r- c:\documents and settings\Cait\Application Data\Microsoft\Installer\{32EF6F81-583E-4127-918D-D3768A8957C4}\ARPPRODUCTICON.exe
2011-01-14 05:31 . 2008-07-31 16:44 16694 ----a-w- c:\windows\system32\drivers\PalmUSBD.sys
2011-01-14 05:31 . 2004-06-09 19:27 53248 ----a-w- c:\windows\system32\palmdevc.dll
2010-11-18 18:12 . 2004-08-10 18:02 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52 . 2004-08-10 17:51 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-05 05:05 . 2004-08-10 17:51 667136 ----a-w- c:\windows\system32\wininet.dll
2010-11-05 05:05 . 2004-08-10 17:51 61952 ----a-w- c:\windows\system32\tdc.ocx
2010-11-05 05:05 . 2004-08-10 17:51 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-11-03 12:59 . 2004-08-10 17:51 369664 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2004-08-10 17:51 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2004-08-10 17:50 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2004-08-10 17:51 1853312 ----a-w- c:\windows\system32\win32k.sys
.

------- Sigcheck -------

[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
[-] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2007-06-13 . 97BD6515465659FF8F3B7BE375B2EA87 . 1033216 . . [6.00.2900.3156] . . c:\windows\$NtServicePackUninstall$\explorer.exe
[-] 2004-08-04 10:00 . A3975A7D2C98B30A2AE010754FFB9392 . 80 . . [------] . . c:\windows\explorer.exe
[7] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB938828$\explorer.exe
[-] 2004-08-04 10:00 . A3975A7D2C98B30A2AE010754FFB9392 . 80 . . [------] . . c:\windows\system32\dllcache\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-14 68856]
"RegistryBooster"="c:\program files\Uniblue\RegistryBooster\launcher.exe" [2010-11-22 67424]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-09-22 761947]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-02-20 1191936]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"SigmatelSysTrayApp"="stsystra.exe" [2006-09-22 282624]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-08-10 1862144]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 517768]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-17 149280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Clean Access Agent.lnk - c:\program files\Cisco Systems\Clean Access Agent\CCAAgent.exe [2007-9-17 1593425]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-8-10 24576]
HotSync Manager.lnk - c:\program files\Palm\Hotsync.exe -logon [N/A]
HOTSYNCSHORTCUTNAME.lnk - c:\program files\Palm\Hotsync.exe [2004-6-9 471040]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
NAC Assessment Agent.lnk - c:\program files\Enterasys Networks\NAC Agent\NacAgent.exe [2009-8-12 17244472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Taskman"=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Enterasys Networks\\NAC Agent\\NacAgent.exe"=
"c:\\Program Files\\ATI Technologies\\ATI.ACE\\CLI.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

S2 gupdate1c9d78562727de4;Google Update Service (gupdate1c9d78562727de4);c:\program files\Google\Update\GoogleUpdate.exe [5/18/2009 12:53 AM 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-01-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2011-01-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-18 06:53]

2011-01-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-18 06:53]

2011-01-17 c:\windows\Tasks\RegistryBooster.job
- c:\program files\Uniblue\RegistryBooster\rbmonitor.exe [2010-11-22 12:38]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.mtsu.edu/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.dell.com
mSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070810
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
Trusted Zone: tnjn.com\www
FF - ProfilePath - c:\documents and settings\Cait\Application Data\Mozilla\Firefox\Profiles\i6clpl1b.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://mtsu.edu/
FF - prefs.js: network.proxy.type - 4
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: RealArcade V3 Plugin: npmozax@real.com - c:\program files\Mozilla Firefox\extensions\npmozax@real.com
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: User Agent Switcher: {e968fc70-8f95-4ab9-9e79-304de2a71ee1} - %profile%\extensions\{e968fc70-8f95-4ab9-9e79-304de2a71ee1}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKCU-Run-ModemOnHold - c:\program files\NetWaiting\netWaiting.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-17 11:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(784)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\system32\wscntfy.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.EXE
c:\windows\stsystra.exe
c:\program files\Uniblue\RegistryBooster\registrybooster.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\ATI Technologies\ATI.ACE\cli.exe
c:\program files\Symantec\LiveUpdate\AUpdate.exe
c:\progra~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
.
**************************************************************************
.
Completion time: 2011-01-17 11:26:26 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-17 17:26

Pre-Run: 36,220,362,752 bytes free
Post-Run: 39,247,626,240 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 768DD0B5D2BAB58DD0473B789FAE7757

#6 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts

Posted 19 January 2011 - 12:42 PM

Hi there,

Thank you for that. :) Eh.....Uniblue is junk but not necessarily malware. If it installed, then do uninstall it. Now let's fix that Explorer.exe. :)

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

FCOPY::
c:\windows\ServicePackFiles\i386\explorer.exe | c:\windows\explorer.exe
Folder::
c:\program files\Uniblue


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply. Let me know how it's running now please. :)

Thanks,
tea
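
The Sigcheck section of the log in post #5 is where the real finding sits: c:\windows\explorer.exe and c:\windows\system32\dllcache\explorer.exe are both 80 bytes, carry no version resource, and share the MD5 A3975A7D2C98B30A2AE010754FFB9392, while c:\windows\ServicePackFiles\i386\explorer.exe is the full 1,033,728-byte 6.00.2900.5512 build. That is why the shell never starts and why the FCOPY:: line in post #6 restores from ServicePackFiles rather than trusting Windows File Protection (WFP reinstates whatever is in dllcache, and here the cached copy is the same stub). The script below is an added example, not code from this thread or from ComboFix: it parses Sigcheck lines, flags copies with no version resource or an implausible size, picks the highest-versioned sibling (preferring ServicePackFiles) as the restore source, and renders the result in the CFScript FCOPY:: syntax. It goes one step beyond post #6 by also proposing the dllcache copy, so the repair is not undone by WFP. The 4096-byte size floor and the outlier ratio are assumptions chosen for this example; ComboFix's own bracketed marker column is kept for display but not relied on.

```python
"""Flag stub system binaries in a ComboFix Sigcheck section and propose
restore sources, mirroring the FCOPY:: step used in this thread (added example)."""
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the six Sigcheck lines from the log posted
# earlier in this thread, embedded so the script runs offline.
SIGCHECK_SAMPLE = r"""
[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
[-] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2007-06-13 . 97BD6515465659FF8F3B7BE375B2EA87 . 1033216 . . [6.00.2900.3156] . . c:\windows\$NtServicePackUninstall$\explorer.exe
[-] 2004-08-04 10:00 . A3975A7D2C98B30A2AE010754FFB9392 . 80 . . [------] . . c:\windows\explorer.exe
[7] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB938828$\explorer.exe
[-] 2004-08-04 10:00 . A3975A7D2C98B30A2AE010754FFB9392 . 80 . . [------] . . c:\windows\system32\dllcache\explorer.exe
"""

# One Sigcheck line: [mark] date[ time] . MD5 . size . . [version] . . path
LINE_RE = re.compile(
    r"^\[(?P<mark>[^\]]+)\]\s+(?P<date>\d{4}-\d{2}-\d{2}(?:\s+\d{2}:\d{2})?)\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$"
)

# Assumption for this example: no real PE with a version resource is this
# small; an 80-byte "explorer.exe" is a dropped stub, not the shell.
MIN_PLAUSIBLE_SIZE = 4096


@dataclass
class SigEntry:
    mark: str      # ComboFix's bracketed marker, kept for display only
    md5: str
    size: int
    version: str   # "------" in the log means no version resource
    path: str

    @property
    def basename(self) -> str:
        # ntpath handles backslash paths even when run on a non-Windows host
        return ntpath.basename(self.path).lower()

    @property
    def version_tuple(self):
        # "6.00.2900.5512" -> (6, 0, 2900, 5512); None when no version resource
        if not re.fullmatch(r"\d+(\.\d+)*", self.version):
            return None
        return tuple(int(p) for p in self.version.split("."))


def parse_sigcheck(text: str) -> List[SigEntry]:
    entries = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip headers and separator lines
        entries.append(SigEntry(m["mark"], m["md5"].upper(), int(m["size"]),
                                m["version"], m["path"]))
    return entries


def find_suspicious(entries: List[SigEntry]) -> List[SigEntry]:
    """A copy is suspect if it has no version resource, is implausibly small,
    or is a size outlier against same-named siblings that do carry a version."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[e.basename].append(e)
    suspicious = []
    for e in entries:
        sized = [s.size for s in by_name[e.basename] if s.version_tuple]
        ref = max(sized) if sized else None
        if (e.version_tuple is None or e.size < MIN_PLAUSIBLE_SIZE
                or (ref and e.size < ref // 10)):
            suspicious.append(e)
    return suspicious


def choose_reference(entries: List[SigEntry], basename: str) -> Optional[SigEntry]:
    """Restore source: the highest-versioned copy, preferring ServicePackFiles
    (the same source ComboFix used to repair winlogon.exe) on a version tie."""
    candidates = [e for e in entries if e.basename == basename and e.version_tuple]
    if not candidates:
        return None
    return max(candidates,
               key=lambda e: (e.version_tuple, "servicepackfiles" in e.path.lower()))


def plan_restores(text: str) -> Dict[str, str]:
    """Map each suspect path to the path it should be copied from."""
    entries = parse_sigcheck(text)
    plan = {}
    for bad in find_suspicious(entries):
        ref = choose_reference(entries, bad.basename)
        if ref and ref.path != bad.path:
            plan[bad.path] = ref.path
    return plan


def cfscript(plan: Dict[str, str]) -> str:
    """Render the plan in the CFScript FCOPY:: syntax: 'source | destination'."""
    lines = ["FCOPY::"] + [f"{src} | {dst}" for dst, src in sorted(plan.items())]
    return "\n".join(lines)


if __name__ == "__main__":
    print(cfscript(plan_restores(SIGCHECK_SAMPLE)))
```

Run against the sample, the script proposes two copies from c:\windows\ServicePackFiles\i386\explorer.exe: one to c:\windows\explorer.exe (the line tea wrote) and one to the dllcache copy, so that WFP has a good file to reinstate from. Anything this heuristic flags still deserves a hash check against a known-good file of the same build before it is copied anywhere.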

#7 chmod744mike

  • Topic Starter
  • Members
  • 12 posts

Posted 19 January 2011 - 03:41 PM

Thanks. Problem with that - I don't have any icons! Can't drag and drop??

Curious - what is the Folder: C:\Program Files\Uniblue for?

#8 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts

Posted 19 January 2011 - 05:00 PM

Uniblue is a registry booster, and not a very good one at that.

Try this for ComboFix, and then we'll worry about the script : Click the Windows 'Start' button > Select 'Run' - then copy/paste this into the run box & click OK: (assuming ComboFix.exe is on the desktop as was instructed)

"%userprofile%\desktop\combofix.exe"

Thanks,
tea

#9 chmod744mike

  • Topic Starter
  • Members
  • 12 posts

Posted 19 January 2011 - 07:04 PM

OK. There is no Start button. There is nothing but a background image - no icons.

I can and have run ComboFix from the Task Manager using File >> Run. The output is posted above.

Are you wanting me to run combofix again? What I can't do is drag the previous script onto the combofix icon - there are no icons.

Is there a command line option to run the previous script with combofix?

#10 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts

Posted 19 January 2011 - 07:53 PM

Okay, then run it again the way you got it to run before. I just want to see a new report for now, if at all possible. :thumbup2:

#11 chmod744mike

  • Topic Starter
  • Members
  • 12 posts

Posted 20 January 2011 - 01:54 AM

Here is the new log.

ComboFix 11-01-14.01 - Cait 01/20/2011 0:44.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.611 [GMT -6:00]
Running from: c:\documents and settings\Cait\Desktop\ComboFix.exe
FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((( Files Created from 2010-12-20 to 2011-01-20 )))))))))))))))))))))))))))))))
.

2011-01-15 00:13 . 2011-01-15 00:13 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2011-01-14 23:44 . 2008-04-14 00:12 116224 ----a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2011-01-14 23:44 . 2001-08-18 04:36 23040 ----a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2011-01-14 23:44 . 2008-04-14 00:12 18944 ----a-w- c:\windows\system32\dllcache\xrxscnui.dll
2011-01-14 23:44 . 2001-08-18 04:37 27648 ----a-w- c:\windows\system32\dllcache\xrxftplt.exe
2011-01-14 23:44 . 2001-08-18 04:37 4608 ----a-w- c:\windows\system32\dllcache\xrxflnch.exe
2011-01-14 23:44 . 2001-08-18 04:37 99865 ----a-w- c:\windows\system32\dllcache\xlog.exe
2011-01-14 23:44 . 2001-08-17 18:11 16970 ----a-w- c:\windows\system32\dllcache\xem336n5.sys
2011-01-14 23:44 . 2004-08-04 03:29 19455 ----a-w- c:\windows\system32\dllcache\wvchntxx.sys
2011-01-14 23:44 . 2008-04-13 18:46 19200 ----a-w- c:\windows\system32\dllcache\wstcodec.sys
2011-01-14 23:44 . 2004-08-04 03:29 12063 ----a-w- c:\windows\system32\dllcache\wsiintxx.sys
2011-01-14 23:44 . 2008-04-14 00:12 8192 ----a-w- c:\windows\system32\dllcache\wshirda.dll
2011-01-14 23:42 . 2001-08-17 18:13 19016 ----a-w- c:\windows\system32\dllcache\w926nd.sys
2011-01-14 23:41 . 2001-08-17 19:28 794654 ----a-w- c:\windows\system32\dllcache\usr1801.sys
2011-01-14 23:40 . 2001-08-17 18:51 166784 ----a-w- c:\windows\system32\dllcache\tridxpm.sys
2011-01-14 23:39 . 2001-08-17 20:56 81408 ----a-w- c:\windows\system32\dllcache\tgiul50.dll
2011-01-14 23:38 . 2001-08-18 04:36 155648 ----a-w- c:\windows\system32\dllcache\stlnprop.dll
2011-01-14 23:37 . 2004-08-04 10:00 5632 ----a-w- c:\windows\system32\dllcache\smimsgif.dll
2011-01-14 23:36 . 2004-08-04 03:31 32768 ----a-w- c:\windows\system32\dllcache\sisnic.sys
2011-01-14 23:35 . 2001-08-17 19:52 11648 ----a-w- c:\windows\system32\dllcache\scsiprnt.sys
2011-01-14 23:34 . 2001-08-17 19:57 65664 ----a-w- c:\windows\system32\dllcache\s3legacy.sys
2011-01-14 23:33 . 2004-08-04 10:00 16384 ----a-w- c:\windows\system32\dllcache\quser.exe
2011-01-14 23:32 . 2001-08-17 20:04 75776 ----a-w- c:\windows\system32\dllcache\philcam1.sys
2011-01-14 23:31 . 2001-08-17 20:05 31872 ----a-w- c:\windows\system32\dllcache\ovce.sys
2011-01-14 23:30 . 2004-08-04 03:31 132695 ----a-w- c:\windows\system32\dllcache\netwlan5.sys
2011-01-14 23:29 . 2001-08-17 18:50 103296 ----a-w- c:\windows\system32\dllcache\mtxvideo.sys
2011-01-14 23:28 . 2001-08-17 18:50 320384 ----a-w- c:\windows\system32\dllcache\mgaum.sys
2011-01-14 23:27 . 2001-08-17 19:51 15744 ----a-w- c:\windows\system32\dllcache\lit220p.sys
2011-01-14 23:26 . 2001-08-17 19:50 38784 ----a-w- c:\windows\system32\dllcache\io8.sys
2011-01-14 23:25 . 2004-08-04 10:00 10129408 ----a-w- c:\windows\system32\dllcache\hwxkor.dll
2011-01-14 23:24 . 2001-08-18 04:36 126976 ----a-w- c:\windows\system32\dllcache\hpgt34tk.dll
2011-01-14 23:23 . 2001-08-17 18:14 441728 ----a-w- c:\windows\system32\dllcache\fpcmbase.sys
2011-01-14 23:22 . 2001-08-18 04:36 53248 ----a-w- c:\windows\system32\dllcache\eqndiag.exe
2011-01-14 23:21 . 2001-08-18 04:36 37962 ----a-w- c:\windows\system32\dllcache\divaprop.dll
2011-01-14 23:20 . 2008-04-14 00:11 249856 ----a-w- c:\windows\system32\dllcache\ctmasetp.dll
2011-01-14 23:19 . 2001-08-18 04:36 9728 ----a-w- c:\windows\system32\dllcache\brcoinst.dll
2011-01-14 05:31 . 2011-01-14 05:31 -------- d-----w- c:\program files\Palm
2011-01-13 06:46 . 2011-01-13 06:46 -------- d-----w- c:\documents and settings\Cait\Application Data\Malwarebytes
2011-01-13 06:45 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-13 06:45 . 2011-01-13 06:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-01-13 06:45 . 2011-01-13 06:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-13 06:45 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-12 03:21 . 2011-01-12 03:25 -------- d-----w- C:\48034688cc3b17b51e

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-14 05:31 . 2008-07-31 16:44 65536 ----a-r- c:\documents and settings\Cait\Application Data\Microsoft\Installer\{32EF6F81-583E-4127-918D-D3768A8957C4}\PalmDesktopShortcut.exe
2011-01-14 05:31 . 2008-07-31 16:44 40960 ----a-r- c:\documents and settings\Cait\Application Data\Microsoft\Installer\{32EF6F81-583E-4127-918D-D3768A8957C4}\NewShortcut6_45BA714564B04B5DBDC240E20FCDC6DC.exe
2011-01-14 05:31 . 2008-07-31 16:44 40960 ----a-r- c:\documents and settings\Cait\Application Data\Microsoft\Installer\{32EF6F81-583E-4127-918D-D3768A8957C4}\NewShortcut1_45BA714564B04B5DBDC240E20FCDC6DC.exe
2011-01-14 05:31 . 2008-07-31 16:44 65536 ----a-r- c:\documents and settings\Cait\Application Data\Microsoft\Installer\{32EF6F81-583E-4127-918D-D3768A8957C4}\NewShortcut1_1.4DA64122_6F1D_4317_BC6A_2B3299881D1B.exe
2011-01-14 05:31 . 2008-07-31 16:44 65536 ----a-r- c:\documents and settings\Cait\Application Data\Microsoft\Installer\{32EF6F81-583E-4127-918D-D3768A8957C4}\ARPPRODUCTICON.exe
2011-01-14 05:31 . 2008-07-31 16:44 16694 ----a-w- c:\windows\system32\drivers\PalmUSBD.sys
2011-01-14 05:31 . 2004-06-09 19:27 53248 ----a-w- c:\windows\system32\palmdevc.dll
2010-11-18 18:12 . 2004-08-10 18:02 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52 . 2004-08-10 17:51 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-05 05:05 . 2004-08-10 17:51 667136 ----a-w- c:\windows\system32\wininet.dll
2010-11-05 05:05 . 2004-08-10 17:51 61952 ----a-w- c:\windows\system32\tdc.ocx
2010-11-05 05:05 . 2004-08-10 17:51 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-11-03 12:59 . 2004-08-10 17:51 369664 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2004-08-10 17:51 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2004-08-10 17:50 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2004-08-10 17:51 1853312 ----a-w- c:\windows\system32\win32k.sys
.

------- Sigcheck -------

[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
[-] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2007-06-13 . 97BD6515465659FF8F3B7BE375B2EA87 . 1033216 . . [6.00.2900.3156] . . c:\windows\$NtServicePackUninstall$\explorer.exe
[-] 2004-08-04 10:00 . A3975A7D2C98B30A2AE010754FFB9392 . 80 . . [------] . . c:\windows\explorer.exe
[7] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB938828$\explorer.exe
[-] 2004-08-04 10:00 . A3975A7D2C98B30A2AE010754FFB9392 . 80 . . [------] . . c:\windows\system32\dllcache\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-14 68856]
"RegistryBooster"="c:\program files\Uniblue\RegistryBooster\launcher.exe" [2010-11-22 67424]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-09-22 761947]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-02-20 1191936]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"SigmatelSysTrayApp"="stsystra.exe" [2006-09-22 282624]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-08-10 1862144]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 517768]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-17 149280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Clean Access Agent.lnk - c:\program files\Cisco Systems\Clean Access Agent\CCAAgent.exe [2007-9-17 1593425]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-8-10 24576]
HotSync Manager.lnk - c:\program files\Palm\Hotsync.exe -logon [N/A]
HOTSYNCSHORTCUTNAME.lnk - c:\program files\Palm\Hotsync.exe [2004-6-9 471040]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
NAC Assessment Agent.lnk - c:\program files\Enterasys Networks\NAC Agent\NacAgent.exe [2009-8-12 17244472]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Enterasys Networks\\NAC Agent\\NacAgent.exe"=
"c:\\Program Files\\ATI Technologies\\ATI.ACE\\CLI.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

S2 gupdate1c9d78562727de4;Google Update Service (gupdate1c9d78562727de4);c:\program files\Google\Update\GoogleUpdate.exe [5/18/2009 12:53 AM 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-01-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2011-01-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-18 06:53]

2011-01-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-18 06:53]

2011-01-20 c:\windows\Tasks\RegistryBooster.job
- c:\program files\Uniblue\RegistryBooster\rbmonitor.exe [2010-11-22 12:38]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.mtsu.edu/
mStart Page = hxxp://www.dell.com
mSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070810
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
Trusted Zone: tnjn.com\www
FF - ProfilePath - c:\documents and settings\Cait\Application Data\Mozilla\Firefox\Profiles\i6clpl1b.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://mtsu.edu/
FF - prefs.js: network.proxy.type - 4
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: RealArcade V3 Plugin: npmozax@real.com - c:\program files\Mozilla Firefox\extensions\npmozax@real.com
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: User Agent Switcher: {e968fc70-8f95-4ab9-9e79-304de2a71ee1} - %profile%\extensions\{e968fc70-8f95-4ab9-9e79-304de2a71ee1}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-20 00:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(784)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2011-01-20 00:52:38
ComboFix-quarantined-files.txt 2011-01-20 06:52
ComboFix2.txt 2011-01-17 17:26

Pre-Run: 39,270,334,464 bytes free
Post-Run: 39,258,234,880 bytes free

- - End Of File - - 9D556069E5768066B574BCDB7FB56E1B
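
A note on the Sigcheck block in that log, with an added worked example that is not part of this thread (my own code, not ComboFix's, and the function and class names in it are mine). ComboFix lists every copy of explorer.exe it can find; as I read its convention, [7] marks a copy whose signature verifies and [-] one that does not. The two copies that actually matter, c:\windows\explorer.exe and the one in system32\dllcache that Windows File Protection would restore from, are 80 bytes with the same unverified hash, while the ServicePackFiles store still holds the genuine 1,033,728-byte 6.00.2900.5512 build. That is why the desktop vanished: the shell binary had been replaced, and WFP could not repair it because its cache copy had been replaced too. The script parses those six lines (embedded below as the sample input), treats the uninstall and service-pack stores as legitimate backups of other builds, flags live copies whose hash matches no verified copy, and names the restore source, which is the same repair ComboFix's FCopy step performs in the later log.

```python
"""Triage the Sigcheck section of a ComboFix log.

ComboFix lists every copy of a protected system file it finds, one copy
per line, marked [7] when the file's signature verifies and [-] when it
does not (my reading of the ComboFix convention).  A live copy whose hash
matches none of the verified copies, and is a tiny fraction of their size,
has been replaced.  The copy in system32\dllcache counts as live: it is
what Windows File Protection would silently restore from, so an infection
that replaces both stays hidden.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# One Sigcheck line, e.g.
# [-] 2004-08-04 10:00 . A3975A7D2C98B30A2AE010754FFB9392 . 80 . . [------] . . c:\windows\explorer.exe
SIGCHECK_LINE = re.compile(
    r"^\[(?P<flag>[^\]]+)\]\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2}(?: \d{2}:\d{2})?)\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+"
    r"(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+"
    r"(?P<path>\S.*?)\s*$"
)


@dataclass(frozen=True)
class SigEntry:
    verified: bool      # True for a [7] line
    date: str
    md5: str
    size: int
    version: str        # "6.00.2900.5512", or "------" when there is no version resource
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()

    @property
    def is_backup(self) -> bool:
        """Service-pack and hotfix uninstall stores legitimately hold other builds."""
        p = self.path.lower()
        return "\\servicepackfiles\\" in p or "\\$" in p


@dataclass
class Finding:
    reference: SigEntry         # newest verified copy, the restore source
    suspects: list[SigEntry]    # live copies whose hash matches no verified copy


def parse_sigcheck(text: str) -> list[SigEntry]:
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_LINE.match(line.strip())
        if m:
            entries.append(SigEntry(
                verified=m["flag"] == "7",
                date=m["date"],
                md5=m["md5"].upper(),
                size=int(m["size"]),
                version=m["version"],
                path=m["path"],
            ))
    return entries


def version_key(v: str) -> tuple[int, ...]:
    """Sortable form of a file version; non-numeric placeholders sort lowest."""
    return tuple(int(x) for x in v.split(".")) if v[:1].isdigit() else ()


def triage(entries: list[SigEntry]) -> dict[str, Finding]:
    by_name: dict[str, list[SigEntry]] = {}
    for e in entries:
        by_name.setdefault(e.name, []).append(e)
    findings = {}
    for name, copies in by_name.items():
        verified = [e for e in copies if e.verified]
        if not verified:
            continue                        # nothing trustworthy to compare against
        good_hashes = {e.md5 for e in verified}
        reference = max(verified, key=lambda e: version_key(e.version))
        suspects = [e for e in copies if not e.is_backup and e.md5 not in good_hashes]
        if suspects:
            findings[name] = Finding(reference, suspects)
    return findings


def fcopy_plan(findings: dict[str, Finding]) -> list[tuple[str, str]]:
    """(source, destination) pairs: the repair ComboFix's FCopy step performs."""
    return [(f.reference.path, s.path) for f in findings.values() for s in f.suspects]


# Constructed sample: the six Sigcheck lines copied from the log above.
SAMPLE_SIGCHECK = r"""
[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
[-] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2007-06-13 . 97BD6515465659FF8F3B7BE375B2EA87 . 1033216 . . [6.00.2900.3156] . . c:\windows\$NtServicePackUninstall$\explorer.exe
[-] 2004-08-04 10:00 . A3975A7D2C98B30A2AE010754FFB9392 . 80 . . [------] . . c:\windows\explorer.exe
[7] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB938828$\explorer.exe
[-] 2004-08-04 10:00 . A3975A7D2C98B30A2AE010754FFB9392 . 80 . . [------] . . c:\windows\system32\dllcache\explorer.exe
"""

if __name__ == "__main__":
    for name, f in triage(parse_sigcheck(SAMPLE_SIGCHECK)).items():
        print(f"{name}: restore from {f.reference.path} ({f.reference.size} bytes)")
        for s in f.suspects:
            print(f"  replaced: {s.path} ({s.size} bytes, md5 {s.md5})")
```

Run against the sample it reports both 80-byte copies as replaced and the SP3 copy in ServicePackFiles as the source to restore from. The size check is the quick tell a human uses; the hash comparison against the verified copies is what catches a replacement that bothers to pad itself out to a plausible size.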

#12 teacup61 (Malware Response Team)

Posted 21 January 2011 - 10:08 AM

Hi there,

What do you have when you start in safe mode? Can you run the script I gave you from there?
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#13 chmod744mike (Topic Starter)

Posted 21 January 2011 - 06:25 PM

Still no icons or Start button in Safe mode. No way to drag and drop. :(

#14 chmod744mike (Topic Starter)

Posted 22 January 2011 - 12:53 AM

OK - New development!

I took a copy of explorer.exe from another WinXP Home SP3 laptop and put it on CD. I used Task Manager's File>>Run command to run it and - Voila - icons, start button, systray, etc.

Then I created the script and dropped it onto the CF icon and all seems to be working normally (and Uniblue is gone). The latest log is below. Am I done??

Thanks,

Mike

ComboFix 11-01-21.01 - Cait 01/21/2011 23:39:31.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.507 [GMT -6:00]
Running from: c:\documents and settings\Cait\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Cait\Desktop\CFscript.txt
FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Cait\LOCALS~1\Temp\ShutdownGuardian.dll
c:\documents and settings\Cait\Local Settings\temp\ShutdownGuardian.dll
c:\program files\Uniblue
c:\program files\Uniblue\RegistryBooster\cache.dll
c:\program files\Uniblue\RegistryBooster\cwebpage.dll
c:\program files\Uniblue\RegistryBooster\intermediate_views.dat
c:\program files\Uniblue\RegistryBooster\Launcher.exe
c:\program files\Uniblue\RegistryBooster\library.dat
c:\program files\Uniblue\RegistryBooster\locale\br\br.dll
c:\program files\Uniblue\RegistryBooster\locale\br\LC_MESSAGES\messages.mo
c:\program files\Uniblue\RegistryBooster\locale\de\de.dll
c:\program files\Uniblue\RegistryBooster\locale\de\LC_MESSAGES\messages.mo
c:\program files\Uniblue\RegistryBooster\locale\dk\dk.dll
c:\program files\Uniblue\RegistryBooster\locale\dk\LC_MESSAGES\messages.mo
c:\program files\Uniblue\RegistryBooster\locale\en\en.dll
c:\program files\Uniblue\RegistryBooster\locale\en\LC_MESSAGES\messages.mo
c:\program files\Uniblue\RegistryBooster\locale\es\es.dll
c:\program files\Uniblue\RegistryBooster\locale\es\LC_MESSAGES\messages.mo
c:\program files\Uniblue\RegistryBooster\locale\fi\fi.dll
c:\program files\Uniblue\RegistryBooster\locale\fi\LC_MESSAGES\messages.mo
c:\program files\Uniblue\RegistryBooster\locale\fr\fr.dll
c:\program files\Uniblue\RegistryBooster\locale\fr\LC_MESSAGES\messages.mo
c:\program files\Uniblue\RegistryBooster\locale\gr\gr.dll
c:\program files\Uniblue\RegistryBooster\locale\gr\LC_MESSAGES\messages.mo
c:\program files\Uniblue\RegistryBooster\locale\it\it.dll
c:\program files\Uniblue\RegistryBooster\locale\it\LC_MESSAGES\messages.mo
c:\program files\Uniblue\RegistryBooster\locale\jp\jp.dll
c:\program files\Uniblue\RegistryBooster\locale\jp\LC_MESSAGES\messages.mo
c:\program files\Uniblue\RegistryBooster\locale\nl\LC_MESSAGES\messages.mo
c:\program files\Uniblue\RegistryBooster\locale\nl\nl.dll
c:\program files\Uniblue\RegistryBooster\locale\no\LC_MESSAGES\messages.mo
c:\program files\Uniblue\RegistryBooster\locale\no\no.dll
c:\program files\Uniblue\RegistryBooster\locale\pl\LC_MESSAGES\messages.mo
c:\program files\Uniblue\RegistryBooster\locale\pl\pl.dll
c:\program files\Uniblue\RegistryBooster\locale\pt\LC_MESSAGES\messages.mo
c:\program files\Uniblue\RegistryBooster\locale\pt\pt.dll
c:\program files\Uniblue\RegistryBooster\locale\ru\LC_MESSAGES\messages.mo
c:\program files\Uniblue\RegistryBooster\locale\ru\ru.dll
c:\program files\Uniblue\RegistryBooster\locale\se\LC_MESSAGES\messages.mo
c:\program files\Uniblue\RegistryBooster\locale\se\se.dll
c:\program files\Uniblue\RegistryBooster\locale\tr\LC_MESSAGES\messages.mo
c:\program files\Uniblue\RegistryBooster\locale\tr\tr.dll
c:\program files\Uniblue\RegistryBooster\locale\xs\LC_MESSAGES\messages.mo
c:\program files\Uniblue\RegistryBooster\locale\xs\xs.dll
c:\program files\Uniblue\RegistryBooster\locale\xt\LC_MESSAGES\messages.mo
c:\program files\Uniblue\RegistryBooster\locale\xt\xt.dll
c:\program files\Uniblue\RegistryBooster\Microsoft.VC90.CRT.manifest
c:\program files\Uniblue\RegistryBooster\msvcp90.dll
c:\program files\Uniblue\RegistryBooster\msvcr90.dll
c:\program files\Uniblue\RegistryBooster\rb_move_serial.exe
c:\program files\Uniblue\RegistryBooster\rb_track_install.exe
c:\program files\Uniblue\RegistryBooster\rbmonitor.exe
c:\program files\Uniblue\RegistryBooster\rbnotifier.exe
c:\program files\Uniblue\RegistryBooster\registrybooster.exe
c:\program files\Uniblue\RegistryBooster\repair_transform.xsl
c:\program files\Uniblue\RegistryBooster\settings.ini
c:\program files\Uniblue\RegistryBooster\views.dat

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\explorer.exe --> c:\windows\explorer.exe
.
((((((((((((((((((((((((( Files Created from 2010-12-22 to 2011-01-22 )))))))))))))))))))))))))))))))
.

2011-01-15 00:13 . 2011-01-15 00:13 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2011-01-14 23:44 . 2008-04-14 00:12 116224 ----a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2011-01-14 23:44 . 2001-08-18 04:36 23040 ----a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2011-01-14 23:44 . 2008-04-14 00:12 18944 ----a-w- c:\windows\system32\dllcache\xrxscnui.dll
2011-01-14 23:44 . 2001-08-18 04:37 27648 ----a-w- c:\windows\system32\dllcache\xrxftplt.exe
2011-01-14 23:44 . 2001-08-18 04:37 4608 ----a-w- c:\windows\system32\dllcache\xrxflnch.exe
2011-01-14 23:44 . 2001-08-18 04:37 99865 ----a-w- c:\windows\system32\dllcache\xlog.exe
2011-01-14 23:44 . 2001-08-17 18:11 16970 ----a-w- c:\windows\system32\dllcache\xem336n5.sys
2011-01-14 23:44 . 2004-08-04 03:29 19455 ----a-w- c:\windows\system32\dllcache\wvchntxx.sys
2011-01-14 23:44 . 2008-04-13 18:46 19200 ----a-w- c:\windows\system32\dllcache\wstcodec.sys
2011-01-14 23:44 . 2004-08-04 03:29 12063 ----a-w- c:\windows\system32\dllcache\wsiintxx.sys
2011-01-14 23:44 . 2008-04-14 00:12 8192 ----a-w- c:\windows\system32\dllcache\wshirda.dll
2011-01-14 23:42 . 2001-08-17 18:13 19016 ----a-w- c:\windows\system32\dllcache\w926nd.sys
2011-01-14 23:41 . 2001-08-17 19:28 794654 ----a-w- c:\windows\system32\dllcache\usr1801.sys
2011-01-14 23:40 . 2001-08-17 18:51 166784 ----a-w- c:\windows\system32\dllcache\tridxpm.sys
2011-01-14 23:39 . 2001-08-17 20:56 81408 ----a-w- c:\windows\system32\dllcache\tgiul50.dll
2011-01-14 23:38 . 2001-08-18 04:36 155648 ----a-w- c:\windows\system32\dllcache\stlnprop.dll
2011-01-14 23:37 . 2004-08-04 10:00 5632 ----a-w- c:\windows\system32\dllcache\smimsgif.dll
2011-01-14 23:36 . 2004-08-04 03:31 32768 ----a-w- c:\windows\system32\dllcache\sisnic.sys
2011-01-14 23:35 . 2001-08-17 19:52 11648 ----a-w- c:\windows\system32\dllcache\scsiprnt.sys
2011-01-14 23:34 . 2001-08-17 19:57 65664 ----a-w- c:\windows\system32\dllcache\s3legacy.sys
2011-01-14 23:33 . 2004-08-04 10:00 16384 ----a-w- c:\windows\system32\dllcache\quser.exe
2011-01-14 23:32 . 2001-08-17 20:04 75776 ----a-w- c:\windows\system32\dllcache\philcam1.sys
2011-01-14 23:31 . 2001-08-17 20:05 31872 ----a-w- c:\windows\system32\dllcache\ovce.sys
2011-01-14 23:30 . 2004-08-04 03:31 132695 ----a-w- c:\windows\system32\dllcache\netwlan5.sys
2011-01-14 23:29 . 2001-08-17 18:50 103296 ----a-w- c:\windows\system32\dllcache\mtxvideo.sys
2011-01-14 23:28 . 2001-08-17 18:50 320384 ----a-w- c:\windows\system32\dllcache\mgaum.sys
2011-01-14 23:27 . 2001-08-17 19:51 15744 ----a-w- c:\windows\system32\dllcache\lit220p.sys
2011-01-14 23:26 . 2001-08-17 19:50 38784 ----a-w- c:\windows\system32\dllcache\io8.sys
2011-01-14 23:25 . 2004-08-04 10:00 10129408 ----a-w- c:\windows\system32\dllcache\hwxkor.dll
2011-01-14 23:24 . 2001-08-18 04:36 126976 ----a-w- c:\windows\system32\dllcache\hpgt34tk.dll
2011-01-14 23:23 . 2001-08-17 18:14 441728 ----a-w- c:\windows\system32\dllcache\fpcmbase.sys
2011-01-14 23:22 . 2001-08-18 04:36 53248 ----a-w- c:\windows\system32\dllcache\eqndiag.exe
2011-01-14 23:21 . 2001-08-18 04:36 37962 ----a-w- c:\windows\system32\dllcache\divaprop.dll
2011-01-14 23:20 . 2008-04-14 00:11 249856 ----a-w- c:\windows\system32\dllcache\ctmasetp.dll
2011-01-14 23:19 . 2001-08-18 04:36 9728 ----a-w- c:\windows\system32\dllcache\brcoinst.dll
2011-01-14 05:31 . 2011-01-14 05:31 -------- d-----w- c:\program files\Palm
2011-01-13 06:46 . 2011-01-13 06:46 -------- d-----w- c:\documents and settings\Cait\Application Data\Malwarebytes
2011-01-13 06:45 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-13 06:45 . 2011-01-13 06:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-01-13 06:45 . 2011-01-13 06:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-13 06:45 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-12 03:21 . 2011-01-12 03:25 -------- d-----w- C:\48034688cc3b17b51e

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-14 05:31 . 2008-07-31 16:44 65536 ----a-r- c:\documents and settings\Cait\Application Data\Microsoft\Installer\{32EF6F81-583E-4127-918D-D3768A8957C4}\PalmDesktopShortcut.exe
2011-01-14 05:31 . 2008-07-31 16:44 40960 ----a-r- c:\documents and settings\Cait\Application Data\Microsoft\Installer\{32EF6F81-583E-4127-918D-D3768A8957C4}\NewShortcut6_45BA714564B04B5DBDC240E20FCDC6DC.exe
2011-01-14 05:31 . 2008-07-31 16:44 40960 ----a-r- c:\documents and settings\Cait\Application Data\Microsoft\Installer\{32EF6F81-583E-4127-918D-D3768A8957C4}\NewShortcut1_45BA714564B04B5DBDC240E20FCDC6DC.exe
2011-01-14 05:31 . 2008-07-31 16:44 65536 ----a-r- c:\documents and settings\Cait\Application Data\Microsoft\Installer\{32EF6F81-583E-4127-918D-D3768A8957C4}\NewShortcut1_1.4DA64122_6F1D_4317_BC6A_2B3299881D1B.exe
2011-01-14 05:31 . 2008-07-31 16:44 65536 ----a-r- c:\documents and settings\Cait\Application Data\Microsoft\Installer\{32EF6F81-583E-4127-918D-D3768A8957C4}\ARPPRODUCTICON.exe
2011-01-14 05:31 . 2008-07-31 16:44 16694 ----a-w- c:\windows\system32\drivers\PalmUSBD.sys
2011-01-14 05:31 . 2004-06-09 19:27 53248 ----a-w- c:\windows\system32\palmdevc.dll
2010-11-18 18:12 . 2004-08-10 18:02 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52 . 2004-08-10 17:51 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-05 05:05 . 2004-08-10 17:51 667136 ----a-w- c:\windows\system32\wininet.dll
2010-11-05 05:05 . 2004-08-10 17:51 61952 ----a-w- c:\windows\system32\tdc.ocx
2010-11-05 05:05 . 2004-08-10 17:51 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-11-03 12:59 . 2004-08-10 17:51 369664 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2004-08-10 17:51 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2004-08-10 17:50 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2004-08-10 17:51 1853312 ----a-w- c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-14 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-09-22 761947]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-02-20 1191936]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"SigmatelSysTrayApp"="stsystra.exe" [2006-09-22 282624]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-08-10 1862144]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 517768]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-17 149280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Clean Access Agent.lnk - c:\program files\Cisco Systems\Clean Access Agent\CCAAgent.exe [2007-9-17 1593425]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-8-10 24576]
HotSync Manager.lnk - c:\program files\Palm\Hotsync.exe -logon [N/A]
HOTSYNCSHORTCUTNAME.lnk - c:\program files\Palm\Hotsync.exe [2004-6-9 471040]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
NAC Assessment Agent.lnk - c:\program files\Enterasys Networks\NAC Agent\NacAgent.exe [2009-8-12 17244472]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Enterasys Networks\\NAC Agent\\NacAgent.exe"=
"c:\\Program Files\\ATI Technologies\\ATI.ACE\\CLI.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

S2 gupdate1c9d78562727de4;Google Update Service (gupdate1c9d78562727de4);c:\program files\Google\Update\GoogleUpdate.exe [5/18/2009 12:53 AM 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-01-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2011-01-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-18 06:53]

2011-01-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-18 06:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.mtsu.edu/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.dell.com
mSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070810
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
Trusted Zone: tnjn.com\www
FF - ProfilePath - c:\documents and settings\Cait\Application Data\Mozilla\Firefox\Profiles\i6clpl1b.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://mtsu.edu/
FF - prefs.js: network.proxy.type - 4
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: RealArcade V3 Plugin: npmozax@real.com - c:\program files\Mozilla Firefox\extensions\npmozax@real.com
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: User Agent Switcher: {e968fc70-8f95-4ab9-9e79-304de2a71ee1} - %profile%\extensions\{e968fc70-8f95-4ab9-9e79-304de2a71ee1}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-RegistryBooster - c:\program files\Uniblue\RegistryBooster\launcher.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-21 23:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(784)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2476)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\stsystra.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.EXE
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\ATI Technologies\ATI.ACE\cli.exe
c:\program files\Symantec\LiveUpdate\AUpdate.exe
c:\progra~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
.
**************************************************************************
.
Completion time: 2011-01-21 23:51:50 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-22 05:51
ComboFix2.txt 2011-01-20 06:52
ComboFix3.txt 2011-01-17 17:26

Pre-Run: 39,242,518,528 bytes free
Post-Run: 39,226,380,288 bytes free

- - End Of File - - E2C896928FF4CAFBAB0993C56ECC1508
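
Mike's "Uniblue is gone" is backed by the ORPHANS REMOVED line in that log, but the habit worth having is to diff the autostart inventory of the before and after logs rather than trust the deletion list alone: it shows whether anything still points at the removed software and whether anything new appeared in the meantime. What follows is an added example, not code from this thread or from ComboFix, with names of my own choosing. It pulls Run and RunOnce values, Startup-folder shortcuts and scheduled tasks out of two ComboFix logs and reports what disappeared and what is new. The two excerpts are the HKCU Run, RunOnce and Scheduled Tasks sections copied from the two logs above, abridged; the run date in front of each .job is left out of the comparison key on purpose, because it changes between runs (the GoogleUpdate task moved from 2011-01-20 to 2011-01-22 without the task itself changing).

```python
"""Diff the autostart inventory of two ComboFix logs.

ComboFix's 'Other Deletions' and 'ORPHANS REMOVED' sections say what a
CFScript run removed; comparing the 'Reg Loading Points' and 'Scheduled
Tasks' sections of the before and after logs shows whether anything still
points at the removed software, and whether anything new appeared.
"""
from __future__ import annotations

import re

REG_KEY = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"')
# '<date> <job>' line followed by '- <target> [<stamp>]'; the date is the
# job's last run and changes between logs, so it is not part of the key.
TASK = re.compile(r"^\d{4}-\d{2}-\d{2} (?P<job>\S+\.job)\n- (?P<target>.+?) \[", re.M)
STARTUP_LNK = re.compile(r"^(?P<name>[^\n]+\.lnk) - (?P<target>.+?) \[", re.M)
RUN_KEYS = ("\\run", "\\runonce")


def autostarts(log: str) -> set[tuple[str, str, str]]:
    """(source, name, target) triples for Run/RunOnce values, Startup-folder
    shortcuts and scheduled tasks found in one ComboFix log."""
    found: set[tuple[str, str, str]] = set()
    key = ""
    for line in log.splitlines():
        line = line.strip()
        m = REG_KEY.match(line)
        if m:
            key = m["key"]              # value lines that follow belong to this key
            continue
        m = REG_VALUE.match(line)
        if m and key.lower().endswith(RUN_KEYS):
            found.add((key, m["name"], m["value"]))
    for m in TASK.finditer(log):
        found.add(("Tasks", m["job"], m["target"]))
    for m in STARTUP_LNK.finditer(log):
        found.add(("Startup", m["name"], m["target"]))
    return found


def diff_autostarts(before: str, after: str):
    """Return (removed, added) as sorted lists of triples."""
    b, a = autostarts(before), autostarts(after)
    return sorted(b - a), sorted(a - b)


# Constructed sample: HKCU Run, RunOnce and Scheduled Tasks sections copied
# from the two ComboFix logs in the thread (other sections left out).
BEFORE = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-14 68856]
"RegistryBooster"="c:\program files\Uniblue\RegistryBooster\launcher.exe" [2010-11-22 67424]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]

Contents of the 'Scheduled Tasks' folder

2010-01-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2011-01-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-18 06:53]

2011-01-20 c:\windows\Tasks\RegistryBooster.job
- c:\program files\Uniblue\RegistryBooster\rbmonitor.exe [2010-11-22 12:38]
"""

AFTER = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-14 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]

Contents of the 'Scheduled Tasks' folder

2010-01-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2011-01-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-18 06:53]
"""

if __name__ == "__main__":
    removed, added = diff_autostarts(BEFORE, AFTER)
    for src, name, target in removed:
        print(f"gone: {src} :: {name} -> {target}")
    for src, name, target in added:
        print(f"new:  {src} :: {name} -> {target}")
```

On these excerpts it reports the HKCU Run value and RegistryBooster.job as gone and nothing new, which is what a clean CFScript run should look like. Anything in the "new" list after a cleanup run is the thing to look at next.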

#15 teacup61 (Malware Response Team)

Posted 22 January 2011 - 01:38 PM

Perfect Mike! :clapping: Now you see why I wanted so much to have ComboFix run. :)

Uninstall ComboFix by doing the following :

Click Start>Run>Type in, or copy and paste ComboFix /Uninstall > click OK

Update your Adobe. It's dangerously out of date and easily exploitable by the bad guys. <_<

If you have any questions or concerns, please feel free to let me know. Otherwise, yes, we're done here. :)

Take care,
tea



