
Win32:Patched-UE, win32:winpatch found by Avast. No desktop, in safe mode


This topic is locked
10 replies to this topic

#1 blueskidoo

  • Members
  • 20 posts

Posted 22 January 2011 - 01:25 AM

Hello computer saviors,

I need help. I have a Motion Computing LE1600 tablet PC running XP Service Pack 3. I was surfing the web and Avast said a threat was detected, and I thought it was stopped. Sadly, it wasn't, and when I turned my computer back on the desktop was without a start bar or desktop icons. Through Ctrl/Alt/Del I was able to access Task Manager and run some things through there. I tried to run a system restore, but the only point I could access didn't change the situation. I restarted the computer in safe mode and scanned with Malwarebytes, which found nothing, and Avast, which found 4 infected files. The files are C:\Windows\Explorer.EXE (threat Win32:Patched-UE [Tr]), c:\windows\system32\winlogon.exe (threat win32:winpatch), c:\windows\explorer.exe (threat win32:winpatch), c:\windows\system32\winlogon.exe (threat win32:winpatch). When I try to "move to chest" the error says the files are read only. Interestingly, when I went into the Windows folder there are 3 files: explorer.exe, explorer(2).exe and explorer(3).exe. I don't know why that is. I tried changing the file access to allow changes, but that didn't help.

I am currently running the system in safe mode, because I can see and use the desktop that way and I am logging this on another PC. I am attaching the dds logs, and I am waiting on gmer to stop scanning. I made the logs in safe mode. If I need to reboot and go out of safe mode to do them, I can try to do that. As soon as gmer is done I'll post that.

I have managed to defeat some baddies in the past, but I am not getting anywhere with this one. If anyone could point me to an article on better system security that would be great too.

Thank you for any assistance.


DDS (Ver_10-12-12.02) - NTFSx86 NETWORK
Run by Callie at 23:44:29.68 on Fri 01/21/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1526.1156 [GMT -5:00]

AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\McRes_MM.exe
svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpHost.exe
C:\Documents and Settings\Callie\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TabletWizard] c:\windows\help\SplshWrp.exe
mRun: [TabletTip] "c:\program files\common files\microsoft shared\ink\tabtip.exe" /resume
mRun: [OmniPass] c:\program files\softex\omnipass\scureapp.exe
mRun: [ATSwpNav] c:\progra~1\softex\omnipass\ATSwpNav.exe -run
mRun: [MotionComputingMonitor] c:\windows\system32\McMon.exe
mRun: [ClamWin] "c:\program files\clamwin\bin\ClamTray.exe" --logon
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [HotSync] "c:\program files\palmsource\desktop\HotSync.exe" -AllUsers
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [ACU] "c:\program files\atheros\ACU.exe" -nogui
mRun: [MaxtorOneTouch] c:\program files\maxtor\managerapp\Onetouch.exe
mRun: [<NO NAME>]
mRun: [mxomssmenu] "c:\program files\maxtor\onetouch status\maxmenumgr.exe"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Snippet] "c:\program files\microsoft experience pack\snipping tool\SnippingTool.exe" /i
mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\callie\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\callie\startm~1\programs\startup\sticky~1.lnk - c:\windows\system32\stikynot.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\Hotsync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1236368233500
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxdev.dll
Notify: loginkey - c:\program files\common files\microsoft shared\ink\loginkey.dll
Notify: mclaunch - c:\\windows\\system32\\mclaunch.dll
Notify: OPXPGina - c:\program files\softex\omnipass\opxpgina.dll
Notify: TabBtnWL - TabBtnWL.dll
Notify: tpgwlnotify - tpgwlnot.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\callie\applic~1\mozilla\firefox\profiles\65v3evku.default\
FF - component: c:\documents and settings\callie\application data\mozilla\firefox\profiles\65v3evku.default\extensions\optout@dubfire.net\lib\winnt\ff3\AbineComponent.dll
FF - plugin: c:\progra~1\palm\packag~1\NPInstal.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: BetterPrivacy: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3} - %profile%\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}
FF - Ext: Tab Mix Plus: {dc572301-7619-498c-a57d-39143191b318} - %profile%\extensions\{dc572301-7619-498c-a57d-39143191b318}
FF - Ext: iMacros for Firefox: {81BF1D23-5F17-408D-AC6B-BD6DF7CAF670} - %profile%\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}
FF - Ext: TACO with Abine: optout@dubfire.net - %profile%\extensions\optout@dubfire.net
FF - Ext: Ghostery: firefox@ghostery.com - %profile%\extensions\firefox@ghostery.com
FF - Ext: ReminderFox: {ada4b710-8346-4b82-8199-5de2b400a6ae} - %profile%\extensions\{ada4b710-8346-4b82-8199-5de2b400a6ae}
FF - Ext: Clip to OneNote: {966762eb-7132-4081-ac70-20d20161ad96} - %profile%\extensions\{966762eb-7132-4081-ac70-20d20161ad96}

============= SERVICES / DRIVERS ===============

R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2009-2-13 36352]
R3 MSTabBtn;Motion Computing Tablet PC Buttons HID Driver;c:\windows\system32\drivers\MSTabBtn.sys [2009-2-13 17408]
R3 RTL8192su;%RTL8192su.DeviceDesc.DispName%;c:\windows\system32\drivers\RTL8192su.sys [2011-1-21 594048]
R3 WacomPen;Wacom Serial Pen HID Driver;c:\windows\system32\drivers\wacompen.sys [2010-12-2 14208]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-1-17 294608]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-1-17 17744]
S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2011-1-17 40384]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2004-8-4 14336]

=============== Created Last 30 ================

2011-01-22 04:08:27 594048 ----a-r- c:\windows\system32\drivers\RTL8192su.sys
2011-01-21 06:18:59 2855 ----a-w- c:\windows\explorer.PIF
2011-01-21 06:18:17 -------- d--h--w- c:\windows\PIF
2011-01-21 02:07:37 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-01-21 02:07:37 -------- d-----w- c:\windows\system32\wbem\Repository
2011-01-17 19:47:06 38848 ----a-w- c:\windows\avastSS.scr
2011-01-17 17:16:38 -------- d-----w- c:\docume~1\callie\applic~1\.clamwin
2011-01-17 17:16:37 -------- d-----w- c:\program files\ClamWin
2011-01-17 17:16:37 -------- d-----w- c:\documents and settings\all users\.clamwin
2011-01-03 04:59:59 -------- d-----w- c:\docume~1\callie\applic~1\SUPERAntiSpyware.com
2011-01-03 04:54:27 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-12-23 17:22:10 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-23 17:17:53 45568 -c----w- c:\windows\system32\dllcache\wab.exe

==================== Find3M ====================

2010-11-29 22:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 22:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52:35 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys

============= FINISH: 23:44:56.71 ===============


#2 blueskidoo

  • Topic Starter
  • Members
  • 20 posts

Posted 22 January 2011 - 01:31 AM

gmer log

Attached File: ark.txt (1.02KB, 2 downloads)


#3 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 22 January 2011 - 09:50 PM

Hello blueskidoo,

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

If you have trouble running it the first time, then rename ComboFix.exe to blueskidoo.exe and try again.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#4 blueskidoo

  • Topic Starter
  • Members
  • 20 posts

Posted 23 January 2011 - 11:30 AM

Hi!

That program sounds serious! Do I run this in Safe mode? Or should I run it in a full boot up (where there is no desktop)?

Thanks so much!

#5 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 23 January 2011 - 12:04 PM

Hello there,

Just run it in normal mode....it'll do the rest. :thumbup2:

#6 blueskidoo

  • Topic Starter
  • Members
  • 20 posts

Posted 23 January 2011 - 08:41 PM

So, in preparation to run ComboFix I uninstalled Avast, and when the computer restarted to complete the uninstall, Windows said "Windows has recovered from a serious error" and the desktop came back! Interesting.

I started ComboFix, and the computer connected to the internet like it should and ComboFix updated.

A bar went across the screen after the window stated "attempting to create a new system restore point". It seemed to complete correctly.

It asked me to install "Microsoft recovery console" and I said yes. (good thing the internet connection came back up)

The recovery console installed successfully.

After ComboFix found the winlogon.exe file and said it was successfully fixed, it said it found the explorer.exe infection, but it didn't say that was successfully fixed. ComboFix restarted the computer and the desktop is gone again.

I waited for a while and nothing happened, so I went through Task Manager and typed combofix, which ran the program again (I hope that is OK; I didn't mean to run it again).

It ran again, restarted the computer again, and now the desktop is back and the ComboFix window is preparing a log. And here it is. Thanks so much for looking at this.

ComboFix 11-01-23.03 - Callie 01/23/2011 20:13:51.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1526.1142 [GMT -5:00]
Running from: c:\documents and settings\Callie\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\windows\explorer(2).exe
c:\windows\explorer(3).exe
c:\windows\SET172D.tmp
c:\windows\system\oeminfo.ini
c:\windows\system32\nt.dll
c:\windows\system32\Thumbs.db

-- Previous Run --

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe

c:\windows\explorer.exe . . . is infected!!

--------

Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\explorer.exe

.
((((((((((((((((((((((((( Files Created from 2010-12-24 to 2011-01-24 )))))))))))))))))))))))))))))))
.

2011-01-22 04:08 . 2010-01-06 09:21 594048 ----a-r- c:\windows\system32\drivers\RTL8192su.sys
2011-01-21 06:18 . 2011-01-21 06:18 2855 ----a-w- c:\windows\explorer.PIF
2011-01-21 06:18 . 2011-01-21 06:18 -------- d--h--w- c:\windows\PIF
2011-01-21 04:15 . 2011-01-21 04:15 -------- d-----w- c:\documents and settings\new account
2011-01-21 02:07 . 2011-01-21 02:07 -------- d-----w- c:\windows\system32\wbem\Repository
2011-01-20 03:21 . 2011-01-20 03:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2011-01-17 19:47 . 2011-01-17 19:47 -------- d-----w- c:\documents and settings\Callie\Application Data\Talkback
2011-01-17 17:16 . 2011-01-17 17:16 -------- d-----w- c:\documents and settings\Callie\Application Data\.clamwin
2011-01-17 17:16 . 2011-01-17 17:16 -------- d-----w- c:\program files\ClamWin
2011-01-17 17:16 . 2011-01-17 17:16 -------- d-----w- c:\documents and settings\All Users\.clamwin
2011-01-14 06:34 . 2011-01-14 06:34 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2011-01-03 04:59 . 2011-01-03 04:59 -------- d-----w- c:\documents and settings\Callie\Application Data\SUPERAntiSpyware.com
2011-01-03 04:54 . 2011-01-21 02:09 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-01-01 22:05 . 2011-01-17 17:22 -------- d-----w- c:\program files\Windows Defender

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-20 23:09 . 2009-03-07 16:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 23:08 . 2009-03-07 16:47 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-05 03:55 . 2010-12-05 03:55 29184 ----a-r- c:\documents and settings\Callie\Application Data\Microsoft\Installer\{106F886B-A874-43DF-BCC4-01DB57E1F3C6}\IconTmpl5.26D6FF13_F77C_402E_8E96_9E49DFBBAF31.exe
2010-12-05 03:46 . 2010-12-05 03:46 81920 ----a-r- c:\documents and settings\Callie\Application Data\Microsoft\Installer\{5E71102C-2CEB-4C8B-99D3-D33B9741EEDA}\NewShortcut2_4860F63B0A4E4F89B6CE0FC7858D8CE4.exe
2010-12-05 03:46 . 2010-12-05 03:46 81920 ----a-r- c:\documents and settings\Callie\Application Data\Microsoft\Installer\{5E71102C-2CEB-4C8B-99D3-D33B9741EEDA}\NewShortcut3_4860F63B0A4E4F89B6CE0FC7858D8CE4.exe
2010-12-05 03:46 . 2010-12-05 03:46 81920 ----a-r- c:\documents and settings\Callie\Application Data\Microsoft\Installer\{5E71102C-2CEB-4C8B-99D3-D33B9741EEDA}\ARPPRODUCTICON.exe
2010-12-02 22:43 . 2009-03-08 04:55 21425 ----a-w- c:\windows\system32\drivers\AegisP.sys
2010-11-29 22:38 . 2010-11-29 22:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 22:38 . 2010-11-29 22:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-18 18:12 . 2009-02-13 22:16 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52 . 2004-08-04 07:00 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:26 . 2004-08-04 07:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2004-08-04 07:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2004-08-04 07:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2004-08-04 07:00 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2010-12-03 00:25 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2004-08-04 07:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2010-12-03 00:25 1853312 ----a-w- c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TabletWizard"="c:\windows\help\SplshWrp.exe" [2008-04-14 16384]
"TabletTip"="c:\program files\Common Files\microsoft shared\ink\tabtip.exe" [2008-04-14 271872]
"OmniPass"="c:\program files\Softex\OmniPass\scureapp.exe" [2006-02-21 1703936]
"ATSwpNav"="c:\progra~1\Softex\OmniPass\ATSwpNav.exe" [2006-02-21 1048576]
"MotionComputingMonitor"="c:\windows\system32\McMon.exe" [2006-08-17 135168]
"ClamWin"="c:\program files\ClamWin\bin\ClamTray.exe" [2009-11-04 86016]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-11-08 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-11-08 696320]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"ACU"="c:\program files\Atheros\ACU.exe" [2004-12-27 286720]
"MaxtorOneTouch"="c:\program files\Maxtor\ManagerApp\Onetouch.exe" [2006-08-11 712704]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2006-08-11 81920]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-19 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-19 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-19 114688]
"Snippet"="c:\program files\Microsoft Experience Pack\Snipping Tool\SnippingTool.exe" [2005-02-25 68296]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]

c:\documents and settings\Callie\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
Sticky Notes.lnk - c:\windows\system32\stikynot.exe [2009-2-13 159232]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2004-12-24 479232]
HotSync Manager.lnk - c:\program files\Palm\Hotsync.exe [2008-1-3 1392640]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey]
2008-04-14 00:11 47104 ----a-w- c:\program files\Common Files\Microsoft Shared\Ink\loginkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mclaunch]
2006-01-18 16:54 53367 ----a-w- c:\windows\system32\mclaunch.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
2006-02-21 21:29 49152 ----a-w- c:\program files\Softex\OmniPass\OPXPGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL]
2002-08-29 11:41 11776 ----a-w- c:\windows\system32\tabbtnwl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify]
2008-04-14 00:12 32256 ----a-w- c:\windows\system32\tpgwlnot.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Palm\\Hotsync.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2/13/2009 5:47 PM 36352]
R3 MSTabBtn;Motion Computing Tablet PC Buttons HID Driver;c:\windows\system32\drivers\MSTabBtn.sys [2/13/2009 5:45 PM 17408]
R3 WacomPen;Wacom Serial Pen HID Driver;c:\windows\system32\drivers\wacompen.sys [12/2/2010 7:27 PM 14208]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 7:49 AM 227232]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/4/2004 2:00 AM 14336]
S3 RTL8192su;%RTL8192su.DeviceDesc.DispName%;c:\windows\system32\drivers\RTL8192su.sys [1/21/2011 11:08 PM 594048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2011-01-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
FF - ProfilePath - c:\documents and settings\Callie\Application Data\Mozilla\Firefox\Profiles\65v3evku.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: BetterPrivacy: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3} - %profile%\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}
FF - Ext: Tab Mix Plus: {dc572301-7619-498c-a57d-39143191b318} - %profile%\extensions\{dc572301-7619-498c-a57d-39143191b318}
FF - Ext: iMacros for Firefox: {81BF1D23-5F17-408D-AC6B-BD6DF7CAF670} - %profile%\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}
FF - Ext: TACO with Abine: optout@dubfire.net - %profile%\extensions\optout@dubfire.net
FF - Ext: Ghostery: firefox@ghostery.com - %profile%\extensions\firefox@ghostery.com
FF - Ext: ReminderFox: {ada4b710-8346-4b82-8199-5de2b400a6ae} - %profile%\extensions\{ada4b710-8346-4b82-8199-5de2b400a6ae}
FF - Ext: Clip to OneNote: {966762eb-7132-4081-ac70-20d20161ad96} - %profile%\extensions\{966762eb-7132-4081-ac70-20d20161ad96}
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-HotSync - c:\program files\PalmSource\Desktop\HotSync.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-23 20:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(852)
c:\windows\system32\athgina.dll
c:\windows\system32\athcfg11.dll
c:\windows\system32\athcfg11Res.dll
c:\windows\System32\mclaunch.dll
c:\program files\Softex\OmniPass\opxpgina.dll

- - - - - - - > 'explorer.exe'(4104)
c:\windows\system32\WININET.dll
c:\program files\Softex\OmniPass\SCUREDLL.dll
c:\windows\system32\ieframe.dll
c:\program files\windows journal\nbmaptip.dll
c:\windows\IME\SPGRMR.DLL
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
c:\windows\system32\McRes_MM.exe
c:\windows\system32\igfxext.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\windows\system32\acs.exe
c:\windows\system32\Dashsvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
c:\program files\Maxtor\Utils\SyncServices.exe
c:\program files\Softex\OmniPass\Omniserv.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Softex\OmniPass\OPXPApp.exe
c:\windows\SYSTEM32\WISPTIS.EXE
c:\windows\System32\tabbtnu.exe
c:\program files\Common Files\Microsoft Shared\Ink\TCServer.exe
c:\windows\system32\igfxext.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
.
**************************************************************************
.
Completion time: 2011-01-23 20:28:42 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-24 01:28

Pre-Run: 38,870,396,928 bytes free
Post-Run: 38,828,761,088 bytes free

- - End Of File - - 50334000582BD99CF43B64D13D23A2BA

Edited by blueskidoo, 23 January 2011 - 08:48 PM.
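
The "DLLs Loaded Under Running Processes" block in the ComboFix log above is the part a responder would triage by hand: every module loaded into winlogon.exe runs as SYSTEM before anyone logs on, and a GINA DLL sits exactly where a credential stealer would want to be. The Python below is an added example, not ComboFix's code and not from the original post. It parses that block (the sample lines are copied from the log above), then flags modules loaded into winlogon.exe from outside the Windows directory and anything named like a GINA DLL. The parsing and flagging rules are assumptions made for this example; a flag means "verify this file's publisher signature and hash against a known-good copy", not "malicious". The modules it flags here (a fingerprint-logon package under Softex\OmniPass and a wireless client's GINA) look like vendor logon software, but only the signature or hash check proves that.

```python
"""
Parse the "DLLs Loaded Under Running Processes" section of a ComboFix log
and flag modules that deserve a manual signature/hash check.

Added example. SAMPLE_LOG is constructed from the lines posted above;
the review rules are an editorial assumption, not ComboFix's own logic.
"""
import re
from typing import Dict, List

SAMPLE_LOG = """\
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(852)
c:\\windows\\system32\\athgina.dll
c:\\windows\\system32\\athcfg11.dll
c:\\windows\\system32\\athcfg11Res.dll
c:\\windows\\System32\\mclaunch.dll
c:\\program files\\Softex\\OmniPass\\opxpgina.dll

- - - - - - - > 'explorer.exe'(4104)
c:\\windows\\system32\\WININET.dll
c:\\program files\\Softex\\OmniPass\\SCUREDLL.dll
c:\\windows\\system32\\ieframe.dll
c:\\program files\\windows journal\\nbmaptip.dll
c:\\windows\\IME\\SPGRMR.DLL
c:\\windows\\system32\\webcheck.dll
.
------------------------ Other Running Processes ------------------------
"""

SECTION_START = "DLLs Loaded Under Running Processes"
# ComboFix writes each process as: - - - - - - - > 'name.exe'(pid)
PROCESS_HEADER = re.compile(r"^- - - - - - - > '(?P<name>[^']+)'\((?P<pid>\d+)\)$")
WINDOWS_DIR = "c:\\windows\\"
GINA_HINT = re.compile(r"gina", re.IGNORECASE)


def parse_loaded_dlls(text: str) -> Dict[str, List[str]]:
    """Return {"winlogon.exe(852)": [dll, ...], ...} for the DLL section only."""
    result: Dict[str, List[str]] = {}
    current = None
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if SECTION_START in line:
            in_section = True
            continue
        if not in_section:
            continue
        # ComboFix ends a section with a lone "." or the next "----" banner
        if line == "." or line.startswith("---"):
            break
        m = PROCESS_HEADER.match(line)
        if m:
            current = f"{m['name']}({m['pid']})"
            result[current] = []
        elif line and current is not None:
            result[current].append(line)
    return result


def review(loaded: Dict[str, List[str]]) -> List[str]:
    """Flag modules a responder should verify by hand.

    Assumed rules:
      * any module loaded into winlogon.exe from outside %SystemRoot%
        (a third-party logon hook running as SYSTEM);
      * any module whose name contains "gina" in any process, because GINA
        DLLs replace or chain the logon UI and can capture credentials.
    """
    findings = []
    for proc, dlls in loaded.items():
        for dll in dlls:
            low = dll.lower()
            outside_windows = not low.startswith(WINDOWS_DIR)
            if proc.startswith("winlogon.exe") and outside_windows:
                findings.append(f"{proc}: non-Windows module {dll}")
            elif GINA_HINT.search(low):
                findings.append(f"{proc}: logon hook {dll}")
    return findings


if __name__ == "__main__":
    # Paste a full ComboFix log into SAMPLE_LOG, or read it from a file,
    # then check each flagged path with sigcheck or a hash comparison.
    for finding in review(parse_loaded_dlls(SAMPLE_LOG)):
        print("CHECK:", finding)
```

On this sample it reports athgina.dll (a GINA loaded by winlogon) and opxpgina.dll (loaded by winlogon from Program Files) and stays quiet about explorer.exe, which is the triage list to take to a signature or hash check. It does not, and cannot, tell you whether explorer.exe or winlogon.exe themselves are patched; for that, compare the on-disk binaries against the copies in the service pack cache or a clean install.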


#7 teacup61 (Malware Response Team, Wills Point, Texas)

Posted 23 January 2011 - 11:00 PM

Good. Thank you so much for the info too; it really helps.

I see you have MBAM. Please make sure it's updated and have a scan with it. A quick scan will do, and post the report in your reply.

I know you said the desktop is back. How is it running besides?

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!


Error reading poptart in Drive A: Delete kids y/n?

#8 blueskidoo (Topic Starter)

Posted 24 January 2011 - 07:40 AM

The computer seems to be running well. Now the question is: how to keep it that way. What should I be running on my computer to keep the bleeping malware off? Here is the log from MBAM. Thanks so much.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5585

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/24/2011 12:27:26 AM
mbam-log-2011-01-24 (00-27-26).txt

Scan type: Full scan (C:\|)
Objects scanned: 225503
Time elapsed: 54 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#9 teacup61 (Malware Response Team, Wills Point, Texas)

Posted 25 January 2011 - 06:51 PM

Hello there,

Uninstall ComboFix by doing the following:

Click Start > Run, type in (or copy and paste) ComboFix /Uninstall, then click OK.

You have what you need to protect your computer. The problem is NO program can catch everything, whether it's the most expensive or totally free. Malware these days is extremely sneaky and can get past anything. All you can really do is make sure everything is updated to keep out the majority, and be really careful where you go and what you click on.

If you have any questions or concerns, please feel free to let me know. Otherwise......

Take care,
tea

#10 blueskidoo (Topic Starter)

Posted 25 January 2011 - 11:24 PM

Thanks so much for all of your help. I sent you a donation. It doesn't reflect what your help was worth, but times are tight here. Thanks again.

#11 teacup61 (Malware Response Team, Wills Point, Texas)

Posted 12 February 2011 - 03:08 PM

I appreciate the kind words and the donation equally. Thank you.

Since this issue appears resolved, this topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.