
Severe Bamital-AO Infection


  • This topic is locked
18 replies to this topic

#1 Will TX


  • Members
  • 17 posts
  • Gender:Male

Posted 24 January 2011 - 06:20 PM

I have recently discovered that my laptop has been infected with a Bamital virus. The only unusual thing I have noticed is that Google search results in Firefox often get redirected to 'spam' sites and occasionally redirected to 'Reported attack sites'. I am currently using Avast antivirus. A full system scan on 1/23/11 revealed Win32:Bamital-AO threat on wininit.exe and explorer.exe as well as an Error: Reached end of file on d:\i386\Apps\App501740\pss\j4sp8w2k.exe|>[Emul]|>_sfx_manifest_. This morning (1/24/11) a boot scan also reported Win32:Bamital-AO threat on wininit.exe and explorer.exe. I have run defogger and disabled my CD emulation, run dds.scr and have the reports, and attempted to run GMER but 2 out of 2 times the computer has shown a blue screen and then shut down.

This is the "DDS" report from dds.scr:

DDS (Ver_10-12-12.02) - NTFSx86
Run by Joe Ligon at 16:32:14.74 on Mon 01/24/2011
Internet Explorer: 7.0.6000.16982 BrowserJavaVersion: 1.6.0_22
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1014.137 [GMT -6:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\AeroSnap\AeroSnap.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Users\Joe Ligon\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Tether\Tether.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System\w98eject.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\fsproflt.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Tether\TBService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\msiexec.exe
C:\Windows\system32\MsiExec.exe
C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
C:\Users\JOELIG~1\AppData\Local\Temp\{e9513610-f218-4dda-b954-2c7e6ba7cabb}\IDriver.NonElevated.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Users\Joe Ligon\Desktop\dds.scr
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
uWindow Title = Internet
uSearch Bar = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX8715
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX8715
mDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX8715
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX8715
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\google\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {F156768E-81EF-470C-9057-481BA8380DBA} - No File
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
TB: {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [RocketDock] "c:\program files\rocketdock\RocketDock.exe"
uRun: [AeroSnap] c:\program files\aerosnap\AeroSnap.exe
uRun: [Google Update] "c:\users\joe ligon\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\tether.lnk - c:\program files\tether\Tether.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\w98eject.lnk - c:\windows\system\w98eject.exe
IE: &Download All with FlashGet - c:\users\joe ligon\will's documents\downloads\programs\flash get\jc_all.htm
IE: &Download with FlashGet - c:\users\joe ligon\will's documents\downloads\programs\flash get\jc_link.htm
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\users\joe ligon\desktop\FlashGet.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: {216E0613-9824-4247-BC8D-F836F36B5738} = 204.94.234.10,204.94.234.5
TCP: {8583DC82-BCE2-4B4C-91D0-1C08D78B1144} = 208.67.222.222,208.67.220.220
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\joelig~1\appdata\roaming\mozilla\firefox\profiles\3s5z8kuw.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - igoogle.com
FF - component: c:\users\joe ligon\appdata\roaming\mozilla\firefox\profiles\3s5z8kuw.default\extensions\{463f6ca5-ee3c-4be1-b7e6-7fee11953374}\platform\winnt\components\FoxyTunes.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\users\joe ligon\appdata\local\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Ext: Forecastfox Weather: {0538E3E3-7E9B-4d49-8831-A227C80A7AD3} - %profile%\extensions\{0538E3E3-7E9B-4d49-8831-A227C80A7AD3}
FF - Ext: Unhide Passwords: {2e17e2b2-b8d4-4a67-8d7b-fafa6cc9d1d0} - %profile%\extensions\{2e17e2b2-b8d4-4a67-8d7b-fafa6cc9d1d0}
FF - Ext: ConfigurationMania?: {c4d362ec-1cff-4ca0-9031-99a8fad7995a} - %profile%\extensions\{c4d362ec-1cff-4ca0-9031-99a8fad7995a}
FF - Ext: AnyColor: anycolor.pavlos256@gmail.com - %profile%\extensions\anycolor.pavlos256@gmail.com
FF - Ext: ShadGlo Library Toolbar: {0a6525b8-7c08-451e-b443-970c9bc2f246} - %profile%\extensions\{0a6525b8-7c08-451e-b443-970c9bc2f246}
FF - Ext: FoxyTunes: {463F6CA5-EE3C-4be1-B7E6-7FEE11953374} - %profile%\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}
FF - Ext: Add to Search Bar: add-to-searchbox@maltekraus.de - %profile%\extensions\add-to-searchbox@maltekraus.de
FF - Ext: Auto Save Document: {CADFF07D-A9E4-42f7-BC89-77A435BFE9E4} - %profile%\extensions\{CADFF07D-A9E4-42f7-BC89-77A435BFE9E4}
FF - Ext: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - %profile%\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
FF - Ext: Exif Viewer: exif_viewer@mozilla.doslash.org - %profile%\extensions\exif_viewer@mozilla.doslash.org
FF - Ext: Personas: personas@christopher.beard - %profile%\extensions\personas@christopher.beard
FF - Ext: FoxTab: {ef4e370e-d9f0-4e00-b93e-a4f274cfdd5a} - %profile%\extensions\{ef4e370e-d9f0-4e00-b93e-a4f274cfdd5a}
FF - Ext: KeepTube Downloader: webmaster@keep-tube.com - %profile%\extensions\webmaster@keep-tube.com
FF - Ext: TinEye Reverse Image Search: tineye@ideeinc.com - %profile%\extensions\tineye@ideeinc.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: XULRunner: {9212749C-3524-42CA-9580-BDABD0466C78} - c:\users\joe ligon\appdata\local\{9212749C-3524-42CA-9580-BDABD0466C78}

============= SERVICES / DRIVERS ===============

R0 FSProFilter;FSPro File Filter;c:\windows\system32\drivers\FSPFltd.sys [2009-12-22 43792]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-1-22 294608]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-2-28 335240]
R1 AvgMfx86;AVG Minifilter x86 Resident Driver;c:\windows\system32\drivers\avgmfx86.sys [2007-11-28 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-2-28 108552]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-1-22 17744]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-1-22 51280]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2011-1-23 40384]
R2 fsproflt;FSPro Filter Service;c:\windows\system32\fsproflt.exe [2009-12-22 136192]
R3 qrkis;Tether Miniport;c:\windows\system32\drivers\qrkis.sys [2009-9-16 45608]
R3 RTL8187;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2008-6-27 335872]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe --> c:\progra~1\avg\avg8\avgwdsvc.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-12-8 136176]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-12-11 38224]
S3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]
S3 pneteth;PdaNet Broadband;c:\windows\system32\drivers\pneteth.sys [2010-10-22 13312]
S3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [2009-8-26 9472]

=============== Created Last 30 ================

2011-01-23 02:01:28 51280 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-01-23 02:00:51 38848 ----a-w- c:\windows\avastSS.scr
2011-01-23 01:34:27 5890896 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{003310da-1696-4bd4-a594-acd527b76d44}\mpengine.dll
2011-01-20 12:29:46 16896 ----a-w- c:\windows\system32\winusb.dll
2011-01-20 12:29:45 34944 ----a-w- c:\windows\system32\drivers\winusb.sys
2011-01-20 12:20:44 38480 ----a-w- c:\windows\system32\drivers\WdfLdr.sys
2011-01-20 12:20:43 445008 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
2011-01-16 03:23:01 -------- d-----w- c:\users\joe ligon\RsCache1
2011-01-15 23:18:17 -------- d-----w- C:\relentless-scape2
2011-01-15 03:06:28 -------- d-----w- C:\.562_cache_32v4
2011-01-15 02:52:49 -------- d-----w- C:\cache525
2011-01-14 22:55:46 89600 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\HPZPPLHN.DLL
2011-01-10 20:58:03 -------- d-----w- C:\29537aa5d3885ad4a149
2011-01-09 19:11:25 -------- d-----w- c:\program files\uTorrent
2011-01-03 23:32:46 352256 ----a-w- c:\windows\msvcr71.dll
2010-12-31 01:55:24 -------- d-----w- c:\users\joelig~1\appdata\local\Apple Computer
2010-12-28 14:43:53 -------- d-----w- c:\users\joe ligon\.RegretScape_V2
2010-12-28 02:28:08 -------- d-----w- c:\users\joelig~1\appdata\roaming\.minecraft

==================== Find3M ====================

2010-12-14 03:37:45 716800 ----a-w- c:\windows\iun6002.exe
2010-12-13 00:19:05 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-12-01 00:18:33 256 ----a-w- c:\windows\system32\pool.bin
2010-11-17 16:34:26 851176 ----a-w- c:\windows\system32\winusbcoinstaller2.dll
2010-11-17 16:34:26 1461992 ----a-w- c:\windows\system32\WdfCoInstaller01009.dll

============= FINISH: 16:35:22.67 ===============



And I have attached the "Attach" report from dds.scr (Attach.txt, 4.17KB).

Edited by Will TX, 24 January 2011 - 06:29 PM.




#2 teacup61


    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 27 January 2011 - 11:25 PM

Hello Will TX ,


This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

If you have trouble running it the first time, then rename ComboFix.exe to WillTX.exe and try again.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 Will TX

  • Topic Starter

  • Members
  • 17 posts
  • Gender:Male

Posted 28 January 2011 - 08:56 AM

EDIT: Combofix just finished and now my task bar(?) at the bottom is gone. I tried starting explorer.exe manually with the task manager and it says it cannot open that because it contains a virus.
And here is the combofix log:


ComboFix 11-01-27.05 - Joe Ligon 01/28/2011 7:28.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1014.276 [GMT -6:00]
Running from: c:\users\Joe Ligon\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Install.exe
c:\program files\Internet Explorer\dmlconf.dat
c:\programdata\windows
c:\users\Joe Ligon\AppData\Local\{9212749C-3524-42CA-9580-BDABD0466C78}
c:\users\Joe Ligon\AppData\Local\{9212749C-3524-42CA-9580-BDABD0466C78}\chrome.manifest
c:\users\Joe Ligon\AppData\Local\{9212749C-3524-42CA-9580-BDABD0466C78}\chrome\content\_cfg.js
c:\users\Joe Ligon\AppData\Local\{9212749C-3524-42CA-9580-BDABD0466C78}\chrome\content\overlay.xul
c:\users\Joe Ligon\AppData\Local\{9212749C-3524-42CA-9580-BDABD0466C78}\install.rdf
c:\users\Joe Ligon\AppData\Roaming\Microsoft\Windows\Recent\Notepad.url
c:\windows\system32\c_dll.dll
c:\windows\system32\twunk_32.exe
D:\autorun.inf

c:\windows\explorer.exe . . . is infected!!

c:\windows\System32\wininit.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-12-28 to 2011-01-28 )))))))))))))))))))))))))))))))
.

2011-01-28 14:18 . 2011-01-28 14:20 -------- d-----w- c:\users\Joe Ligon\AppData\Local\temp
2011-01-28 14:18 . 2011-01-28 14:18 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-01-26 23:46 . 2011-01-13 09:41 5890896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E09F7183-D070-4E7A-A42E-CB26657DE6A0}\mpengine.dll
2011-01-23 20:22 . 2011-01-13 08:40 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-01-23 20:22 . 2011-01-13 08:39 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-01-23 20:22 . 2011-01-13 08:37 29392 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-01-23 02:01 . 2011-01-13 08:41 294608 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-01-23 02:01 . 2011-01-13 08:37 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-01-23 02:01 . 2011-01-13 08:37 23632 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-01-23 02:01 . 2011-01-13 08:37 51280 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-01-23 02:00 . 2011-01-13 08:47 38848 ----a-w- c:\windows\avastSS.scr
2011-01-23 02:00 . 2011-01-13 08:47 188216 ----a-w- c:\windows\system32\aswBoot.exe
2011-01-20 12:29 . 2009-07-14 12:12 16896 ----a-w- c:\windows\system32\winusb.dll
2011-01-20 12:29 . 2009-07-14 12:12 34944 ----a-w- c:\windows\system32\drivers\winusb.sys
2011-01-20 12:20 . 2009-07-14 01:19 38480 ----a-w- c:\windows\system32\drivers\WdfLdr.sys
2011-01-20 12:20 . 2009-07-14 01:19 445008 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
2011-01-16 03:23 . 2011-01-16 03:23 -------- d-----w- c:\users\Joe Ligon\RsCache1
2011-01-15 23:18 . 2011-01-15 23:19 -------- d-----w- C:\relentless-scape2
2011-01-15 03:06 . 2011-01-15 03:06 -------- d-----w- C:\.562_cache_32v4
2011-01-15 02:52 . 2011-01-15 02:52 -------- d-----w- C:\cache525
2011-01-14 22:55 . 2006-11-02 09:46 89600 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\HPZPPLHN.DLL
2011-01-10 20:58 . 2011-01-11 01:50 -------- d-----w- C:\29537aa5d3885ad4a149
2011-01-09 19:11 . 2011-01-09 19:11 -------- d-----w- c:\program files\uTorrent
2011-01-03 23:32 . 2011-01-03 23:32 352256 ----a-w- c:\windows\msvcr71.dll
2010-12-31 01:55 . 2010-12-31 01:55 -------- d-----w- c:\users\Joe Ligon\AppData\Local\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-19 03:08 . 2010-12-19 03:08 644360 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-12-14 03:37 . 2010-12-14 03:38 716800 ----a-w- c:\windows\iun6002.exe
2010-12-13 00:19 . 2010-12-13 00:19 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-29 23:42 . 2010-12-11 21:56 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-29 23:42 . 2010-12-11 21:56 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-17 16:34 . 2010-12-18 15:05 851176 ----a-w- c:\windows\system32\winusbcoinstaller2.dll
2010-11-17 16:34 . 2010-12-18 15:05 1461992 ----a-w- c:\windows\system32\WdfCoInstaller01009.dll
.

------- Sigcheck -------

[7] 2008-10-30 . 50BA5850147410CDE89C523AD3BC606E . 2927616 . . [6.0.6001.22298] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.22298_none_51e4f8c7931bd1e1\explorer.exe
[7] 2008-10-29 . 4F554999D7D5F05DAAEBBA7B5BA1089D . 2927104 . . [6.0.6001.18164] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18164_none_5177ca9879e978e8\explorer.exe
[-] 2008-10-29 . 0402EE311ABCCEE785251555DD1B1D7A . 2923520 . . [6.0.6000.16386] . . c:\windows\explorer.exe
[7] 2008-10-29 . 37440D09DEAE0B672A04DCCF7ABF06BE . 2923520 . . [6.0.6000.16771] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16771_none_4f83bb287ccdb7e3\explorer.exe
[7] 2008-10-28 . E7156B0B74762D9DE0E66BDCDE06E5FB . 2923520 . . [6.0.6000.20947] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20947_none_5033cb5995cd990b\explorer.exe
[7] 2007-11-15 . 6D06CD98D954FE87FB2DB8108793B399 . 2923520 . . [6.0.6000.16549] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16549_none_4fac29707cae347a\explorer.exe
[7] 2007-11-15 . BD06F0BF753BC704B653C3A50F89D362 . 2923520 . . [6.0.6000.20668] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20668_none_501f261995dcf2cf\explorer.exe
[7] 2006-11-02 . FD8C53FB002217F6F888BCF6F5D7084D . 2923520 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16386_none_4f7de5167cd15deb\explorer.exe

[-] 2006-11-02 . 17764F060DA588A44FC336685CDB1D00 . 95744 . . [6.0.6000.16386] . . c:\windows\System32\wininit.exe
[7] 2006-11-02 . D4385B03E8CCCEE6F0EE249F827C1F3E . 95744 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6000.16386_none_2ebbf6d3076595ce\wininit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"AeroSnap"="c:\program files\AeroSnap\AeroSnap.exe" [2008-12-07 886784]
"Google Update"="c:\users\Joe Ligon\AppData\Local\Google\Update\GoogleUpdate.exe" [2011-01-16 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-09-29 151552]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-17 815104]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-10-10 729088]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-12-12 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-12-12 106496]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-12-12 81920]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-08-26 236016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2011-01-13 3396624]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Tether.lnk - c:\program files\Tether\Tether.exe [2010-12-18 828344]
w98Eject.lnk - c:\windows\System\w98eject.exe [2007-11-11 61440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1971379169-3407567061-680115831-1000]
"EnableNotificationsRef"=dword:00000002

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1971379169-3407567061-680115831-500]
"EnableNotificationsRef"=dword:00000002

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [x]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-12-08 136176]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-11-29 38224]
R3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 2589184]
R3 pneteth;PdaNet Broadband;c:\windows\system32\DRIVERS\pneteth.sys [2010-09-02 13312]
R3 pnetmdm;PdaNet Modem;c:\windows\system32\DRIVERS\pnetmdm.sys [2006-09-28 9472]
R3 qrkis;Tether Miniport;c:\windows\system32\DRIVERS\qrkis.sys [2009-07-31 45608]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2008-09-19 717296]
S0 FSProFilter;FSPro File Filter;c:\windows\System32\Drivers\FSPFltd.sys [2008-06-06 43792]
S1 aswSP;aswSP; [x]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2010-02-28 335240]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2010-02-28 108552]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-01-13 51280]
S2 fsproflt;FSPro Filter Service;c:\windows\system32\fsproflt.exe [2009-12-01 136192]
S2 Tether;Tether;c:\program files\Tether\TBService.exe [2010-11-18 52664]
S3 RTL8187;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187.sys [2008-06-27 335872]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
.
Contents of the 'Scheduled Tasks' folder

2010-10-10 c:\windows\Tasks\Defraggler Volume C Task.job
- c:\program files\Defraggler\df.exe [2010-07-30 19:18]

2010-12-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cb98d3461a7309.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-08 12:25]

2011-01-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1971379169-3407567061-680115831-1000Core.job
- c:\users\Joe Ligon\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-16 18:53]

2011-01-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1971379169-3407567061-680115831-1000UA.job
- c:\users\Joe Ligon\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-16 18:53]

2011-01-28 c:\windows\Tasks\User_Feed_Synchronization-{0AAEA149-75EA-46A6-8B42-C2ECC838D8D9}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX8715
uInternet Settings,ProxyOverride = *.local
IE: &Download All with FlashGet - c:\users\Joe Ligon\Will's Documents\Downloads\Programs\Flash Get\jc_all.htm
IE: &Download with FlashGet - c:\users\Joe Ligon\Will's Documents\Downloads\Programs\Flash Get\jc_link.htm
TCP: {216E0613-9824-4247-BC8D-F836F36B5738} = 204.94.234.10,204.94.234.5
TCP: {8583DC82-BCE2-4B4C-91D0-1C08D78B1144} = 208.67.222.222,208.67.220.220
FF - ProfilePath - c:\users\Joe Ligon\AppData\Roaming\Mozilla\Firefox\Profiles\3s5z8kuw.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - igoogle.com
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Ext: Forecastfox Weather: {0538E3E3-7E9B-4d49-8831-A227C80A7AD3} - %profile%\extensions\{0538E3E3-7E9B-4d49-8831-A227C80A7AD3}
FF - Ext: Unhide Passwords: {2e17e2b2-b8d4-4a67-8d7b-fafa6cc9d1d0} - %profile%\extensions\{2e17e2b2-b8d4-4a67-8d7b-fafa6cc9d1d0}
FF - Ext: ConfigurationMania?: {c4d362ec-1cff-4ca0-9031-99a8fad7995a} - %profile%\extensions\{c4d362ec-1cff-4ca0-9031-99a8fad7995a}
FF - Ext: AnyColor: anycolor.pavlos256@gmail.com - %profile%\extensions\anycolor.pavlos256@gmail.com
FF - Ext: ShadGlo Library Toolbar: {0a6525b8-7c08-451e-b443-970c9bc2f246} - %profile%\extensions\{0a6525b8-7c08-451e-b443-970c9bc2f246}
FF - Ext: FoxyTunes: {463F6CA5-EE3C-4be1-B7E6-7FEE11953374} - %profile%\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}
FF - Ext: Add to Search Bar: add-to-searchbox@maltekraus.de - %profile%\extensions\add-to-searchbox@maltekraus.de
FF - Ext: Auto Save Document: {CADFF07D-A9E4-42f7-BC89-77A435BFE9E4} - %profile%\extensions\{CADFF07D-A9E4-42f7-BC89-77A435BFE9E4}
FF - Ext: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - %profile%\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
FF - Ext: Exif Viewer: exif_viewer@mozilla.doslash.org - %profile%\extensions\exif_viewer@mozilla.doslash.org
FF - Ext: Personas: personas@christopher.beard - %profile%\extensions\personas@christopher.beard
FF - Ext: FoxTab: {ef4e370e-d9f0-4e00-b93e-a4f274cfdd5a} - %profile%\extensions\{ef4e370e-d9f0-4e00-b93e-a4f274cfdd5a}
FF - Ext: KeepTube Downloader: webmaster@keep-tube.com - %profile%\extensions\webmaster@keep-tube.com
FF - Ext: TinEye Reverse Image Search: tineye@ideeinc.com - %profile%\extensions\tineye@ideeinc.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-28 08:19
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1971379169-3407567061-680115831-1000\Software\SecuROM\License information*]
"datasecu"=hex:8b,b9,f3,97,1d,bd,d1,12,1a,13,5f,9c,e8,62,3e,10,98,22,61,b9,0e,
53,83,ff,7a,4c,33,e9,9a,2a,70,7b,a9,57,82,c6,08,c0,30,74,be,78,d9,7f,a3,e7,\
"rkeysecu"=hex:82,f8,18,a4,eb,42,ec,54,9b,38,36,2a,3b,2f,0e,ae

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-01-28 08:26:31
ComboFix-quarantined-files.txt 2011-01-28 14:26

Pre-Run: 31,762,489,344 bytes free
Post-Run: 31,709,548,544 bytes free

- - End Of File - - B8766E4F50F4A6F85A697AF3AB77FA3F

Edited by Will TX, 28 January 2011 - 09:36 AM.


#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:29 PM

Posted 28 January 2011 - 12:46 PM

Hello,

Yes, it is infected, as well as another critical file. So let's fix that.

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

FCOPY::
c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.22298_none_51e4f8c7931bd1e1\explorer.exe | c:\windows\explorer.exe
c:\windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6000.16386_none_2ebbf6d3076595ce\wininit.exe | c:\windows\System32\wininit.exe


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.

After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.

How is it running now please? :)

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#5 Will TX

Posted 28 January 2011 - 04:23 PM

Ok... I forgot to mention I cannot see any icons on my desktop either. We'll have to get innovative to open that script with ComboFix lol

#6 teacup61

Posted 28 January 2011 - 04:34 PM

Okay :) See what this does..... simply update to SP1, then try to run ComboFix.

tea

#7 Will TX

Posted 28 January 2011 - 05:04 PM

I ended up being able to run the script. It never asked to reboot... I have always had problems updating to SP1; I don't know what the deal is, but I have found that other people have the same problem with updating to it. ComboFix finished doing its thing and there is still no change. When it did finish I got the following error message:
explorer.exe - Ordinal Not Found
The ordinal 874 could no be located in the dynamic link library SHELL32.dll

BUT now when I try to manually open explorer.exe with the task manager, it only tells me explorer has stopped working.

And then the new ComboFix log when I used the script:

ComboFix 11-01-27.05 - Joe Ligon 01/28/2011 15:31:29.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1014.441 [GMT -6:00]
Running from: c:\users\Joe Ligon\Desktop\ComboFix.exe
Command switches used :: c:\users\Joe Ligon\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Joe Ligon\AppData\Local\Temp\{AC93F461-132C-4A10-983D-7DAFE2917D67}\_ISRES.DLL
c:\users\Joe Ligon\AppData\Local\Temp\{AC93F461-132C-4A10-983D-7DAFE2917D67}\ISRT.DLL
c:\users\Joe Ligon\AppData\Local\Temp\{e9513610-f218-4dda-b954-2c7e6ba7cabb}\IDriver.NonElevated.exe
c:\users\Joe Ligon\AppData\Local\Temp\{e9513610-f218-4dda-b954-2c7e6ba7cabb}\iGdiCnv.dll
c:\users\Joe Ligon\AppData\Local\Temp\{e9513610-f218-4dda-b954-2c7e6ba7cabb}\IScrCnv.dll
c:\users\Joe Ligon\AppData\Local\Temp\{e9513610-f218-4dda-b954-2c7e6ba7cabb}\IUserCnv.dll
c:\users\JOELIG~1\AppData\Local\Temp\{AC93F461-132C-4A10-983D-7DAFE2917D67}\_ISRES.DLL
c:\users\JOELIG~1\AppData\Local\Temp\{AC93F461-132C-4A10-983D-7DAFE2917D67}\ISRT.DLL
c:\users\JOELIG~1\AppData\Local\Temp\{e9513610-f218-4dda-b954-2c7e6ba7cabb}\IDriver.NonElevated.exe
c:\users\JOELIG~1\AppData\Local\Temp\{e9513610-f218-4dda-b954-2c7e6ba7cabb}\iGdiCnv.dll
c:\users\JOELIG~1\AppData\Local\Temp\{e9513610-f218-4dda-b954-2c7e6ba7cabb}\IScrCnv.dll
c:\users\JOELIG~1\AppData\Local\Temp\{e9513610-f218-4dda-b954-2c7e6ba7cabb}\IUserCnv.dll

.
--------------- FCopy ---------------

c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.22298_none_51e4f8c7931bd1e1\explorer.exe --> c:\windows\explorer.exe
c:\windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6000.16386_none_2ebbf6d3076595ce\wininit.exe --> c:\windows\System32\wininit.exe
.
((((((((((((((((((((((((( Files Created from 2010-12-28 to 2011-01-28 )))))))))))))))))))))))))))))))
.

2011-01-28 21:45 . 2011-01-28 21:45 -------- d-----w- c:\users\Joe Ligon\AppData\Local\temp
2011-01-28 21:45 . 2011-01-28 21:45 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-01-26 23:46 . 2011-01-13 09:41 5890896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E09F7183-D070-4E7A-A42E-CB26657DE6A0}\mpengine.dll
2011-01-23 20:22 . 2011-01-13 08:40 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-01-23 20:22 . 2011-01-13 08:39 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-01-23 20:22 . 2011-01-13 08:37 29392 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-01-23 02:01 . 2011-01-13 08:41 294608 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-01-23 02:01 . 2011-01-13 08:37 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-01-23 02:01 . 2011-01-13 08:37 23632 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-01-23 02:01 . 2011-01-13 08:37 51280 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-01-23 02:00 . 2011-01-13 08:47 38848 ----a-w- c:\windows\avastSS.scr
2011-01-23 02:00 . 2011-01-13 08:47 188216 ----a-w- c:\windows\system32\aswBoot.exe
2011-01-20 12:29 . 2009-07-14 12:12 16896 ----a-w- c:\windows\system32\winusb.dll
2011-01-20 12:29 . 2009-07-14 12:12 34944 ----a-w- c:\windows\system32\drivers\winusb.sys
2011-01-20 12:20 . 2009-07-14 01:19 38480 ----a-w- c:\windows\system32\drivers\WdfLdr.sys
2011-01-20 12:20 . 2009-07-14 01:19 445008 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
2011-01-16 03:23 . 2011-01-16 03:23 -------- d-----w- c:\users\Joe Ligon\RsCache1
2011-01-15 23:18 . 2011-01-15 23:19 -------- d-----w- C:\relentless-scape2
2011-01-15 03:06 . 2011-01-15 03:06 -------- d-----w- C:\.562_cache_32v4
2011-01-15 02:52 . 2011-01-15 02:52 -------- d-----w- C:\cache525
2011-01-14 22:55 . 2006-11-02 09:46 89600 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\HPZPPLHN.DLL
2011-01-10 20:58 . 2011-01-11 01:50 -------- d-----w- C:\29537aa5d3885ad4a149
2011-01-09 19:11 . 2011-01-09 19:11 -------- d-----w- c:\program files\uTorrent
2011-01-03 23:32 . 2011-01-03 23:32 352256 ----a-w- c:\windows\msvcr71.dll
2010-12-31 01:55 . 2010-12-31 01:55 -------- d-----w- c:\users\Joe Ligon\AppData\Local\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-19 03:08 . 2010-12-19 03:08 644360 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-12-14 03:37 . 2010-12-14 03:38 716800 ----a-w- c:\windows\iun6002.exe
2010-12-13 00:19 . 2010-12-13 00:19 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-29 23:42 . 2010-12-11 21:56 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-29 23:42 . 2010-12-11 21:56 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-17 16:34 . 2010-12-18 15:05 851176 ----a-w- c:\windows\system32\winusbcoinstaller2.dll
2010-11-17 16:34 . 2010-12-18 15:05 1461992 ----a-w- c:\windows\system32\WdfCoInstaller01009.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"AeroSnap"="c:\program files\AeroSnap\AeroSnap.exe" [2008-12-07 886784]
"Google Update"="c:\users\Joe Ligon\AppData\Local\Google\Update\GoogleUpdate.exe" [2011-01-16 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-09-29 151552]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-17 815104]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-10-10 729088]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-12-12 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-12-12 106496]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-12-12 81920]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-08-26 236016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2011-01-13 3396624]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Tether.lnk - c:\program files\Tether\Tether.exe [2010-12-18 828344]
w98Eject.lnk - c:\windows\System\w98eject.exe [2007-11-11 61440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1971379169-3407567061-680115831-1000]
"EnableNotificationsRef"=dword:00000002

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1971379169-3407567061-680115831-500]
"EnableNotificationsRef"=dword:00000002

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [x]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-12-08 136176]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-11-29 38224]
R3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 2589184]
R3 pneteth;PdaNet Broadband;c:\windows\system32\DRIVERS\pneteth.sys [2010-09-02 13312]
R3 pnetmdm;PdaNet Modem;c:\windows\system32\DRIVERS\pnetmdm.sys [2006-09-28 9472]
R3 qrkis;Tether Miniport;c:\windows\system32\DRIVERS\qrkis.sys [2009-07-31 45608]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2008-09-19 717296]
S0 FSProFilter;FSPro File Filter;c:\windows\System32\Drivers\FSPFltd.sys [2008-06-06 43792]
S1 aswSP;aswSP; [x]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2010-02-28 335240]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2010-02-28 108552]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-01-13 51280]
S2 fsproflt;FSPro Filter Service;c:\windows\system32\fsproflt.exe [2009-12-01 136192]
S2 Tether;Tether;c:\program files\Tether\TBService.exe [2010-11-18 52664]
S3 RTL8187;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187.sys [2008-06-27 335872]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
.
Contents of the 'Scheduled Tasks' folder

2010-10-10 c:\windows\Tasks\Defraggler Volume C Task.job
- c:\program files\Defraggler\df.exe [2010-07-30 19:18]

2010-12-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cb98d3461a7309.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-08 12:25]

2011-01-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1971379169-3407567061-680115831-1000Core.job
- c:\users\Joe Ligon\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-16 18:53]

2011-01-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1971379169-3407567061-680115831-1000UA.job
- c:\users\Joe Ligon\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-16 18:53]

2011-01-28 c:\windows\Tasks\User_Feed_Synchronization-{0AAEA149-75EA-46A6-8B42-C2ECC838D8D9}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX8715
uInternet Settings,ProxyOverride = *.local
IE: &Download All with FlashGet - c:\users\Joe Ligon\Will's Documents\Downloads\Programs\Flash Get\jc_all.htm
IE: &Download with FlashGet - c:\users\Joe Ligon\Will's Documents\Downloads\Programs\Flash Get\jc_link.htm
TCP: {216E0613-9824-4247-BC8D-F836F36B5738} = 204.94.234.10,204.94.234.5
TCP: {8583DC82-BCE2-4B4C-91D0-1C08D78B1144} = 208.67.222.222,208.67.220.220
FF - ProfilePath - c:\users\Joe Ligon\AppData\Roaming\Mozilla\Firefox\Profiles\3s5z8kuw.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - igoogle.com
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Ext: Forecastfox Weather: {0538E3E3-7E9B-4d49-8831-A227C80A7AD3} - %profile%\extensions\{0538E3E3-7E9B-4d49-8831-A227C80A7AD3}
FF - Ext: Unhide Passwords: {2e17e2b2-b8d4-4a67-8d7b-fafa6cc9d1d0} - %profile%\extensions\{2e17e2b2-b8d4-4a67-8d7b-fafa6cc9d1d0}
FF - Ext: ConfigurationMania?: {c4d362ec-1cff-4ca0-9031-99a8fad7995a} - %profile%\extensions\{c4d362ec-1cff-4ca0-9031-99a8fad7995a}
FF - Ext: AnyColor: anycolor.pavlos256@gmail.com - %profile%\extensions\anycolor.pavlos256@gmail.com
FF - Ext: ShadGlo Library Toolbar: {0a6525b8-7c08-451e-b443-970c9bc2f246} - %profile%\extensions\{0a6525b8-7c08-451e-b443-970c9bc2f246}
FF - Ext: FoxyTunes: {463F6CA5-EE3C-4be1-B7E6-7FEE11953374} - %profile%\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}
FF - Ext: Add to Search Bar: add-to-searchbox@maltekraus.de - %profile%\extensions\add-to-searchbox@maltekraus.de
FF - Ext: Auto Save Document: {CADFF07D-A9E4-42f7-BC89-77A435BFE9E4} - %profile%\extensions\{CADFF07D-A9E4-42f7-BC89-77A435BFE9E4}
FF - Ext: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - %profile%\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
FF - Ext: Exif Viewer: exif_viewer@mozilla.doslash.org - %profile%\extensions\exif_viewer@mozilla.doslash.org
FF - Ext: Personas: personas@christopher.beard - %profile%\extensions\personas@christopher.beard
FF - Ext: FoxTab: {ef4e370e-d9f0-4e00-b93e-a4f274cfdd5a} - %profile%\extensions\{ef4e370e-d9f0-4e00-b93e-a4f274cfdd5a}
FF - Ext: KeepTube Downloader: webmaster@keep-tube.com - %profile%\extensions\webmaster@keep-tube.com
FF - Ext: TinEye Reverse Image Search: tineye@ideeinc.com - %profile%\extensions\tineye@ideeinc.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-28 15:45
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1971379169-3407567061-680115831-1000\Software\SecuROM\License information*]
"datasecu"=hex:8b,b9,f3,97,1d,bd,d1,12,1a,13,5f,9c,e8,62,3e,10,98,22,61,b9,0e,
53,83,ff,7a,4c,33,e9,9a,2a,70,7b,a9,57,82,c6,08,c0,30,74,be,78,d9,7f,a3,e7,\
"rkeysecu"=hex:82,f8,18,a4,eb,42,ec,54,9b,38,36,2a,3b,2f,0e,ae

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-01-28 15:50:58
ComboFix-quarantined-files.txt 2011-01-28 21:50
ComboFix2.txt 2011-01-28 14:26

Pre-Run: 30,011,252,736 bytes free
Post-Run: 30,075,232,256 bytes free

- - End Of File - - 574E68222BDA224A3729E32440B35A50

EDIT: I forgot to disable my avast antivirus while running combofix this time.

Edited by Will TX, 28 January 2011 - 05:34 PM.


#8 Will TX

Posted 29 January 2011 - 02:02 PM

teacup61, if you could please help me try and resolve this today that would be much appreciated. I'll be around all day and I get the instant email alerts on my phone.

#9 teacup61

Posted 29 January 2011 - 03:40 PM

Let's try this one then:

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

FCOPY::
c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16771_none_4f83bb287ccdb7e3\explorer.exe | c:\windows\explorer.exe


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.

After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.

tea

#10 Will TX

Posted 29 January 2011 - 04:13 PM

That seemed to work perfectly! :D
My desktop and whatnot seems normal now.

ComboFix 11-01-27.05 - Joe Ligon 01/29/2011 14:51:00.4.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1014.443 [GMT -6:00]
Running from: c:\users\Joe Ligon\Desktop\ComboFix.exe
Command switches used :: c:\users\Joe Ligon\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16771_none_4f83bb287ccdb7e3\explorer.exe --> c:\windows\explorer.exe
.
((((((((((((((((((((((((( Files Created from 2010-12-28 to 2011-01-29 )))))))))))))))))))))))))))))))
.

2011-01-29 21:04 . 2011-01-29 21:04 -------- d-----w- c:\users\Joe Ligon\AppData\Local\temp
2011-01-29 21:04 . 2011-01-29 21:04 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-01-29 13:33 . 2011-01-13 09:41 5890896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{FA98077D-1307-4E20-B47E-AD93768621B4}\mpengine.dll
2011-01-23 20:22 . 2011-01-13 08:40 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-01-23 20:22 . 2011-01-13 08:39 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-01-23 20:22 . 2011-01-13 08:37 29392 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-01-23 02:01 . 2011-01-13 08:41 294608 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-01-23 02:01 . 2011-01-13 08:37 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-01-23 02:01 . 2011-01-13 08:37 23632 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-01-23 02:01 . 2011-01-13 08:37 51280 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-01-23 02:00 . 2011-01-13 08:47 38848 ----a-w- c:\windows\avastSS.scr
2011-01-23 02:00 . 2011-01-13 08:47 188216 ----a-w- c:\windows\system32\aswBoot.exe
2011-01-20 12:29 . 2009-07-14 12:12 16896 ----a-w- c:\windows\system32\winusb.dll
2011-01-20 12:29 . 2009-07-14 12:12 34944 ----a-w- c:\windows\system32\drivers\winusb.sys
2011-01-20 12:20 . 2009-07-14 01:19 38480 ----a-w- c:\windows\system32\drivers\WdfLdr.sys
2011-01-20 12:20 . 2009-07-14 01:19 445008 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
2011-01-16 03:23 . 2011-01-16 03:23 -------- d-----w- c:\users\Joe Ligon\RsCache1
2011-01-15 23:18 . 2011-01-15 23:19 -------- d-----w- C:\relentless-scape2
2011-01-15 03:06 . 2011-01-15 03:06 -------- d-----w- C:\.562_cache_32v4
2011-01-15 02:52 . 2011-01-15 02:52 -------- d-----w- C:\cache525
2011-01-14 22:55 . 2006-11-02 09:46 89600 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\HPZPPLHN.DLL
2011-01-10 20:58 . 2011-01-11 01:50 -------- d-----w- C:\29537aa5d3885ad4a149
2011-01-09 19:11 . 2011-01-09 19:11 -------- d-----w- c:\program files\uTorrent
2011-01-03 23:32 . 2011-01-03 23:32 352256 ----a-w- c:\windows\msvcr71.dll
2010-12-31 01:55 . 2010-12-31 01:55 -------- d-----w- c:\users\Joe Ligon\AppData\Local\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-19 03:08 . 2010-12-19 03:08 644360 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-12-14 03:37 . 2010-12-14 03:38 716800 ----a-w- c:\windows\iun6002.exe
2010-12-13 00:19 . 2010-12-13 00:19 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-29 23:42 . 2010-12-11 21:56 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-29 23:42 . 2010-12-11 21:56 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-17 16:34 . 2010-12-18 15:05 851176 ----a-w- c:\windows\system32\winusbcoinstaller2.dll
2010-11-17 16:34 . 2010-12-18 15:05 1461992 ----a-w- c:\windows\system32\WdfCoInstaller01009.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"AeroSnap"="c:\program files\AeroSnap\AeroSnap.exe" [2008-12-07 886784]
"Google Update"="c:\users\Joe Ligon\AppData\Local\Google\Update\GoogleUpdate.exe" [2011-01-16 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-09-29 151552]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-17 815104]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-10-10 729088]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-12-12 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-12-12 106496]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-12-12 81920]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-08-26 236016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2011-01-13 3396624]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Tether.lnk - c:\program files\Tether\Tether.exe [2010-12-18 828344]
w98Eject.lnk - c:\windows\System\w98eject.exe [2007-11-11 61440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1971379169-3407567061-680115831-1000]
"EnableNotificationsRef"=dword:00000002

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1971379169-3407567061-680115831-500]
"EnableNotificationsRef"=dword:00000002

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [x]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-12-08 136176]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-11-29 38224]
R3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 2589184]
R3 pneteth;PdaNet Broadband;c:\windows\system32\DRIVERS\pneteth.sys [2010-09-02 13312]
R3 pnetmdm;PdaNet Modem;c:\windows\system32\DRIVERS\pnetmdm.sys [2006-09-28 9472]
R3 qrkis;Tether Miniport;c:\windows\system32\DRIVERS\qrkis.sys [2009-07-31 45608]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2008-09-19 717296]
S0 FSProFilter;FSPro File Filter;c:\windows\System32\Drivers\FSPFltd.sys [2008-06-06 43792]
S1 aswSP;aswSP; [x]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2010-02-28 335240]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2010-02-28 108552]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-01-13 51280]
S2 fsproflt;FSPro Filter Service;c:\windows\system32\fsproflt.exe [2009-12-01 136192]
S2 Tether;Tether;c:\program files\Tether\TBService.exe [2010-11-18 52664]
S3 RTL8187;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187.sys [2008-06-27 335872]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
.
Contents of the 'Scheduled Tasks' folder

2010-10-10 c:\windows\Tasks\Defraggler Volume C Task.job
- c:\program files\Defraggler\df.exe [2010-07-30 19:18]

2010-12-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cb98d3461a7309.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-08 12:25]

2011-01-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1971379169-3407567061-680115831-1000Core.job
- c:\users\Joe Ligon\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-16 18:53]

2011-01-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1971379169-3407567061-680115831-1000UA.job
- c:\users\Joe Ligon\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-16 18:53]

2011-01-29 c:\windows\Tasks\User_Feed_Synchronization-{0AAEA149-75EA-46A6-8B42-C2ECC838D8D9}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX8715
uInternet Settings,ProxyOverride = *.local
IE: &Download All with FlashGet - c:\users\Joe Ligon\Will's Documents\Downloads\Programs\Flash Get\jc_all.htm
IE: &Download with FlashGet - c:\users\Joe Ligon\Will's Documents\Downloads\Programs\Flash Get\jc_link.htm
TCP: {216E0613-9824-4247-BC8D-F836F36B5738} = 204.94.234.10,204.94.234.5
TCP: {8583DC82-BCE2-4B4C-91D0-1C08D78B1144} = 208.67.222.222,208.67.220.220
FF - ProfilePath - c:\users\Joe Ligon\AppData\Roaming\Mozilla\Firefox\Profiles\3s5z8kuw.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - igoogle.com
FF - prefs.js: network.proxy.type - 0
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Ext: Forecastfox Weather: {0538E3E3-7E9B-4d49-8831-A227C80A7AD3} - %profile%\extensions\{0538E3E3-7E9B-4d49-8831-A227C80A7AD3}
FF - Ext: Unhide Passwords: {2e17e2b2-b8d4-4a67-8d7b-fafa6cc9d1d0} - %profile%\extensions\{2e17e2b2-b8d4-4a67-8d7b-fafa6cc9d1d0}
FF - Ext: ConfigurationMania?: {c4d362ec-1cff-4ca0-9031-99a8fad7995a} - %profile%\extensions\{c4d362ec-1cff-4ca0-9031-99a8fad7995a}
FF - Ext: AnyColor: anycolor.pavlos256@gmail.com - %profile%\extensions\anycolor.pavlos256@gmail.com
FF - Ext: ShadGlo Library Toolbar: {0a6525b8-7c08-451e-b443-970c9bc2f246} - %profile%\extensions\{0a6525b8-7c08-451e-b443-970c9bc2f246}
FF - Ext: FoxyTunes: {463F6CA5-EE3C-4be1-B7E6-7FEE11953374} - %profile%\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}
FF - Ext: Add to Search Bar: add-to-searchbox@maltekraus.de - %profile%\extensions\add-to-searchbox@maltekraus.de
FF - Ext: Auto Save Document: {CADFF07D-A9E4-42f7-BC89-77A435BFE9E4} - %profile%\extensions\{CADFF07D-A9E4-42f7-BC89-77A435BFE9E4}
FF - Ext: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - %profile%\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
FF - Ext: Exif Viewer: exif_viewer@mozilla.doslash.org - %profile%\extensions\exif_viewer@mozilla.doslash.org
FF - Ext: Personas: personas@christopher.beard - %profile%\extensions\personas@christopher.beard
FF - Ext: FoxTab: {ef4e370e-d9f0-4e00-b93e-a4f274cfdd5a} - %profile%\extensions\{ef4e370e-d9f0-4e00-b93e-a4f274cfdd5a}
FF - Ext: KeepTube Downloader: webmaster@keep-tube.com - %profile%\extensions\webmaster@keep-tube.com
FF - Ext: TinEye Reverse Image Search: tineye@ideeinc.com - %profile%\extensions\tineye@ideeinc.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-29 15:04
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1971379169-3407567061-680115831-1000\Software\SecuROM\License information*]
"datasecu"=hex:8b,b9,f3,97,1d,bd,d1,12,1a,13,5f,9c,e8,62,3e,10,98,22,61,b9,0e,
53,83,ff,7a,4c,33,e9,9a,2a,70,7b,a9,57,82,c6,08,c0,30,74,be,78,d9,7f,a3,e7,\
"rkeysecu"=hex:82,f8,18,a4,eb,42,ec,54,9b,38,36,2a,3b,2f,0e,ae

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-01-29 15:08:52
ComboFix-quarantined-files.txt 2011-01-29 21:08
ComboFix2.txt 2011-01-28 21:50
ComboFix3.txt 2011-01-28 14:26

Pre-Run: 31,806,885,888 bytes free
Post-Run: 31,821,213,696 bytes free

- - End Of File - - C387DA5EA78DAAD4F53422E9B45109E2

#11 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:29 PM

Posted 29 January 2011 - 06:15 PM

Well the log certainly looks better. :thumbup2:

Have a quick scan with MBAM and see if it comes up clean. Please post the report if it shows anything. Is everything else back to normal?

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#12 Will TX

Will TX
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:29 PM

Posted 29 January 2011 - 06:51 PM

As far as I can tell things are better.
When I try to install MBAM (I've done it twice) I get the following error:

mbam.exe - unable to locate component
This application has failed to start because MSVBVM60.DLL was not found. Re-installing the application may fix this problem.

This never happened before when I tried MBAM about a month ago...
I'll go ahead and do a scan with Avast though and see what comes up.

#13 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:29 PM

Posted 29 January 2011 - 06:58 PM

Hi,

If you're going to go with Avast!, then you should see about getting rid of all that avg and McAfee stuff.....blech. <_< Both of those have removal tools on their sites if you need them. :thumbup2:

#14 Will TX

Will TX
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:29 PM

Posted 29 January 2011 - 07:17 PM

Avast found nothing :D
I've tried to uninstall avg and mcafee but could never get totally rid of them... So I'm in the process of running the respective removal tools

Do you know how I could double check after using the tools to see if those two are really gone?

#15 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:29 PM

Posted 29 January 2011 - 07:20 PM

Yes, a DDS log will tell you. If you'd like for me to check I'll be glad to. If you look at the first one you posted you can see files/folders for both listed throughout. :wink:
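The check teacup61 describes (reading the DDS log for leftover AVG and McAfee files, folders and services) can be done mechanically. The PowerShell below is an added example and not part of this thread or of the DDS/ComboFix tools; it assumes the saved DDS output is at `.\dds.txt` and that `avg|mcafee` is the name pattern worth matching, both labelled as assumptions in the code. It first greps the log the way a helper would read it, then asks the live system the same question (installed-program entries, services and drivers, and vendor folders under the usual program directories).

```powershell
# Added example, not from the thread. Looks for AVG / McAfee leftovers after
# the vendor removal tools have run.
# Assumptions (labelled): the DDS log was saved as .\dds.txt, and the two
# products under discussion are matched by the pattern below.

$vendorPattern = 'avg|mcafee'      # assumption: products discussed in the thread
$ddsLog        = '.\dds.txt'       # assumption: where the dds.scr output was saved

# Check 1: grep the saved DDS log. Every matching line is a file, folder,
# service or registry entry the removal tools did not clean up.
if (Test-Path $ddsLog) {
    Write-Host "=== Lines in $ddsLog matching '$vendorPattern' ==="
    Select-String -Path $ddsLog -Pattern $vendorPattern |
        ForEach-Object { $_.Line }
}

# Check 2: ask the live system directly (Vista with PowerShell 2.0 is enough).
Write-Host '=== Installed-program entries still registered ==='
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue |
    Where-Object { ($_.DisplayName + ' ' + $_.Publisher) -match $vendorPattern } |
    Select-Object DisplayName, Publisher, UninstallString |
    Format-Table -AutoSize

Write-Host '=== Services and kernel drivers still present ==='
@(Get-WmiObject Win32_Service) + @(Get-WmiObject Win32_SystemDriver) |
    Where-Object { ($_.DisplayName + ' ' + $_.PathName) -match $vendorPattern } |
    Select-Object Name, DisplayName, State, PathName |
    Format-Table -AutoSize

Write-Host '=== Leftover vendor folders ==='
$roots = @($env:ProgramFiles, "$env:ProgramFiles\Common Files", $env:ProgramData, $env:APPDATA)
Get-ChildItem -Path $roots -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer -and $_.Name -match $vendorPattern } |
    Select-Object FullName
```

Run it from an elevated PowerShell prompt. Empty output from all three sections is the same "nothing listed throughout" result a helper looks for in a fresh DDS log; anything that does show up is what the vendor removal tools left behind and can be dealt with before posting the next log.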