Google Redirect Virus : Bamital.K & Bamital.J


  • This topic is locked
25 replies to this topic

#1 Jay-C

  • Members
  • 16 posts

Posted 17 February 2011 - 11:04 AM

Hello,

My PC has developed a redirect virus problem. I have tried the following simple remedies, to no avail:

1.) Updated MBam to latest version as of today (version 5783)
2.) Updated Spybot S&D to latest version as of 02/17/11 at 9:32am CST
3.) Reboot PC in safe mode and run RKill.
4.) Full scan with MBam - Nothing found.
5.) Full scan with Spybot S&D - Nothing found.
6.) Ran Microsoft Security Essentials (not in safe mode), Found 4 problems:
Virus:Win32/Bamital.K
Virus:Win32/Bamital.K
Trojan:Win32/Bamital

My apologies, I posted without finishing.

The 4th problem Microsoft Security Essentials found:
Trojan:Win32/Bamital.J

I allowed Security Essentials to do the recommended cleanup; however, when it rebooted, it could not do so and recommended I do a system restore. I allowed it to do so.

I have done the recommended Preparation procedure from BleepingComputer and here are the logs requested:


DDS (Ver_10-12-12.02) - NTFSx86
Run by J C Markell at 9:11:29.88 on Thu 02/17/2011
Internet Explorer: 8.0.6001.19019 BrowserJavaVersion: 1.6.0_20
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2029.1254 [GMT -6:00]

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Software602\Print2PDF\Print2PDF.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\TechSmith\Jing\Jing.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Xobni\XobniService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\ehome\ehsched.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\ehome\ehRecvr.exe
C:\Users\J C Markell\AppData\Roaming\mjusbsp\magicJack.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Users\J C Markell\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://search.babylon.com/home?AF=15000
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GM5478
mDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GM5478
uInternet Settings,ProxyOverride = <local>
mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GM5478
uURLSearchHooks: Babylon-English Toolbar: {ce18769b-c7fa-42d2-860d-17c4662c70ad} - c:\program files\babylon-english\tbBaby.dll
mURLSearchHooks: Babylon-English Toolbar: {ce18769b-c7fa-42d2-860d-17c4662c70ad} - c:\program files\babylon-english\tbBaby.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: Babylon-English Toolbar: {ce18769b-c7fa-42d2-860d-17c4662c70ad} - c:\program files\babylon-english\tbBaby.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Babylon-English Toolbar: {ce18769b-c7fa-42d2-860d-17c4662c70ad} - c:\program files\babylon-english\tbBaby.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [cdloader] "c:\users\j c markell\appdata\roaming\mjusbsp\cdloader2.exe" MAGICJACK
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Jing] c:\program files\techsmith\jing\Jing.exe
uRun: [FormAutoFill] c:\program files\formautofill\faf.exe
uRun: [AdobeUpdater] "c:\program files\common files\adobe\updater5\AdobeUpdater.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [NMSSupport] "c:\program files\common files\intel\inteldh\nms\support\IntelHCTAgent.exe" /startup
mRun: [CCUTRAYICON] FactoryMode
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [NapsterShell] c:\program files\napster\napster.exe /systray
mRun: [BigFix] c:\program files\bigfix\bigfix.exe /atstartup
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Print2PDF Print Monitor] "c:\program files\software602\print2pdf\Print2PDF.exe" /server
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
StartupFolder: c:\users\jcmark~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\digsby.lnk - c:\program files\digsby\digsby.exe
StartupFolder: c:\users\jcmark~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: {5B7027AD-AA6D-40df-8F56-9560F277D2A5} - {E4ABF418-CB30-470C-BFF7-674AC0FC564F} - c:\program files\software602\print2pdf\Print602.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\users\jcmark~1\appdata\roaming\mozilla\firefox\profiles\bss31gje.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.babylon.com/web/{searchTerms}?babsrc=browsersearch&AF=15000
FF - prefs.js: browser.search.selectedEngine - Search the web (Babylon)
FF - prefs.js: browser.search.selectedengine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\program files\google\google updater\2.2.1273.1045\npCIDetect12.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\nos\bin\np_gp.dll
FF - plugin: c:\users\j c markell\appdata\local\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

============= SERVICES / DRIVERS ===============

R0 pe3ah4nb;DiRT Environment Driver (pe3ah4nb);c:\windows\system32\drivers\pe3ah4nb.sys [2007-7-19 64616]
R0 pe3ah4nc;DiRT Environment Driver (pe3ah4nc);c:\windows\system32\drivers\pe3ah4nc.sys [2007-5-18 64880]
R0 ps6ah4nb;DiRT Synchronization Driver (ps6ah4nb);c:\windows\system32\drivers\ps6ah4nb.sys [2007-7-31 68224]
R0 ps6ah4nc;DiRT Synchronization Driver (ps6ah4nc);c:\windows\system32\drivers\ps6ah4nc.sys [2007-5-22 55168]
R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);c:\windows\system32\drivers\sfsync03.sys [2006-7-11 42392]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2010-6-24 21504]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-12-2 374152]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2007-10-1 47640]
R2 nmsunidr;UniDriver for NMS;c:\windows\system32\drivers\nmsunidr.sys [2007-2-18 5376]
R2 XobniService;XobniService;c:\program files\xobni\XobniService.exe [2010-3-16 55016]
R3 AVer88xHD;AVerMedia 23888 AvStream Video Capture;c:\windows\system32\drivers\AVer88xHD.sys [2007-6-5 401408]
R3 IntelDH;IntelDH Driver;c:\windows\system32\drivers\IntelDH.sys [2007-6-5 5504]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-24 135664]
S2 IntelDHSvcConf;Intel DH Service;c:\program files\intel\inteldh\intel media server\tools\IntelDHSvcConf.exe [2007-4-6 36312]
S2 pr2ah4nb;DiRT Drivers Auto Removal (pr2ah4nb);c:\windows\system32\pr2ah4nb.exe svc --> c:\windows\system32\pr2ah4nb.exe svc [?]
S2 pr2ah4nc;DiRT Drivers Auto Removal (pr2ah4nc);c:\windows\system32\pr2ah4nc.exe svc --> c:\windows\system32\pr2ah4nc.exe svc [?]
S3 DHTRACE;Intel® DHTrace Controller;c:\program files\common files\intel\inteldh\bin\DHTraceController.exe [2007-4-6 39896]
S3 DQLWinService;DQLWinService;c:\program files\common files\intel\inteldh\nms\adpplugins\DQLWinService.exe [2007-2-12 208896]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 MCLServiceATL;Intel® Application Tracker;c:\program files\intel\inteldh\intel media server\shells\MCLServiceATL.exe [2007-4-6 158168]
S3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]
S3 NMSCore;Intel® NMSCore;c:\program files\common files\intel\inteldh\nms\nmscore\NMSCore.exe [2007-4-6 313816]
S3 QualityManager;Intel® Quality Manager;c:\program files\intel\inteldh\intel media server\media server\bin\QualityManager.exe [2007-4-6 272856]
S3 RTL8187;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v2.sys [2007-12-26 288768]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

=============== Created Last 30 ================

2011-02-17 15:03:04 -------- d-----w- c:\program files\Conduit
2011-02-17 15:03:02 -------- d-----w- c:\program files\Babylon-English
2011-02-17 15:03:01 -------- d-----w- c:\program files\Babylon
2011-02-17 13:09:40 5890896 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{2575f07e-6644-4f71-9450-f84c668368c1}\mpengine.dll
2011-02-15 16:25:19 -------- d-----w- c:\progra~2\gPgGkKf09000
2011-02-14 20:07:51 -------- d-----w- c:\progra~2\NVIDIA Corporation
2011-02-14 20:07:42 -------- d-----w- c:\program files\NVIDIA Corporation
2011-02-10 21:08:15 -------- d-----w- C:\e1e74427d58f4208e6ea
2011-02-08 16:08:37 -------- d-----w- C:\ea3921d35ee011167bba99
2011-02-08 15:40:28 -------- d-----w- c:\program files\Microsoft Security Client
2011-02-08 15:39:03 -------- d-----w- C:\eb449fca9fe1e593466462d1

==================== Find3M ====================

2011-01-20 16:08:16 478720 ----a-w- c:\windows\system32\dxgi.dll
2011-01-20 16:08:06 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-01-20 16:08:06 189952 ----a-w- c:\windows\system32\d3d10core.dll
2011-01-20 16:08:06 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2011-01-20 16:08:06 1029120 ----a-w- c:\windows\system32\d3d10.dll
2011-01-20 16:07:58 37376 ----a-w- c:\windows\system32\cdd.dll
2011-01-20 16:07:42 258048 ----a-w- c:\windows\system32\winspool.drv
2011-01-20 16:07:16 586240 ----a-w- c:\windows\system32\stobject.dll
2011-01-20 16:06:38 2873344 ----a-w- c:\windows\system32\mf.dll
2011-01-20 16:06:35 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2011-01-20 16:04:54 98816 ----a-w- c:\windows\system32\mfps.dll
2011-01-20 16:04:54 209920 ----a-w- c:\windows\system32\mfplat.dll
2011-01-20 14:28:38 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2011-01-20 14:27:50 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-01-20 14:26:30 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2011-01-20 14:25:25 847360 ----a-w- c:\windows\system32\OpcServices.dll
2011-01-20 14:24:32 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-01-20 14:24:26 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2011-01-20 14:15:10 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
2011-01-20 14:14:39 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
2011-01-20 14:14:03 302592 ----a-w- c:\windows\system32\mfmp4src.dll
2011-01-20 14:14:03 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
2011-01-20 14:12:46 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2011-01-20 14:11:34 486400 ----a-w- c:\windows\system32\d3d10level9.dll
2011-01-20 13:47:51 683008 ----a-w- c:\windows\system32\d2d1.dll
2011-01-20 13:44:05 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-01-20 13:44:03 797184 ----a-w- c:\windows\system32\FntCache.dll
2011-01-08 08:47:50 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-01-08 06:28:49 292352 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:57:01 2039808 ----a-w- c:\windows\system32\win32k.sys
2010-12-28 15:55:03 413696 ----a-w- c:\windows\system32\odbc32.dll
2010-12-18 06:27:04 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-18 06:22:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-18 06:22:27 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-12-18 06:22:11 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-12-18 06:22:11 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-12-18 05:25:26 385024 ----a-w- c:\windows\system32\html.iec
2010-12-18 04:48:39 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-12-18 04:47:11 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-12-14 14:49:23 1169408 ----a-w- c:\windows\system32\sdclt.exe
2010-11-29 00:26:48 695901 ----a-w- c:\windows\system32\unins000.exe

============= FINISH: 9:12:34.21 ===============

Hi,

One other thing: When I ran DeFogger as recommended in your prep guide, it did NOT ask me to reboot (I am assuming that means there is no emulation software on my PC?)

Thanks, my apologies for the multiple postings.

EDIT: Posts merged ~BP

Edited by Budapest, 17 February 2011 - 04:39 PM.



#2 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 20 February 2011 - 12:30 PM

Hello Jay-C,

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

If you have trouble running it the first time, then rename ComboFix.exe to JayC.exe and try again.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!


Error reading poptart in Drive A: Delete kids y/n?

#3 Jay-C
  • Topic Starter

  • Members
  • 16 posts

Posted 20 February 2011 - 03:27 PM

Tea,

Thanks for your help. I did a "control + alt + delete" to check for any anti-spyware programs and I believe I turned off Windows Defender. I didn't see any others. Ran ComboFix and generated log. However, after ComboFix did its reboot of the system, nothing would work. By that I mean Windows came up fine and my desktop was there, but anything you clicked on would get a pop up that said "illegal operation attempted on a registry key that has been marked for deletion." I could access Windows control center, but when I attempted to do a system restore from there... it did nothing (almost like it didn't recognize my click). So I rebooted and tapped F8 during bootup and did a system restore from there. Restore successful and that is where it is now. Here is the ComboFix Log: (fyi - all that stuff in the "file replicators" of the log about "c:\setup\70XX-some language\setup.exe" is the software program for my Brother Printer and can be removed if need be.)

Thanks again for your help!
J.C.

ComboFix 11-02-19.02 - J C Markell 02/20/2011 11:44:28.1.4 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2029.1103 [GMT -6:00]
Running from: c:\users\J C Markell\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Search Toolbar
c:\program files\Search Toolbar\icon.ico
c:\program files\Search Toolbar\SearchToolbarUpdater.exe
c:\programdata\Windows
c:\users\J C Markell\g2ax_customer_downloadhelper_win32_x86.exe
c:\users\J C Markell\g2mdlhlpx.exe
c:\windows\system32\arp.exe
D:\Autorun.inf

----- File Replicators -----

c:\downloads\Setup7010\CanFre\Setup.exe
c:\downloads\Setup7010\Chn\Setup.exe
c:\downloads\Setup7010\Dan\Setup.exe
c:\downloads\Setup7010\Dut\Setup.exe
c:\downloads\Setup7010\Eng\Setup.exe
c:\downloads\Setup7010\Fre\Setup.exe
c:\downloads\Setup7010\Ger\Setup.exe
c:\downloads\Setup7010\Ita\Setup.exe
c:\downloads\Setup7010\Nor\Setup.exe
c:\downloads\Setup7010\Por\Setup.exe
c:\downloads\Setup7010\Rus\Setup.exe
c:\downloads\Setup7010\Spa\Setup.exe
c:\downloads\Setup7010\Swe\Setup.exe
c:\downloads\Setup7010\Usa\Setup.exe
c:\downloads\Setup7020\CanFre\Setup.exe
c:\downloads\Setup7020\Chn\Setup.exe
c:\downloads\Setup7020\Usa\Setup.exe
c:\downloads\Setup7025\CanFre\Setup.exe
c:\downloads\Setup7025\Chn\Setup.exe
c:\downloads\Setup7025\Dan\Setup.exe
c:\downloads\Setup7025\Dut\Setup.exe
c:\downloads\Setup7025\Eng\Setup.exe
c:\downloads\Setup7025\Fre\Setup.exe
c:\downloads\Setup7025\Ger\Setup.exe
c:\downloads\Setup7025\Ita\Setup.exe
c:\downloads\Setup7025\Nor\Setup.exe
c:\downloads\Setup7025\Por\Setup.exe
c:\downloads\Setup7025\Rus\Setup.exe
c:\downloads\Setup7025\Spa\Setup.exe
c:\downloads\Setup7025\Swe\Setup.exe
c:\downloads\Setup7025\Usa\Setup.exe
c:\downloads\Setup7220\CanFre\Setup.exe
c:\downloads\Setup7220\Chn\Setup.exe
c:\downloads\Setup7220\Dan\Setup.exe
c:\downloads\Setup7220\Dut\Setup.exe
c:\downloads\Setup7220\Eng\Setup.exe
c:\downloads\Setup7220\Fre\Setup.exe
c:\downloads\Setup7220\Ger\Setup.exe
c:\downloads\Setup7220\Ita\Setup.exe
c:\downloads\Setup7220\Nor\Setup.exe
c:\downloads\Setup7220\Por\Setup.exe
c:\downloads\Setup7220\Rus\Setup.exe
c:\downloads\Setup7220\Spa\Setup.exe
c:\downloads\Setup7220\Swe\Setup.exe
c:\downloads\Setup7220\Usa\Setup.exe
c:\downloads\Setup7225N\CanFre\Setup.exe
c:\downloads\Setup7225N\Chn\Setup.exe
c:\downloads\Setup7225N\Dan\Setup.exe
c:\downloads\Setup7225N\Dut\Setup.exe
c:\downloads\Setup7225N\Eng\Setup.exe
c:\downloads\Setup7225N\Fre\Setup.exe
c:\downloads\Setup7225N\Ger\Setup.exe
c:\downloads\Setup7225N\Ita\Setup.exe
c:\downloads\Setup7225N\Nor\Setup.exe
c:\downloads\Setup7225N\Por\Setup.exe
c:\downloads\Setup7225N\Rus\Setup.exe
c:\downloads\Setup7225N\Spa\Setup.exe
c:\downloads\Setup7225N\Swe\Setup.exe
c:\downloads\Setup7225N\Usa\Setup.exe
c:\downloads\Setup7420\CanFre\Setup.exe
c:\downloads\Setup7420\Chn\Setup.exe
c:\downloads\Setup7420\Dan\Setup.exe
c:\downloads\Setup7420\Dut\Setup.exe
c:\downloads\Setup7420\Eng\Setup.exe
c:\downloads\Setup7420\Fre\Setup.exe
c:\downloads\Setup7420\Ger\Setup.exe
c:\downloads\Setup7420\Ita\Setup.exe
c:\downloads\Setup7420\Nor\Setup.exe
c:\downloads\Setup7420\Por\Setup.exe
c:\downloads\Setup7420\Rus\Setup.exe
c:\downloads\Setup7420\Spa\Setup.exe
c:\downloads\Setup7420\Swe\Setup.exe
c:\downloads\Setup7420\Usa\Setup.exe
c:\downloads\Setup7820N\CanFre\Setup.exe
c:\downloads\Setup7820N\Chn\Setup.exe
c:\downloads\Setup7820N\Dan\Setup.exe
c:\downloads\Setup7820N\Dut\Setup.exe
c:\downloads\Setup7820N\Eng\Setup.exe
c:\downloads\Setup7820N\Fre\Setup.exe
c:\downloads\Setup7820N\Ger\Setup.exe
c:\downloads\Setup7820N\Ita\Setup.exe
c:\downloads\Setup7820N\Nor\Setup.exe
c:\downloads\Setup7820N\Por\Setup.exe
c:\downloads\Setup7820N\Rus\Setup.exe
c:\downloads\Setup7820N\Spa\Setup.exe
c:\downloads\Setup7820N\Swe\Setup.exe
c:\downloads\Setup7820N\Usa\Setup.exe
c:\users\J C Markell\Downloads\Setup7420\CanFre\Setup.exe
c:\users\J C Markell\Downloads\Setup7420\Chn\Setup.exe
c:\users\J C Markell\Downloads\Setup7420\Dan\Setup.exe
c:\users\J C Markell\Downloads\Setup7420\Dut\Setup.exe
c:\users\J C Markell\Downloads\Setup7420\Eng\Setup.exe
c:\users\J C Markell\Downloads\Setup7420\Fre\Setup.exe
c:\users\J C Markell\Downloads\Setup7420\Ger\Setup.exe
c:\users\J C Markell\Downloads\Setup7420\Ita\Setup.exe
c:\users\J C Markell\Downloads\Setup7420\Nor\Setup.exe
c:\users\J C Markell\Downloads\Setup7420\Por\Setup.exe
c:\users\J C Markell\Downloads\Setup7420\Rus\Setup.exe
c:\users\J C Markell\Downloads\Setup7420\Spa\Setup.exe
c:\users\J C Markell\Downloads\Setup7420\Swe\Setup.exe
c:\users\J C Markell\Downloads\Setup7420\Usa\Setup.exe
c:\users\J C Markell\Downloads\Setup7820N\CanFre\Setup.exe
c:\users\J C Markell\Downloads\Setup7820N\Chn\Setup.exe
c:\users\J C Markell\Downloads\Setup7820N\Dan\Setup.exe
c:\users\J C Markell\Downloads\Setup7820N\Dut\Setup.exe
c:\users\J C Markell\Downloads\Setup7820N\Eng\Setup.exe
c:\users\J C Markell\Downloads\Setup7820N\Fre\Setup.exe
c:\users\J C Markell\Downloads\Setup7820N\Ger\Setup.exe
c:\users\J C Markell\Downloads\Setup7820N\Ita\Setup.exe
c:\users\J C Markell\Downloads\Setup7820N\Nor\Setup.exe
c:\users\J C Markell\Downloads\Setup7820N\Por\Setup.exe
c:\users\J C Markell\Downloads\Setup7820N\Rus\Setup.exe
c:\users\J C Markell\Downloads\Setup7820N\Spa\Setup.exe
c:\users\J C Markell\Downloads\Setup7820N\Swe\Setup.exe
c:\users\J C Markell\Downloads\Setup7820N\Usa\Setup.exe
.
Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.22298_none_51e4f8c7931bd1e1\explorer.exe

.
((((((((((((((((((((((((( Files Created from 2011-01-20 to 2011-02-20 )))))))))))))))))))))))))))))))
.

2011-02-20 17:53 . 2011-02-20 17:53 -------- d-----w- c:\users\J C Markell\AppData\Local\temp
2011-02-20 17:53 . 2011-02-20 17:53 -------- d-----w- c:\users\IUSR_NMPR\AppData\Local\temp
2011-02-20 17:53 . 2011-02-20 17:53 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-02-20 17:53 . 2011-02-20 17:53 -------- d-----w- c:\users\dave\AppData\Local\temp
2011-02-18 14:04 . 2011-01-13 09:41 5890896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{406E4CDB-7FAF-41D3-AD6A-383C8D36AC4C}\mpengine.dll
2011-02-17 15:03 . 2011-02-17 15:03 -------- d-----w- c:\program files\Conduit
2011-02-17 15:03 . 2011-02-17 15:03 -------- d-----w- c:\program files\Babylon-English
2011-02-17 15:03 . 2011-02-17 15:03 -------- d-----w- c:\program files\Babylon
2011-02-15 16:25 . 2011-02-17 13:03 -------- d-----w- c:\programdata\gPgGkKf09000
2011-02-14 20:07 . 2011-02-14 20:07 -------- d-----w- c:\programdata\NVIDIA Corporation
2011-02-14 20:07 . 2011-02-14 20:08 -------- d-----w- c:\program files\NVIDIA Corporation
2011-02-10 21:08 . 2011-02-10 23:34 -------- d-----w- C:\e1e74427d58f4208e6ea
2011-02-08 16:08 . 2011-02-08 18:24 -------- d-----w- C:\ea3921d35ee011167bba99
2011-02-08 15:40 . 2011-02-16 16:35 -------- d-----w- c:\program files\Microsoft Security Client
2011-02-08 15:39 . 2011-02-08 17:54 -------- d-----w- C:\eb449fca9fe1e593466462d1

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-28 15:55 . 2011-01-12 09:28 413696 ----a-w- c:\windows\system32\odbc32.dll
2010-12-21 00:09 . 2010-06-25 20:21 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-21 00:08 . 2010-06-25 20:21 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-14 14:49 . 2011-01-12 09:28 1169408 ----a-w- c:\windows\system32\sdclt.exe
2010-11-29 00:26 . 2010-11-29 00:26 695901 ----a-w- c:\windows\system32\unins000.exe
.

------- Sigcheck -------

[-] 2009-04-11 06:27 . 10829FCDE2D0532C7F388C5E572DBFBC . 2926592 . . [------] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6002.18005_none_53a0201e76de3a0b\explorer.exe
[-] 2008-10-30 . 54C5430E70FECF8C26CDCBCDE216EF94 . 2927616 . . [6.0.6000.16386] . . c:\windows\explorer.exe
[7] 2008-10-30 . 50BA5850147410CDE89C523AD3BC606E . 2927616 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.22298_none_51e4f8c7931bd1e1\explorer.exe
[7] 2008-10-29 . 4F554999D7D5F05DAAEBBA7B5BA1089D . 2927104 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18164_none_5177ca9879e978e8\explorer.exe
[7] 2008-10-29 . 37440D09DEAE0B672A04DCCF7ABF06BE . 2923520 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16771_none_4f83bb287ccdb7e3\explorer.exe
[7] 2008-10-28 . E7156B0B74762D9DE0E66BDCDE06E5FB . 2923520 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20947_none_5033cb5995cd990b\explorer.exe
[7] 2008-01-19 . FFA764631CB70A30065C12EF8E174F9F . 2927104 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18000_none_51b4a71279bc6ebf\explorer.exe
[7] 2007-11-15 . 6D06CD98D954FE87FB2DB8108793B399 . 2923520 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16549_none_4fac29707cae347a\explorer.exe
[7] 2007-11-15 . BD06F0BF753BC704B653C3A50F89D362 . 2923520 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20668_none_501f261995dcf2cf\explorer.exe
[7] 2006-11-02 . FD8C53FB002217F6F888BCF6F5D7084D . 2923520 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16386_none_4f7de5167cd15deb\explorer.exe

[-] 2008-01-19 . 7A28767CEF683FE01195AE83D8655BC8 . 96768 . . [6.0.6000.16386] . . c:\windows\System32\wininit.exe
[7] 2008-01-19 . 101BA3EA053480BB5D957EF37C06B5ED . 96768 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6001.18000_none_30f2b8cf0450a6a2\wininit.exe
[7] 2006-11-02 . D4385B03E8CCCEE6F0EE249F827C1F3E . 95744 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6000.16386_none_2ebbf6d3076595ce\wininit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{ce18769b-c7fa-42d2-860d-17c4662c70ad}"= "c:\program files\Babylon-English\tbBaby.dll" [2010-06-14 2734688]

[HKEY_CLASSES_ROOT\clsid\{ce18769b-c7fa-42d2-860d-17c4662c70ad}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ce18769b-c7fa-42d2-860d-17c4662c70ad}]
2010-06-14 01:10 2734688 ----a-w- c:\program files\Babylon-English\tbBaby.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{ce18769b-c7fa-42d2-860d-17c4662c70ad}"= "c:\program files\Babylon-English\tbBaby.dll" [2010-06-14 2734688]

[HKEY_CLASSES_ROOT\clsid\{ce18769b-c7fa-42d2-860d-17c4662c70ad}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"cdloader"="c:\users\J C Markell\AppData\Roaming\mjusbsp\cdloader2.exe" [2010-12-03 50592]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-02 68856]
"Jing"="c:\program files\TechSmith\Jing\Jing.exe" [2010-08-19 3069192]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2010-08-04 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CCUTRAYICON"="FactoryMode" [X]
"NMSSupport"="c:\program files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" [2007-04-06 439768]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-12-18 622592]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-07-19 65536]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-09-12 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-12 8497696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-12 81920]
"Print2PDF Print Monitor"="c:\program files\Software602\Print2PDF\Print2PDF.exe" [2010-01-04 86016]

c:\users\J C Markell\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Digsby.lnk - c:\program files\Digsby\digsby.exe [2010-3-3 141488]
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-06-24 135664]
R2 IntelDHSvcConf;Intel DH Service;c:\program files\Intel\IntelDH\Intel Media Server\Tools\IntelDHSvcConf.exe [2007-04-06 36312]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [x]
R2 pr2ah4nb;DiRT Drivers Auto Removal (pr2ah4nb);c:\windows\system32\pr2ah4nb.exe svc [x]
R2 pr2ah4nc;DiRT Drivers Auto Removal (pr2ah4nc);c:\windows\system32\pr2ah4nc.exe svc [x]
R3 DHTRACE;Intel® DHTrace Controller;c:\program files\Common Files\Intel\IntelDH\bin\DHTraceController.exe [2007-04-06 39896]
R3 DQLWinService;DQLWinService;c:\program files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [2007-02-12 208896]
R3 klmd24;klmd24;c:\windows\system32\drivers\klmd.sys [x]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
R3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 2589184]
R3 NMSCore;Intel® NMSCore;c:\program files\Common Files\Intel\IntelDH\NMS\NMSCore\NMSCore.exe [2007-04-06 313816]
R3 QualityManager;Intel® Quality Manager;c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\qualitymanager.exe [2007-04-06 272856]
R3 RTL8187;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\DRIVERS\wg111v2.sys [2007-12-26 288768]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S0 pe3ah4nb;DiRT Environment Driver (pe3ah4nb);c:\windows\system32\drivers\pe3ah4nb.sys [2007-07-19 64616]
S0 pe3ah4nc;DiRT Environment Driver (pe3ah4nc);c:\windows\system32\drivers\pe3ah4nc.sys [2007-05-18 64880]
S0 ps6ah4nb;DiRT Synchronization Driver (ps6ah4nb);c:\windows\system32\drivers\ps6ah4nb.sys [2007-07-31 68224]
S0 ps6ah4nc;DiRT Synchronization Driver (ps6ah4nc);c:\windows\system32\drivers\ps6ah4nc.sys [2007-05-22 55168]
S0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);c:\windows\System32\drivers\sfsync03.sys [2006-07-11 42392]
S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [2010-09-27 374152]
S2 nmsunidr;UniDriver for NMS;c:\windows\system32\DRIVERS\nmsunidr.sys [2007-02-19 5376]
S2 XobniService;XobniService;c:\program files\Xobni\XobniService.exe [2010-03-16 55016]
S3 AVer88xHD;AVerMedia 23888 AvStream Video Capture;c:\windows\system32\drivers\AVer88xHD.sys [2007-04-09 401408]
S3 IntelDH;IntelDH Driver;c:\windows\system32\Drivers\IntelDH.sys [2007-06-05 5504]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2011-02-20 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-08-02 20:01]

2011-02-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-24 21:05]

2011-02-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-24 21:05]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GM5478
uInternet Settings,ProxyOverride = <local>
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
FF - ProfilePath - c:\users\J C Markell\AppData\Roaming\Mozilla\Firefox\Profiles\bss31gje.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.babylon.com/web/{searchTerms}?babsrc=browsersearch&AF=15000
FF - prefs.js: browser.search.selectedEngine - Search the web (Babylon)
FF - prefs.js: browser.search.selectedengine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-FormAutoFill - c:\program files\FormAutoFill\faf.exe
HKLM-Run-NapsterShell - c:\program files\Napster\napster.exe
HKLM-Run-BigFix - c:\program files\Bigfix\bigfix.exe
HKLM-Run-LogMeIn GUI - c:\program files\LogMeIn\x86\LogMeInSystray.exe
SafeBoot-klmd24.sys
AddRemove-{D8768524-DE8D-40D3-904B-B1FCC31CF9F9} - c:\program files\InstallShield Installation Information\{D8768524-DE8D-40D3-904B-B1FCC31CF9F9}\setup.exe



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\WUDFHost.exe
c:\program files\Brother\ControlCenter3\brccMCtl.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\rundll32.exe
c:\windows\ehome\ehmsas.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\windows\ehome\ehsched.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\Digsby\lib\digsby-app.exe
c:\windows\ehome\ehRecvr.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2011-02-20 12:03:28 - machine was rebooted
ComboFix-quarantined-files.txt 2011-02-20 18:02

Pre-Run: 230,476,398,592 bytes free
Post-Run: 273,292,541,952 bytes free

- - End Of File - - 1A01601B69A6FEB772A8915D597B0E90

#4 teacup61 (Malware Response Team, Wills Point, Texas)

Posted 20 February 2011 - 03:30 PM

You seem fond of system restore. <_< Now please have a run with ComboFix without doing a system restore anywhere along the line. Please post the report in your reply. :)

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#5 Jay-C (Topic Starter)

Posted 20 February 2011 - 07:46 PM

Teacup,

You may have misunderstood my previous post, the use of system restore is not due to fondness, but rather, necessity. The first ComboFix report I sent you was fully executed, and the log file created, BEFORE the system restore was done. I only have 1 PC and after running ComboFix (it seemed to run fine all the way through) it left my machine completely useless. Unable to open a text file, video, picture, IE, Firefox, no program or file of any kind! Just kept saying "illegal operation attempted on a registry key that has been marked for deletion".

However, I very much appreciate your help and am fully aware that "I don't know what I don't know". So, I have re-run ComboFix, and when it finished, I saved the log file to an external drive. After ComboFix closed, I attempted to open Firefox to post the log and... same thing. My PC will not run any programs or open any files. "The lights are on, but nobody is home". I left it and went to my Dad's to use his computer which is how I am writing this to you. Here is the log:


ComboFix 11-02-20.01 - J C Markell 02/20/2011 17:53:15.1.4 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2029.1159 [GMT -6:00]
Running from: c:\users\J C Markell\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Search Toolbar
c:\program files\Search Toolbar\icon.ico
c:\program files\Search Toolbar\SearchToolbarUpdater.exe
c:\users\J C Markell\g2ax_customer_downloadhelper_win32_x86.exe
c:\users\J C Markell\g2mdlhlpx.exe
c:\windows\system32\arp.exe

----- File Replicators -----

.
Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.22298_none_51e4f8c7931bd1e1\explorer.exe

.
((((((((((((((((((((((((( Files Created from 2011-01-21 to 2011-02-21 )))))))))))))))))))))))))))))))
.

2011-02-21 00:02 . 2011-02-21 00:05 -------- d-----w- c:\users\J C Markell\AppData\Local\temp
2011-02-21 00:02 . 2011-02-21 00:02 -------- d-----w- c:\users\IUSR_NMPR\AppData\Local\temp
2011-02-21 00:02 . 2011-02-21 00:02 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-02-21 00:02 . 2011-02-21 00:02 -------- d-----w- c:\users\dave\AppData\Local\temp
2011-02-18 14:04 . 2011-01-13 09:41 5890896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{406E4CDB-7FAF-41D3-AD6A-383C8D36AC4C}\mpengine.dll
2011-02-17 15:03 . 2011-02-17 15:03 -------- d-----w- c:\program files\Conduit
2011-02-17 15:03 . 2011-02-17 15:03 -------- d-----w- c:\program files\Babylon-English
2011-02-17 15:03 . 2011-02-17 15:03 -------- d-----w- c:\program files\Babylon
2011-02-15 16:25 . 2011-02-17 13:03 -------- d-----w- c:\programdata\gPgGkKf09000
2011-02-14 20:07 . 2011-02-14 20:07 -------- d-----w- c:\programdata\NVIDIA Corporation
2011-02-14 20:07 . 2011-02-14 20:08 -------- d-----w- c:\program files\NVIDIA Corporation
2011-02-10 21:08 . 2011-02-10 23:34 -------- d-----w- C:\e1e74427d58f4208e6ea
2011-02-08 16:08 . 2011-02-08 18:24 -------- d-----w- C:\ea3921d35ee011167bba99
2011-02-08 15:40 . 2011-02-16 16:35 -------- d-----w- c:\program files\Microsoft Security Client
2011-02-08 15:39 . 2011-02-08 17:54 -------- d-----w- C:\eb449fca9fe1e593466462d1

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-28 15:55 . 2011-01-12 09:28 413696 ----a-w- c:\windows\system32\odbc32.dll
2010-12-21 00:09 . 2010-06-25 20:21 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-21 00:08 . 2010-06-25 20:21 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-14 14:49 . 2011-01-12 09:28 1169408 ----a-w- c:\windows\system32\sdclt.exe
2010-11-29 00:26 . 2010-11-29 00:26 695901 ----a-w- c:\windows\system32\unins000.exe
.

------- Sigcheck -------

[-] 2009-04-11 06:27 . 10829FCDE2D0532C7F388C5E572DBFBC . 2926592 . . [------] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6002.18005_none_53a0201e76de3a0b\explorer.exe
[-] 2008-10-30 . 54C5430E70FECF8C26CDCBCDE216EF94 . 2927616 . . [6.0.6000.16386] . . c:\windows\explorer.exe
[7] 2008-10-30 . 50BA5850147410CDE89C523AD3BC606E . 2927616 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.22298_none_51e4f8c7931bd1e1\explorer.exe
[7] 2008-10-29 . 4F554999D7D5F05DAAEBBA7B5BA1089D . 2927104 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18164_none_5177ca9879e978e8\explorer.exe
[7] 2008-10-29 . 37440D09DEAE0B672A04DCCF7ABF06BE . 2923520 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16771_none_4f83bb287ccdb7e3\explorer.exe
[7] 2008-10-28 . E7156B0B74762D9DE0E66BDCDE06E5FB . 2923520 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20947_none_5033cb5995cd990b\explorer.exe
[7] 2008-01-19 . FFA764631CB70A30065C12EF8E174F9F . 2927104 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18000_none_51b4a71279bc6ebf\explorer.exe
[7] 2007-11-15 . 6D06CD98D954FE87FB2DB8108793B399 . 2923520 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16549_none_4fac29707cae347a\explorer.exe
[7] 2007-11-15 . BD06F0BF753BC704B653C3A50F89D362 . 2923520 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20668_none_501f261995dcf2cf\explorer.exe
[7] 2006-11-02 . FD8C53FB002217F6F888BCF6F5D7084D . 2923520 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16386_none_4f7de5167cd15deb\explorer.exe

[-] 2008-01-19 . 7A28767CEF683FE01195AE83D8655BC8 . 96768 . . [6.0.6000.16386] . . c:\windows\System32\wininit.exe
[7] 2008-01-19 . 101BA3EA053480BB5D957EF37C06B5ED . 96768 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6001.18000_none_30f2b8cf0450a6a2\wininit.exe
[7] 2006-11-02 . D4385B03E8CCCEE6F0EE249F827C1F3E . 95744 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6000.16386_none_2ebbf6d3076595ce\wininit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{ce18769b-c7fa-42d2-860d-17c4662c70ad}"= "c:\program files\Babylon-English\tbBaby.dll" [2010-06-14 2734688]

[HKEY_CLASSES_ROOT\clsid\{ce18769b-c7fa-42d2-860d-17c4662c70ad}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ce18769b-c7fa-42d2-860d-17c4662c70ad}]
2010-06-14 01:10 2734688 ----a-w- c:\program files\Babylon-English\tbBaby.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{ce18769b-c7fa-42d2-860d-17c4662c70ad}"= "c:\program files\Babylon-English\tbBaby.dll" [2010-06-14 2734688]

[HKEY_CLASSES_ROOT\clsid\{ce18769b-c7fa-42d2-860d-17c4662c70ad}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"cdloader"="c:\users\J C Markell\AppData\Roaming\mjusbsp\cdloader2.exe" [2010-12-03 50592]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-02 68856]
"Jing"="c:\program files\TechSmith\Jing\Jing.exe" [2010-08-19 3069192]
"FormAutoFill"="c:\program files\FormAutoFill\faf.exe" [BU]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2010-08-04 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CCUTRAYICON"="FactoryMode" [X]
"NMSSupport"="c:\program files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" [2007-04-06 439768]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"NapsterShell"="c:\program files\Napster\napster.exe" [BU]
"BigFix"="c:\program files\Bigfix\bigfix.exe" [BU]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-12-18 622592]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-07-19 65536]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-09-12 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-12 8497696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-12 81920]
"Print2PDF Print Monitor"="c:\program files\Software602\Print2PDF\Print2PDF.exe" [2010-01-04 86016]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [BU]

c:\users\J C Markell\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Digsby.lnk - c:\program files\Digsby\digsby.exe [2010-3-3 141488]
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-06-24 135664]
R2 IntelDHSvcConf;Intel DH Service;c:\program files\Intel\IntelDH\Intel Media Server\Tools\IntelDHSvcConf.exe [2007-04-06 36312]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [x]
R2 pr2ah4nb;DiRT Drivers Auto Removal (pr2ah4nb);c:\windows\system32\pr2ah4nb.exe svc [x]
R2 pr2ah4nc;DiRT Drivers Auto Removal (pr2ah4nc);c:\windows\system32\pr2ah4nc.exe svc [x]
R3 DHTRACE;Intel® DHTrace Controller;c:\program files\Common Files\Intel\IntelDH\bin\DHTraceController.exe [2007-04-06 39896]
R3 DQLWinService;DQLWinService;c:\program files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [2007-02-12 208896]
R3 klmd24;klmd24;c:\windows\system32\drivers\klmd.sys [x]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
R3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 2589184]
R3 NMSCore;Intel® NMSCore;c:\program files\Common Files\Intel\IntelDH\NMS\NMSCore\NMSCore.exe [2007-04-06 313816]
R3 QualityManager;Intel® Quality Manager;c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\qualitymanager.exe [2007-04-06 272856]
R3 RTL8187;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\DRIVERS\wg111v2.sys [2007-12-26 288768]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S0 pe3ah4nb;DiRT Environment Driver (pe3ah4nb);c:\windows\system32\drivers\pe3ah4nb.sys [2007-07-19 64616]
S0 pe3ah4nc;DiRT Environment Driver (pe3ah4nc);c:\windows\system32\drivers\pe3ah4nc.sys [2007-05-18 64880]
S0 ps6ah4nb;DiRT Synchronization Driver (ps6ah4nb);c:\windows\system32\drivers\ps6ah4nb.sys [2007-07-31 68224]
S0 ps6ah4nc;DiRT Synchronization Driver (ps6ah4nc);c:\windows\system32\drivers\ps6ah4nc.sys [2007-05-22 55168]
S0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);c:\windows\System32\drivers\sfsync03.sys [2006-07-11 42392]
S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [2010-09-27 374152]
S2 nmsunidr;UniDriver for NMS;c:\windows\system32\DRIVERS\nmsunidr.sys [2007-02-19 5376]
S2 XobniService;XobniService;c:\program files\Xobni\XobniService.exe [2010-03-16 55016]
S3 AVer88xHD;AVerMedia 23888 AvStream Video Capture;c:\windows\system32\drivers\AVer88xHD.sys [2007-04-09 401408]
S3 IntelDH;IntelDH Driver;c:\windows\system32\Drivers\IntelDH.sys [2007-06-05 5504]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2011-02-21 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-08-02 20:01]

2011-02-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-24 21:05]

2011-02-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-24 21:05]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GM5478
uInternet Settings,ProxyOverride = <local>
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
FF - ProfilePath - c:\users\J C Markell\AppData\Roaming\Mozilla\Firefox\Profiles\bss31gje.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.babylon.com/web/{searchTerms}?babsrc=browsersearch&AF=15000
FF - prefs.js: browser.search.selectedEngine - Search the web (Babylon)
FF - prefs.js: browser.search.selectedengine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-20 18:06
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\WUDFHost.exe
c:\windows\System32\rundll32.exe
c:\program files\Brother\ControlCenter3\brccMCtl.exe
c:\windows\System32\rundll32.exe
c:\windows\ehome\ehmsas.exe
c:\windows\ehome\ehsched.exe
c:\windows\ehome\ehRecvr.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
.
**************************************************************************
.
Completion time: 2011-02-20 18:13:04 - machine was rebooted
ComboFix-quarantined-files.txt 2011-02-21 00:13
ComboFix2.txt 2011-02-20 18:03

Pre-Run: 265,857,585,152 bytes free
Post-Run: 265,727,434,752 bytes free

- - End Of File - - 680A814B7471184452F7568870EC2AE3

#6 Jay-C (Topic Starter)

Posted 20 February 2011 - 10:37 PM

UPDATE:

Teacup,

Just came back from my Dad's and did a hard shut down and restart. This has solved the "I cannot run or open anything" challenge. PC working as it should. I did a quick Google search and can confirm the redirect virus is still present and accounted for. I will await your next instructions.

Thank You again for your willingness to help!
J.C.

#7 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 21 February 2011 - 05:09 PM

Hello,

Good to know. I see you have MBAM... please be sure it's updated and run a scan with it. Please post the report in your reply.

Also, please let me know how it's running now. :)

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!


Error reading poptart in Drive A: Delete kids y/n?

#8 Jay-C

Jay-C
  • Topic Starter

  • Members
  • 16 posts

Posted 21 February 2011 - 08:37 PM

Teacup,

The PC is operating normally. The redirect virus is still there and doing its bleeping thing. I did an update and full scan with MBam and it found nothing. Here is the log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5833

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19019

2/21/2011 7:32:17 PM
mbam-log-2011-02-21 (19-32-17).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 379576
Time elapsed: 53 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


I will await your next instruction. Thank You for your help!

regards,
J.C.

#9 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 21 February 2011 - 08:50 PM

Hi there,

* Open Notepad - don't use any text editor other than Notepad or the script will fail.
Copy/paste the text in the quote box below into Notepad:

DirLook::
c:\progra~2\gPgGkKf09000
C:\e1e74427d58f4208e6ea
C:\ea3921d35ee011167bba99
C:\eb449fca9fe1e593466462d1


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.

After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.

Thanks,
tea

#10 Jay-C

Jay-C
  • Topic Starter

  • Members
  • 16 posts

Posted 22 February 2011 - 10:10 AM

Teacup,

ComboFix found an updated version of itself when I dragged the recommended text file into it. I allowed it to do the update. I can also report that the Redirect Virus is still active as of now. :(
Here is the log:

ComboFix 11-02-21.02 - J C Markell 02/22/2011 8:00.2.4 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2029.1140 [GMT -6:00]
Running from: c:\users\J C Markell\Desktop\ComboFix.exe
Command switches used :: c:\users\J C Markell\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\explorer.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2011-01-22 to 2011-02-22 )))))))))))))))))))))))))))))))
.

2011-02-22 14:50 . 2011-02-22 14:50 -------- d-----w- c:\users\J C Markell\AppData\Local\temp
2011-02-22 14:50 . 2011-02-22 14:50 -------- d-----w- c:\users\IUSR_NMPR\AppData\Local\temp
2011-02-22 14:50 . 2011-02-22 14:50 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-02-22 14:50 . 2011-02-22 14:50 -------- d-----w- c:\users\dave\AppData\Local\temp
2011-02-22 13:54 . 2011-01-13 09:41 5890896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{A8D1AA89-2683-4824-BCB1-298B56D13022}\mpengine.dll
2011-02-21 20:54 . 2011-02-22 01:43 -------- d-----w- c:\program files\Color Style Studio
2011-02-20 18:03 . 2011-02-20 18:03 -------- d-----w- c:\users\J C Markell\AppData\Local\Temp(5)
2011-02-17 15:03 . 2011-02-17 15:03 -------- d-----w- c:\program files\Conduit
2011-02-17 15:03 . 2011-02-17 15:03 -------- d-----w- c:\program files\Babylon-English
2011-02-17 15:03 . 2011-02-17 15:03 -------- d-----w- c:\program files\Babylon
2011-02-15 16:25 . 2011-02-17 13:03 -------- d-----w- c:\programdata\gPgGkKf09000
2011-02-14 20:07 . 2011-02-14 20:07 -------- d-----w- c:\programdata\NVIDIA Corporation
2011-02-14 20:07 . 2011-02-14 20:08 -------- d-----w- c:\program files\NVIDIA Corporation
2011-02-10 21:08 . 2011-02-10 23:34 -------- d-----w- C:\e1e74427d58f4208e6ea
2011-02-08 16:08 . 2011-02-08 18:24 -------- d-----w- C:\ea3921d35ee011167bba99
2011-02-08 15:40 . 2011-02-16 16:35 -------- d-----w- c:\program files\Microsoft Security Client
2011-02-08 15:39 . 2011-02-08 17:54 -------- d-----w- C:\eb449fca9fe1e593466462d1

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-28 15:55 . 2011-01-12 09:28 413696 ----a-w- c:\windows\system32\odbc32.dll
2010-12-21 00:09 . 2010-06-25 20:21 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-21 00:08 . 2010-06-25 20:21 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-14 14:49 . 2011-01-12 09:28 1169408 ----a-w- c:\windows\system32\sdclt.exe
2010-11-29 00:26 . 2010-11-29 00:26 695901 ----a-w- c:\windows\system32\unins000.exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of C:\e1e74427d58f4208e6ea ----

2010-11-30 19:38 . 2010-11-30 19:38 61 ----a-w- c:\e1e74427d58f4208e6ea\setup.ini
2010-11-30 19:35 . 2010-11-30 19:35 31744 ----a-w- c:\e1e74427d58f4208e6ea\en-us\epploc_x86.msi
2010-11-30 19:31 . 2010-11-30 19:31 1666048 ----a-w- c:\e1e74427d58f4208e6ea\x86\epp.msi
2010-11-30 19:20 . 2010-11-30 19:20 42568 ----a-w- c:\e1e74427d58f4208e6ea\setupres.dll
2010-11-30 19:20 . 2010-11-30 19:20 824368 ----a-w- c:\e1e74427d58f4208e6ea\x86\setup.exe
2010-11-30 19:20 . 2010-11-30 19:20 335624 ----a-w- c:\e1e74427d58f4208e6ea\epplauncher.exe
2010-11-30 19:20 . 2010-11-30 19:20 161024 ----a-w- c:\e1e74427d58f4208e6ea\eppmanifest.dll
2010-11-30 19:20 . 2010-11-30 19:20 15248 ----a-w- c:\e1e74427d58f4208e6ea\compappscontent.dll
2010-11-30 19:20 . 2010-11-30 19:20 42568 ----a-w- c:\e1e74427d58f4208e6ea\en-us\setupres.dll.mui
2010-11-14 21:03 . 2010-11-14 21:03 1931264 ----a-w- c:\e1e74427d58f4208e6ea\x86\mp_ambits.msi
2010-04-21 22:53 . 2010-04-21 22:53 707448 ----a-w- c:\e1e74427d58f4208e6ea\x86\legitlib.dll
2010-04-19 18:32 . 2010-04-19 18:32 196416 ----a-w- c:\e1e74427d58f4208e6ea\x86\sqmapi.dll
2010-04-19 18:31 . 2010-04-19 18:31 1850368 ----a-w- c:\e1e74427d58f4208e6ea\x86\dw20shared.msi

---- Directory of C:\ea3921d35ee011167bba99 ----

2010-11-30 19:38 . 2010-11-30 19:38 61 ----a-w- c:\ea3921d35ee011167bba99\setup.ini
2010-11-30 19:35 . 2010-11-30 19:35 31744 ----a-w- c:\ea3921d35ee011167bba99\en-us\epploc_x86.msi
2010-11-30 19:31 . 2010-11-30 19:31 1666048 ----a-w- c:\ea3921d35ee011167bba99\x86\epp.msi
2010-11-30 19:20 . 2010-11-30 19:20 42568 ----a-w- c:\ea3921d35ee011167bba99\setupres.dll
2010-11-30 19:20 . 2010-11-30 19:20 824368 ----a-w- c:\ea3921d35ee011167bba99\x86\setup.exe
2010-11-30 19:20 . 2010-11-30 19:20 335624 ----a-w- c:\ea3921d35ee011167bba99\epplauncher.exe
2010-11-30 19:20 . 2010-11-30 19:20 161024 ----a-w- c:\ea3921d35ee011167bba99\eppmanifest.dll
2010-11-30 19:20 . 2010-11-30 19:20 15248 ----a-w- c:\ea3921d35ee011167bba99\compappscontent.dll
2010-11-30 19:20 . 2010-11-30 19:20 42568 ----a-w- c:\ea3921d35ee011167bba99\en-us\setupres.dll.mui
2010-11-14 21:03 . 2010-11-14 21:03 1931264 ----a-w- c:\ea3921d35ee011167bba99\x86\mp_ambits.msi
2010-04-21 22:53 . 2010-04-21 22:53 707448 ----a-w- c:\ea3921d35ee011167bba99\x86\legitlib.dll
2010-04-19 18:32 . 2010-04-19 18:32 196416 ----a-w- c:\ea3921d35ee011167bba99\x86\sqmapi.dll
2010-04-19 18:31 . 2010-04-19 18:31 1850368 ----a-w- c:\ea3921d35ee011167bba99\x86\dw20shared.msi

---- Directory of C:\eb449fca9fe1e593466462d1 ----

2010-11-30 19:38 . 2010-11-30 19:38 61 ----a-w- c:\eb449fca9fe1e593466462d1\setup.ini
2010-11-30 19:35 . 2010-11-30 19:35 31744 ----a-w- c:\eb449fca9fe1e593466462d1\en-us\epploc_x86.msi
2010-11-30 19:31 . 2010-11-30 19:31 1666048 ----a-w- c:\eb449fca9fe1e593466462d1\x86\epp.msi
2010-11-30 19:20 . 2010-11-30 19:20 42568 ----a-w- c:\eb449fca9fe1e593466462d1\setupres.dll
2010-11-30 19:20 . 2010-11-30 19:20 824368 ----a-w- c:\eb449fca9fe1e593466462d1\x86\setup.exe
2010-11-30 19:20 . 2010-11-30 19:20 335624 ----a-w- c:\eb449fca9fe1e593466462d1\epplauncher.exe
2010-11-30 19:20 . 2010-11-30 19:20 161024 ----a-w- c:\eb449fca9fe1e593466462d1\eppmanifest.dll
2010-11-30 19:20 . 2010-11-30 19:20 15248 ----a-w- c:\eb449fca9fe1e593466462d1\compappscontent.dll
2010-11-30 19:20 . 2010-11-30 19:20 42568 ----a-w- c:\eb449fca9fe1e593466462d1\en-us\setupres.dll.mui
2010-11-14 21:03 . 2010-11-14 21:03 1931264 ----a-w- c:\eb449fca9fe1e593466462d1\x86\mp_ambits.msi
2010-04-21 22:53 . 2010-04-21 22:53 707448 ----a-w- c:\eb449fca9fe1e593466462d1\x86\legitlib.dll
2010-04-19 18:32 . 2010-04-19 18:32 196416 ----a-w- c:\eb449fca9fe1e593466462d1\x86\sqmapi.dll
2010-04-19 18:31 . 2010-04-19 18:31 1850368 ----a-w- c:\eb449fca9fe1e593466462d1\x86\dw20shared.msi

---- Directory of c:\progra~2\gPgGkKf09000 ----

2011-02-15 16:25 . 2011-02-17 12:52 98 ----a-w- c:\progra~2\gPgGkKf09000\gPgGkKf09000


------- Sigcheck -------

[-] 2009-04-11 06:27 . 10829FCDE2D0532C7F388C5E572DBFBC . 2926592 . . [------] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6002.18005_none_53a0201e76de3a0b\explorer.exe
[-] 2008-10-30 . 54C5430E70FECF8C26CDCBCDE216EF94 . 2927616 . . [6.0.6000.16386] . . c:\windows\explorer.exe
[7] 2008-10-30 . 50BA5850147410CDE89C523AD3BC606E . 2927616 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.22298_none_51e4f8c7931bd1e1\explorer.exe
[7] 2008-10-29 . 4F554999D7D5F05DAAEBBA7B5BA1089D . 2927104 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18164_none_5177ca9879e978e8\explorer.exe
[7] 2008-10-29 . 37440D09DEAE0B672A04DCCF7ABF06BE . 2923520 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16771_none_4f83bb287ccdb7e3\explorer.exe
[7] 2008-10-28 . E7156B0B74762D9DE0E66BDCDE06E5FB . 2923520 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20947_none_5033cb5995cd990b\explorer.exe
[7] 2008-01-19 . FFA764631CB70A30065C12EF8E174F9F . 2927104 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18000_none_51b4a71279bc6ebf\explorer.exe
[7] 2007-11-15 . 6D06CD98D954FE87FB2DB8108793B399 . 2923520 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16549_none_4fac29707cae347a\explorer.exe
[7] 2007-11-15 . BD06F0BF753BC704B653C3A50F89D362 . 2923520 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20668_none_501f261995dcf2cf\explorer.exe
[7] 2006-11-02 . FD8C53FB002217F6F888BCF6F5D7084D . 2923520 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16386_none_4f7de5167cd15deb\explorer.exe

[-] 2008-01-19 . 7A28767CEF683FE01195AE83D8655BC8 . 96768 . . [6.0.6000.16386] . . c:\windows\System32\wininit.exe
[7] 2008-01-19 . 101BA3EA053480BB5D957EF37C06B5ED . 96768 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6001.18000_none_30f2b8cf0450a6a2\wininit.exe
[7] 2006-11-02 . D4385B03E8CCCEE6F0EE249F827C1F3E . 95744 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6000.16386_none_2ebbf6d3076595ce\wininit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{ce18769b-c7fa-42d2-860d-17c4662c70ad}"= "c:\program files\Babylon-English\tbBaby.dll" [2010-06-14 2734688]

[HKEY_CLASSES_ROOT\clsid\{ce18769b-c7fa-42d2-860d-17c4662c70ad}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ce18769b-c7fa-42d2-860d-17c4662c70ad}]
2010-06-14 01:10 2734688 ----a-w- c:\program files\Babylon-English\tbBaby.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{ce18769b-c7fa-42d2-860d-17c4662c70ad}"= "c:\program files\Babylon-English\tbBaby.dll" [2010-06-14 2734688]

[HKEY_CLASSES_ROOT\clsid\{ce18769b-c7fa-42d2-860d-17c4662c70ad}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"cdloader"="c:\users\J C Markell\AppData\Roaming\mjusbsp\cdloader2.exe" [2010-12-03 50592]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-02 68856]
"Jing"="c:\program files\TechSmith\Jing\Jing.exe" [2010-08-19 3069192]
"FormAutoFill"="c:\program files\FormAutoFill\faf.exe" [BU]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2010-08-04 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CCUTRAYICON"="FactoryMode" [X]
"NMSSupport"="c:\program files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" [2007-04-06 439768]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"NapsterShell"="c:\program files\Napster\napster.exe" [BU]
"BigFix"="c:\program files\Bigfix\bigfix.exe" [BU]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-12-18 622592]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-07-19 65536]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-09-12 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-12 8497696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-12 81920]
"Print2PDF Print Monitor"="c:\program files\Software602\Print2PDF\Print2PDF.exe" [2010-01-04 86016]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [BU]

c:\users\J C Markell\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Digsby.lnk - c:\program files\Digsby\digsby.exe [2010-3-3 141488]
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-06-24 135664]
R2 IntelDHSvcConf;Intel DH Service;c:\program files\Intel\IntelDH\Intel Media Server\Tools\IntelDHSvcConf.exe [2007-04-06 36312]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [x]
R2 pr2ah4nb;DiRT Drivers Auto Removal (pr2ah4nb);c:\windows\system32\pr2ah4nb.exe svc [x]
R2 pr2ah4nc;DiRT Drivers Auto Removal (pr2ah4nc);c:\windows\system32\pr2ah4nc.exe svc [x]
R3 DHTRACE;Intel® DHTrace Controller;c:\program files\Common Files\Intel\IntelDH\bin\DHTraceController.exe [2007-04-06 39896]
R3 DQLWinService;DQLWinService;c:\program files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [2007-02-12 208896]
R3 klmd24;klmd24;c:\windows\system32\drivers\klmd.sys [x]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
R3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 2589184]
R3 NMSCore;Intel® NMSCore;c:\program files\Common Files\Intel\IntelDH\NMS\NMSCore\NMSCore.exe [2007-04-06 313816]
R3 QualityManager;Intel® Quality Manager;c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\qualitymanager.exe [2007-04-06 272856]
R3 RTL8187;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\DRIVERS\wg111v2.sys [2007-12-26 288768]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S0 pe3ah4nb;DiRT Environment Driver (pe3ah4nb);c:\windows\system32\drivers\pe3ah4nb.sys [2007-07-19 64616]
S0 pe3ah4nc;DiRT Environment Driver (pe3ah4nc);c:\windows\system32\drivers\pe3ah4nc.sys [2007-05-18 64880]
S0 ps6ah4nb;DiRT Synchronization Driver (ps6ah4nb);c:\windows\system32\drivers\ps6ah4nb.sys [2007-07-31 68224]
S0 ps6ah4nc;DiRT Synchronization Driver (ps6ah4nc);c:\windows\system32\drivers\ps6ah4nc.sys [2007-05-22 55168]
S0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);c:\windows\System32\drivers\sfsync03.sys [2006-07-11 42392]
S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [2010-09-27 374152]
S2 nmsunidr;UniDriver for NMS;c:\windows\system32\DRIVERS\nmsunidr.sys [2007-02-19 5376]
S2 XobniService;XobniService;c:\program files\Xobni\XobniService.exe [2010-03-16 55016]
S3 AVer88xHD;AVerMedia 23888 AvStream Video Capture;c:\windows\system32\drivers\AVer88xHD.sys [2007-04-09 401408]
S3 IntelDH;IntelDH Driver;c:\windows\system32\Drivers\IntelDH.sys [2007-06-05 5504]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2011-02-22 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-08-02 20:01]

2011-02-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-24 21:05]

2011-02-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-24 21:05]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GM5478
uInternet Settings,ProxyOverride = <local>
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
FF - ProfilePath - c:\users\J C Markell\AppData\Roaming\Mozilla\Firefox\Profiles\bss31gje.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.babylon.com/web/{searchTerms}?babsrc=browsersearch&AF=15000
FF - prefs.js: browser.search.selectedEngine - Search the web (Babylon)
FF - prefs.js: browser.search.selectedengine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-02-22 08:53:14
ComboFix-quarantined-files.txt 2011-02-22 14:53
ComboFix2.txt 2011-02-21 00:13
ComboFix3.txt 2011-02-20 18:03

Pre-Run: 263,516,614,656 bytes free
Post-Run: 262,430,449,664 bytes free

- - End Of File - - A369BDED8C9F86EC23859F2D4FF9B63E

I will await further instruction. Thank You for your help!
J.C.

#11 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 26 February 2011 - 02:45 PM

Thanks for that :)

* Open Notepad - don't use any text editor other than Notepad or the script will fail.
Copy/paste the text in the quote box below into Notepad:

Folder::
c:\programdata\gPgGkKf09000
FCOPY::
c:\windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6001.18000_none_30f2b8cf0450a6a2\wininit.exe | c:\windows\System32\wininit.exe
c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.22298_none_51e4f8c7931bd1e1\explorer.exe | c:\windows\explorer.exe
c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.22298_none_51e4f8c7931bd1e1\explorer.exe | c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6002.18005_none_53a0201e76de3a0b\explorer.exe


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.

After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.

tea

Edited by teacup61, 26 February 2011 - 02:46 PM.

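Why the FCOPY:: lines above point at those particular winsxs copies: the Sigcheck section of the log in reply #10 marks c:\windows\explorer.exe, c:\windows\System32\wininit.exe and one winsxs explorer.exe as [-], and each is restored from a [7] copy of the same file. The parser below is an added example, not ComboFix's or the thread's own code; the line layout and the reading of [-] as failed and [7] as verified are inferred from that log, and the selection rule (same size and date first, else the newest verified copy) is this example's assumption, which reproduces the helper's choice.

```python
"""Derive ComboFix FCOPY:: repair lines from the Sigcheck section of its log.
Added example, not ComboFix's code; the [-]=failed / [7]=verified reading and
the line layout are inferred from the log posted in reply #10."""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample input: Sigcheck lines copied from the log in reply #10.
SIGCHECK_SAMPLE = r"""
[-] 2009-04-11 06:27 . 10829FCDE2D0532C7F388C5E572DBFBC . 2926592 . . [------] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6002.18005_none_53a0201e76de3a0b\explorer.exe
[-] 2008-10-30 . 54C5430E70FECF8C26CDCBCDE216EF94 . 2927616 . . [6.0.6000.16386] . . c:\windows\explorer.exe
[7] 2008-10-30 . 50BA5850147410CDE89C523AD3BC606E . 2927616 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.22298_none_51e4f8c7931bd1e1\explorer.exe
[7] 2008-10-29 . 4F554999D7D5F05DAAEBBA7B5BA1089D . 2927104 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18164_none_5177ca9879e978e8\explorer.exe
[7] 2008-01-19 . FFA764631CB70A30065C12EF8E174F9F . 2927104 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18000_none_51b4a71279bc6ebf\explorer.exe

[-] 2008-01-19 . 7A28767CEF683FE01195AE83D8655BC8 . 96768 . . [6.0.6000.16386] . . c:\windows\System32\wininit.exe
[7] 2008-01-19 . 101BA3EA053480BB5D957EF37C06B5ED . 96768 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6001.18000_none_30f2b8cf0450a6a2\wininit.exe
[7] 2006-11-02 . D4385B03E8CCCEE6F0EE249F827C1F3E . 95744 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6000.16386_none_2ebbf6d3076595ce\wininit.exe
"""

# One Sigcheck line: [status] date [time] . MD5 . size . . [version] . . path
SIGCHECK_LINE = re.compile(
    r"^\[(?P<status>[^\]]+)\]\s+(?P<date>\d{4}-\d{2}-\d{2})(?:\s+\d{2}:\d{2})?\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$"
)


@dataclass(frozen=True)
class SigEntry:
    status: str   # "-" failed the check, "7" verified (reading inferred from the log)
    date: str     # YYYY-MM-DD as printed by ComboFix
    md5: str
    size: int
    version: str
    path: str

    @property
    def name(self) -> str:
        return PureWindowsPath(self.path).name.lower()

    @property
    def in_winsxs(self) -> bool:
        return "\\winsxs\\" in self.path.lower()


def parse_sigcheck(text: str) -> list[SigEntry]:
    """One SigEntry per well-formed Sigcheck line; blank and other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_LINE.match(line.strip())
        if m:
            entries.append(SigEntry(m["status"], m["date"], m["md5"],
                                    int(m["size"]), m["version"], m["path"]))
    return entries


def failed_entries(entries: list[SigEntry]) -> list[SigEntry]:
    """Files ComboFix flagged [-]; in this thread, the copies Bamital patched in place."""
    return [e for e in entries if e.status == "-"]


def pick_clean_source(bad: SigEntry, entries: list[SigEntry]) -> SigEntry | None:
    """Verified winsxs copy to restore `bad` from (this example's rule, reproducing the
    helper's choice): a [7] copy with the same size and date, i.e. the build that was
    patched in place; otherwise the newest verified copy."""
    candidates = [e for e in entries
                  if e.status == "7" and e.in_winsxs and e.name == bad.name
                  and e.path.lower() != bad.path.lower()]
    if not candidates:
        return None
    twins = [e for e in candidates if e.size == bad.size and e.date == bad.date]
    if twins:
        return twins[0]
    return max(candidates, key=lambda e: e.date)   # ISO dates sort as strings


def propose_fcopy(entries: list[SigEntry]) -> list[tuple[str, str]]:
    """(source, destination) pairs for a ComboFix FCOPY:: section."""
    pairs = []
    for bad in failed_entries(entries):
        src = pick_clean_source(bad, entries)
        if src is not None:
            pairs.append((src.path, bad.path))
    return pairs


def render_cfscript(pairs: list[tuple[str, str]]) -> str:
    """Format the pairs the way the FCOPY:: block in the helper's CFScript is written."""
    return "FCOPY::\n" + "\n".join(f"{src} | {dst}" for src, dst in pairs)


if __name__ == "__main__":
    found = parse_sigcheck(SIGCHECK_SAMPLE)
    for bad in failed_entries(found):
        print(f"FAILED {bad.path}  md5={bad.md5} size={bad.size} date={bad.date}")
    print(render_cfscript(propose_fcopy(found)))
```

Running it prints the three [-] files and an FCOPY:: block naming the same source copies as the script above; the rendered text is only a proposal to read against the log, not something to run blind.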

#12 Jay-C

Jay-C
  • Topic Starter

  • Members
  • 16 posts

Posted 27 February 2011 - 09:11 AM

Teacup,

Followed the above instructions as specified. CF did find another update; I allowed it to do so. CF ran as expected, and when finished I did another PC restart and some Google searches from Firefox. On the 2nd search attempt, Google redirected me as usual. Virus still active. Here is the CF log:

ComboFix 11-02-26.01 - J C Markell 02/27/2011 7:37.3.4 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2029.1370 [GMT -6:00]
Running from: c:\users\J C Markell\Desktop\ComboFix.exe
Command switches used :: c:\users\J C Markell\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\gPgGkKf09000
c:\programdata\gPgGkKf09000\gPgGkKf09000

c:\windows\explorer.exe . . . is infected!!

.
--------------- FCopy ---------------

c:\windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6001.18000_none_30f2b8cf0450a6a2\wininit.exe --> c:\windows\System32\wininit.exe
c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.22298_none_51e4f8c7931bd1e1\explorer.exe --> c:\windows\explorer.exe
.
((((((((((((((((((((((((( Files Created from 2011-01-27 to 2011-02-27 )))))))))))))))))))))))))))))))
.

2011-02-27 13:52 . 2011-02-27 13:52 -------- d-----w- c:\users\J C Markell\AppData\Local\temp
2011-02-27 13:52 . 2011-02-27 13:52 -------- d-----w- c:\users\IUSR_NMPR\AppData\Local\temp
2011-02-27 13:52 . 2011-02-27 13:52 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-02-27 13:52 . 2011-02-27 13:52 -------- d-----w- c:\users\dave\AppData\Local\temp
2011-02-25 19:08 . 2011-02-25 21:57 -------- d-----w- c:\users\J C Markell\Playlist
2011-02-25 13:06 . 2011-02-11 06:54 5943120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{710D1740-87D1-4973-8976-4AE053256C48}\mpengine.dll
2011-02-21 20:54 . 2011-02-24 02:46 -------- d-----w- c:\program files\Color Style Studio
2011-02-20 18:03 . 2011-02-20 18:03 -------- d-----w- c:\users\J C Markell\AppData\Local\Temp(5)
2011-02-17 15:03 . 2011-02-17 15:03 -------- d-----w- c:\program files\Conduit
2011-02-17 15:03 . 2011-02-17 15:03 -------- d-----w- c:\program files\Babylon-English
2011-02-17 15:03 . 2011-02-17 15:03 -------- d-----w- c:\program files\Babylon
2011-02-14 20:07 . 2011-02-14 20:07 -------- d-----w- c:\programdata\NVIDIA Corporation
2011-02-14 20:07 . 2011-02-14 20:08 -------- d-----w- c:\program files\NVIDIA Corporation
2011-02-10 21:08 . 2011-02-10 23:34 -------- d-----w- C:\e1e74427d58f4208e6ea
2011-02-08 16:08 . 2011-02-08 18:24 -------- d-----w- C:\ea3921d35ee011167bba99
2011-02-08 15:40 . 2011-02-16 16:35 -------- d-----w- c:\program files\Microsoft Security Client
2011-02-08 15:39 . 2011-02-08 17:54 -------- d-----w- C:\eb449fca9fe1e593466462d1

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-02 23:11 . 2010-06-24 18:20 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-12-28 15:55 . 2011-01-12 09:28 413696 ----a-w- c:\windows\system32\odbc32.dll
2010-12-21 00:09 . 2010-06-25 20:21 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-21 00:08 . 2010-06-25 20:21 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-14 14:49 . 2011-01-12 09:28 1169408 ----a-w- c:\windows\system32\sdclt.exe
.

------- Sigcheck -------

[-] 2008-10-30 . 54C5430E70FECF8C26CDCBCDE216EF94 . 2927616 . . [6.0.6000.16386] . . c:\windows\explorer.exe
[7] 2008-10-30 . 50BA5850147410CDE89C523AD3BC606E . 2927616 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.22298_none_51e4f8c7931bd1e1\explorer.exe
[7] 2008-10-29 . 4F554999D7D5F05DAAEBBA7B5BA1089D . 2927104 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18164_none_5177ca9879e978e8\explorer.exe
[7] 2008-10-29 . 37440D09DEAE0B672A04DCCF7ABF06BE . 2923520 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16771_none_4f83bb287ccdb7e3\explorer.exe
[7] 2008-10-28 . E7156B0B74762D9DE0E66BDCDE06E5FB . 2923520 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20947_none_5033cb5995cd990b\explorer.exe
[7] 2008-01-19 . FFA764631CB70A30065C12EF8E174F9F . 2927104 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18000_none_51b4a71279bc6ebf\explorer.exe
[7] 2007-11-15 . 6D06CD98D954FE87FB2DB8108793B399 . 2923520 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16549_none_4fac29707cae347a\explorer.exe
[7] 2007-11-15 . BD06F0BF753BC704B653C3A50F89D362 . 2923520 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20668_none_501f261995dcf2cf\explorer.exe
[7] 2006-11-02 . FD8C53FB002217F6F888BCF6F5D7084D . 2923520 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16386_none_4f7de5167cd15deb\explorer.exe

[-] 2008-01-19 . 7A28767CEF683FE01195AE83D8655BC8 . 96768 . . [6.0.6000.16386] . . c:\windows\System32\wininit.exe
[7] 2008-01-19 . 101BA3EA053480BB5D957EF37C06B5ED . 96768 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6001.18000_none_30f2b8cf0450a6a2\wininit.exe
[7] 2006-11-02 . D4385B03E8CCCEE6F0EE249F827C1F3E . 95744 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6000.16386_none_2ebbf6d3076595ce\wininit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{ce18769b-c7fa-42d2-860d-17c4662c70ad}"= "c:\program files\Babylon-English\tbBaby.dll" [2010-06-14 2734688]

[HKEY_CLASSES_ROOT\clsid\{ce18769b-c7fa-42d2-860d-17c4662c70ad}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ce18769b-c7fa-42d2-860d-17c4662c70ad}]
2010-06-14 01:10 2734688 ----a-w- c:\program files\Babylon-English\tbBaby.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{ce18769b-c7fa-42d2-860d-17c4662c70ad}"= "c:\program files\Babylon-English\tbBaby.dll" [2010-06-14 2734688]

[HKEY_CLASSES_ROOT\clsid\{ce18769b-c7fa-42d2-860d-17c4662c70ad}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"cdloader"="c:\users\J C Markell\AppData\Roaming\mjusbsp\cdloader2.exe" [2010-12-03 50592]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-02 68856]
"Jing"="c:\program files\TechSmith\Jing\Jing.exe" [2010-08-19 3069192]
"FormAutoFill"="c:\program files\FormAutoFill\faf.exe" [BU]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2010-08-04 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CCUTRAYICON"="FactoryMode" [X]
"NMSSupport"="c:\program files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" [2007-04-06 439768]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"NapsterShell"="c:\program files\Napster\napster.exe" [BU]
"BigFix"="c:\program files\Bigfix\bigfix.exe" [BU]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-12-18 622592]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-07-19 65536]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-09-12 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-12 8497696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-12 81920]
"Print2PDF Print Monitor"="c:\program files\Software602\Print2PDF\Print2PDF.exe" [2010-01-04 86016]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [BU]

c:\users\J C Markell\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Digsby.lnk - c:\program files\Digsby\digsby.exe [2010-3-3 141488]
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-06-24 135664]
R2 IntelDHSvcConf;Intel DH Service;c:\program files\Intel\IntelDH\Intel Media Server\Tools\IntelDHSvcConf.exe [2007-04-06 36312]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [x]
R3 DHTRACE;Intel® DHTrace Controller;c:\program files\Common Files\Intel\IntelDH\bin\DHTraceController.exe [2007-04-06 39896]
R3 DQLWinService;DQLWinService;c:\program files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [2007-02-12 208896]
R3 klmd24;klmd24;c:\windows\system32\drivers\klmd.sys [x]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
R3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 2589184]
R3 NMSCore;Intel® NMSCore;c:\program files\Common Files\Intel\IntelDH\NMS\NMSCore\NMSCore.exe [2007-04-06 313816]
R3 QualityManager;Intel® Quality Manager;c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\qualitymanager.exe [2007-04-06 272856]
R3 RTL8187;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\DRIVERS\wg111v2.sys [2007-12-26 288768]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);c:\windows\System32\drivers\sfsync03.sys [2006-07-11 42392]
S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [2010-09-27 374152]
S2 nmsunidr;UniDriver for NMS;c:\windows\system32\DRIVERS\nmsunidr.sys [2007-02-19 5376]
S2 XobniService;XobniService;c:\program files\Xobni\XobniService.exe [2010-03-16 55016]
S3 AVer88xHD;AVerMedia 23888 AvStream Video Capture;c:\windows\system32\drivers\AVer88xHD.sys [2007-04-09 401408]
S3 IntelDH;IntelDH Driver;c:\windows\system32\Drivers\IntelDH.sys [2007-06-05 5504]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2011-02-27 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-08-02 20:01]

2011-02-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-24 21:05]

2011-02-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-24 21:05]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GM5478
uInternet Settings,ProxyOverride = <local>
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
FF - ProfilePath - c:\users\J C Markell\AppData\Roaming\Mozilla\Firefox\Profiles\bss31gje.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.babylon.com/web/{searchTerms}?babsrc=browsersearch&AF=15000
FF - prefs.js: browser.search.selectedEngine - Search the web (Babylon)
FF - prefs.js: browser.search.selectedengine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-27 07:52
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-02-27 07:54:06
ComboFix-quarantined-files.txt 2011-02-27 13:54
ComboFix2.txt 2011-02-22 14:53
ComboFix3.txt 2011-02-21 00:13
ComboFix4.txt 2011-02-20 18:03

Pre-Run: 340,715,044,864 bytes free
Post-Run: 340,674,834,432 bytes free

- - End Of File - - 6AA75F46FF79D8543F514C5E006B5FC2

I will await further instruction. Thank You for staying after this with me!

Jay-C.

#13 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 02 March 2011 - 04:15 PM

HHmmmm.......

There is no sign *in ComboFix* of a rootkit. Please do this for me:

Uninstall ComboFix by doing the following:

Click Start>Run>Type in, or copy and paste ComboFix /Uninstall > click OK

When you do this, be sure to reboot after. ComboFix does a little cleaning as it uninstalls, and I want to get rid of the temp things I see in the report. If the redirects are still there after a reboot, then please download a new ComboFix and run it so I can see if there's anything new.

Do you use the Babylon Search?

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#14 Jay-C

Jay-C
  • Topic Starter

  • Members
  • 16 posts

Posted 02 March 2011 - 05:52 PM

Teacup,

No, I do not need or use Babylon. I did as you specified and uninstalled ComboFix: the redirect problem is still there.

Redownloaded and ran ComboFix again; however, when CF did its auto reboot, Windows failed to start and recommended I do a system restore. I did. I could not get the log from that CF run as it had not yet been generated.

So I tried to run CF again; this time it wanted to update itself and so I allowed it to do so. The second run went as expected and I did an additional reboot after the CF log was generated. The problem certainly seems to be better. I clicked on 20 different sites and was successful 17 times and only redirected 3 times. Up until today I would say those numbers would be reversed as an average.

Here is the ComboFix log you requested:

ComboFix 11-03-02.01 - J C Markell 03/02/2011 16:17:46.4.4 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2029.1215 [GMT -6:00]
Running from: c:\users\J C Markell\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.22298_none_51e4f8c7931bd1e1\explorer.exe

.
((((((((((((((((((((((((( Files Created from 2011-02-02 to 2011-03-02 )))))))))))))))))))))))))))))))
.

2011-03-02 22:26 . 2011-03-02 22:28 -------- d-----w- c:\users\J C Markell\AppData\Local\temp
2011-03-02 22:26 . 2011-03-02 22:26 -------- d-----w- c:\users\IUSR_NMPR\AppData\Local\temp
2011-03-02 22:26 . 2011-03-02 22:26 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-03-02 22:26 . 2011-03-02 22:26 -------- d-----w- c:\users\dave\AppData\Local\temp
2011-03-01 18:53 . 2011-02-11 06:54 5943120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{B64E543D-E39A-4616-BC33-139555777F5E}\mpengine.dll
2011-02-25 19:08 . 2011-02-25 21:57 -------- d-----w- c:\users\J C Markell\Playlist
2011-02-21 20:54 . 2011-02-28 15:28 -------- d-----w- c:\program files\Color Style Studio
2011-02-20 18:03 . 2011-02-20 18:03 -------- d-----w- c:\users\J C Markell\AppData\Local\Temp(5)
2011-02-17 15:03 . 2011-02-17 15:03 -------- d-----w- c:\program files\Conduit
2011-02-17 15:03 . 2011-02-17 15:03 -------- d-----w- c:\program files\Babylon-English
2011-02-17 15:03 . 2011-02-17 15:03 -------- d-----w- c:\program files\Babylon
2011-02-14 20:07 . 2011-02-14 20:07 -------- d-----w- c:\programdata\NVIDIA Corporation
2011-02-14 20:07 . 2011-02-14 20:08 -------- d-----w- c:\program files\NVIDIA Corporation
2011-02-10 21:08 . 2011-02-10 23:34 -------- d-----w- C:\e1e74427d58f4208e6ea
2011-02-08 16:08 . 2011-02-08 18:24 -------- d-----w- C:\ea3921d35ee011167bba99
2011-02-08 15:40 . 2011-02-16 16:35 -------- d-----w- c:\program files\Microsoft Security Client
2011-02-08 15:39 . 2011-02-08 17:54 -------- d-----w- C:\eb449fca9fe1e593466462d1

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-02 23:11 . 2010-06-24 18:20 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-12-28 15:55 . 2011-01-12 09:28 413696 ----a-w- c:\windows\system32\odbc32.dll
2010-12-21 00:09 . 2010-06-25 20:21 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-21 00:08 . 2010-06-25 20:21 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-14 14:49 . 2011-01-12 09:28 1169408 ----a-w- c:\windows\system32\sdclt.exe
.

------- Sigcheck -------

[-] 2008-10-30 . 54C5430E70FECF8C26CDCBCDE216EF94 . 2927616 . . [6.0.6000.16386] . . c:\windows\explorer.exe
[7] 2008-10-30 . 50BA5850147410CDE89C523AD3BC606E . 2927616 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.22298_none_51e4f8c7931bd1e1\explorer.exe
[7] 2008-10-29 . 4F554999D7D5F05DAAEBBA7B5BA1089D . 2927104 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18164_none_5177ca9879e978e8\explorer.exe
[7] 2008-10-29 . 37440D09DEAE0B672A04DCCF7ABF06BE . 2923520 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16771_none_4f83bb287ccdb7e3\explorer.exe
[7] 2008-10-28 . E7156B0B74762D9DE0E66BDCDE06E5FB . 2923520 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20947_none_5033cb5995cd990b\explorer.exe
[7] 2008-01-19 . FFA764631CB70A30065C12EF8E174F9F . 2927104 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18000_none_51b4a71279bc6ebf\explorer.exe
[7] 2007-11-15 . 6D06CD98D954FE87FB2DB8108793B399 . 2923520 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16549_none_4fac29707cae347a\explorer.exe
[7] 2007-11-15 . BD06F0BF753BC704B653C3A50F89D362 . 2923520 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20668_none_501f261995dcf2cf\explorer.exe
[7] 2006-11-02 . FD8C53FB002217F6F888BCF6F5D7084D . 2923520 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16386_none_4f7de5167cd15deb\explorer.exe

[-] 2008-01-19 . 7A28767CEF683FE01195AE83D8655BC8 . 96768 . . [6.0.6000.16386] . . c:\windows\System32\wininit.exe
[7] 2008-01-19 . 101BA3EA053480BB5D957EF37C06B5ED . 96768 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6001.18000_none_30f2b8cf0450a6a2\wininit.exe
[7] 2006-11-02 . D4385B03E8CCCEE6F0EE249F827C1F3E . 95744 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6000.16386_none_2ebbf6d3076595ce\wininit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{ce18769b-c7fa-42d2-860d-17c4662c70ad}"= "c:\program files\Babylon-English\tbBaby.dll" [2010-06-14 2734688]

[HKEY_CLASSES_ROOT\clsid\{ce18769b-c7fa-42d2-860d-17c4662c70ad}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ce18769b-c7fa-42d2-860d-17c4662c70ad}]
2010-06-14 01:10 2734688 ----a-w- c:\program files\Babylon-English\tbBaby.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{ce18769b-c7fa-42d2-860d-17c4662c70ad}"= "c:\program files\Babylon-English\tbBaby.dll" [2010-06-14 2734688]

[HKEY_CLASSES_ROOT\clsid\{ce18769b-c7fa-42d2-860d-17c4662c70ad}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"cdloader"="c:\users\J C Markell\AppData\Roaming\mjusbsp\cdloader2.exe" [2010-12-03 50592]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-02 68856]
"Jing"="c:\program files\TechSmith\Jing\Jing.exe" [2010-08-19 3069192]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2010-08-04 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CCUTRAYICON"="FactoryMode" [X]
"NMSSupport"="c:\program files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" [2007-04-06 439768]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-12-18 622592]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-07-19 65536]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-09-12 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-12 8497696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-12 81920]
"Print2PDF Print Monitor"="c:\program files\Software602\Print2PDF\Print2PDF.exe" [2010-01-04 86016]

c:\users\J C Markell\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Digsby.lnk - c:\program files\Digsby\digsby.exe [2010-3-3 141488]
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-06-24 135664]
R2 IntelDHSvcConf;Intel DH Service;c:\program files\Intel\IntelDH\Intel Media Server\Tools\IntelDHSvcConf.exe [2007-04-06 36312]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [x]
R3 DHTRACE;Intel® DHTrace Controller;c:\program files\Common Files\Intel\IntelDH\bin\DHTraceController.exe [2007-04-06 39896]
R3 DQLWinService;DQLWinService;c:\program files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [2007-02-12 208896]
R3 klmd24;klmd24;c:\windows\system32\drivers\klmd.sys [x]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
R3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 2589184]
R3 NMSCore;Intel® NMSCore;c:\program files\Common Files\Intel\IntelDH\NMS\NMSCore\NMSCore.exe [2007-04-06 313816]
R3 QualityManager;Intel® Quality Manager;c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\qualitymanager.exe [2007-04-06 272856]
R3 RTL8187;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\DRIVERS\wg111v2.sys [2007-12-26 288768]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);c:\windows\System32\drivers\sfsync03.sys [2006-07-11 42392]
S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [2010-09-27 374152]
S2 nmsunidr;UniDriver for NMS;c:\windows\system32\DRIVERS\nmsunidr.sys [2007-02-19 5376]
S2 XobniService;XobniService;c:\program files\Xobni\XobniService.exe [2010-03-16 55016]
S3 AVer88xHD;AVerMedia 23888 AvStream Video Capture;c:\windows\system32\drivers\AVer88xHD.sys [2007-04-09 401408]
S3 IntelDH;IntelDH Driver;c:\windows\system32\Drivers\IntelDH.sys [2007-06-05 5504]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2011-03-02 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-08-02 20:01]

2011-03-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-24 21:05]

2011-03-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-24 21:05]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GM5478
uInternet Settings,ProxyOverride = <local>
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
FF - ProfilePath - c:\users\J C Markell\AppData\Roaming\Mozilla\Firefox\Profiles\bss31gje.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.babylon.com/web/{searchTerms}?babsrc=browsersearch&AF=15000
FF - prefs.js: browser.search.selectedEngine - Search the web (Babylon)
FF - prefs.js: browser.search.selectedengine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-FormAutoFill - c:\program files\FormAutoFill\faf.exe
HKLM-Run-NapsterShell - c:\program files\Napster\napster.exe
HKLM-Run-BigFix - c:\program files\Bigfix\bigfix.exe
HKLM-Run-LogMeIn GUI - c:\program files\LogMeIn\x86\LogMeInSystray.exe
SafeBoot-klmd24.sys
AddRemove-{D8768524-DE8D-40D3-904B-B1FCC31CF9F9} - c:\program files\InstallShield Installation Information\{D8768524-DE8D-40D3-904B-B1FCC31CF9F9}\setup.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-02 16:28
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\WUDFHost.exe
c:\program files\Brother\ControlCenter3\brccMCtl.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\rundll32.exe
c:\windows\ehome\ehmsas.exe
c:\windows\ehome\ehsched.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\windows\ehome\ehRecvr.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2011-03-02 16:34:40 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-02 22:34

Pre-Run: 328,531,136,512 bytes free
Post-Run: 328,473,698,304 bytes free

- - End Of File - - F184429E42718C99CB195EA8A43F6E87

Thanks Again I will await your advice,
Jay-C
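The Sigcheck section of the log above is the one part of a ComboFix report that a defender can reason about mechanically: two live system binaries (explorer.exe and wininit.exe) carry the [-] prefix, while every winsxs copy carries [7], and the "Restored copy from" line shows ComboFix picked the 6.0.6001.22298 winsxs explorer.exe. The parser below is an added example, not code from this thread or from ComboFix; it assumes that [-] means "could not be verified" and pairs each such file with verified copies of the same name and byte size whose MD5 differs, which reproduces ComboFix's restore choice for both files. The sample lines are copied from the log above.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List

# Sample input: the twelve Sigcheck lines copied from the ComboFix log above.
SIGCHECK_SAMPLE = r"""
[-] 2008-10-30 . 54C5430E70FECF8C26CDCBCDE216EF94 . 2927616 . . [6.0.6000.16386] . . c:\windows\explorer.exe
[7] 2008-10-30 . 50BA5850147410CDE89C523AD3BC606E . 2927616 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.22298_none_51e4f8c7931bd1e1\explorer.exe
[7] 2008-10-29 . 4F554999D7D5F05DAAEBBA7B5BA1089D . 2927104 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18164_none_5177ca9879e978e8\explorer.exe
[7] 2008-10-29 . 37440D09DEAE0B672A04DCCF7ABF06BE . 2923520 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16771_none_4f83bb287ccdb7e3\explorer.exe
[7] 2008-10-28 . E7156B0B74762D9DE0E66BDCDE06E5FB . 2923520 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20947_none_5033cb5995cd990b\explorer.exe
[7] 2008-01-19 . FFA764631CB70A30065C12EF8E174F9F . 2927104 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18000_none_51b4a71279bc6ebf\explorer.exe
[7] 2007-11-15 . 6D06CD98D954FE87FB2DB8108793B399 . 2923520 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16549_none_4fac29707cae347a\explorer.exe
[7] 2007-11-15 . BD06F0BF753BC704B653C3A50F89D362 . 2923520 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20668_none_501f261995dcf2cf\explorer.exe
[7] 2006-11-02 . FD8C53FB002217F6F888BCF6F5D7084D . 2923520 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16386_none_4f7de5167cd15deb\explorer.exe

[-] 2008-01-19 . 7A28767CEF683FE01195AE83D8655BC8 . 96768 . . [6.0.6000.16386] . . c:\windows\System32\wininit.exe
[7] 2008-01-19 . 101BA3EA053480BB5D957EF37C06B5ED . 96768 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6001.18000_none_30f2b8cf0450a6a2\wininit.exe
[7] 2006-11-02 . D4385B03E8CCCEE6F0EE249F827C1F3E . 95744 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6000.16386_none_2ebbf6d3076595ce\wininit.exe
"""

# Entry layout as it appears in the log:  [flag] date . MD5 . size . . [version] . . path
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]+)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]+)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$"
)

@dataclass(frozen=True)
class SigcheckEntry:
    flag: str
    date: str
    md5: str
    size: int
    version: str
    path: str

    @property
    def name(self) -> str:
        # Compare on the bare file name so the live explorer.exe matches its winsxs copies.
        return PureWindowsPath(self.path).name.lower()

    @property
    def verified(self) -> bool:
        # Assumption: ComboFix prefixes entries it could not verify with [-].
        return self.flag != "-"

def parse_sigcheck(text: str) -> List[SigcheckEntry]:
    """Parse Sigcheck lines, skipping blank lines and anything that does not match."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            entries.append(SigcheckEntry(m["flag"], m["date"], m["md5"],
                                         int(m["size"]), m["version"], m["path"]))
    return entries

def find_restore_candidates(entries: List[SigcheckEntry]) -> Dict[str, List[str]]:
    """For each unverified file, list verified copies with the same name and byte
    size but a different MD5. A binary patched in place keeps its size, so the
    size match narrows the winsxs copies to the one the log says was restored."""
    verified_by_name = defaultdict(list)
    for e in entries:
        if e.verified:
            verified_by_name[e.name].append(e)
    candidates = {}
    for e in entries:
        if not e.verified:
            candidates[e.path] = [c.path for c in verified_by_name[e.name]
                                  if c.size == e.size and c.md5 != e.md5]
    return candidates
```

Run on the sample, the two unverified paths each map to exactly one winsxs copy; a [-] entry with no same-size verified copy would map to an empty list, which is the case where a manual restore source has to be chosen.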

#15 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 02 March 2011 - 07:35 PM

Hi there,

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

KILLALL::
REGLOCKDEL::
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}]



Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: CFScript being dragged onto ComboFix.exe]

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Thanks,
tea

Edited by teacup61, 02 March 2011 - 07:35 PM.
