
Google Redirect, Windows Update issue along with installation problems with ComboFix


This topic is locked
28 replies to this topic

#1 svuser

svuser

  • Members
  • 14 posts
  • OFFLINE
  • Local time:02:16 PM

Posted 15 April 2011 - 12:58 AM

Hi,
My Operating System is Windows Vista SP2. I am having several issues with my computer although it seems to be working okay speed wise. I think all the issues may be related.

1. Google search links are getting redirected (Very very annoying)
2. Windows Update isn't working (error code 80073EFE)
3. IE stopped working a couple of days back (noticed problem #2 trying to get IE updates to stop IE crashes)

So I googled on a different computer and saw recommendations of Malwarebytes (MBAM), GMER and ComboFix. MBAM identified and fixed about 25 infected files. GMER identified a TDL4 (not sure what that means). Anyway, the next step was to install ComboFix, but every time I try to install it, I get a blue screen and the computer reboots. I disabled all antivirus, firewalls etc. and also closed all browsers, then clicked on the ComboFix exe and am still having the same blue screen of death issues.

Please advise.
Thanks


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:16 PM

Posted 22 April 2011 - 08:04 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please Do not Attach logs or put in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.


We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.


In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

  • Please download DeFogger to your desktop.
  • Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine, if it does - click OK
Do not re-enable these drivers until otherwise instructed.

Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:


    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.

    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply





Scan With RKUnHooker

  • Please Download Rootkit Unhooker Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note: you may get this warning; it is ok, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


"just click on Cancel, then Accept".


information and logs:

  • In your next post I need the following

  • logs from DDS
  • log from RKUnHooker
  • let me know of any problems you may have had

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 svuser

svuser
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:02:16 PM

Posted 24 April 2011 - 10:01 PM

Hi Gringo_pr,
Thanks for the reply. After I posted on this forum about my problem, I searched some of the other questions on this forum and came across another one that had similar problem and was able to implement solutions suggested there. Now I am able to run combofix. Google links are not getting redirected and windows updates have no trouble either.
But the thing is my IE (8) is still not responding. It worked well for about 2 min after I ran ComboFix, but went back to being slow. I then did a check disk and IE worked well until I rebooted the machine, and now it isn't working again. Any idea if this is related to my other issues?

Thanks once again for your help.

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:16 PM

Posted 24 April 2011 - 10:05 PM

Hello

I would like to see the report from the last time ComboFix was run.

ComboFix report

  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" button)
  • please copy and paste the following into the box:
    C:\ComboFix.txt
  • click OK

copy and paste the report into this topic for me to review

Gringo

#5 svuser

svuser
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:02:16 PM

Posted 25 April 2011 - 10:44 AM

Thanks Gringo,
I just ran Combofix and here's the log.


ComboFix 11-04-18.04 - surya 04/25/2011 10:11:31.5.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2974.1709 [GMT -5:00]
Running from: c:\users\surya\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
- REDUCED FUNCTIONALITY MODE -
.
.
((((((((((((((((((((((((( Files Created from 2011-03-25 to 2011-04-25 )))))))))))))))))))))))))))))))
.
.
2011-04-25 15:13 . 2011-04-25 15:13 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2011-04-25 15:13 . 2011-04-25 15:13 -------- d-----w- c:\users\hpuser\AppData\Local\temp
2011-04-25 15:13 . 2011-04-25 15:13 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-04-25 02:08 . 2009-08-20 05:50 22872 ----a-r- c:\windows\system32\AdobePDFUI.dll
2011-04-20 17:14 . 2011-04-20 17:14 -------- d-----w- c:\program files\SecurityXploded
2011-04-19 21:47 . 2011-04-19 21:47 -------- d-----w- C:\$RECYCLE(30).BIN
2011-04-19 03:07 . 2011-04-19 03:09 -------- d-----w- C:\WINSSLog
2011-04-16 16:11 . 2011-04-16 16:11 -------- d-----w- c:\program files\ESET
2011-04-16 06:11 . 2011-03-03 13:25 2041856 ----a-w- c:\windows\system32\win32k.sys
2011-04-16 06:11 . 2011-03-03 15:42 739328 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-16 06:11 . 2011-02-17 06:23 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-04-16 04:01 . 2011-04-25 15:14 -------- d-----w- c:\users\surya\AppData\Local\temp
2011-04-14 21:57 . 2011-04-14 21:57 -------- d-----w- C:\_OTM
2011-04-14 21:55 . 2011-04-14 21:56 389671928 ----a-w- C:\regback.reg
2011-04-13 20:23 . 2011-04-13 20:23 -------- d-----w- c:\users\surya\AppData\Roaming\Malwarebytes
2011-04-13 20:23 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-13 20:23 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-13 20:23 . 2011-04-14 02:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-13 03:12 . 2011-04-19 05:24 -------- d-----w- c:\program files\Microsoft Security Client
2011-04-13 03:12 . 2010-04-05 20:00 221568 ----a-w- c:\windows\system32\drivers\netio.sys
2011-04-10 18:49 . 2011-04-10 18:49 -------- d-----w- c:\program files\Yontoo Layers Client
2011-04-07 07:06 . 2011-04-19 21:18 -------- d-----w- C:\QUARANTINE
2011-04-07 00:26 . 2011-04-07 00:26 -------- d-----w- C:\found.000
2011-04-06 23:52 . 2008-09-29 13:07 90360 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-04-06 23:52 . 2008-09-29 13:07 74648 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2011-04-06 23:52 . 2008-09-29 13:07 64432 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-04-06 23:52 . 2008-09-29 13:07 42424 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-04-06 23:52 . 2008-09-29 13:07 67904 ----a-w- c:\windows\system32\mfevtps.exe
2011-04-06 23:52 . 2008-09-29 13:07 62704 ----a-w- c:\windows\system32\drivers\mfetdik.sys
2011-04-06 23:52 . 2008-09-29 13:07 340592 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-04-06 23:50 . 2011-04-06 23:50 -------- d-----w- c:\program files\Common Files\Cisco Systems
2011-04-06 23:50 . 2011-04-06 23:50 -------- d-----w- c:\program files\McAfee
2011-04-06 23:50 . 2011-04-06 23:50 -------- d-----w- c:\program files\Common Files\McAfee
2011-04-04 22:06 . 2011-04-04 22:06 0 ----a-w- c:\windows\system32\config\systemprofile\AppData\Local\Pgevarezatecuxis.bin
2011-04-04 22:06 . 2011-04-04 22:06 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\{F68540C8-6961-4F61-9FC0-729F07B53AE9}
2011-04-04 03:45 . 2011-04-04 03:46 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\Adobe
2011-04-03 23:50 . 2011-04-03 23:50 -------- d-----w- c:\windows\Sun
2011-03-27 04:56 . 2011-03-27 04:56 -------- d-----w- c:\users\surya\AppData\Roaming\RunningPillow
2011-03-27 04:55 . 2011-03-27 04:55 -------- d-----w- c:\program files\KingsSmith2
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-22 14:13 . 2011-03-23 15:36 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-02-22 13:33 . 2011-03-23 15:36 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-02-22 13:33 . 2011-03-23 15:36 797696 ----a-w- c:\windows\system32\FntCache.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-12 39408]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-04-16 178712]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-12-24 222504]
"DpAgent"="c:\program files\DigitalPersona\Bin\dpagent.exe" [2008-03-13 699456]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2008-04-24 468264]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-03-14 202032]
"OnScreenDisplay"="c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2007-11-02 554288]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-06-02 80896]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-11-20 488752]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-10-29 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-10-29 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-10-29 154136]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-07-22 458844]
"TkBellExe"="c:\program files\Real\RealPlayer\Update\realsched.exe" [2011-03-19 273544]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2008-03-14 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-09-29 124240]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
.
c:\users\surya\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
WkCalRem.LNK - c:\program files\Microsoft Works\WkCalRem.exe [2007-6-21 46432]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Users^surya^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\surya\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2010-09-22 23:11 640440 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2011-01-31 06:36 38840 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-31 08:44 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2009-03-11 18:54 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0ENQBO]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2010-07-13 20:10 47904 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cdloader]
2008-12-17 18:36 50520 ----a-w- c:\users\surya\AppData\Roaming\mjusbsp\cdloader2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-03-10 23:58 136176 ----atw- c:\users\surya\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2010-06-01 15:17 5252408 ----a-w- c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Default Manager]
2009-11-11 23:43 288088 ----a-w- c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-08-10 10:15 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 16:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-12-12 04:14 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirtualCloneDrive]
2009-01-29 22:11 52392 ----a-w- c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R1 MpKsl204f8f3f;MpKsl204f8f3f;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4CAA5548-DFB1-442F-9D2B-9F9831C1EC32}\MpKsl204f8f3f.sys [x]
R1 MpKsl45e425ac;MpKsl45e425ac;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8131EC4D-A710-4EED-BF4C-F04FE0BD3B05}\MpKsl45e425ac.sys [x]
R1 MpKsl993cfa43;MpKsl993cfa43;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{BD22CFEC-A1BA-482F-B51F-2348AFF77D30}\MpKsl993cfa43.sys [x]
R1 MpKslab2da7b6;MpKslab2da7b6;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{43BF7045-23A0-4C74-914E-570E41EC95C2}\MpKslab2da7b6.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [2009-03-13 288112]
R3 bcm;Beceem Communications Inc. Tarang3;c:\windows\system32\DRIVERS\drxvi314.sys [2009-01-20 233472]
R3 bcmbusctr;Beceem Devices' Enumerator Driver;c:\windows\system32\DRIVERS\BcmBusCtr.sys [2009-01-20 54784]
R3 DfSdkS;Defragmentation-Service;c:\program files\Ashampoo\Ashampoo WinOptimizer 2010 Advanced\Dfsdks.exe [2009-08-25 406016]
R3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2010-01-20 14216]
R3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2010-01-20 8456]
R3 JakNDisMP;JakNDisMP;c:\windows\system32\DRIVERS\JakNDis.sys [x]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2008-09-29 64432]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2010-10-25 54144]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2010-11-11 206360]
R3 SNL320XP;SONIX MULTIMEDIA USB DEVICE DRIVER;c:\windows\system32\DRIVERS\9kdUSBXP.sys [2006-12-28 16000]
R3 USBPNPA;USB PnP Sound Device Interface;c:\windows\system32\drivers\CM108.sys [2007-06-28 1310720]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
S1 MpKsl0b910f8d;MpKsl0b910f8d;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{1D8D8B90-819A-429B-85E5-8949A47A517A}\MpKsl0b910f8d.sys [2011-04-25 28752]
S2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [2008-09-16 169312]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_030ac640\aestsrv.exe [2008-02-12 73728]
S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [2010-07-16 26168]
S2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [2008-09-29 19456]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2008-09-29 67904]
S2 Recovery Service for Windows;Recovery Service for Windows;c:\windows\SMINST\BLService.exe [2008-03-26 341328]
S2 vfsFPService;Validity Fingerprint Service;c:\windows\system32\vfsFPService.exe [2008-03-27 595248]
S3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-02-07 193840]
S3 enecir;ENE CIR Receiver;c:\windows\system32\DRIVERS\enecir.sys [2008-01-24 52736]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-07-15 112128]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-10-25 43392]
S3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-11-17 3668480]
S3 vfs101x;vfs101x;c:\windows\system32\drivers\vfs101x.sys [2008-03-27 40752]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL0B910F8D
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 11:32 128512 ----a-w- c:\windows\System32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2828981063-1857216495-3614582370-1000Core.job
- c:\users\surya\AppData\Local\Google\Update\GoogleUpdate.exe [2011-03-10 23:58]
.
2011-04-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2828981063-1857216495-3614582370-1000UA.job
- c:\users\surya\AppData\Local\Google\Update\GoogleUpdate.exe [2011-03-10 23:58]
.
2011-04-25 c:\windows\Tasks\HPCeeScheduleForsurya.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2008-07-01 03:03]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-25 10:14
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,09,bb,24,24,d6,12,8d,4c,b0,70,29,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,09,bb,24,24,d6,12,8d,4c,b0,70,29,\
.
[HKEY_USERS\S-1-5-21-2828981063-1857216495-3614582370-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{ABEAE2B5-A964-6E4B-6001-9415622D1DB9}*]
"hapapnlhdeiabdlb"=hex:69,61,6f,6d,69,61,70,6f,6e,6a,62,6c,6f,61,61,6e,6c,69,
00,00
"fajcglmobndp"=hex:6b,61,69,68,61,67,64,6e,6f,6b,61,67,66,61,64,69,66,6b,6a,62,
70,68,00,00
"fajcdkdekbno"=hex:6f,62,67,68,67,6c,6a,66,67,69,61,6c,63,6a,61,69,66,62,6f,61,
6a,66,6b,6b,70,68,66,63,6c,69,6d,66,66,63,6c,66,64,6b,6e,6a,65,6f,66,63,69,\
"ianbnbofogfjdegfoa"=hex:6b,61,65,6d,6f,61,6a,6f,6a,6c,6f,6e,61,70,66,66,66,65,
66,6c,62,6d,00,00
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(4248)
c:\program files\DigitalPersona\Bin\DpoFeedb.dll
c:\program files\McAfee\Common Framework\JrMac.dll
.
Completion time: 2011-04-25 10:17:59
ComboFix-quarantined-files.txt 2011-04-25 15:17
ComboFix2.txt 2011-04-19 14:43
ComboFix3.txt 2011-04-19 05:09
ComboFix4.txt 2011-04-18 17:05
ComboFix5.txt 2011-04-19 21:16
.
Pre-Run: 98,609,274,880 bytes free
Post-Run: 98,646,241,280 bytes free
.
- - End Of File - - 375ECAD5EF3097868DC7AC5A15A88D2D

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:16 PM

Posted 25 April 2011 - 10:53 AM

Greetings

If combofix wants to update please allow it

Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

File::
c:\windows\system32\config\systemprofile\AppData\Local\Pgevarezatecuxis.bin

RegNull::
[HKEY_USERS\S-1-5-21-2828981063-1857216495-3614582370-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{ABEAE2B5-A964-6E4B-6001-9415622D1DB9}*]


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

Edited by gringo_pr, 25 April 2011 - 10:59 AM.


#7 svuser

svuser
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:02:16 PM

Posted 25 April 2011 - 11:30 AM

I ran the script with no problems. However, before creating the log file, there was an error (Windows error) about a program not being able to run, a program called PEV.cfxxe (not sure which program this is). After prompting me to close the program a couple of times, it finally opened the log file.

Here is the log file:

ComboFix 11-04-24.06 - surya 04/25/2011 11:12:59.6.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2974.1565 [GMT -5:00]
Running from: c:\users\surya\Desktop\ComboFix.exe
Command switches used :: c:\users\surya\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\windows\system32\config\systemprofile\AppData\Local\Pgevarezatecuxis.bin"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\config\systemprofile\AppData\Local\Pgevarezatecuxis.bin
.
.
((((((((((((((((((((((((( Files Created from 2011-03-25 to 2011-04-25 )))))))))))))))))))))))))))))))
.
.
2011-04-25 16:22 . 2011-04-25 16:22 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2011-04-25 16:22 . 2011-04-25 16:22 -------- d-----w- c:\users\hpuser\AppData\Local\temp
2011-04-25 16:22 . 2011-04-25 16:22 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-04-25 02:08 . 2009-08-20 05:50 22872 ----a-r- c:\windows\system32\AdobePDFUI.dll
2011-04-20 17:14 . 2011-04-20 17:14 -------- d-----w- c:\program files\SecurityXploded
2011-04-19 21:47 . 2011-04-19 21:47 -------- d-----w- C:\$RECYCLE(30).BIN
2011-04-19 03:07 . 2011-04-19 03:09 -------- d-----w- C:\WINSSLog
2011-04-16 16:11 . 2011-04-16 16:11 -------- d-----w- c:\program files\ESET
2011-04-16 06:11 . 2011-03-03 13:25 2041856 ----a-w- c:\windows\system32\win32k.sys
2011-04-16 06:11 . 2011-03-03 15:42 739328 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-16 06:11 . 2011-02-17 06:23 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-04-16 04:01 . 2011-04-25 16:22 -------- d-----w- c:\users\surya\AppData\Local\temp
2011-04-14 21:57 . 2011-04-14 21:57 -------- d-----w- C:\_OTM
2011-04-14 21:55 . 2011-04-14 21:56 389671928 ----a-w- C:\regback.reg
2011-04-13 20:23 . 2011-04-13 20:23 -------- d-----w- c:\users\surya\AppData\Roaming\Malwarebytes
2011-04-13 20:23 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-13 20:23 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-13 20:23 . 2011-04-14 02:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-13 03:12 . 2011-04-19 05:24 -------- d-----w- c:\program files\Microsoft Security Client
2011-04-13 03:12 . 2010-04-05 20:00 221568 ----a-w- c:\windows\system32\drivers\netio.sys
2011-04-10 18:49 . 2011-04-10 18:49 -------- d-----w- c:\program files\Yontoo Layers Client
2011-04-07 07:06 . 2011-04-19 21:18 -------- d-----w- C:\QUARANTINE
2011-04-07 00:26 . 2011-04-07 00:26 -------- d-----w- C:\found.000
2011-04-06 23:52 . 2008-09-29 13:07 90360 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-04-06 23:52 . 2008-09-29 13:07 74648 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2011-04-06 23:52 . 2008-09-29 13:07 64432 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-04-06 23:52 . 2008-09-29 13:07 42424 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-04-06 23:52 . 2008-09-29 13:07 67904 ----a-w- c:\windows\system32\mfevtps.exe
2011-04-06 23:52 . 2008-09-29 13:07 62704 ----a-w- c:\windows\system32\drivers\mfetdik.sys
2011-04-06 23:52 . 2008-09-29 13:07 340592 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-04-06 23:50 . 2011-04-06 23:50 -------- d-----w- c:\program files\Common Files\Cisco Systems
2011-04-06 23:50 . 2011-04-06 23:50 -------- d-----w- c:\program files\McAfee
2011-04-06 23:50 . 2011-04-06 23:50 -------- d-----w- c:\program files\Common Files\McAfee
2011-04-04 22:06 . 2011-04-04 22:06 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\{F68540C8-6961-4F61-9FC0-729F07B53AE9}
2011-04-04 03:45 . 2011-04-04 03:46 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\Adobe
2011-04-03 23:50 . 2011-04-03 23:50 -------- d-----w- c:\windows\Sun
2011-03-27 04:56 . 2011-03-27 04:56 -------- d-----w- c:\users\surya\AppData\Roaming\RunningPillow
2011-03-27 04:55 . 2011-03-27 04:55 -------- d-----w- c:\program files\KingsSmith2
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-22 14:13 . 2011-03-23 15:36 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-02-22 13:33 . 2011-03-23 15:36 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-02-22 13:33 . 2011-03-23 15:36 797696 ----a-w- c:\windows\system32\FntCache.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-12 39408]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-04-16 178712]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-12-24 222504]
"DpAgent"="c:\program files\DigitalPersona\Bin\dpagent.exe" [2008-03-13 699456]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2008-04-24 468264]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-03-14 202032]
"OnScreenDisplay"="c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2007-11-02 554288]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-06-02 80896]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-11-20 488752]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-10-29 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-10-29 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-10-29 154136]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-07-22 458844]
"TkBellExe"="c:\program files\Real\RealPlayer\Update\realsched.exe" [2011-03-19 273544]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2008-03-14 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-09-29 124240]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
.
c:\users\surya\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
WkCalRem.LNK - c:\program files\Microsoft Works\WkCalRem.exe [2007-6-21 46432]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Users^surya^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\surya\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2010-09-22 23:11 640440 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2011-01-31 06:36 38840 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-31 08:44 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2009-03-11 18:54 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0ENQBO]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2010-07-13 20:10 47904 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cdloader]
2008-12-17 18:36 50520 ----a-w- c:\users\surya\AppData\Roaming\mjusbsp\cdloader2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-03-10 23:58 136176 ----atw- c:\users\surya\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2010-06-01 15:17 5252408 ----a-w- c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Default Manager]
2009-11-11 23:43 288088 ----a-w- c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-08-10 10:15 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 16:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-12-12 04:14 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirtualCloneDrive]
2009-01-29 22:11 52392 ----a-w- c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R1 MpKsl204f8f3f;MpKsl204f8f3f;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4CAA5548-DFB1-442F-9D2B-9F9831C1EC32}\MpKsl204f8f3f.sys [x]
R1 MpKsl45e425ac;MpKsl45e425ac;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8131EC4D-A710-4EED-BF4C-F04FE0BD3B05}\MpKsl45e425ac.sys [x]
R1 MpKsl993cfa43;MpKsl993cfa43;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{BD22CFEC-A1BA-482F-B51F-2348AFF77D30}\MpKsl993cfa43.sys [x]
R1 MpKslab2da7b6;MpKslab2da7b6;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{43BF7045-23A0-4C74-914E-570E41EC95C2}\MpKslab2da7b6.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [2009-03-13 288112]
R3 bcm;Beceem Communications Inc. Tarang3;c:\windows\system32\DRIVERS\drxvi314.sys [2009-01-20 233472]
R3 bcmbusctr;Beceem Devices' Enumerator Driver;c:\windows\system32\DRIVERS\BcmBusCtr.sys [2009-01-20 54784]
R3 DfSdkS;Defragmentation-Service;c:\program files\Ashampoo\Ashampoo WinOptimizer 2010 Advanced\Dfsdks.exe [2009-08-25 406016]
R3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2010-01-20 14216]
R3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2010-01-20 8456]
R3 JakNDisMP;JakNDisMP;c:\windows\system32\DRIVERS\JakNDis.sys [x]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2008-09-29 64432]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2010-10-25 54144]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2010-11-11 206360]
R3 SNL320XP;SONIX MULTIMEDIA USB DEVICE DRIVER;c:\windows\system32\DRIVERS\9kdUSBXP.sys [2006-12-28 16000]
R3 USBPNPA;USB PnP Sound Device Interface;c:\windows\system32\drivers\CM108.sys [2007-06-28 1310720]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
S1 MpKsl0b910f8d;MpKsl0b910f8d;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{1D8D8B90-819A-429B-85E5-8949A47A517A}\MpKsl0b910f8d.sys [2011-04-25 28752]
S2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [2008-09-16 169312]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_030ac640\aestsrv.exe [2008-02-12 73728]
S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [2010-07-16 26168]
S2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [2008-09-29 19456]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2008-09-29 67904]
S2 Recovery Service for Windows;Recovery Service for Windows;c:\windows\SMINST\BLService.exe [2008-03-26 341328]
S2 vfsFPService;Validity Fingerprint Service;c:\windows\system32\vfsFPService.exe [2008-03-27 595248]
S3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-02-07 193840]
S3 enecir;ENE CIR Receiver;c:\windows\system32\DRIVERS\enecir.sys [2008-01-24 52736]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-07-15 112128]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-10-25 43392]
S3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-11-17 3668480]
S3 vfs101x;vfs101x;c:\windows\system32\drivers\vfs101x.sys [2008-03-27 40752]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL0B910F8D
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 11:32 128512 ----a-w- c:\windows\System32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2828981063-1857216495-3614582370-1000Core.job
- c:\users\surya\AppData\Local\Google\Update\GoogleUpdate.exe [2011-03-10 23:58]
.
2011-04-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2828981063-1857216495-3614582370-1000UA.job
- c:\users\surya\AppData\Local\Google\Update\GoogleUpdate.exe [2011-03-10 23:58]
.
2011-04-25 c:\windows\Tasks\HPCeeScheduleForsurya.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2008-07-01 03:03]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-25 11:22
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6002
.
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR
kernel: MBR read successfully
user != kernel MBR !!!
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,09,bb,24,24,d6,12,8d,4c,b0,70,29,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,09,bb,24,24,d6,12,8d,4c,b0,70,29,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2011-04-25 11:25:14
ComboFix-quarantined-files.txt 2011-04-25 16:25
ComboFix2.txt 2011-04-25 15:17
ComboFix3.txt 2011-04-19 14:43
ComboFix4.txt 2011-04-19 05:09
ComboFix5.txt 2011-04-25 16:11
.
Pre-Run: 98,673,602,560 bytes free
Post-Run: 98,636,152,832 bytes free
.
- - End Of File - - 52B6203B74A60EBA84453CB1372B47E3
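The ComboFix report above is a fixed-format text log, and what a helper actually wants out of it is a short review queue rather than several hundred lines. The following is an added example, not ComboFix's own code: a small parser for the "Files Created" rows and the service/driver rows, with both row formats inferred from this report (not from any ComboFix documentation), plus two triage views that a malware-removal helper would look at first. The sample rows are copied from the log above.

```python
"""Added example (not ComboFix's code): parse 'Files Created' rows and
'Drivers/Services' rows from a ComboFix report and build a review queue.
Row formats are inferred from the report in this thread."""
import re
from datetime import datetime

# "Files Created" row:  <created> . <modified> <size|--------> <attrs> <path>
FILE_ROW = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(-{8}|\d+) (\S{8}) (.+)$"
)
# Service/driver row:  <R|S><start type> <name>;<display>;<path> [<date size>|x]
SVC_ROW = re.compile(
    r"^([RS])([0-4]) ([^;]+);([^;]*);(.+?) \[(x|\d{4}-\d{2}-\d{2} \d+)\]$"
)

def parse_file_rows(lines):
    """One dict per file row; directories carry '--------' instead of a size."""
    rows = []
    for line in lines:
        m = FILE_ROW.match(line.strip())
        if not m:
            continue
        created, modified, size, attrs, path = m.groups()
        rows.append({
            "created": datetime.strptime(created, "%Y-%m-%d %H:%M"),
            "modified": datetime.strptime(modified, "%Y-%m-%d %H:%M"),
            "size": None if size.startswith("-") else int(size),
            "is_dir": attrs.startswith("d"),
            "path": path,
        })
    return rows

def parse_service_rows(lines):
    """One dict per service row; a trailing '[x]' means the binary was not on disk."""
    rows = []
    for line in lines:
        m = SVC_ROW.match(line.strip())
        if not m:
            continue
        state, start, name, display, path, stamp = m.groups()
        rows.append({
            "running": state == "R",
            "start_type": int(start),
            "name": name,
            "display": display,
            "path": path,
            "file_missing": stamp == "x",
        })
    return rows

def drivers_added_in_window(file_rows, min_lag_days=30):
    """Kernel drivers that appeared under system32\\drivers during the scan window
    with a modification time much older than their creation time. Installers that
    preserve timestamps produce the same pattern, so this is a review queue,
    not a verdict: each file still has to be identified."""
    hits = []
    for r in file_rows:
        if r["is_dir"] or "\\system32\\drivers\\" not in r["path"].lower():
            continue
        lag = (r["created"] - r["modified"]).days
        if lag >= min_lag_days:
            hits.append({"path": r["path"], "lag_days": lag, "size": r["size"]})
    return hits

def services_with_missing_file(service_rows):
    """Service entries whose image path no longer exists: leftovers of removed
    tools or definitions, or of a removed infection. Candidates for cleanup."""
    return [r["name"] for r in service_rows if r["file_missing"]]

# Constructed input: rows copied verbatim from the report in this thread.
SAMPLE_LOG = r"""
2011-04-25 18:27 . 2009-10-22 18:54 37392 ----a-w- c:\windows\system32\drivers\74404902.sys
2011-04-25 18:27 . 2009-10-10 04:31 311312 ----a-w- c:\windows\system32\drivers\7440490.sys
2011-04-20 17:14 . 2011-04-20 17:14 -------- d-----w- c:\program files\SecurityXploded
2011-04-16 06:11 . 2011-03-03 13:25 2041856 ----a-w- c:\windows\system32\win32k.sys
2011-04-13 20:23 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
R1 MpKsl204f8f3f;MpKsl204f8f3f;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4CAA5548-DFB1-442F-9D2B-9F9831C1EC32}\MpKsl204f8f3f.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
S1 MpKsl0b910f8d;MpKsl0b910f8d;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{1D8D8B90-819A-429B-85E5-8949A47A517A}\MpKsl0b910f8d.sys [2011-04-25 28752]
""".splitlines()

def triage(lines=SAMPLE_LOG):
    """Return the two review lists plus row counts for the parsed log."""
    files = parse_file_rows(lines)
    services = parse_service_rows(lines)
    return {
        "new_drivers": drivers_added_in_window(files),
        "missing_service_files": services_with_missing_file(services),
        "file_rows": len(files),
        "service_rows": len(services),
    }

if __name__ == "__main__":
    for key, value in triage().items():
        print(key, value)
```

Note that mbam.sys lands in the driver queue alongside the 7440490*.sys files: Malwarebytes' installer kept the driver's original timestamp, which is exactly why the list is only a starting point for identification. The one `[x]` hit is an MpKsl entry from the Microsoft Antimalware definition-update folder, whose file was already gone when ComboFix ran.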

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:16 PM

Posted 25 April 2011 - 12:19 PM

I want you to run this tool for me next.

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 svuser

svuser
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:02:16 PM

Posted 25 April 2011 - 12:25 PM

Thanks Gringo. I ran TDSSKiller, but it didn't find any infections. Attached the log / report.

Attached Files



#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:16 PM

Posted 25 April 2011 - 12:29 PM

Fix MBR Vista

1. Start your computer from the Windows Vista Installation DVD
2. Press a key when prompted to continue
3. Choose your language, time, keyboard and click Next:
4. Next, click "Repair your Computer":
5. Now, from the System Recovery Options dialog, select the "Operating System" you want to repair, then click Next:
6. From the "Choose a Recovery Tool" dialog menu, select "Command Prompt":
7. Type the following into the "Command Prompt Window" and press Enter after each line:
bootrec.exe /fixmbr

8. Remove the Vista Installation DVD and restart your PC.

If you have problems booting the computer after you have run that command, boot back into the System Recovery Environment and type the following into the "Command Prompt Window" and press Enter:

bootrec.exe /fixboot
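The "user != kernel MBR !!!" line in the Stealth MBR detector output earlier in the thread and the bootrec.exe /fixmbr step above concern the same 512-byte sector: the detector reads the MBR through the normal user-mode path and again from the kernel and reports when the two copies disagree, while /fixmbr rewrites only the boot-code area and leaves the disk signature and partition table untouched. The following is an added example, not GMER's or Microsoft's code, that models both checks in Python on a constructed MBR image; every byte value in it is made up for illustration, and the field offsets are the standard MBR layout.

```python
"""Added example (not GMER's or bootrec's code): model the 'user != kernel MBR'
comparison and a /fixmbr-style repair on a constructed 512-byte sector."""
import struct

SECTOR = 512
BOOT_CODE_LEN = 440     # bytes 0..439: boot code (the part /fixmbr replaces)
DISK_SIG_OFF = 440      # 4-byte NT disk signature, followed by 2 reserved bytes
PART_TABLE_OFF = 446    # four 16-byte partition entries
BOOT_SIG_OFF = 510      # 0x55 0xAA

def parse_mbr(img: bytes) -> dict:
    """Split an MBR sector into its fields; reject anything that is not one."""
    if len(img) != SECTOR:
        raise ValueError("MBR must be exactly one 512-byte sector")
    if img[BOOT_SIG_OFF:] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype = img[off], img[off + 4]
        lba_start, sectors = struct.unpack_from("<II", img, off + 8)
        if ptype != 0:          # type 0 marks an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {"boot_code": img[:BOOT_CODE_LEN],
            "disk_signature": struct.unpack_from("<I", img, DISK_SIG_OFF)[0],
            "partitions": partitions}

def compare_views(user_view: bytes, kernel_view: bytes) -> dict:
    """The detector-style check: which regions differ between the sector as
    seen from user mode and the sector as read by the kernel."""
    diff = [i for i in range(SECTOR) if user_view[i] != kernel_view[i]]
    return {
        "identical": not diff,
        "differing_bytes": len(diff),
        "boot_code_differs": any(i < BOOT_CODE_LEN for i in diff),
        "partition_table_differs": any(PART_TABLE_OFF <= i < BOOT_SIG_OFF for i in diff),
    }

def rewrite_boot_code(img: bytes, clean_code: bytes) -> bytes:
    """A /fixmbr-style repair: new code area, signature and partition table kept."""
    parse_mbr(img)   # refuse to 'repair' something that is not an MBR
    code = clean_code[:BOOT_CODE_LEN].ljust(BOOT_CODE_LEN, b"\x00")
    return code + img[BOOT_CODE_LEN:]

def build_sample_mbr(boot_code: bytes, disk_signature: int) -> bytes:
    """Constructed sector: one bootable type-0x07 partition starting at LBA 2048."""
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 204800)
    table = entry + b"\x00" * 48
    return (boot_code[:BOOT_CODE_LEN].ljust(BOOT_CODE_LEN, b"\x00")
            + struct.pack("<I", disk_signature) + b"\x00\x00" + table + b"\x55\xaa")

CLEAN_CODE = b"CONSTRUCTED-CLEAN-BOOT-CODE"      # stand-in bytes, not real boot code
PATCHED_CODE = b"CONSTRUCTED-PATCHED-BOOT-CODE"  # stand-in for a modified code area
DISK_SIG = 0x1234ABCD                            # constructed disk signature

USER_VIEW = build_sample_mbr(CLEAN_CODE, DISK_SIG)      # what user mode gets shown
KERNEL_VIEW = build_sample_mbr(PATCHED_CODE, DISK_SIG)  # what is actually on disk

def demo() -> dict:
    """Run the comparison, then the repair, and report what the repair preserved."""
    verdict = compare_views(USER_VIEW, KERNEL_VIEW)
    repaired = rewrite_boot_code(KERNEL_VIEW, CLEAN_CODE)
    after = parse_mbr(repaired)
    return {"verdict": verdict,
            "signature_kept": after["disk_signature"] == DISK_SIG,
            "partitions_kept": after["partitions"] == parse_mbr(KERNEL_VIEW)["partitions"],
            "repaired_matches_clean": compare_views(repaired, USER_VIEW)["identical"]}

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of `partition_table_differs` is the caveat behind the advice above: a mismatch confined to the first 440 bytes is what /fixmbr can put right, whereas a difference inside the partition table or a sector without the 0x55AA signature means the disk layout itself needs attention before rewriting anything. The "CreateFile ... being used by another process" line in the detector output is the reason its user-mode read failed on this machine, so here the user-mode snapshot would have been unavailable rather than clean.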

#11 svuser

svuser
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:02:16 PM

Posted 25 April 2011 - 12:36 PM

I don't have the Vista installation DVD with me. I got Vista with my laptop. I don't believe I got an OS installation DVD with it. I got the HP recovery scheduled when I got my laptop and it automatically allowed me to take a recovery disk written on the D drive though. Should I try from there?

#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:16 PM

Posted 25 April 2011 - 12:39 PM

OK, let's do this (the scan will take a while)


I want you to go to this page - http://support.kaspersky.com/viruses/utility

and download and run the Kaspersky Virus Removal Tool (the first one)

It should make a report; let me have that report here.



Gringo

#13 svuser

svuser
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:02:16 PM

Posted 25 April 2011 - 03:54 PM

Here is the report for important events only. There's another one for all events, but I am having trouble uploading it due to the size. Let me know if you need that one as well.

Attached Files


Edited by svuser, 25 April 2011 - 04:32 PM.


#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:16 PM

Posted 25 April 2011 - 05:22 PM

update combofix

I would like you to download an updated version of ComboFix.

Delete the version of ComboFix you have now on your desktop and download a new one from here

Link 1
Link 2
Link 3
**Note: It is important that it is saved directly to your desktop**

1. Close any open browsers.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Double-click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

#15 svuser

svuser
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:02:16 PM

Posted 25 April 2011 - 06:54 PM

Ahh...looks like this one found an infected system file. Here's the log file. Do you think this might have caused the trouble?

ComboFix 11-04-25.01 - surya 04/25/2011 17:58:18.7.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2974.1650 [GMT -5:00]
Running from: c:\users\surya\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\System32\config\systemprofile\AppData\Local\{F68540C8-6961-4F61-9FC0-729F07B53AE9}
c:\windows\System32\config\systemprofile\AppData\Local\{F68540C8-6961-4F61-9FC0-729F07B53AE9}\chrome.manifest
c:\windows\System32\config\systemprofile\AppData\Local\{F68540C8-6961-4F61-9FC0-729F07B53AE9}\chrome\content\_cfg.js
c:\windows\System32\config\systemprofile\AppData\Local\{F68540C8-6961-4F61-9FC0-729F07B53AE9}\chrome\content\overlay.xul
c:\windows\System32\config\systemprofile\AppData\Local\{F68540C8-6961-4F61-9FC0-729F07B53AE9}\install.rdf
.
Infected copy of c:\windows\system32\drivers\ntfs.sys was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\ntfs.sys
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_Parameters
.
.
((((((((((((((((((((((((( Files Created from 2011-03-25 to 2011-04-25 )))))))))))))))))))))))))))))))
.
.
2011-04-25 23:09 . 2011-04-25 23:09 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2011-04-25 23:09 . 2011-04-25 23:09 -------- d-----w- c:\users\hpuser\AppData\Local\temp
2011-04-25 23:09 . 2011-04-25 23:09 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-04-25 18:27 . 2009-10-22 18:54 37392 ----a-w- c:\windows\system32\drivers\74404902.sys
2011-04-25 18:27 . 2009-10-10 04:31 311312 ----a-w- c:\windows\system32\drivers\7440490.sys
2011-04-25 18:27 . 2009-09-25 22:59 128016 ----a-w- c:\windows\system32\drivers\74404901.sys
2011-04-25 02:08 . 2009-08-20 05:50 22872 ----a-r- c:\windows\system32\AdobePDFUI.dll
2011-04-20 17:14 . 2011-04-20 17:14 -------- d-----w- c:\program files\SecurityXploded
2011-04-19 21:47 . 2011-04-19 21:47 -------- d-----w- C:\$RECYCLE(30).BIN
2011-04-19 03:07 . 2011-04-19 03:09 -------- d-----w- C:\WINSSLog
2011-04-16 16:11 . 2011-04-16 16:11 -------- d-----w- c:\program files\ESET
2011-04-16 06:11 . 2011-03-03 13:25 2041856 ----a-w- c:\windows\system32\win32k.sys
2011-04-16 06:11 . 2011-03-03 15:42 739328 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-16 06:11 . 2011-02-17 06:23 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-04-16 04:01 . 2011-04-25 23:35 -------- d-----w- c:\users\surya\AppData\Local\temp
2011-04-14 21:57 . 2011-04-14 21:57 -------- d-----w- C:\_OTM
2011-04-14 21:55 . 2011-04-14 21:56 389671928 ----a-w- C:\regback.reg
2011-04-13 20:23 . 2011-04-13 20:23 -------- d-----w- c:\users\surya\AppData\Roaming\Malwarebytes
2011-04-13 20:23 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-13 20:23 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-13 20:23 . 2011-04-14 02:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-13 03:12 . 2011-04-19 05:24 -------- d-----w- c:\program files\Microsoft Security Client
2011-04-13 03:12 . 2010-04-05 20:00 221568 ----a-w- c:\windows\system32\drivers\netio.sys
2011-04-10 18:49 . 2011-04-10 18:49 -------- d-----w- c:\program files\Yontoo Layers Client
2011-04-07 07:06 . 2011-04-19 21:18 -------- d-----w- C:\QUARANTINE
2011-04-07 00:26 . 2011-04-07 00:26 -------- d-----w- C:\found.000
2011-04-06 23:52 . 2008-09-29 13:07 90360 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-04-06 23:52 . 2008-09-29 13:07 74648 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2011-04-06 23:52 . 2008-09-29 13:07 64432 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-04-06 23:52 . 2008-09-29 13:07 42424 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-04-06 23:52 . 2008-09-29 13:07 67904 ----a-w- c:\windows\system32\mfevtps.exe
2011-04-06 23:52 . 2008-09-29 13:07 62704 ----a-w- c:\windows\system32\drivers\mfetdik.sys
2011-04-06 23:52 . 2008-09-29 13:07 340592 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-04-06 23:50 . 2011-04-06 23:50 -------- d-----w- c:\program files\Common Files\Cisco Systems
2011-04-06 23:50 . 2011-04-06 23:50 -------- d-----w- c:\program files\McAfee
2011-04-06 23:50 . 2011-04-06 23:50 -------- d-----w- c:\program files\Common Files\McAfee
2011-04-04 03:45 . 2011-04-04 03:46 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\Adobe
2011-04-03 23:50 . 2011-04-03 23:50 -------- d-----w- c:\windows\Sun
2011-03-27 04:56 . 2011-03-27 04:56 -------- d-----w- c:\users\surya\AppData\Roaming\RunningPillow
2011-03-27 04:55 . 2011-03-27 04:55 -------- d-----w- c:\program files\KingsSmith2
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-22 14:13 . 2011-03-23 15:36 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-02-22 13:33 . 2011-03-23 15:36 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-02-22 13:33 . 2011-03-23 15:36 797696 ----a-w- c:\windows\system32\FntCache.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-12 39408]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-04-16 178712]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-12-24 222504]
"DpAgent"="c:\program files\DigitalPersona\Bin\dpagent.exe" [2008-03-13 699456]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2008-04-24 468264]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-03-14 202032]
"OnScreenDisplay"="c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2007-11-02 554288]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-06-02 80896]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-11-20 488752]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-10-29 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-10-29 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-10-29 154136]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-07-22 458844]
"TkBellExe"="c:\program files\Real\RealPlayer\Update\realsched.exe" [2011-03-19 273544]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2008-03-14 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-09-29 124240]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
.
c:\users\surya\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
setup_9.0.0.722_25.04.2011_20-06[1].lnk - c:\users\surya\Desktop\Virus Removal Tool\setup_9.0.0.722_25.04.2011_20-06[1]\startup.exe [2011-4-25 72208]
WkCalRem.LNK - c:\program files\Microsoft Works\WkCalRem.exe [2007-6-21 46432]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Users^surya^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\surya\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2010-09-22 23:11 640440 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2011-01-31 06:36 38840 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-31 08:44 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2009-03-11 18:54 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0ENQBO]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2010-07-13 20:10 47904 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cdloader]
2008-12-17 18:36 50520 ----a-w- c:\users\surya\AppData\Roaming\mjusbsp\cdloader2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-03-10 23:58 136176 ----atw- c:\users\surya\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2010-06-01 15:17 5252408 ----a-w- c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Default Manager]
2009-11-11 23:43 288088 ----a-w- c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-08-10 10:15 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 16:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-12-12 04:14 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirtualCloneDrive]
2009-01-29 22:11 52392 ----a-w- c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R1 MpKsl0b910f8d;MpKsl0b910f8d;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{1D8D8B90-819A-429B-85E5-8949A47A517A}\MpKsl0b910f8d.sys [x]
R1 MpKsl204f8f3f;MpKsl204f8f3f;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4CAA5548-DFB1-442F-9D2B-9F9831C1EC32}\MpKsl204f8f3f.sys [x]
R1 MpKsl45e425ac;MpKsl45e425ac;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8131EC4D-A710-4EED-BF4C-F04FE0BD3B05}\MpKsl45e425ac.sys [x]
R1 MpKsl993cfa43;MpKsl993cfa43;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{BD22CFEC-A1BA-482F-B51F-2348AFF77D30}\MpKsl993cfa43.sys [x]
R1 MpKslab2da7b6;MpKslab2da7b6;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{43BF7045-23A0-4C74-914E-570E41EC95C2}\MpKslab2da7b6.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [2009-03-13 288112]
R3 bcm;Beceem Communications Inc. Tarang3;c:\windows\system32\DRIVERS\drxvi314.sys [2009-01-20 233472]
R3 bcmbusctr;Beceem Devices' Enumerator Driver;c:\windows\system32\DRIVERS\BcmBusCtr.sys [2009-01-20 54784]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-02-07 193840]
R3 DfSdkS;Defragmentation-Service;c:\program files\Ashampoo\Ashampoo WinOptimizer 2010 Advanced\Dfsdks.exe [2009-08-25 406016]
R3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2010-01-20 14216]
R3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2010-01-20 8456]
R3 JakNDisMP;JakNDisMP;c:\windows\system32\DRIVERS\JakNDis.sys [x]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2008-09-29 64432]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-10-25 43392]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2010-10-25 54144]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2010-11-11 206360]
R3 SNL320XP;SONIX MULTIMEDIA USB DEVICE DRIVER;c:\windows\system32\DRIVERS\9kdUSBXP.sys [2006-12-28 16000]
R3 USBPNPA;USB PnP Sound Device Interface;c:\windows\system32\drivers\CM108.sys [2007-06-28 1310720]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
S0 74404902;74404902 Boot Guard Driver;c:\windows\system32\DRIVERS\74404902.sys [2009-10-22 37392]
S1 74404901;74404901;c:\windows\system32\DRIVERS\74404901.sys [2009-09-25 128016]
S2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [2008-09-16 169312]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_030ac640\aestsrv.exe [2008-02-12 73728]
S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [2010-07-16 26168]
S2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [2008-09-29 19456]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2008-09-29 67904]
S2 Recovery Service for Windows;Recovery Service for Windows;c:\windows\SMINST\BLService.exe [2008-03-26 341328]
S2 vfsFPService;Validity Fingerprint Service;c:\windows\system32\vfsFPService.exe [2008-03-27 595248]
S3 enecir;ENE CIR Receiver;c:\windows\system32\DRIVERS\enecir.sys [2008-01-24 52736]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-07-15 112128]
S3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-11-17 3668480]
S3 vfs101x;vfs101x;c:\windows\system32\drivers\vfs101x.sys [2008-03-27 40752]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 11:32 128512 ----a-w- c:\windows\System32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2828981063-1857216495-3614582370-1000Core.job
- c:\users\surya\AppData\Local\Google\Update\GoogleUpdate.exe [2011-03-10 23:58]
.
2011-04-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2828981063-1857216495-3614582370-1000UA.job
- c:\users\surya\AppData\Local\Google\Update\GoogleUpdate.exe [2011-03-10 23:58]
.
2011-04-25 c:\windows\Tasks\HPCeeScheduleForsurya.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2008-07-01 03:03]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,09,bb,24,24,d6,12,8d,4c,b0,70,29,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,09,bb,24,24,d6,12,8d,4c,b0,70,29,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(1080)
c:\program files\DigitalPersona\Bin\DpoFeedb.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\windows\System32\DriverStore\FileRepository\stwrt.inf_e2247046\STacSV.exe
c:\program files\DigitalPersona\Bin\DpHostW.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
c:\program files\HP\QuickPlay\Kernel\TV\QPSched.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\McAfee\VirusScan Enterprise\mfeann.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\System32\vdsldr.exe
.
**************************************************************************
.
Completion time: 2011-04-25 18:43:26 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-25 23:43
ComboFix2.txt 2011-04-25 16:25
ComboFix3.txt 2011-04-25 15:17
ComboFix4.txt 2011-04-19 14:43
ComboFix5.txt 2011-04-25 22:57
.
Pre-Run: 94,653,046,784 bytes free
Post-Run: 94,535,692,288 bytes free
.
- - End Of File - - 8CF4F575E36CFF08A2891C8BFD74712F