Browser Hijack and "MS Feeds Synchronization" messages


  • This topic is locked
8 replies to this topic

#1 CriticalDog


Posted 20 April 2011 - 01:04 PM

I am attempting to fix my in-laws' PC, and my meager skills have run out.

Upon running TDSSKiller 2.4.7.0 (which removed a Win32 rootkit of some sort), Malwarebytes and SUPERAntiSpyware, I am still getting redirected. In addition, we are getting a recurring window that appears to be a Windows message stating "Microsoft Feeds Synchronization has encountered a problem". This occurs repeatedly.

Malwarebytes and SUPERAntiSpyware both located and removed various bits and pieces of malware, but items keep re-appearing.

Please find attached the various files and logs, as directed in the instructions on how to post a help request.

tl;dr version: in-laws' PC is borked. HELP!!! :)


************DDS LOG**********
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Owner at 13:37:10.00 on Wed 04/20/2011
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.519 [GMT -4:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe -k itlsvc
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\VERIZONDM\bin\sprtsvc.exe
C:\WINDOWS\system32\java.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\VERIZONDM\bin\tgsrvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Documents and Settings\Owner\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.verizon.net/central/appmanager/portal/vzcentral#Scene_1
uSearch Page = hxxp://www.Google.com/
uSearch Bar = hxxp://www.Google.com/
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us
uSearchMigratedDefaultURL = hxxp://www.Google.com/
uDefault_Search_URL = hxxp://www.Google.com/
mSearch Bar = hxxp://www.Google.com/
mSearchMigratedDefaultURL = hxxp://www.Google.com/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.Google.com/
mSearchURL = hxxp://www.Google.com/
uURLSearchHooks: MapNeto 1.1 Toolbar: {f5046a39-68f3-4732-995f-eb2ea26d93fb} - c:\program files\mapneto_1.1\prxtbMap0.dll
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar4.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0983.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: MapNeto 1.1 Toolbar: {f5046a39-68f3-4732-995f-eb2ea26d93fb} - c:\program files\mapneto_1.1\prxtbMap0.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0983.0\msneshellx.dll
TB: MapNeto 1.1 Toolbar: {f5046a39-68f3-4732-995f-eb2ea26d93fb} - c:\program files\mapneto_1.1\prxtbMap0.dll
TB: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar4.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~2.EXE -Update -1103471 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://www.freeonlinegames.com/games/15205/game.html"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm .exe" -startup
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: musicmatch.com\online
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemywifi.verizon.net/sdcCommon/download/WIFI/Verizon%20WiFi%20Installer.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
Notify: itlntfy - itlnfw32.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: {ecc974ae-6ede-44a2-90da-93b996d8eaf8} - No File
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 itlperf;Intel CPU;c:\windows\system32\svchost.exe -k itlsvc [2004-8-10 14336]
R2 LinksysUpdater;Linksys Updater;c:\program files\linksys\linksys updater\bin\LinksysUpdater.exe [2008-1-15 204800]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);c:\program files\verizondm\bin\sprtsvc.exe [2010-9-2 206120]
R2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);c:\program files\verizondm\bin\tgsrvc.exe [2010-9-2 185640]
S1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 165264]
S1 MpKsl625dbf41;MpKsl625dbf41;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{4f28cd12-97e8-46b3-a1a3-2762ff694b5f}\mpksl625dbf41.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{4f28cd12-97e8-46b3-a1a3-2762ff694b5f}\MpKsl625dbf41.sys [?]
S1 MpKslab2bfe1c;MpKslab2bfe1c;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{a386a92b-2b60-43dd-97e9-48d377ea0d64}\mpkslab2bfe1c.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{a386a92b-2b60-43dd-97e9-48d377ea0d64}\MpKslab2bfe1c.sys [?]
S1 MpKslff35559a;MpKslff35559a;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6a006d29-ea12-4257-8623-6474590a6f04}\mpkslff35559a.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6a006d29-ea12-4257-8623-6474590a6f04}\MpKslff35559a.sys [?]
S2 IHA_MessageCenter;IHA_MessageCenter;c:\program files\verizon\iha_messagecenter\bin\Verizon_IHAMessageCenter.exe [2010-10-13 98304]
.
=============== Created Last 30 ================
.
2011-04-10 04:03:45 118272 ----a-w- c:\windows\system32\drivers\16472.sys
2011-04-09 03:39:31 -------- d-----w- C:\d94f7c54f09699891920
2011-04-08 18:30:33 135168 --sha-r- c:\windows\system32\mshtml6.dll
2011-04-08 18:30:21 215552 ----a-w- c:\windows\system32\itlpfw32.dll
2011-04-08 17:28:30 -------- d-----w- C:\TDSSKiller_Quarantine
2011-04-08 16:52:31 135168 ----a-w- c:\windows\system32\igfxres.dll
2011-04-08 16:44:06 69632 -c--a-w- c:\windows\system32\dllcache\ehresko.dll
2011-04-08 16:44:05 73728 -c--a-w- c:\windows\system32\dllcache\ehresja.dll
2011-04-08 16:44:05 69632 -c--a-w- c:\windows\system32\dllcache\ehresfr.dll
2011-04-08 16:44:04 69632 -c--a-w- c:\windows\system32\dllcache\ehresde.dll
2011-04-08 16:42:57 18944 -c--a-w- c:\windows\system32\dllcache\simptcp.dll
2011-04-08 16:41:58 9216 -c--a-w- c:\windows\system32\dllcache\iwrps.dll
2011-04-08 16:40:58 54528 -c--a-w- c:\windows\system32\dllcache\cap7146.sys
2011-04-08 16:34:56 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2011-04-08 16:34:56 16384 ----a-w- c:\program files\internet explorer\connection wizard\isignup.exe
2011-04-08 16:18:05 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2011-04-08 16:18:05 13312 ----a-w- c:\windows\system32\irclass.dll
2011-04-08 16:18:04 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2011-04-08 16:18:04 24661 ----a-w- c:\windows\system32\spxcoins.dll
2011-04-08 16:17:50 13753 ----a-r- c:\windows\SET13C.tmp
2011-04-08 16:17:47 1086058 ----a-r- c:\windows\SET130.tmp
2011-04-08 16:17:47 106147 ----a-r- c:\windows\SET12D.tmp
2011-04-08 12:07:33 -------- d-----w- c:\windows\dell
2011-04-05 04:55:14 6792528 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{a386a92b-2b60-43dd-97e9-48d377ea0d64}\mpengine.dll
2011-04-05 03:58:35 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-04-05 03:58:35 -------- d-----w- c:\windows\system32\wbem\Repository
2011-03-29 22:21:58 -------- d-----w- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com
2011-03-29 22:21:58 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2011-03-29 22:21:39 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-03-29 21:13:17 -------- d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2011-03-29 21:13:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-29 21:12:59 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-03-29 21:12:53 -------- d-----w- c:\program files\MalMal
.
==================== Find3M ====================
.
2011-04-20 17:08:23 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST380819AS rev.8.04 -> Harddisk0\DR0 -> \Device\Ide\IdePort1 P1T0L0-e
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86528439]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8652e7d0]; MOV EAX, [0x8652e84c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EDE00] -> \Device\Harddisk0\DR0[0x86541030]
3 CLASSPNP[0xF767F05B] -> ntkrnlpa!IofCallDriver[0x804EDE00] -> [0x86561F18]
\Driver\atapi[0x8656BD78] -> IRP_MJ_CREATE -> 0x86528439
kernel: MBR read successfully
_asm { MOV AX, 0x0; MOV SS, AX; MOV SP, 0x7c00; MOV DS, AX; CLD ; MOV CX, 0x80; MOV SI, SP; MOV DI, 0x600; MOV ES, AX; REP MOVSD ; JMP FAR 0x0:0x62d; }
detected disk devices:
\Device\Ide\IdeDeviceP1T0L0-e -> \??\IDE#DiskST380819AS______________________________8.04____#5&f85c66f&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8652827F
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 13:38:16.59 ===============


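A small triage script, added here as an example and not part of this thread or of DDS, ComboFix or any other tool named in it: it parses a handful of lines copied from the DDS log above and applies a few defender-side heuristics (hidden+system DLL in system32, digit-only driver name, hex-named folder in the drive root, svchost service in an unknown group). The known-group list and the heuristics are assumptions chosen for illustration, and a hit means "look here first", not "malicious".

```python
import re
from dataclasses import dataclass

# Constructed sample input: lines copied from the DDS log in the post above
# ("Created Last 30" and "SERVICES / DRIVERS" sections), with a few clearly
# benign entries kept so the checks have negatives to ignore.
SAMPLE_CREATED = r"""
2011-04-10 04:03:45 118272 ----a-w- c:\windows\system32\drivers\16472.sys
2011-04-09 03:39:31 -------- d-----w- C:\d94f7c54f09699891920
2011-04-08 18:30:33 135168 --sha-r- c:\windows\system32\mshtml6.dll
2011-04-08 18:30:21 215552 ----a-w- c:\windows\system32\itlpfw32.dll
2011-04-08 17:28:30 -------- d-----w- C:\TDSSKiller_Quarantine
2011-04-08 16:52:31 135168 ----a-w- c:\windows\system32\igfxres.dll
2011-03-29 21:13:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
"""

SAMPLE_SERVICES = r"""
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R2 itlperf;Intel CPU;c:\windows\system32\svchost.exe -k itlsvc [2004-8-10 14336]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 165264]
"""

# Assumption: svchost groups that are normal on a Windows XP box, plus the
# legitimate groups visible in this log. Anything else is worth a second look.
KNOWN_SVCHOST_GROUPS = {
    "dcomlaunch", "rpcss", "netsvcs", "networkservice", "localservice",
    "imgsvc", "httpfilter", "wudfservicegroup", "termsvcs",
}

# DDS line shapes: "<date> <time> <size|--------> <8 attr chars> <path>" and
# "<state> <name>;<display name>;<image path> [<date> <size>]".
CREATED_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) (\S{8}) (.+)$")
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+?) \[[^\]]*\]$")
HEX_DIR_RE = re.compile(r"^[a-z]:\\[0-9a-f]{16,}$", re.IGNORECASE)


@dataclass
class Finding:
    kind: str    # short tag for the heuristic that fired
    detail: str  # path or service name it fired on


def parse_created(text):
    """Return (timestamp, size, attrs, path) tuples for DDS 'Created' lines."""
    rows = []
    for line in text.splitlines():
        m = CREATED_RE.match(line.strip())
        if m:
            rows.append(m.groups())
    return rows


def triage_created(text):
    """Flag created-file entries that a helper would want to look at first."""
    findings = []
    for _stamp, _size, attrs, path in parse_created(text):
        low = path.lower()
        is_dir = attrs[0] == "d"
        name = low.rsplit("\\", 1)[-1]
        stem, _, ext = name.rpartition(".")
        # A DLL dropped into system32 with hidden+system attributes ("--sha-r-")
        # is not how Microsoft ships its own files.
        if not is_dir and "s" in attrs and "h" in attrs and "\\windows\\system32\\" in low:
            findings.append(Finding("hidden_system_in_system32", path))
        # Kernel drivers named with nothing but digits are typical of droppers.
        if not is_dir and ext == "sys" and "\\drivers\\" in low and stem.isdigit():
            findings.append(Finding("numeric_driver_name", path))
        # Long hex-named folders in the drive root: Windows Update extracts
        # into such folders too, so this is "verify", not "malicious".
        if is_dir and HEX_DIR_RE.match(low):
            findings.append(Finding("hex_dir_in_root", path))
    return findings


def triage_services(text):
    """Flag services hosted by svchost.exe under a group that is not a known one."""
    findings = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        _state, name, _display, image = m.groups()
        km = re.search(r"svchost\.exe\s+-k\s+(\S+)", image.lower())
        if km and km.group(1) not in KNOWN_SVCHOST_GROUPS:
            findings.append(Finding("svchost_unknown_group", f"{name} (-k {km.group(1)})"))
    return findings


if __name__ == "__main__":
    for f in triage_created(SAMPLE_CREATED) + triage_services(SAMPLE_SERVICES):
        print(f"{f.kind:28} {f.detail}")
```

On the sample above the service check singles out itlperf, the same service ComboFix's log later lists under Drivers/Services deletions; the file checks flag 16472.sys, mshtml6.dll and the hex-named root folder for review.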
#2 Noviciate

  • Malware Response Team

Posted 20 April 2011 - 01:29 PM

Good evening. :)

Take a trip to this webpage for download links and instructions for running ComboFix by sUBs.*

  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste it into your next reply.
  • Let me know how the PC is behaving.
* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of its removal tasks without the installation of the Console so, should you choose not to allow the installation, you may not get the results you hoped for.

2) Disabling your Anti-Virus.

CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for either.

So long, and thanks for all the fish.


#3 CriticalDog

  • Topic Starter

Posted 20 April 2011 - 02:10 PM

Thank you very much for your help! The system seems quite a bit faster, and I haven't gotten the "MS Feeds" error message as of yet. Fingers crossed!

They previously had MS Security Essentials. Would you recommend that over Avast (what I use myself) to avoid this sort of thing in the future?

ComboFix log follows:

ComboFix 11-04-20.01 - Owner 04/20/2011 14:51:38.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.665 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\NetworkService\Application Data\PriceGong
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\1.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\a.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\b.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\c.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\d.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\e.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\f.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\g.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\h.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\i.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\J.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\k.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\l.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\m.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\n.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\o.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\p.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\q.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\r.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\s.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\t.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\u.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\v.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\w.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\x.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\y.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\z.xml
c:\documents and settings\Owner\Application Data\PriceGong
c:\documents and settings\Owner\Application Data\PriceGong\Data\1.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\a.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\b.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\c.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\d.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\e.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\f.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\g.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\h.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\i.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\J.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\k.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\l.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\m.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\n.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\o.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\p.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\q.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\r.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\s.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\t.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\u.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\v.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\w.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\x.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\y.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\z.xml
c:\documents and settings\Owner\GoToAssistDownloadHelper.exe
c:\documents and settings\Owner\Local Settings\Application Data\{056B77EA-C098-4054-9F99-F18575B0DB91}
c:\documents and settings\Owner\Local Settings\Application Data\{056B77EA-C098-4054-9F99-F18575B0DB91}\chrome\content\_cfg.js
c:\documents and settings\Owner\Local Settings\Application Data\{056B77EA-C098-4054-9F99-F18575B0DB91}\chrome\content\overlay.xul
c:\documents and settings\Owner\Local Settings\Application Data\{056B77EA-C098-4054-9F99-F18575B0DB91}\install.rdf
c:\documents and settings\Owner\System
c:\documents and settings\Owner\System\win_qs8.jqx
c:\windows\system32\itlpfw32.dll
.
.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_ITLPERF
-------\Service_itlperf
.
.
((((((((((((((((((((((((( Files Created from 2011-03-20 to 2011-04-20 )))))))))))))))))))))))))))))))
.
.
2011-04-20 13:50 . 2011-04-20 13:50 -------- d-----w- c:\documents and settings\LocalService\Application Data\Verizon
2011-04-10 04:03 . 2011-04-10 04:03 118272 ----a-w- c:\windows\system32\drivers\16472.sys
2011-04-09 03:39 . 2011-04-09 03:39 -------- d-----w- C:\d94f7c54f09699891920
2011-04-08 20:00 . 2011-04-08 20:00 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2011-04-08 18:33 . 2011-04-08 18:33 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Conduit
2011-04-08 18:30 . 2011-04-08 18:30 135168 --sha-r- c:\windows\system32\mshtml6.dll
2011-04-08 17:53 . 2011-04-08 17:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-04-08 17:28 . 2011-04-08 17:28 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2011-04-08 17:28 . 2011-04-08 17:28 -------- d-----w- C:\TDSSKiller_Quarantine
2011-04-08 16:52 . 2005-10-15 02:45 135168 ----a-w- c:\windows\system32\igfxres.dll
2011-04-08 16:44 . 2004-08-10 08:13 69632 -c--a-w- c:\windows\system32\dllcache\ehresko.dll
2011-04-08 16:44 . 2004-08-10 08:13 73728 -c--a-w- c:\windows\system32\dllcache\ehresja.dll
2011-04-08 16:44 . 2004-08-10 08:13 69632 -c--a-w- c:\windows\system32\dllcache\ehresfr.dll
2011-04-08 16:44 . 2004-08-10 08:13 69632 -c--a-w- c:\windows\system32\dllcache\ehresde.dll
2011-04-08 16:42 . 2004-08-10 11:00 18944 -c--a-w- c:\windows\system32\dllcache\simptcp.dll
2011-04-08 16:41 . 2004-08-10 11:00 9216 -c--a-w- c:\windows\system32\dllcache\iwrps.dll
2011-04-08 16:40 . 2004-08-10 11:00 54528 -c--a-w- c:\windows\system32\dllcache\cap7146.sys
2011-04-08 16:34 . 2004-08-10 11:00 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2011-04-08 16:34 . 2004-08-10 11:00 16384 ----a-w- c:\program files\Internet Explorer\Connection Wizard\isignup.exe
2011-04-08 16:18 . 2004-08-10 11:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2011-04-08 16:18 . 2004-08-10 11:00 13312 ----a-w- c:\windows\system32\irclass.dll
2011-04-08 16:18 . 2004-08-10 11:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2011-04-08 16:18 . 2004-08-10 11:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2011-04-08 16:17 . 2004-08-10 11:00 13753 ----a-r- c:\windows\SET13C.tmp
2011-04-08 16:17 . 2004-08-10 11:00 1086058 ----a-r- c:\windows\SET130.tmp
2011-04-08 16:17 . 2004-08-10 11:00 106147 ----a-r- c:\windows\SET12D.tmp
2011-04-08 12:07 . 2011-04-08 12:07 -------- d-----w- c:\windows\dell
2011-04-05 13:29 . 2011-04-20 13:48 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-04-05 12:18 . 2011-04-05 12:19 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-04-05 04:55 . 2011-03-15 01:05 6792528 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A386A92B-2B60-43DD-97E9-48D377EA0D64}\mpengine.dll
2011-04-05 03:58 . 2011-04-05 03:58 -------- d-----w- c:\windows\system32\wbem\Repository
2011-03-29 22:21 . 2011-03-29 22:21 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2011-03-29 22:21 . 2011-03-29 22:21 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-03-29 22:21 . 2011-04-10 04:00 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-03-29 21:13 . 2011-03-29 21:13 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2011-03-29 21:13 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-29 21:12 . 2011-03-29 21:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-03-29 21:12 . 2011-03-29 21:13 -------- d-----w- c:\program files\MalMal
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-20 17:08 . 2011-03-07 13:52 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
2011-01-26 23:05 . 2011-01-26 23:05 65536 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{6916E491-8BBF-4E8A-AFAD-D01307C059E5}\NewShortcut1_9E64A938C044442B9C8C104AA62BD820.exe
2011-01-26 23:05 . 2011-01-26 23:05 65536 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{6916E491-8BBF-4E8A-AFAD-D01307C059E5}\NewShortcut1_011BB310849E4442B8017718F2C57FE0.exe
2011-01-26 23:05 . 2011-01-26 23:05 65536 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{6916E491-8BBF-4E8A-AFAD-D01307C059E5}\ARPPRODUCTICON.exe
.
<pre>
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\Common Files\InstallShield\UpdateService\issch .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm       .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\Dell Support Center\bin\sprtcmd .exe
c:\program files\Dell Support Center\gs_agent\custom\dsca .exe
c:\program files\DellSupport\DSAgnt .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\Microsoft Security Client\msseces .exe
c:\program files\QuickTime\qttask     .exe
c:\program files\SUPERAntiSpyware\SUPERAntiSpyware .exe
c:\program files\Verizon\McciTrayApp .exe
c:\program files\Verizon\SmartBridge\MotiveSB .exe
c:\program files\Verizon\VSP\VerizonServicepoint .exe
c:\program files\VERIZONDM\bin\sprtcmd .exe
c:\windows\ehome\ehtray .exe
c:\windows\ime\imjp8_1\IMJPMIG .exe
c:\windows\ime\imkr6_1\IMEKRMIG .exe
</pre>
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{f5046a39-68f3-4732-995f-eb2ea26d93fb}"= "c:\program files\MapNeto_1.1\prxtbMap0.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{f5046a39-68f3-4732-995f-eb2ea26d93fb}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-07-17 22:20 279944 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2011-01-17 14:54 175912 ----a-w- c:\program files\ConduitEngine\prxConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f5046a39-68f3-4732-995f-eb2ea26d93fb}]
2011-01-17 14:54 175912 ----a-w- c:\program files\MapNeto_1.1\prxtbMap0.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-07-17 279944]
"{f5046a39-68f3-4732-995f-eb2ea26d93fb}"= "c:\program files\MapNeto_1.1\prxtbMap0.dll" [2011-01-17 175912]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\prxConduitEngine.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
.
[HKEY_CLASSES_ROOT\clsid\{f5046a39-68f3-4732-995f-eb2ea26d93fb}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-07-17 279944]
"{F5046A39-68F3-4732-995F-EB2EA26D93FB}"= "c:\program files\MapNeto_1.1\prxtbMap0.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
.
[HKEY_CLASSES_ROOT\clsid\{f5046a39-68f3-4732-995f-eb2ea26d93fb}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [N/A]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [N/A]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm .exe -startup" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-10 44032]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-15 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-15 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-15 114688]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\61806296102818501480995154105645]
c:\program files\Antivirus 2009\av2009.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Antivirus]
c:\program files\AAV\aav.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2004-12-06 07:05 127035 ----a-w- c:\windows\system32\dla\tfswctrl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-02-23 22:19 53248 ----a-w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2006-03-28 23:26 169472 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Metrics]
2003-08-13 15:09 368640 ----a-w- c:\program files\HP\Personal Printing Solutions Product Research\HP Product Research.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
c:\program files\iTunes\iTunesHelper.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
2005-09-09 01:20 8192 ----a-w- c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
2005-08-12 20:16 1121792 ----a-w- c:\program files\McAfee\SpamKiller\MSKDetct.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
c:\program files\QuickTime\qttask.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2006-03-28 23:19 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\PSD\\PSOPENLF.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"50000:UDP"= 50000:UDP:IHA_MessageCenter
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [1/15/2008 11:28 AM 204800]
R2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);c:\program files\VERIZONDM\bin\sprtsvc.exe [9/2/2010 6:46 AM 206120]
R2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);c:\program files\VERIZONDM\bin\tgsrvc.exe [9/2/2010 6:46 AM 185640]
S1 MpKsl625dbf41;MpKsl625dbf41;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4F28CD12-97E8-46B3-A1A3-2762FF694B5F}\MpKsl625dbf41.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4F28CD12-97E8-46B3-A1A3-2762FF694B5F}\MpKsl625dbf41.sys [?]
S1 MpKslab2bfe1c;MpKslab2bfe1c;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A386A92B-2B60-43DD-97E9-48D377EA0D64}\MpKslab2bfe1c.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A386A92B-2B60-43DD-97E9-48D377EA0D64}\MpKslab2bfe1c.sys [?]
S1 MpKslff35559a;MpKslff35559a;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6A006D29-EA12-4257-8623-6474590A6F04}\MpKslff35559a.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6A006D29-EA12-4257-8623-6474590A6F04}\MpKslff35559a.sys [?]
S2 IHA_MessageCenter;IHA_MessageCenter;c:\program files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [10/13/2010 6:06 PM 98304]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
itlsvc REG_MULTI_SZ itlperf
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
2011-04-20 c:\windows\Tasks\User_Feed_Synchronization-{41F98E7B-9523-4667-8C86-1B9FB442C977}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.verizon.net/central/appmanager/portal/vzcentral#Scene_1
uSearchMigratedDefaultURL = hxxp://www.Google.com/
uDefault_Search_URL = hxxp://www.Google.com/
mSearch Bar = hxxp://www.Google.com/
mSearchMigratedDefaultURL = hxxp://www.Google.com/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.Google.com/
mSearchURL = hxxp://www.Google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: musicmatch.com\online
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
SharedTaskScheduler-{ecc974ae-6ede-44a2-90da-93b996d8eaf8} - (no file)
Notify-itlntfy - itlnfw32.dll
SafeBoot-klmdb.sys
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb
AddRemove-whitesmoketoolbar - c:\program files\whitesmoketoolbar\uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-20 15:00
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(640)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
- - - - - - - > 'explorer.exe'(3752)
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\browselc.dll
c:\windows\system32\dla\tfswshx.dll
c:\windows\system32\tfswapi.dll
c:\windows\system32\dla\tfswcres.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\java.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-04-20 15:04:04 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-20 19:03
.
Pre-Run: 56,264,044,544 bytes free
Post-Run: 56,364,269,568 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - D8329B6A4B272C94A20D0C92629BDCDB

#4 CriticalDog (Topic Starter, Members, 5 posts)

Posted 20 April 2011 - 02:42 PM

Ah, the computer still had MS Security Essentials. It updated, but was unable to start. And the "MS Feeds Synchronization" messages have started again, which makes me think it may be related to the Security Essentials program? Attempts to access the support page for MSSE resulted in "unable to load page" errors.

Will check back again in a few hours. Thank you again for your help!

#5 Noviciate (Malware Response Team, 5,277 posts, Location: Numpty HQ)

Posted 20 April 2011 - 03:08 PM

Copy and paste the following into Notepad (Start > All Programs > Accessories > Notepad):

RenV::
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\Common Files\InstallShield\UpdateService\issch .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\Dell Support Center\bin\sprtcmd .exe
c:\program files\Dell Support Center\gs_agent\custom\dsca .exe
c:\program files\DellSupport\DSAgnt .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\Microsoft Security Client\msseces .exe
c:\program files\QuickTime\qttask .exe
c:\program files\SUPERAntiSpyware\SUPERAntiSpyware .exe
c:\program files\Verizon\McciTrayApp .exe
c:\program files\Verizon\SmartBridge\MotiveSB .exe
c:\program files\Verizon\VSP\VerizonServicepoint .exe
c:\program files\VERIZONDM\bin\sprtcmd .exe
c:\windows\ehome\ehtray .exe
c:\windows\ime\imjp8_1\IMJPMIG .exe
c:\windows\ime\imkr6_1\IMEKRMIG .exe


Save it to your Desktop with the following filename: CFScript
Drag and drop CFScript.txt onto your copy of ComboFix and let it do its thing.
Let me have the log produced, as before, and a description of how the PC is behaving.

So long, and thanks for all the fish.

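The RenV:: directive in the script above tells ComboFix to rename files that have had whitespace inserted between the file name and its .exe extension (the HKLM Run entry "isuspm .exe -startup" marked [X] in the log shows the pattern: the autostart still fires, but the program it should launch no longer has the expected name). The Python script below is an added example, not part of this thread and not ComboFix's code, that performs the same repair stand-alone: it walks a directory tree, finds names of the form "stem<spaces>.exe", and renames them back, refusing to overwrite a file that already exists under the restored name. The directory tree it builds in a temporary folder is constructed for the example and only mirrors a few of the paths in the RenV:: list.

```python
"""Restore executables renamed to 'name .exe' back to 'name.exe'.

Added example: not part of this thread or of ComboFix. It reproduces what
ComboFix's RenV:: directive does for the list in the post above, on a
constructed directory tree so it can be run anywhere.
"""
import os
import re
import tempfile
from pathlib import Path

# One or more whitespace characters wedged between the stem and .exe.
SPACED_EXE = re.compile(r"^(?P<stem>.+?)\s+\.exe$", re.IGNORECASE)


def restored_name(name):
    """Return 'stem.exe' if `name` matches 'stem<spaces>.exe', else None."""
    m = SPACED_EXE.match(name)
    return m.group("stem") + name[-4:] if m else None  # keep the extension's case


def find_spaced_exes(root):
    """List every file under root whose name has whitespace before .exe."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits.extend(Path(dirpath) / fn for fn in files if restored_name(fn))
    return hits


def restore_spaced_exes(root, dry_run=False):
    """Rename each hit back to its original name.

    Returns (old_path, new_path, status) tuples. status is 'renamed',
    'would-rename' (dry run) or 'exists': a file already present under the
    restored name is never overwritten, because the surviving copy might be
    the legitimate binary or something dropped in its place; compare the two
    by hand before deleting either.
    """
    results = []
    for old in find_spaced_exes(root):
        new = old.with_name(restored_name(old.name))
        if new.exists():
            results.append((old, new, "exists"))
        elif dry_run:
            results.append((old, new, "would-rename"))
        else:
            old.rename(new)
            results.append((old, new, "renamed"))
    return results


# Constructed sample tree: a few paths from the RenV:: list plus one collision.
SAMPLE_FILES = [
    "Program Files/Common Files/InstallShield/UpdateService/isuspm       .exe",
    "Program Files/QuickTime/qttask     .exe",
    "Program Files/Dell Support Center/bin/sprtcmd .exe",
    "WINDOWS/ehome/ehtray .exe",
    "WINDOWS/ehome/ehtray.exe",              # collision: restored name already taken
    "Program Files/Java/jre6/bin/java.exe",  # normal name, must be left alone
]


def build_sample_tree(root):
    """Create the constructed files under root (placeholder bytes, not real PE files)."""
    for rel in SAMPLE_FILES:
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"MZ")


def run_demo():
    """Build the sample tree in a temp dir, repair it, report statuses and survivors."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        results = restore_spaced_exes(tmp)
        survivors = sorted(p.name for p in Path(tmp).rglob("*.exe"))
        return {old.name: status for old, _new, status in results}, survivors


if __name__ == "__main__":
    statuses, survivors = run_demo()
    for name, status in statuses.items():
        print(f"{status:13} {name!r}")
    print("files left:", survivors)
```

Run it with `dry_run=True` first against the real root (for this PC that would be `C:\`) to get the list of proposed renames before touching anything; the 'exists' case is the one that needs a human decision.
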
#6 CriticalDog (Topic Starter, Members, 5 posts)

Posted 24 April 2011 - 09:04 AM

My sincere apologies for the delay, I haven't managed to get over there since the last post. I will be headed over shortly, and will post the log results.

Happy Easter, to all the hard working folks here at BleepingComputers!

#7 CriticalDog (Topic Starter, Members, 5 posts)

Posted 24 April 2011 - 10:34 AM

Here is the log from the rerun of Combofix, with the appended script.

Note: I first clicked on combofix, and it ran before I dragged the script to it. So Combofix ran, then reran with the script.

As for behavior, I am still getting the Feeds Synchronization error messages, or I was once at least. I have not yet tried to start MS Security Essentials, as I am awaiting further instructions.

*************************************************************

ComboFix 11-04-20.01 - Owner 04/24/2011 11:09:08.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.556 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\cfscript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((( Files Created from 2011-03-24 to 2011-04-24 )))))))))))))))))))))))))))))))
.
.
2011-04-22 07:14 . 2011-04-22 07:14 -------- d-----w- c:\program files\MSXML 6.0
2011-04-21 13:43 . 2011-04-21 13:43 -------- d-----w- c:\windows\system32\CatRoot_bak
2011-04-21 13:38 . 2008-06-13 13:10 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2011-04-21 13:26 . 2010-02-24 12:31 454016 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2011-04-21 13:25 . 2010-02-16 13:17 2137088 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2011-04-21 13:25 . 2010-02-16 13:19 2181376 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2011-04-21 13:25 . 2010-02-16 12:39 2016768 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2011-04-21 13:25 . 2010-02-16 12:39 2058368 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2011-04-20 19:33 . 2011-04-11 07:04 7071056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{FEDB2DEA-E425-4863-9B3C-EED63AB6A959}\mpengine.dll
2011-04-20 13:50 . 2011-04-20 13:50 -------- d-----w- c:\documents and settings\LocalService\Application Data\Verizon
2011-04-09 03:39 . 2011-04-09 03:39 -------- d-----w- C:\d94f7c54f09699891920
2011-04-08 20:00 . 2011-04-08 20:00 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2011-04-08 18:33 . 2011-04-08 18:33 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Conduit
2011-04-08 17:53 . 2011-04-08 17:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-04-08 17:28 . 2011-04-08 17:28 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2011-04-08 17:28 . 2011-04-08 17:28 -------- d-----w- C:\TDSSKiller_Quarantine
2011-04-08 16:52 . 2005-10-15 02:45 135168 ----a-w- c:\windows\system32\igfxres.dll
2011-04-08 16:44 . 2004-08-10 08:13 69632 -c--a-w- c:\windows\system32\dllcache\ehresko.dll
2011-04-08 16:44 . 2004-08-10 08:13 73728 -c--a-w- c:\windows\system32\dllcache\ehresja.dll
2011-04-08 16:44 . 2004-08-10 08:13 69632 -c--a-w- c:\windows\system32\dllcache\ehresfr.dll
2011-04-08 16:44 . 2004-08-10 08:13 69632 -c--a-w- c:\windows\system32\dllcache\ehresde.dll
2011-04-08 16:42 . 2004-08-10 11:00 18944 -c--a-w- c:\windows\system32\dllcache\simptcp.dll
2011-04-08 16:41 . 2004-08-10 11:00 9216 -c--a-w- c:\windows\system32\dllcache\iwrps.dll
2011-04-08 16:40 . 2004-08-10 11:00 54528 -c--a-w- c:\windows\system32\dllcache\cap7146.sys
2011-04-08 16:34 . 2004-08-10 11:00 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2011-04-08 16:34 . 2004-08-10 11:00 16384 ----a-w- c:\program files\Internet Explorer\Connection Wizard\isignup.exe
2011-04-08 16:18 . 2004-08-10 11:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2011-04-08 16:18 . 2004-08-10 11:00 13312 ----a-w- c:\windows\system32\irclass.dll
2011-04-08 16:18 . 2004-08-10 11:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2011-04-08 16:18 . 2004-08-10 11:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2011-04-08 16:17 . 2004-08-10 11:00 13753 ----a-r- c:\windows\SET13C.tmp
2011-04-08 16:17 . 2004-08-10 11:00 1086058 ----a-r- c:\windows\SET130.tmp
2011-04-08 16:17 . 2004-08-10 11:00 106147 ----a-r- c:\windows\SET12D.tmp
2011-04-08 12:07 . 2011-04-08 12:07 -------- d-----w- c:\windows\dell
2011-04-05 13:29 . 2011-04-20 13:48 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-04-05 12:18 . 2011-04-05 12:19 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-04-05 03:58 . 2011-04-05 03:58 -------- d-----w- c:\windows\system32\wbem\Repository
2011-03-29 22:21 . 2011-03-29 22:21 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2011-03-29 22:21 . 2011-03-29 22:21 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-03-29 22:21 . 2011-04-10 04:00 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-03-29 21:13 . 2011-03-29 21:13 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2011-03-29 21:13 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-29 21:12 . 2011-03-29 21:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-03-29 21:12 . 2011-03-29 21:13 -------- d-----w- c:\program files\MalMal
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-22 09:04 . 2004-08-10 11:00 52352 ----a-w- c:\windows\system32\drivers\volsnap.sys
2011-04-20 17:08 . 2011-03-07 13:52 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
2011-03-15 01:05 . 2010-03-27 01:16 6792528 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-02-02 22:11 . 2010-03-26 01:14 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-01-26 23:05 . 2011-01-26 23:05 65536 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{6916E491-8BBF-4E8A-AFAD-D01307C059E5}\NewShortcut1_9E64A938C044442B9C8C104AA62BD820.exe
2011-01-26 23:05 . 2011-01-26 23:05 65536 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{6916E491-8BBF-4E8A-AFAD-D01307C059E5}\NewShortcut1_011BB310849E4442B8017718F2C57FE0.exe
2011-01-26 23:05 . 2011-01-26 23:05 65536 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{6916E491-8BBF-4E8A-AFAD-D01307C059E5}\ARPPRODUCTICON.exe
.
<pre>
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\Common Files\InstallShield\UpdateService\issch .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm       .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\Dell Support Center\bin\sprtcmd .exe
c:\program files\Dell Support Center\gs_agent\custom\dsca .exe
c:\program files\DellSupport\DSAgnt .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\Microsoft Security Client\msseces .exe
c:\program files\QuickTime\qttask     .exe
c:\program files\SUPERAntiSpyware\SUPERAntiSpyware .exe
c:\program files\Verizon\McciTrayApp .exe
c:\program files\Verizon\SmartBridge\MotiveSB .exe
c:\program files\Verizon\VSP\VerizonServicepoint .exe
c:\program files\VERIZONDM\bin\sprtcmd .exe
c:\windows\ehome\ehtray .exe
c:\windows\ime\imjp8_1\IMJPMIG .exe
c:\windows\ime\imkr6_1\IMEKRMIG .exe
</pre>
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [N/A]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [N/A]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm .exe -startup" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-10 44032]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-15 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-15 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-15 114688]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [N/A]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\61806296102818501480995154105645]
c:\program files\Antivirus 2009\av2009.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Antivirus]
c:\program files\AAV\aav.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2004-12-06 07:05 127035 ----a-w- c:\windows\system32\dla\tfswctrl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-02-23 22:19 53248 ----a-w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2006-03-28 23:26 169472 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Metrics]
2003-08-13 15:09 368640 ----a-w- c:\program files\HP\Personal Printing Solutions Product Research\HP Product Research.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
c:\program files\iTunes\iTunesHelper.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
2005-09-09 01:20 8192 ----a-w- c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
2005-08-12 20:16 1121792 ----a-w- c:\program files\McAfee\SpamKiller\MSKDetct.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
c:\program files\QuickTime\qttask.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2006-03-28 23:19 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\PSD\\PSOPENLF.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"50000:UDP"= 50000:UDP:IHA_MessageCenter
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 IHA_MessageCenter;IHA_MessageCenter;c:\program files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [10/13/2010 6:06 PM 98304]
R2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);c:\program files\VERIZONDM\bin\sprtsvc.exe [9/2/2010 6:46 AM 206120]
R2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);c:\program files\VERIZONDM\bin\tgsrvc.exe [9/2/2010 6:46 AM 185640]
S1 bovzhxqr;bovzhxqr;\??\c:\windows\system32\drivers\bovzhxqr.sys --> c:\windows\system32\drivers\bovzhxqr.sys [?]
S1 hfqfgqnv;hfqfgqnv;\??\c:\windows\system32\drivers\hfqfgqnv.sys --> c:\windows\system32\drivers\hfqfgqnv.sys [?]
S1 hvobgnmt;hvobgnmt;\??\c:\windows\system32\drivers\hvobgnmt.sys --> c:\windows\system32\drivers\hvobgnmt.sys [?]
S1 MpKsl625dbf41;MpKsl625dbf41;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4F28CD12-97E8-46B3-A1A3-2762FF694B5F}\MpKsl625dbf41.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4F28CD12-97E8-46B3-A1A3-2762FF694B5F}\MpKsl625dbf41.sys [?]
S1 MpKslab2bfe1c;MpKslab2bfe1c;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A386A92B-2B60-43DD-97E9-48D377EA0D64}\MpKslab2bfe1c.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A386A92B-2B60-43DD-97E9-48D377EA0D64}\MpKslab2bfe1c.sys [?]
S1 MpKslff35559a;MpKslff35559a;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6A006D29-EA12-4257-8623-6474590A6F04}\MpKslff35559a.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6A006D29-EA12-4257-8623-6474590A6F04}\MpKslff35559a.sys [?]
S1 pabtrqzm;pabtrqzm;\??\c:\windows\system32\drivers\pabtrqzm.sys --> c:\windows\system32\drivers\pabtrqzm.sys [?]
S1 rgwicedy;rgwicedy;\??\c:\windows\system32\drivers\rgwicedy.sys --> c:\windows\system32\drivers\rgwicedy.sys [?]
S1 syggviou;syggviou;\??\c:\windows\system32\drivers\syggviou.sys --> c:\windows\system32\drivers\syggviou.sys [?]
S1 tqkgxszx;tqkgxszx;\??\c:\windows\system32\drivers\tqkgxszx.sys --> c:\windows\system32\drivers\tqkgxszx.sys [?]
S1 txrkbvkq;txrkbvkq;\??\c:\windows\system32\drivers\txrkbvkq.sys --> c:\windows\system32\drivers\txrkbvkq.sys [?]
S1 vozgfeti;vozgfeti;\??\c:\windows\system32\drivers\vozgfeti.sys --> c:\windows\system32\drivers\vozgfeti.sys [?]
S1 vuvsnbns;vuvsnbns;\??\c:\windows\system32\drivers\vuvsnbns.sys --> c:\windows\system32\drivers\vuvsnbns.sys [?]
S2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [1/15/2008 11:28 AM 204800]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
itlsvc REG_MULTI_SZ itlperf
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
2011-04-24 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 17:26]
.
2011-04-24 c:\windows\Tasks\User_Feed_Synchronization-{41F98E7B-9523-4667-8C86-1B9FB442C977}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.verizon.net/central/appmanager/portal/vzcentral#Scene_1
uSearchMigratedDefaultURL = hxxp://www.Google.com/
uDefault_Search_URL = hxxp://www.Google.com/
mSearch Bar = hxxp://www.Google.com/
mSearchMigratedDefaultURL = hxxp://www.Google.com/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.Google.com/
mSearchURL = hxxp://www.Google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: musicmatch.com\online
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-24 11:13
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(640)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
- - - - - - - > 'explorer.exe'(3700)
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-04-24 11:15:43
ComboFix-quarantined-files.txt 2011-04-24 15:15
ComboFix2.txt 2011-04-24 15:04
ComboFix3.txt 2011-04-20 19:04
.
Pre-Run: 54,582,927,360 bytes free
Post-Run: 54,569,140,224 bytes free
.
- - End Of File - - 1EB0D67DE9EB5E741147813D05B671DA
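
Reading the two ComboFix logs in this thread by hand is tedious, and the entries worth a second look are scattered across sections: the S1 driver entries with eight-letter lowercase names and no file on disk ([?]), the Microsoft antimalware MpKsl* drivers that are also marked [?], the Run entry pointing at "isuspm .exe" marked [X], the firewall exception that leaves 3389/TCP (Remote Desktop) globally open, and the scheduled task that runs msfeedssync.exe, Internet Explorer's feed synchronization component, whose name matches the recurring "Microsoft Feeds Synchronization has encountered a problem" message reported in this thread. The Python script below is an added example, not ComboFix's own logic and not something the Malware Response Team posted, that pulls those entries out of a log excerpt (SAMPLE_LOG is abridged from the log above) and classifies them with this example's own heuristics. Two caveats: randomly named kernel drivers whose file is absent can be leftovers of rootkit scanners, which also register helper drivers under random names (GMER is one), as easily as malware, so that flag means "check", not "infected"; and the MpKsl* entries are Microsoft Security Essentials' transient definition-update drivers, which the script reports as missing files but does not mark as random names.

```python
"""Triage of ComboFix 'Reg Loading Points' output.

Added example: not part of this thread, of ComboFix, or of any Bleeping
Computer procedure. SAMPLE_LOG is abridged from the log posted above; the
classification rules are this example's own heuristics.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Abridged excerpt of the ComboFix log above (one representative line per kind).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm .exe -startup" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"50000:UDP"= 50000:UDP:IHA_MessageCenter
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
S1 bovzhxqr;bovzhxqr;\??\c:\windows\system32\drivers\bovzhxqr.sys --> c:\windows\system32\drivers\bovzhxqr.sys [?]
S1 hfqfgqnv;hfqfgqnv;\??\c:\windows\system32\drivers\hfqfgqnv.sys --> c:\windows\system32\drivers\hfqfgqnv.sys [?]
S1 MpKsl625dbf41;MpKsl625dbf41;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4F28CD12-97E8-46B3-A1A3-2762FF694B5F}\MpKsl625dbf41.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4F28CD12-97E8-46B3-A1A3-2762FF694B5F}\MpKsl625dbf41.sys [?]
S2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [1/15/2008 11:28 AM 204800]
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-24 c:\windows\Tasks\User_Feed_Synchronization-{41F98E7B-9523-4667-8C86-1B9FB442C977}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
"""

# Line shapes this example understands (ComboFix's own format is not documented here).
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);[^;]*;(?P<rest>.*)$")
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"\s*\[(?P<tag>[^\]]*)\]$')
PORT_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=')
TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2}\s+(?P<job>\S.*\.job)$")
TASK_EXE_RE = re.compile(r"^-\s+(?P<exe>.+?)\s+\[")
# Heuristic: eight lowercase letters, no digits, like the unexplained S1 entries above.
# Rootkit scanners also register helper drivers under random names, so this means "check".
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}$")
KNOWN_TASKS = {"msfeedssync.exe": "Microsoft Feeds Synchronization (Internet Explorer feed sync)"}


@dataclass
class Finding:
    kind: str     # category assigned in triage()
    subject: str  # service name, Run value name, port/proto, or executable
    detail: str   # evidence line or short explanation


def triage(log_text):
    """Scan ComboFix log text and return the Findings worth a second look, in log order."""
    findings = []
    lines = [ln.rstrip() for ln in log_text.splitlines()]
    for i, line in enumerate(lines):
        m = SERVICE_RE.match(line)
        if m:
            name, rest = m.group("name"), m.group("rest")
            if rest.endswith("[?]"):  # ComboFix could not find/verify the driver file
                findings.append(Finding("service_file_missing", name, rest))
            if m.group("start") == "S1" and RANDOM_NAME_RE.match(name):
                findings.append(Finding("random_named_driver", name, rest))
            continue
        m = RUN_RE.match(line)
        if m:
            name, cmd, tag = m.group("name"), m.group("cmd"), m.group("tag")
            if tag == "X":  # [X]: the autostart target is missing
                findings.append(Finding("run_target_missing", name, cmd))
            if re.search(r"\s\.exe\b", cmd, re.IGNORECASE):  # 'name .exe', what RenV:: repairs
                findings.append(Finding("spaced_exe_name", name, cmd))
            continue
        m = PORT_RE.match(line)
        if m:
            port, proto = int(m.group("port")), m.group("proto")
            note = "Remote Desktop (RDP) globally open" if (port, proto) == (3389, "TCP") else line
            findings.append(Finding("open_port", f"{port}/{proto}", note))
            continue
        m = TASK_RE.match(line)
        if m and i + 1 < len(lines):
            e = TASK_EXE_RE.match(lines[i + 1])
            if e:
                exe = re.split(r"[\\/]", e.group("exe"))[-1].lower()
                findings.append(Finding("scheduled_task", exe, KNOWN_TASKS.get(exe, m.group("job"))))
    return findings


def summarize(findings):
    """Group finding subjects by kind, preserving log order."""
    groups = defaultdict(list)
    for f in findings:
        groups[f.kind].append(f.subject)
    return dict(groups)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:22} {f.subject:18} {f.detail}")
```

Feed it a whole ComboFix log (`triage(open("ComboFix.txt").read())`) and diff the summaries of two runs; the S1 random-name entries appear in the second log of this thread but not in the first, which is exactly the kind of change between runs that the summary makes visible.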

#8 Noviciate (Malware Response Team, 5,277 posts, Location: Numpty HQ)

Posted 24 April 2011 - 03:00 PM

Good evening. :)

Download a fresh installation file for MSE, then uninstall the existing one and reinstall it, and see how you get on and let me know. You can get a copy of the installation file here.

So long, and thanks for all the fish.

#9 Noviciate (Malware Response Team, 5,277 posts, Location: Numpty HQ)

Posted 29 April 2011 - 01:23 PM

As there has been no response for five days this thread is now closed.

So long, and thanks for all the fish.