
Redirect Virus possibly...


  • This topic is locked
22 replies to this topic

#1 mjkrunner

mjkrunner

  • Members
  • 12 posts
  • OFFLINE
  • Local time:06:25 AM

Posted 26 April 2011 - 07:27 PM

I've been having issues with my desktop (Windows XP) for the past week or so. Downloading Malwarebytes' anti-Malware helped for a time (Symantec is my default Anti-virus), but there is something still obviously wrong (tdsskiller would get to 80% then bomb). Characteristics include:

1) Redirection of websites through certain links / occasional popups.

2) Error message "Generic Host Process for Win32 Services has encountered a problem and needs to close. We are sorry for the inconvenience" pops up regularly.

3) No sound

4) Bottom of screen goes gray

I am so ready to try ComboFix. Thanks in advance for your assistance.



#2 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:25 AM

Posted 26 April 2011 - 10:11 PM

Hello and welcome. Please follow these guidelines while we work on your PC:
  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I've given you the "All clear." Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Any underlined text in my posts indicates a clickable link.
  • If you have any questions at all, please stop and ask before proceeding.
Please download DDS by sUBs from one of the following links and save it to your desktop.

DDS.scr
DDS.com
DDS.pif
  • Disable any script blocking protection (How to Disable your Security Programs)
  • Double click DDS icon to run the tool (may take up to 3 minutes to run)
  • When done, DDS.txt will open.
  • After a few moments, attach.txt will open in a second window.
  • Save both reports to your desktop.
---------------------------------------------------
  • Post the contents of the DDS.txt report in your next reply
  • Attach the Attach.txt report to your post by scrolling down to the Attachments area and then clicking Browse. Browse to where you saved the file, and click Open and then click UPLOAD.
Download GMER Rootkit Scanner from here to your desktop.
  • Double click the exe file. If asked to allow gmer.sys driver to load, please consent .
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.




  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in reply.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


If you have trouble running GMER:
  • Make sure that your security software is disabled
  • Uncheck the box next to "Files" this time also
  • If you still can't run it, try in the Safe Mode
Please include the following in your next post:
  • DDS.txt and Attach.txt logs
  • GMER log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#3 mjkrunner

mjkrunner
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:06:25 AM

Posted 28 April 2011 - 06:44 AM

Thanks for the information. I was able to run DDS, though it took quite a bit longer than 3 minutes (more like 15-20 minutes). I will be posting DDS.txt below and attaching Attach.txt as well.

As for GMER, I tried running it twice with the security programs disabled; it started out ok, seemingly running fine. However, it would not complete or was not savable after several hours (the icons on the screen would become unreadable as well). The first time, I was able to save it, but the file had 0 bytes; the second time I was not able to save it at all. For the next attempt (later today), should I both uncheck the "files" box as well as running this in safe mode?

Thank you again for going through this with me - I really appreciate it.

DDS.txt
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by user at 22:49:19.46 on Wed 04/27/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2190 [GMT -4:00]
.
AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\user\Application Data\Juniper Networks\Setup Client\JuniperSetupClient.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Documents and Settings\user\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.

#4 mjkrunner

mjkrunner
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:06:25 AM

Posted 28 April 2011 - 06:49 AM

Thanks for the information. I was able to run DDS, though it took quite a bit longer than 3 minutes (more like 15-20 minutes). I will be posting DDS.txt below; I am having a problem trying to upload Attach.txt as well - any additional advice?

As for GMER, I tried running it twice with the security programs disabled; it started out ok, seemingly running fine. However, it would not complete or was not savable after several hours (the icons on the screen would become unreadable as well). The first time, I was able to save it, but the file had 0 bytes; the second time I was not able to save it at all. For the next attempt (later today), should I both uncheck the "files" box as well as running this in safe mode?

Thank you again for going through this with me - I really appreciate it.

DDS.txt
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by user at 22:49:19.46 on Wed 04/27/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2190 [GMT -4:00]
.
AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\user\Application Data\Juniper Networks\Setup Client\JuniperSetupClient.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Documents and Settings\user\Desktop\dds.scr
.
============== Pseudo HJT Repor

#5 mjkrunner

mjkrunner
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:06:25 AM

Posted 28 April 2011 - 09:20 AM

It looks like the entire list for DDS.txt did not make it into the post - I will re-post later when near my infected computer again...

#6 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:25 AM

Posted 28 April 2011 - 01:02 PM

Yes, those logs are incomplete - I'll look for updates later.



#7 mjkrunner

mjkrunner
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:06:25 AM

Posted 28 April 2011 - 06:25 PM

Finally had a chance to get on the desktop again, here is an update on things:

1) I was able to run DDS, though it took quite a bit longer than 3 minutes (more like 15-20 minutes). I will be posting DDS.txt below.

2) Attach.txt is attached below.

3) As for GMER, the third time was the charm. I ran it with the "Files" box unchecked (but NOT in safe mode). Gmer.txt is posted below.

Thanks again for your assistance and I look forward to hearing back from you.

DDS.txt
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by user at 22:49:19.46 on Wed 04/27/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2190 [GMT -4:00]
.
AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\user\Application Data\Juniper Networks\Setup Client\JuniperSetupClient.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Documents and Settings\user\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [D1T2EUR7FZ] c:\docume~1\user\locals~1\temp\Xpi.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\acrobat 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Gdigifi] rundll32.exe "c:\windows\uzaduwatonu.dll",Startup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dRun: [D1T2EUR7FZ] c:\windows\temp\Xpd.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: intuit.com\ttlc
Trusted Zone: upenn.edu
Trusted Zone: upenn.edu\*.isc-seo
Trusted Zone: upenn.edu\*.med
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1237241971078
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1237316557066
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://remote.cceb.med.upenn.edu/dana-cached/setup/JuniperSetupSP1.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
TCP: {86190F21-67CA-43AC-A8A2-E5148C5821AA} = 128.91.254.1,128.91.254.4,128.91.2.13
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: itlnfw32 - itlnfw32.dll
Notify: itlntfy - itlnfw32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\z44pe3nk.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: XULRunner: {822F8765-A480-44C1-AC7B-C00BF029855D} - c:\documents and settings\user\local settings\application data\{822F8765-A480-44C1-AC7B-C00BF029855D}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3250820AS rev.3.ADG -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-7
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8AE09730]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8ae0fa10]; MOV EAX, [0x8ae0fa8c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8AF0C540]
3 CLASSPNP[0xBA168FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8ADDB270]
\Driver\atapi[0x8AE48520] -> IRP_MJ_CREATE -> 0x8AE09730
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8AE0957B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 23:00:31.35 ===============


Gmer.txt
GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-04-28 18:53:52
Windows 5.1.2600 Service Pack 3
Running: 0rvtwojx.exe; Driver: C:\DOCUME~1\user\LOCALS~1\Temp\pxtdipow.sys


---- System - GMER 1.0.15 ----

SSDT 8ABD19D8 ZwAlertResumeThread
SSDT 8ABCC5B0 ZwAlertThread
SSDT 8AB87940 ZwAllocateVirtualMemory
SSDT 8AB9DF30 ZwCreateMutant
SSDT 8ABF6AB0 ZwCreateThread
SSDT 8AD80218 ZwFreeVirtualMemory
SSDT 8ABD55C0 ZwImpersonateAnonymousToken
SSDT 8ABD40C0 ZwImpersonateThread
SSDT 8ABFE3C8 ZwMapViewOfSection
SSDT 8ABD70C8 ZwOpenEvent
SSDT 8ABC6538 ZwOpenProcessToken
SSDT 8AD93238 ZwOpenThreadToken
SSDT 8AB9FAD0 ZwResumeThread
SSDT 8ABC9D18 ZwSetContextThread
SSDT 8AD7F960 ZwSetInformationProcess
SSDT 8AC0C698 ZwSetInformationThread
SSDT 8ABD84F8 ZwSuspendProcess
SSDT 8ABCB488 ZwSuspendThread
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xA3129620]
SSDT 8ABC9E90 ZwTerminateThread
SSDT 8ABC77A8 ZwUnmapViewOfSection
SSDT 8AB9B7C0 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB86F2000, 0x1B65CA, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1164] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00DB000A
.text C:\WINDOWS\System32\svchost.exe[1164] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00DC000A
.text C:\WINDOWS\System32\svchost.exe[1164] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00DA000C
.text C:\WINDOWS\System32\svchost.exe[1164] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 00E4000A
.text C:\WINDOWS\Explorer.EXE[1924] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D6000A
.text C:\WINDOWS\Explorer.EXE[1924] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D7000A
.text C:\WINDOWS\Explorer.EXE[1924] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00D5000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip NEOFLTR_650_16339.SYS (NetBIOS Redirector/Juniper Networks)
AttachedDevice \Driver\Tcpip \Device\Tcp NEOFLTR_650_16339.SYS (NetBIOS Redirector/Juniper Networks)
AttachedDevice \Driver\Tcpip \Device\Udp NEOFLTR_650_16339.SYS (NetBIOS Redirector/Juniper Networks)
AttachedDevice \Driver\Tcpip \Device\RawIp NEOFLTR_650_16339.SYS (NetBIOS Redirector/Juniper Networks)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

Attached Files
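The DDS and GMER logs above are what the helper is reading by eye: autorun entries launched from Temp directories or loaded through rundll32 from a DLL dropped directly in c:\windows, and inline JMP hooks that GMER found in ntdll/ole32 inside svchost.exe and Explorer.EXE. The following script is an added example, not part of this thread and not a BleepingComputer or GMER tool; it parses constructed sample lines in the same format and applies those two heuristics so the patterns are explicit. The address-range rule for hooks (a JMP target below 0x01000000 lands in private memory rather than in a loaded DLL) is an assumption made for this example, not a GMER rule.

```python
import re
from collections import defaultdict

# Constructed sample lines, modelled on the "Pseudo HJT Report" section of a
# DDS log and the "User code sections" section of a GMER log. These are not
# the poster's complete logs, just the line shapes this script understands.
DDS_SAMPLE = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [D1T2EUR7FZ] c:\docume~1\user\locals~1\temp\Xpi.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Gdigifi] rundll32.exe "c:\windows\uzaduwatonu.dll",Startup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [D1T2EUR7FZ] c:\windows\temp\Xpd.exe
"""

GMER_SAMPLE = r"""
.text C:\WINDOWS\System32\svchost.exe[1164] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00DB000A
.text C:\WINDOWS\System32\svchost.exe[1164] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 00E4000A
.text C:\WINDOWS\Explorer.EXE[1924] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D7000A
"""

# DDS prefixes: uRun = HKCU Run key, mRun = HKLM Run key, dRun = default-user Run key.
RUN_RE = re.compile(r'^([umd])Run: \[([^\]]+)\]\s+(.*)$')
# GMER user-mode hook line: .text <process>[<pid>] <module>!<function> <addr> <n> Bytes JMP <target>
HOOK_RE = re.compile(
    r'^\.text (?P<proc>.+?)\[(?P<pid>\d+)\] (?P<mod>[^!\s]+)!(?P<func>\S+) '
    r'(?P<addr>[0-9A-Fa-f]+) (?P<len>\d+) Bytes JMP (?P<target>[0-9A-Fa-f]+)$')


def triage_autoruns(dds_text):
    """Return (scope, value_name, command, reason) tuples for Run entries that
    match one of three heuristics: launched from a Temp directory, rundll32
    loading a DLL sitting directly in c:\\windows, or a random-looking
    value name. One entry can produce several findings."""
    findings = []
    for line in dds_text.strip().splitlines():
        m = RUN_RE.match(line)
        if not m:
            continue
        scope, name, cmd = m.groups()
        low = cmd.lower()
        reasons = []
        if '\\temp\\' in low:
            reasons.append('executable launched from a Temp directory')
        if low.startswith('rundll32') and re.search(r'"?c:\\windows\\[^\\"]+\.dll', low):
            reasons.append('rundll32 loading a DLL placed directly in c:\\windows')
        if re.fullmatch(r'[A-Z0-9]{8,}', name):
            reasons.append('random-looking value name')
        findings.extend((scope, name, cmd, r) for r in reasons)
    return findings


def parse_user_hooks(gmer_text):
    """Group GMER inline JMP hooks by process. 'private_range' is the
    assumed heuristic: a target below 0x01000000 is in dynamically allocated
    memory, not in the hooked system DLL or any vendor hook DLL."""
    hooks = defaultdict(list)
    for line in gmer_text.strip().splitlines():
        m = HOOK_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        target = int(d['target'], 16)
        hooks[f"{d['proc']}[{d['pid']}]"].append({
            'function': f"{d['mod']}!{d['func']}",
            'hooked_at': int(d['addr'], 16),
            'target': target,
            'private_range': target < 0x01000000,
        })
    return dict(hooks)


if __name__ == '__main__':
    for scope, name, cmd, reason in triage_autoruns(DDS_SAMPLE):
        print(f'[{scope}Run] {name}: {reason}  <- {cmd}')
    for proc, entries in parse_user_hooks(GMER_SAMPLE).items():
        for h in entries:
            flag = 'private memory' if h['private_range'] else 'module range'
            print(f'{proc} {h["function"]} -> {h["target"]:08X} ({flag})')
```

The heuristics are deliberately narrow: a Temp-directory autorun or a rundll32 entry pointing at a DLL in the Windows root is worth a question, not an automatic deletion, which is exactly why the helper asks for logs before any removal step.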



#8 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:25 AM

Posted 28 April 2011 - 07:04 PM

mjkrunner:

Did you edit the Attach.txt log, or is that what was produced? Please do this:

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please include the following in your next post:
  • ComboFix log



#9 mjkrunner

mjkrunner
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:06:25 AM

Posted 28 April 2011 - 08:16 PM

The attach.txt was exactly as is.

When I started running combofix.exe, it got me to the point of asking to install Microsoft Windows Recovery Console. I said yes, it tried to do so, but then I got an error message stating:

"Extracting file failed. It is most likely caused by low memory (low disc space for swapping file) or corrupted Cabinet file."

After hitting OK, it gives the option to send a message to Microsoft: "extract.cfxxe has encountered a problem and needs to close. We are sorry for the inconvenience". I did not send the error report.

Then a screen pops up "What's next?" Click 'Yes' to continue scanning for malware / Click 'No' to exit. Underneath it, partially hidden is an Error screen that I can't make out what it says. This is where I am now. What is the next step? Thanks.

#10 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:25 AM

Posted 28 April 2011 - 08:50 PM

mjkrunner:

OK, thanks for trying - let's try a different approach:

Your PC is infected with a rootkit, one that is attached to the Master Boot Record (MBR) of your hard disk. We usually have a good amount of success when it comes to fixing the MBR, but the MBR is a delicate area and there is a possibility of data loss and/or complete PC failure if the disinfection process does not work. Please back up any important data before proceeding.

Please also understand that some PCs have their own proprietary MBR that offers you the ability to boot directly into a Factory Restore Utility. Fixing this proprietary MBR can cause you to lose the ability to boot into the Factory Restore Utility.

Please look over these instructions before you begin and let me know in advance if you have any questions or concerns.

Download MBR
  • Save MBR.exe directly to c:\
  • Open notepad and copy/paste the text in the quotebox below into it:

    @echo off
    MBR.exe -c 0 1 MBR_backup.dat

    Save this as dump.bat. Choose "Save type as - All Files".
    Double click on dump.bat & allow it to run. Two files should be placed on your desktop; leave them be for now.
We need to create a boot disk. If this step won't work on the infected PC, you will need to use a clean PC to create the disk to use in the infected machine.
  • Please download ARCDC from Artellos.com.
  • Double click ARCDC.exe
  • Follow the dialog until you see 6 options. Please pick: Windows Professional SP2 & SP3
  • You will be prompted with a Terms of Use by Microsoft, please accept.
  • You will see a few dos screens flash by, this is normal.
  • Next you will be able to choose to add extra files. Select the Default Files.
  • The last window will allow you to burn the disk using BurnCDCC
Your ISO is located on your desktop.

We need to fix your MBR:

  • Restart your computer with the disk you just created in the CDROM drive.
  • If you are prompted to press a key to start the computer from CDROM, do so quickly. Otherwise it may try to boot from the hard drive.
  • After a few minutes, you'll see a prompt to press the R key to start the Recovery Console.
  • When Recovery Console starts, it will prompt you to enter a number corresponding to the Windows XP installation that you need to repair. In most cases, you'll enter "1" (which will be the only choice). ( If you press ENTER without typing a number, Recovery Console will quit and restart your computer.)
  • Enter your Administrator password. If you don't enter the correct password, you cannot continue. (If you did not set a password, just hit enter)
  • At the Recovery Console command prompt, type fixmbr and press Enter, then verify that you want to proceed.
  • When complete, type EXIT and reboot normally.
Your infected MBR will be replaced with a new one, and you should then be able to boot your system normally. In some cases, you may need to repair the boot sector in addition to the MBR. If your system still doesn't boot properly, repeat the steps above, but issue the fixboot command instead.

Let me know once you've successfully completed these steps.

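The post above has the user dump the MBR to MBR_backup.dat before running fixmbr, and the earlier DDS "ROOTKIT" section reported a hook on \Driver\atapi with the MBR itself reading as OK from user mode, which is the bootkit pattern: boot code replaced, partition table left intact so the system still boots. The script below is an added example written for this thread, not the MBR tool's own code and not a BleepingComputer utility. It assumes the dump is a raw 512-byte sector image (an assumption about MBR_backup.dat's format), builds a constructed sample sector, and shows how comparing a pre-fix backup with a post-fix dump separates a boot-code change from a partition-table change.

```python
import hashlib
import struct

SECTOR = 512        # one MBR sector
PT_OFFSET = 446     # partition table: 4 entries x 16 bytes
SIG_OFFSET = 510    # 0x55 0xAA boot signature


def parse_mbr(sector: bytes) -> dict:
    """Split a raw MBR sector into boot-code hash, partition table and
    signature check. Assumes a classic MBR layout (no GPT protective logic)."""
    if len(sector) != SECTOR:
        raise ValueError('expected exactly one 512-byte sector')
    signature = struct.unpack_from('<H', sector, SIG_OFFSET)[0]   # 0xAA55 little-endian
    partitions = []
    for i in range(4):
        off = PT_OFFSET + 16 * i
        status, ptype = sector[off], sector[off + 4]
        lba_start = struct.unpack_from('<I', sector, off + 8)[0]
        sectors = struct.unpack_from('<I', sector, off + 12)[0]
        if ptype != 0:                       # type 0 = unused slot
            partitions.append({'bootable': status == 0x80, 'type': ptype,
                               'lba_start': lba_start, 'sectors': sectors})
    return {'signature_ok': signature == 0xAA55,
            'bootcode_sha256': hashlib.sha256(sector[:PT_OFFSET]).hexdigest(),
            'partitions': partitions}


def compare_mbr(backup: bytes, current: bytes) -> dict:
    """Compare two sector images. A changed boot code with an unchanged
    partition table is the shape a bootkit leaves (and also what a clean
    fixmbr leaves, which is why the backup is taken first)."""
    a, b = parse_mbr(backup), parse_mbr(current)
    return {'bootcode_changed': a['bootcode_sha256'] != b['bootcode_sha256'],
            'partition_table_changed': a['partitions'] != b['partitions'],
            'signature_ok': b['signature_ok']}


def compare_dump_files(backup_path: str, current_path: str) -> dict:
    """Same comparison over two dump files such as MBR_backup.dat (assumed raw format)."""
    with open(backup_path, 'rb') as f:
        backup = f.read(SECTOR)
    with open(current_path, 'rb') as f:
        current = f.read(SECTOR)
    return compare_mbr(backup, current)


def build_sample_mbr() -> bytes:
    """Constructed sample sector, not a real MBR: four placeholder boot-code
    bytes, NOP filler, one bootable NTFS partition at LBA 63, valid signature."""
    sector = bytearray(SECTOR)
    code = b'\x33\xc0\x8e\xd0'                       # xor ax,ax / mov ss,ax
    sector[:len(code)] = code
    sector[len(code):PT_OFFSET] = b'\x90' * (PT_OFFSET - len(code))
    struct.pack_into('<BBBBBBBBII', sector, PT_OFFSET,
                     0x80, 1, 1, 0,            # bootable, CHS start (placeholder)
                     0x07, 0xFE, 0xFF, 0xFF,   # type NTFS, CHS end (placeholder)
                     63, 488_281_250)          # LBA start, sector count
    sector[SIG_OFFSET:SECTOR] = b'\x55\xaa'
    return bytes(sector)


def tamper_bootcode(sector: bytes) -> bytes:
    """Constructed 'modified' copy: first boot-code bytes replaced with a
    jmp-to-self placeholder, partition table and signature untouched."""
    patched = bytearray(sector)
    patched[0:4] = b'\xeb\xfe\x90\x90'
    return bytes(patched)


if __name__ == '__main__':
    clean = build_sample_mbr()
    print(parse_mbr(clean))
    print(compare_mbr(clean, tamper_bootcode(clean)))
```

Used on a real dump, the point of the comparison is the third field as much as the first: if the signature or the partition table changed between the backup and the post-fixmbr dump, the helper's warning about data loss applies and the backup is what gets written back.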


#11 mjkrunner

mjkrunner
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:06:25 AM

Posted 28 April 2011 - 09:28 PM

RPMcMurphy -

I got as far as picking Windows Professional SP2 & SP3 for ARCDC on the infected machine, when it gave an error message along the lines:
"Extracting file failed. It is most likely caused by low memory (low disc space for swapping file) or corrupted Cabinet file."

Yet after this, it then brings up a prompt stating:
"The program is creating the ISO File. Would you like to add extra files, or use the default files?", and then gives "Use Default Files" & "Add Extra Files" as options. When I tried this on the uninfected machine, the same thing occurred. Should I pick one of these and go from there?

-mjkrunner

#12 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:25 AM

Posted 28 April 2011 - 09:41 PM

Select the "Use default files" option.



#13 mjkrunner

mjkrunner
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:06:25 AM

Posted 28 April 2011 - 11:24 PM

RPMcMurphy -

I followed your advice, and it seems to have fixed the problem. I will not know for certain until I use it over the next couple of days, but thank you so much for helping me get to this point. Assuming this has remedied the problem, what safeguards would you advise going forward to lessen the chance of something like this happening again?

-mjkrunner

#14 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:25 AM

Posted 29 April 2011 - 07:30 AM

mjkrunner:

Nicely done! We still have work to do though. Please try to run ComboFix again next and post the log for me.



#15 mjkrunner

mjkrunner
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:06:25 AM

Posted 01 May 2011 - 02:26 PM

RPMcMurphy -

Was away at a family function, now back to try and finish this off. I ran ComboFix, and the log is posted below.

-mjkrunner


ComboFix 11-04-30.06 - user 05/01/2011 15:12:49.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2849 [GMT -4:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\uzaduwatonu.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_ITLPERF
-------\Service_itlperf
.
.
((((((((((((((((((((((((( Files Created from 2011-04-01 to 2011-05-01 )))))))))))))))))))))))))))))))
.
.
2011-04-29 02:14 . 2011-04-29 02:19 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-04-29 02:09 . 2011-04-29 02:09 89088 ----a-w- C:\mbr.exe
2011-04-25 19:27 . 2011-04-25 19:27 -------- d-----w- c:\documents and settings\user\Application Data\SUPERAntiSpyware.com
2011-04-25 19:27 . 2011-04-25 19:27 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-04-25 19:27 . 2011-04-25 19:27 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-04-23 16:39 . 2011-04-23 16:39 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2011-04-23 02:36 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-23 02:36 . 2011-04-23 22:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-23 02:36 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-23 01:07 . 2011-04-23 01:07 60928 ---ha-w- c:\windows\mobsadow.dll
2011-04-23 01:07 . 2011-04-23 01:07 60928 ---ha-w- c:\windows\system32\mobsadow.dll
2011-04-23 01:04 . 2011-05-01 15:18 0 ----a-w- c:\windows\Psaja.bin
2011-04-23 01:04 . 2011-04-23 01:04 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\{822F8765-A480-44C1-AC7B-C00BF029855D}
2011-04-18 02:13 . 2011-04-18 02:13 -------- d-----w- c:\documents and settings\user\Application Data\Apple Computer
2011-04-14 07:39 . 2011-04-14 07:39 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2011-04-14 07:39 . 2011-04-14 07:39 103864 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-07 05:33 . 2009-03-16 21:47 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2008-04-14 09:42 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2008-04-14 05:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2008-04-14 09:42 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 23:06 . 2008-04-14 09:42 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2008-04-14 09:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 11:41 . 2008-04-14 04:07 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 13:18 . 2008-04-14 04:47 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2008-04-14 04:45 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2009-05-19 12:36 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2008-04-14 09:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53 . 2008-04-14 09:42 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2008-04-14 09:41 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33 . 2008-04-14 09:41 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2007-04-03 12:44 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 07:58 . 2009-03-16 21:45 2067456 ----a-w- c:\windows\system32\mstscax.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-04-20 2423752]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-12-18 115560]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-07-24 1044480]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-31 08:44 35760 ----a-w- c:\program files\Adobe\Acrobat 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2006-09-11 08:40 218032 -c--a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2008-11-20 00:35 128296 -c--a-w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 20:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-03-17 19:18 148888 -c--a-w- c:\program files\Java\jre6\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-03-17 19:22 180269 -c--a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Juniper Networks\\Secure Application Manager\\dsSamProxy.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R1 NEOFLTR_650_16339;Juniper Networks TDI Filter Driver (NEOFLTR_650_16339);c:\windows\system32\drivers\NEOFLTR_650_16339.SYS [2/23/2011 10:51 PM 85360]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [1/31/2011 10:46 AM 102448]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [12/18/2008 5:34 AM 23888]
S3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [3/16/2009 6:18 PM 144480]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/14/2008 5:42 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
itlsvc REG_MULTI_SZ itlperf
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: intuit.com\ttlc
Trusted Zone: upenn.edu
Trusted Zone: upenn.edu\*.isc-seo
Trusted Zone: upenn.edu\*.med
TCP: {86190F21-67CA-43AC-A8A2-E5148C5821AA} = 128.91.254.1,128.91.254.4,128.91.2.13
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\z44pe3nk.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: XULRunner: {822F8765-A480-44C1-AC7B-C00BF029855D} - c:\documents and settings\user\Local Settings\Application Data\{822F8765-A480-44C1-AC7B-C00BF029855D}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-Gdigifi - c:\windows\uzaduwatonu.dll
Notify-itlntfy - itlnfw32.dll
SafeBoot-Symantec Antvirus
MSConfigStartUp-Dimension4 - c:\progra~1\DIMENS~1.350\D4.exe
MSConfigStartUp-HotSync - c:\program files\PalmSource\Desktop\HotSync.exe
MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-01 15:20
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,40,76,fe,19,0a,8b,66,42,b4,71,68,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,40,76,fe,19,0a,8b,66,42,b4,71,68,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(692)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(3216)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Symantec Endpoint Protection\Smc.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Symantec Endpoint Protection\Rtvscan.exe
c:\program files\Symantec Endpoint Protection\SmcGui.exe
.
**************************************************************************
.
Completion time: 2011-05-01 15:22:57 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-01 19:22
.
Pre-Run: 138,691,239,936 bytes free
Post-Run: 139,292,512,256 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
.
- - End Of File - - 0C23BA8CA17CB6C6A7EE7B6A82E16CD0



