
Unknown Malware/Virus Infection


47 replies to this topic

#1 hilus


Posted 16 May 2011 - 06:52 PM

Hi,

Hope you folks can help with my new problem. Came home from a fishing trip and my wife told me that our computer had been infected with something. She told me that our anti-virus software alerted her to a threat file, at which time she denied it access rather than quarantine the file. She then began to experience additional problems and attempted to restart the system to no avail. Upon my inspection, I located through my Avira Anti-virus that I have four (4) hidden files that I do not recognize and failed to completely remove. Furthermore, I periodically receive a Windows Explorer script error and I am unable to view my services under administrative tools. Additionally, both of my browsers (Internet Explorer and Firefox) now redirect and have been hijacked. I did also note that Firefox network settings are set to a proxy server. Any help you could provide would be greatly appreciated. Attached below are the files requested from your tutorial. Once again I thank you for all the hard work you all do.

Thank you.

John



GMER 1.0.15.15627 - http://www.gmer.net
Rootkit scan 2011-05-16 19:25:55
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 WDC_WD2500JB-00REA0 rev.20.00K20
Running: gmer.exe; Driver: C:\DOCUME~1\John\LOCALS~1\Temp\uwldypog.sys


---- System - GMER 1.0.15 ----

SSDT AA5AEC16 ZwCreateKey
SSDT AA5AEC0C ZwCreateThread
SSDT AA5AEC1B ZwDeleteKey
SSDT AA5AEC25 ZwDeleteValueKey
SSDT AA5AEC2A ZwLoadKey
SSDT AA5AEBF8 ZwOpenProcess
SSDT AA5AEBFD ZwOpenThread
SSDT AA5AEC34 ZwReplaceKey
SSDT AA5AEC2F ZwRestoreKey
SSDT AA5AEC20 ZwSetValueKey
SSDT AA5AEC07 ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 1D4 804E2830 2 Bytes [2A, EC] {SUB CH, AH}
.text ntoskrnl.exe!_abnormal_termination + 1D7 804E2833 1 Byte [AA]
.text ntoskrnl.exe!_abnormal_termination + 37C 804E29D8 1 Byte [2F]
.text C:\WINDOWS\System32\DRIVERS\nv4_mini.sys section is writeable [0xB8B57360, 0x32DEFD, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[184] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 012C13A8 C:\Documents and Settings\John\Application Data\cleanhlc.dll (Disk Space Cleanup HDD Manager for Windows/Microsoft Corporation)
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[184] ntdll.dll!NtQuerySystemInformation 7C90D92E 5 Bytes JMP 012C1455 C:\Documents and Settings\John\Application Data\cleanhlc.dll (Disk Space Cleanup HDD Manager for Windows/Microsoft Corporation)
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[184] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 012C1258 C:\Documents and Settings\John\Application Data\cleanhlc.dll (Disk Space Cleanup HDD Manager for Windows/Microsoft Corporation)
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[184] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 012C12D4 C:\Documents and Settings\John\Application Data\cleanhlc.dll (Disk Space Cleanup HDD Manager for Windows/Microsoft Corporation)
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[184] kernel32.dll!FindFirstFileW 7C80EF81 5 Bytes JMP 012C155A C:\Documents and Settings\John\Application Data\cleanhlc.dll (Disk Space Cleanup HDD Manager for Windows/Microsoft Corporation)
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[184] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 012C160F C:\Documents and Settings\John\Application Data\cleanhlc.dll (Disk Space Cleanup HDD Manager for Windows/Microsoft Corporation)
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[184] kernel32.dll!FindFirstFileA 7C813879 5 Bytes JMP 012C14DE C:\Documents and Settings\John\Application Data\cleanhlc.dll (Disk Space Cleanup HDD Manager for Windows/Microsoft Corporation)
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[184] kernel32.dll!FindNextFileA 7C834EE1 5 Bytes JMP 012C152C C:\Documents and Settings\John\Application Data\cleanhlc.dll (Disk Space Cleanup HDD Manager for Windows/Microsoft Corporation)
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[184] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 012C12F8 C:\Documents and Settings\John\Application Data\cleanhlc.dll (Disk Space Cleanup HDD Manager for Windows/Microsoft Corporation)
.text C:\Documents and Settings\John\Application Data\cleanhlc.exe[328] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 100013A8 C:\Documents and Settings\John\Application Data\cleanhlc.dll (Disk Space Cleanup HDD Manager for Windows/Microsoft Corporation)
.text C:\Documents and Settings\John\Application Data\cleanhlc.exe[328] ntdll.dll!NtQuerySystemInformation 7C90D92E 5 Bytes JMP 10001455 C:\Documents and Settings\John\Application Data\cleanhlc.dll (Disk Space Cleanup HDD Manager for Windows/Microsoft Corporation)
.text C:\Documents and Settings\John\Application Data\cleanhlc.exe[328] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 10001258 C:\Documents and Settings\John\Application Data\cleanhlc.dll (Disk Space Cleanup HDD Manager for Windows/Microsoft Corporation)
.text C:\Documents and Settings\John\Application Data\cleanhlc.exe[328] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 100012D4 C:\Documents and Settings\John\Application Data\cleanhlc.dll (Disk Space Cleanup HDD Manager for Windows/Microsoft Corporation)
.text C:\Documents and Settings\John\Application Data\cleanhlc.exe[328] kernel32.dll!FindFirstFileW 7C80EF81 5 Bytes JMP 1000155A C:\Documents and Settings\John\Application Data\cleanhlc.dll (Disk Space Cleanup HDD Manager for Windows/Microsoft Corporation)
.text C:\Documents and Settings\John\Application Data\cleanhlc.exe[328] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 1000160F C:\Documents and Settings\John\Application Data\cleanhlc.dll (Disk Space Cleanup HDD Manager for Windows/Microsoft Corporation)
.text C:\Documents and Settings\John\Application Data\cleanhlc.exe[328] kernel32.dll!FindFirstFileA 7C813879 5 Bytes JMP 100014DE C:\Documents and Settings\John\Application Data\cleanhlc.dll (Disk Space Cleanup HDD Manager for Windows/Microsoft Corporation)
.text C:\Documents and Settings\John\Application Data\cleanhlc.exe[328] kernel32.dll!FindNextFileA 7C834EE1 5 Bytes JMP 1000152C C:\Documents and Settings\John\Application Data\cleanhlc.dll (Disk Space Cleanup HDD Manager for Windows/Microsoft Corporation)
.text C:\WINDOWS\system32\rundll32.exe[456] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 00D613A8 C:\Documents and Settings\John\Application Data\cleanhlc.dll (Disk Space Cleanup HDD Manager for Windows/Microsoft Corporation)
.text C:\WINDOWS\system32\rundll32.exe[456] ntdll.dll!NtQuerySystemInformation 7C90D92E 5 Bytes JMP 00D61455 C:\Documents and Settings\John\Application Data\cleanhlc.dll (Disk Space Cleanup HDD Manager for Windows/Microsoft Corporation)
.text C:\WINDOWS\system32\rundll32.exe[456] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 00D61258 C:\Documents and Settings\John\Application Data\cleanhlc.dll (Disk Space Cleanup HDD Manager for Windows/Microsoft Corporation)
.text C:\WINDOWS\system32\rundll32.exe[456] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00D612D4 C:\Documents and Settings\John\Application Data\cleanhlc.dll (Disk Space Cleanup HDD Manager for Windows/Microsoft Corporation)
.text C:\WINDOWS\system32\rundll32.exe[456] kernel32.dll!FindFirstFileW 7C80EF81 5 Bytes JMP 00D6155A C:\Documents and Settings\John\Application Data\cleanhlc.dll (Disk Space Cleanup HDD Manager for Windows/Microsoft Corporation)
.text C:\WINDOWS\system32\rundll32.exe[456] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 00D6160F C:\Documents and Settings\John\Application Data\cleanhlc.dll (Disk Space Cleanup HDD Manager for Windows/Microsoft Corporation)
.text C:\WINDOWS\system32\rundll32.exe[456] kernel32.dll!FindFirstFileA 7C813879 5 Bytes JMP 00D614DE C:\Documents and Settings\John\Application Data\cleanhlc.dll (Disk Space Cleanup HDD Manager for Windows/Microsoft Corporation)
.text C:\WINDOWS\system32\rundll32.exe[456] kernel32.dll!FindNextFileA 7C834EE1 5 Bytes JMP 00D6152C C:\Documents and Settings\John\Application Data\cleanhlc.dll (Disk Space Cleanup HDD Manager for Windows/Microsoft Corporation)
.text C:\WINDOWS\system32\rundll32.exe[456] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00D612F8 C:\Documents and Settings\John\Application Data\cleanhlc.dll (Disk Space Cleanup HDD Manager for Windows/Microsoft Corporation)
.text C:\DOCUME~1\John\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[768] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 00F713A8 C:\Documents and Settings\John\Application Data\cleanhlc.dll (Disk Space Cleanup HDD Manager for Windows/Microsoft Corporation)
.text C:\DOCUME~1\John\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[768] ntdll.dll!NtQuerySystemInformation 7C90D92E 5 Bytes JMP 00F71455 C:\Documents and Settings\John\Application Data\cleanhlc.dll (Disk Space Cleanup HDD Manager for Windows/Microsoft Corporation)
.text C:\DOCUME~1\John\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[768] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 00F71258 C:\Documents and Settings\John\Application Data\cleanhlc.dll (Disk Space Cleanup HDD Manager for Windows/Microsoft Corporation)
.text C:\DOCUME~1\John\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[768] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00F712D4 C:\Documents and Settings\John\Application Data\cleanhlc.dll (Disk Space Cleanup HDD Manager for Windows/Microsoft Corporation)
.text C:\DOCUME~1\John\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[768] kernel32.dll!FindFirstFileW 7C80EF81 5 Bytes JMP 00F7155A C:\Documents and Settings\John\Application Data\cleanhlc.dll (Disk Space Cleanup HDD Manager for Windows/Microsoft Corporation)
.text C:\DOCUME~1\John\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[768] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 00F7160F C:\Documents and Settings\John\Application Data\cleanhlc.dll (Disk Space Cleanup HDD Manager for Windows/Microsoft Corporation)
.text C:\DOCUME~1\John\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[768] kernel32.dll!FindFirstFileA 7C813879 5 Bytes JMP 00F714DE C:\Documents and Settings\John\Application Data\cleanhlc.dll (Disk Space Cleanup HDD Manager for Windows/Microsoft Corporation)
.text C:\DOCUME~1\John\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[768] kernel32.dll!FindNextFileA 7C834EE1 5 Bytes JMP 00F7152C C:\Documents and Settings\John\Application Data\cleanhlc.dll (Disk Space Cleanup HDD Manager for Windows/Microsoft Corporation)
.text C:\DOCUME~1\John\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[768] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00F712F8 C:\Documents and Settings\John\Application Data\cleanhlc.dll (Disk Space Cleanup HDD Manager for Windows/Microsoft Corporation)
.text C:\WINDOWS\System32\svchost.exe[860] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00CE000A
.text C:\WINDOWS\System32\svchost.exe[860] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00CF000A
.text C:\WINDOWS\System32\svchost.exe[860] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00CD000C
.text C:\WINDOWS\System32\svchost.exe[860] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 00E9000A
.text C:\WINDOWS\System32\svchost.exe[860] USER32.dll!WindowFromPoint 7E429766 5 Bytes JMP 00EA000A
.text C:\WINDOWS\System32\svchost.exe[860] USER32.dll!GetForegroundWindow 7E429823 5 Bytes JMP 00EB000A
.text C:\WINDOWS\System32\svchost.exe[860] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00FA000A
.text C:\WINDOWS\Explorer.EXE[1808] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BD000A
.text C:\WINDOWS\Explorer.EXE[1808] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BE000A
.text C:\WINDOWS\Explorer.EXE[1808] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B7000C
.text C:\Program Files\NETGEAR\WG111v3\WG111v3.exe[1980] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 022513A8 C:\Documents and Settings\John\Application Data\cleanhlc.dll (Disk Space Cleanup HDD Manager for Windows/Microsoft Corporation)
.text C:\Program Files\NETGEAR\WG111v3\WG111v3.exe[1980] ntdll.dll!NtQuerySystemInformation 7C90D92E 5 Bytes JMP 02251455 C:\Documents and Settings\John\Application Data\cleanhlc.dll (Disk Space Cleanup HDD Manager for Windows/Microsoft Corporation)
.text C:\Program Files\NETGEAR\WG111v3\WG111v3.exe[1980] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 02251258 C:\Documents and Settings\John\Application Data\cleanhlc.dll (Disk Space Cleanup HDD Manager for Windows/Microsoft Corporation)
.text C:\Program Files\NETGEAR\WG111v3\WG111v3.exe[1980] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 022512D4 C:\Documents and Settings\John\Application Data\cleanhlc.dll (Disk Space Cleanup HDD Manager for Windows/Microsoft Corporation)
.text C:\Program Files\NETGEAR\WG111v3\WG111v3.exe[1980] kernel32.dll!FindFirstFileW 7C80EF81 5 Bytes JMP 0225155A C:\Documents and Settings\John\Application Data\cleanhlc.dll (Disk Space Cleanup HDD Manager for Windows/Microsoft Corporation)
.text C:\Program Files\NETGEAR\WG111v3\WG111v3.exe[1980] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 0225160F C:\Documents and Settings\John\Application Data\cleanhlc.dll (Disk Space Cleanup HDD Manager for Windows/Microsoft Corporation)
.text C:\Program Files\NETGEAR\WG111v3\WG111v3.exe[1980] kernel32.dll!FindFirstFileA 7C813879 5 Bytes JMP 022514DE C:\Documents and Settings\John\Application Data\cleanhlc.dll (Disk Space Cleanup HDD Manager for Windows/Microsoft Corporation)
.text C:\Program Files\NETGEAR\WG111v3\WG111v3.exe[1980] kernel32.dll!FindNextFileA 7C834EE1 5 Bytes JMP 0225152C C:\Documents and Settings\John\Application Data\cleanhlc.dll (Disk Space Cleanup HDD Manager for Windows/Microsoft Corporation)
.text C:\Program Files\NETGEAR\WG111v3\WG111v3.exe[1980] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 022512F8 C:\Documents and Settings\John\Application Data\cleanhlc.dll (Disk Space Cleanup HDD Manager for Windows/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8A8BD53B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-3 8A8BD53B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8A8BD53B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 8A8BD53B

---- Processes - GMER 1.0.15 ----

Process C:\Documents and Settings\John\Application Data\cleanhlc.exe (*** hidden *** ) 328

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run@cleanhlc C:\Documents and Settings\John\Application Data\cleanhlc.exe
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache@C:\Documents and Settings\John\Application Data\cleanhlc.exe Disk Hlc Manager for Windows

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\John\Application Data\cleanhlc.dll 53248 bytes executable
File C:\Documents and Settings\John\Application Data\cleanhlc.exe 64000 bytes executable

---- EOF - GMER 1.0.15 ----




.
DDS (Ver_11-03-05.01) - NTFSx86
Run by John at 19:27:54.48 on Mon 05/16/2011
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1569 [GMT -4:00]
.
AV: AntiVir Desktop *Enabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Documents and Settings\John\Application Data\cleanhlc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
C:\Documents and Settings\John\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uLocal Page = hxxp://www.google.com/
uStart Page = hxxp://www.google.com/
mLocal Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com/
mSearchAssistant = hxxp://www.google.com/
mCustomizeSearch = hxxp://www.google.com/
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Vtelew] rundll32.exe "c:\windows\sermap.dll",Startup
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Memeo Instant Backup] c:\program files\memeo\autobackup\MemeoLauncher2.exe --silent --no_ui
mRun: [Seagate Dashboard] c:\program files\seagate\seagate dashboard\MemeoLauncher.exe --silent --no_ui
mRun: [cleanhlc] c:\documents and settings\john\application data\cleanhlc.exe
mRun: [Adobe Updater] "c:\windows\system32\AdbUpdater.exe" -AutoRun
mRun: [Wdavohoqusiw] rundll32.exe "c:\windows\onaqexejivanoqiq.dll",Startup
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111v3\WG111v3.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
Trusted Zone: com.tw\www.msi
Trusted Zone: dhs.gov\email.tsa
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\john\applic~1\mozilla\firefox\profiles\f72icyfh.default\
FF - prefs.js: browser.search.selectedEngine - Food Network - Recipes
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\john\application data\mozilla\firefox\profiles\f72icyfh.default\extensions\{195a3098-0bd5-4e90-ae22-ba1c540afd1e}\plugins\npGarmin.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npImgCtl.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPUploader.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll
FF - plugin: c:\windows\system32\superadblocker.com\npsabffx.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Garmin Communicator: {195A3098-0BD5-4e90-AE22-BA1C540AFD1E} - %profile%\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}
.
============= SERVICES / DRIVERS ===============
.
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-5-14 11608]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2006-10-10 5632]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2007-2-27 32256]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-5-14 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-5-14 56816]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2007-10-9 38144]
S0 CFRMD;CFRMD;c:\windows\system32\drivers\cfrmd.sys --> c:\windows\system32\drivers\CFRMD.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\memeo\autobackup\MemeoBackgroundService.exe [2010-6-21 25824]
S2 SeagateDashboardService;Seagate Dashboard Service;c:\program files\seagate\seagate dashboard\SeagateDashboardService.exe [2010-6-30 14088]
S3 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-5-14 108289]
S3 FANTOM;LEGO MINDSTORMS NXT Driver;c:\windows\system32\drivers\fantom.sys [2006-3-10 39424]
S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\drivers\IcdUsb2.sys [2007-3-8 39048]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2001-8-23 14336]
S3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [2007-12-28 287232]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 4096]
S3 Vsp;Vsp;c:\windows\system32\drivers\vsp.sys [2006-7-27 3351]
S3 WEBNTACCESS;WEBNTACCESS;\??\c:\program files\msi\live update 3\ntaccess.sys --> c:\program files\msi\live update 3\NTACCESS.SYS [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-9-21 136176]
.
=============== Created Last 30 ================
.
2011-05-16 18:29:53 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2011-05-16 17:57:45 152576 ----a-w- c:\windows\Pdozab.exe
2011-05-14 11:54:29 0 ----a-w- c:\windows\Yjitoxol.bin
2011-05-14 11:54:26 -------- d-----w- c:\docume~1\john\locals~1\applic~1\{1A66EE91-A0CA-48CA-8798-35E42B691B8F}
2011-05-14 11:53:06 143360 --sha-r- c:\windows\system32\riched323.dll
2011-05-14 11:53:06 143360 --sha-r- c:\windows\system32\MpPrint7.dll
2011-05-14 11:53:06 143360 --sha-r- c:\windows\system32\catsrvut7.dll
2011-05-14 11:51:25 285696 --sh--r- c:\windows\system32\AdbUpdater.exe
2011-05-14 11:51:17 64000 --sh--w- c:\docume~1\john\applic~1\cleanhlc.exe
2011-05-14 11:51:17 53248 --sh--w- c:\docume~1\john\applic~1\cleanhlc.dll
2011-05-09 03:58:13 199613 ----a-w- c:\program files\mozilla firefox\null0.49720605954591024.exe
2011-05-03 14:26:33 -------- d-----w- c:\program files\ESET
.
==================== Find3M ====================
.
2011-02-20 16:02:16 256 ----a-w- c:\windows\system32\pool.bin
2011-02-18 21:36:58 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD2500JB-00REA0 rev.20.00K20 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A8BD6F0]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a8c3a10]; MOV EAX, [0x8a8c3a8c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E37C5] -> \Device\Harddisk0\DR0[0x8A983AB8]
3 CLASSPNP[0xF7637FD7] -> nt!IofCallDriver[0x804E37C5] -> \Device\0000005f[0x8A902908]
5 ACPI[0xF75AE620] -> nt!IofCallDriver[0x804E37C5] -> [0x8A8FA940]
\Driver\atapi[0x8A9232D0] -> IRP_MJ_CREATE -> 0x8A8BD6F0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A8BD53B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 19:29:26.28 ===============


.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 7/26/2006 11:02:21 PM
System Uptime: 5/16/2011 6:23:43 PM (1 hours ago)
.
Motherboard: MSI | | MS-6380
Processor: AMD Athlon™ Processor | Socket-A | 1399/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 233 GiB total, 194.702 GiB free.
D: is CDROM ()
E: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E96D-E325-11CE-BFC1-08002BE10318}
Description: Standard Modem
Device ID: ROOT\MODEM\0000
Manufacturer: (Standard Modem Types)
Name: Standard Modem
PNP Device ID: ROOT\MODEM\0000
Service: Modem
.
==== System Restore Points ===================
.
RP1: 5/16/2011 2:25:50 PM - System Checkpoint
.
==== Installed Programs ======================
.
Adobe Download Manager
Adobe Flash Player 10 Plugin
Adobe Reader 9.1
Adobe Shockwave Player 11.5
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Avira AntiVir Personal - Free Antivirus
BlackBerry Desktop Software 4.6
BlackBerry Device Software Updater
BlackBerry Device Software v4.5.0 for the BlackBerry 8320 smartphone
BlackBerry v4.2.2 for the 8320 Series Wireless Handheld
Bonjour
Canon FAXPHONE L80
Canon PIXMA iP4000
Canon Utilities Easy-PhotoPrint
CCleaner
Citrix Presentation Server Client
COMODO System - Cleaner
Defraggler
eFile Express 2006
eFile Express 2007
eFile Express 2008
eFile Express 2009
eFile Express 2010
ESET Online Scanner v3
Garmin Communicator Plugin
Garmin POI Loader
Garmin USB Drivers
Garmin WebUpdater
Google Earth
Google Update Helper
HiJackThis
Hotfix for Windows Internet Explorer 7 (KB947864)
ImgBurn
iTunes
Java™ 6 Update 13
JLC Archive
LEGO MINDSTORMS NXT Driver
LEGO MINDSTORMS NXT Dynamic Block Update
LEGO® MINDSTORMS® NXT - English Language Pack
LEGO® MINDSTORMS® NXT Software v1.0
Malwarebytes' Anti-Malware
Memeo Instant Backup
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft .NET Framework 4 Client Profile
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Live Add-in 1.3
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mozilla Firefox (3.6.10)
Mozilla Thunderbird (2.0.0.24)
MSVC80_x86
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser (KB933579)
NETGEAR WG111v3 wireless USB 2.0 adapter
NVIDIA Drivers
Palm Desktop
Platform
QuickTime
Realtek AC'97 Audio
Revo Uninstaller 1.91
Samsung ML-2010 Series
Seagate Dashboard
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB969679)
Security Update for Microsoft Office Excel 2007 (KB969682)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB969693)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows XP (KB913433)
Shutterfly Plugin
SpywareBlaster 4.2
SUPERAntiSpyware Free Edition
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 (KB969907)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (kb971933)
VC 9.0 Runtime
VIA Audio Driver Setup Program
VIA Platform Device Manager
WebFldrs XP
Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)
Windows Driver Package - Nokia Modem (05/22/2008 3.8)
Windows Driver Package - Nokia Modem (05/22/2008 7.00.0.1)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Installer Clean Up
Windows Internet Explorer 7
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player Firefox Plugin
Windows Presentation Foundation
Windows XP Service Pack 3
XML Paper Specification Shared Components Pack 1.0
.
==== Event Viewer Messages From Past Week ========
.
5/16/2011 5:49:20 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
5/16/2011 5:47:30 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AmdPPM avgio avipbb CFRMD Fips IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL ssmdrv Tcpip
5/16/2011 5:47:30 PM, error: Service Control Manager [7001] - The Network Location Awareness (NLA) service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
5/16/2011 5:47:30 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
5/16/2011 5:47:30 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
5/16/2011 5:47:25 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
5/16/2011 5:47:20 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
5/16/2011 2:02:16 PM, error: Service Control Manager [7034] - The Seagate Dashboard Service service terminated unexpectedly. It has done this 1 time(s).
5/16/2011 2:02:16 PM, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
5/16/2011 2:02:15 PM, error: Service Control Manager [7034] - The MemeoBackgroundService service terminated unexpectedly. It has done this 1 time(s).
5/16/2011 2:02:15 PM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
5/16/2011 2:02:15 PM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
5/16/2011 1:59:35 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: CFRMD
5/14/2011 2:17:19 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service winmgmt with arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}
.
==== End Of File ===========================



#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:04:26 PM

Posted 17 May 2011 - 08:37 AM

Hi

Please do the following:

Download Combofix from either of the links below. You must rename it to iexplore before saving it.
Save it to your desktop. Change the "save as" file type to "all files".

**Note: In the event you already have Combofix, delete it, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  • If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".

Link 1
Link 2

-----------------------------------------------------------


  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------

  • NOTE: If ComboFix asks to install the Recovery Console, please ALLOW it to do so.

    -----------------------------------------------------------

  • Double click on the renamed ComboFix.exe & follow the prompts. When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.

-----------------------------------------------------------


Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 hilus

hilus
  • Topic Starter

  • Members
  • 69 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Portsmouth, NH
  • Local time:04:26 PM

Posted 17 May 2011 - 10:26 AM

Hi,

Thanks for your reply. I ran ComboFix as you instructed. Strangely, I saved it as you instructed (iexplore) but when it began to initialize it renamed itself back to ComboFix. After several reboots it deleted numerous files and produced the log below. Also, my active desktop is back to normal, and on the last reboot an error message popped up saying it was unable to open a .dll file as it was missing. Unfortunately the message disappeared before I could write it down. I am aware that there may be additional cleaning to be done; however, any suggestions you can make about any junk I can get rid of would be welcome. This computer is used by the wife and kids and seems to have accumulated lots of useless stuff. Also, any recommendations to beef up security would be great. Again, thanks for all your help.


ComboFix 11-05-16.02 - John 05/17/2011 10:39:57.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1647 [GMT -4:00]
Running from: c:\documents and settings\John\Desktop\ComboFix.exe
AV: AntiVir Desktop *Enabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\John\Application Data\cleanhlc.dll
c:\documents and settings\John\Application Data\cleanhlc.exe
c:\documents and settings\John\Application Data\inst.exe
c:\documents and settings\John\Local Settings\Application Data\{1A66EE91-A0CA-48CA-8798-35E42B691B8F}
c:\documents and settings\John\Local Settings\Application Data\{1A66EE91-A0CA-48CA-8798-35E42B691B8F}\chrome.manifest
c:\documents and settings\John\Local Settings\Application Data\{1A66EE91-A0CA-48CA-8798-35E42B691B8F}\chrome\content\_cfg.js
c:\documents and settings\John\Local Settings\Application Data\{1A66EE91-A0CA-48CA-8798-35E42B691B8F}\chrome\content\overlay.xul
c:\documents and settings\John\Local Settings\Application Data\{1A66EE91-A0CA-48CA-8798-35E42B691B8F}\install.rdf
c:\documents and settings\John\WINDOWS
c:\windows\onaqexejivanoqiq.dll
c:\windows\Pdozab.exe
c:\windows\sermap.dll
c:\windows\system32\AdbUpdater.exe
c:\windows\system32\drivers\etc\lmhosts
c:\windows\system32\ReadMe.txt
c:\windows\system32\User.ini
.
---- Previous Run -------
.
c:\windows\system32\drivers\etc\lmhosts
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NPF
.
.
((((((((((((((((((((((((( Files Created from 2011-04-17 to 2011-05-17 )))))))))))))))))))))))))))))))
.
.
2011-05-16 20:36 . 2011-05-16 20:36 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2011-05-16 20:36 . 2011-05-16 20:36 -------- d-----w- c:\documents and settings\Default User\Application Data\Apple Computer
2011-05-16 20:30 . 2011-05-16 20:36 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Apple Computer
2011-05-16 20:28 . 2011-05-16 20:28 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-05-16 18:29 . 2011-05-16 18:29 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2011-05-14 11:54 . 2011-05-16 18:04 0 ----a-w- c:\windows\Yjitoxol.bin
2011-05-14 11:53 . 2011-05-14 11:53 143360 --sha-r- c:\windows\system32\riched323.dll
2011-05-14 11:53 . 2011-05-14 11:53 143360 --sha-r- c:\windows\system32\MpPrint7.dll
2011-05-14 11:53 . 2011-05-14 11:53 143360 --sha-r- c:\windows\system32\catsrvut7.dll
2011-05-09 03:58 . 2011-05-09 03:58 199613 ----a-w- c:\program files\Mozilla Firefox\null0.49720605954591024.exe
2011-05-03 14:26 . 2011-05-03 14:26 -------- d-----w- c:\program files\ESET
2011-04-24 15:36 . 2011-04-25 15:45 -------- d-----w- c:\documents and settings\John\Application Data\ImgBurn
2011-04-24 15:32 . 2011-04-24 15:32 -------- d-----w- c:\program files\ImgBurn
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-18 21:36 . 2009-12-25 16:26 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-02-18 21:36 . 2009-12-25 16:26 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2008-02-08 02:46 . 2008-02-08 02:46 13624 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2008-02-08 02:46 . 2008-02-08 02:46 87360 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2008-02-08 02:46 . 2008-02-08 02:46 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2008-02-08 02:46 . 2008-02-08 02:46 21824 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2008-02-08 02:46 . 2008-02-08 02:46 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2008-02-08 02:46 . 2008-02-08 02:46 31544 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2008-02-08 02:46 . 2008-02-08 02:46 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2007-03-16 22:27 . 2007-03-16 22:27 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2007-03-16 22:27 . 2007-03-16 22:27 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2007-03-16 22:27 . 2007-03-16 22:27 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
2007-07-20 17:47 . 2007-07-20 17:47 981170 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2008-02-08 02:46 . 2008-02-08 02:46 24384 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.
.
------- Sigcheck -------
.
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[-] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\drivers\atapi.sys
[-] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
.
[7] 2008-04-13 16:39 . 8BED39E3C35D6A489438B8141717A557 . 142592 . . [5.1.2601.3142] . . c:\windows\ServicePackFiles\i386\aec.sys
[-] 2006-02-15 00:30 . 1EE7B434BA961EF845DE136224C30FEC . 142464 . . [5.1.2601.2180] . . c:\windows\$hf_mig$\KB900485\SP2QFE\aec.sys
[-] 2006-02-15 00:22 . 1EE7B434BA961EF845DE136224C30FEC . 142464 . . [5.1.2601.2180] . . c:\windows\$NtServicePackUninstall$\aec.sys
[-] 2006-02-15 00:22 . 1EE7B434BA961EF845DE136224C30FEC . 142464 . . [5.1.2601.2180] . . c:\windows\system32\drivers\aec.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13574144]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"Memeo Instant Backup"="c:\program files\Memeo\AutoBackup\MemeoLauncher2.exe" [2010-06-21 136416]
"Seagate Dashboard"="c:\program files\Seagate\Seagate Dashboard\MemeoLauncher.exe" [2010-06-30 79112]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
NETGEAR WG111v3 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v3\WG111v3.exe [2008-2-22 2326528]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlackBerry Desktop Redirector.lnk]
.
[HKLM\~\startupfolder\C:^Documents and Settings^John^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 21:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2006-09-11 09:40 218032 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-03-07 20:33 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MpsOnn]
2007-05-14 18:49 28232 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\MPSONN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2008-09-18 03:55 13574144 ------w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2008-09-18 03:55 86016 ------w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2008-09-18 03:55 1657376 ------w- c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-03-09 09:19 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TapiSrv"=3 (0x3)
"Roxio Upnp Server 9"=2 (0x2)
"Roxio UPnP Renderer 9"=3 (0x3)
"JavaQuickStarterService"=3 (0x3)
"AntiVirService"=3 (0x3)
"AntiVirScheduler"=3 (0x3)
"wscsvc"=3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SoundMan"=SOUNDMAN.EXE
"nwiz"=nwiz.exe /install
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/10/2006 1:53 PM 5632]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/27/2007 12:39 PM 32256]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [10/9/2007 2:13 PM 38144]
R2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\Memeo\AutoBackup\MemeoBackgroundService.exe [6/21/2010 4:09 PM 25824]
R2 SeagateDashboardService;Seagate Dashboard Service;c:\program files\Seagate\Seagate Dashboard\SeagateDashboardService.exe [6/30/2010 4:38 PM 14088]
S0 CFRMD;CFRMD;c:\windows\system32\drivers\CFRMD.sys --> c:\windows\system32\drivers\CFRMD.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
S3 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/14/2009 10:45 AM 108289]
S3 FANTOM;LEGO MINDSTORMS NXT Driver;c:\windows\system32\drivers\fantom.sys [3/10/2006 3:55 PM 39424]
S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\drivers\IcdUsb2.sys [3/8/2007 8:20 AM 39048]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/23/2001 8:00 AM 14336]
S3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [12/28/2007 4:02 PM 287232]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/16/2006 5:51 PM 4096]
S3 Vsp;Vsp;c:\windows\system32\drivers\vsp.sys [7/27/2006 8:59 PM 3351]
S3 WEBNTACCESS;WEBNTACCESS;\??\c:\program files\MSI\Live Update 3\NTACCESS.SYS --> c:\program files\MSI\Live Update 3\NTACCESS.SYS [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/21/2010 5:46 PM 136176]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2007-06-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
2011-05-14 c:\windows\Tasks\COMODO System Cleaner Update.job
- c:\program files\COMODO\COMODO System-Cleaner\UpdateApplications.exe [2010-01-26 21:28]
.
2011-05-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-21 21:45]
.
.
------- Supplementary Scan -------
.
uLocal Page = hxxp://www.google.com/
uStart Page = hxxp://www.google.com/
mLocal Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
Trusted Zone: com.tw\www.msi
Trusted Zone: dhs.gov\email.tsa
FF - ProfilePath - c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\f72icyfh.default\
FF - prefs.js: browser.search.selectedEngine - Food Network - Recipes
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Garmin Communicator: {195A3098-0BD5-4e90-AE22-BA1C540AFD1E} - %profile%\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Vtelew - c:\windows\sermap.dll
HKLM-Run-cleanhlc - c:\documents and settings\John\Application Data\cleanhlc.exe
HKLM-Run-Adobe Updater - c:\windows\system32\AdbUpdater.exe
HKLM-Run-Wdavohoqusiw - c:\windows\onaqexejivanoqiq.dll
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
SafeBoot-aawservice
AddRemove-{7585478E9D9B42108671C12F8714CEFE} - c:\program files\DivX\ConverterUninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-17 10:54
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD2500JB-00REA0 rev.20.00K20 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A8A453B
user & kernel MBR OK
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(528)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'lsass.exe'(588)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(2320)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\program files\palmOne\PqiIcon.dll
c:\program files\palmOne\UserData.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\nvsvc32.exe
c:\windows\System32\locator.exe
c:\program files\Seagate\Seagate Dashboard\MemeoDashboard.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Memeo\AutoBackup\InstantBackup.exe
c:\program files\Memeo\AutoBackup\MemeoUpdater.exe
c:\program files\Seagate\Seagate Dashboard\HipServAgent\HipServAgent.exe
.
**************************************************************************
.
Completion time: 2011-05-17 11:03:57 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-17 15:03
ComboFix2.txt 2006-08-14 16:13
.
Pre-Run: 209,014,824,960 bytes free
Post-Run: 208,867,979,264 bytes free
.
- - End Of File - - 3D8F602B40D3D7DC5F15A536DA773A56

#4 CatByte


Posted 17 May 2011 - 11:26 AM

Hi,

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into Notepad:

Here's how to do that:
Click Start > Run, type Notepad, and click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')


Collect::
c:\windows\system32\riched323.dll
c:\windows\system32\MpPrint7.dll
c:\windows\system32\catsrvut7.dll
c:\program files\Mozilla Firefox\null0.49720605954591024.exe

File::
c:\windows\Yjitoxol.bin

FCopy::
c:\windows\ServicePackFiles\i386\atapi.sys | c:\windows\system32\drivers\atapi.sys
c:\windows\ServicePackFiles\i386\aec.sys | c:\windows\system32\drivers\aec.sys


Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.


NEXT


  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

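As an added example (not code from the thread, and not ComboFix's own tooling), the following Python reads a CFScript laid out like the one above and cross-checks it against the earlier ComboFix log: each FCopy:: pair is compared with the Sigcheck lines to confirm the Service Pack copy really differs from the live driver, and each Collect:: and File:: target is looked up in the 'Files Created' lines to show its size and hidden/system attributes. The section names and line layouts are taken from this page; what ComboFix itself does with each section is not described here and is not assumed.

```python
import re
from typing import Dict, List

# Constructed sample input: the CFScript posted above, verbatim.
CFSCRIPT = r"""Collect::
c:\windows\system32\riched323.dll
c:\windows\system32\MpPrint7.dll
c:\windows\system32\catsrvut7.dll
c:\program files\Mozilla Firefox\null0.49720605954591024.exe

File::
c:\windows\Yjitoxol.bin

FCopy::
c:\windows\ServicePackFiles\i386\atapi.sys | c:\windows\system32\drivers\atapi.sys
c:\windows\ServicePackFiles\i386\aec.sys | c:\windows\system32\drivers\aec.sys
"""
# Constructed sample input: Sigcheck lines from the first ComboFix log above.
SIGCHECK = r"""
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[-] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\drivers\atapi.sys
[7] 2008-04-13 16:39 . 8BED39E3C35D6A489438B8141717A557 . 142592 . . [5.1.2601.3142] . . c:\windows\ServicePackFiles\i386\aec.sys
[-] 2006-02-15 00:22 . 1EE7B434BA961EF845DE136224C30FEC . 142464 . . [5.1.2601.2180] . . c:\windows\system32\drivers\aec.sys
"""
# Constructed sample input: 'Files Created' lines from the same log.
CREATED = r"""
2011-05-14 11:54 . 2011-05-16 18:04 0 ----a-w- c:\windows\Yjitoxol.bin
2011-05-14 11:53 . 2011-05-14 11:53 143360 --sha-r- c:\windows\system32\riched323.dll
2011-05-14 11:53 . 2011-05-14 11:53 143360 --sha-r- c:\windows\system32\MpPrint7.dll
2011-05-14 11:53 . 2011-05-14 11:53 143360 --sha-r- c:\windows\system32\catsrvut7.dll
2011-05-09 03:58 . 2011-05-09 03:58 199613 ----a-w- c:\program files\Mozilla Firefox\null0.49720605954591024.exe
"""

# Sigcheck line: "[flag] date [time] . md5 . size . . [version] . . path"
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+\d{4}-\d{2}-\d{2}(?:\s+\d{2}:\d{2})?\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>.+?)\s*$")
# 'Files Created' line: "created . modified size attrs path"
CREATED_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?P<size>\d+|-+) (?P<attrs>[\w-]{8}) (?P<path>.+?)\s*$")


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """A line ending in '::' opens a section; following non-blank lines belong to it."""
    sections: Dict[str, List[str]] = {}
    current = None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line)
    return sections


def index_by_path(text: str, pattern) -> Dict[str, dict]:
    """Parse every report line the pattern matches, keyed by lower-cased path."""
    out: Dict[str, dict] = {}
    for line in text.splitlines():
        m = pattern.match(line.strip())
        if m:
            out[m.group("path").lower()] = m.groupdict()
    return out


def check_fcopy(sections: Dict[str, List[str]], sigcheck: Dict[str, dict]) -> List[dict]:
    """For each 'src | dst' FCopy pair, report whether Sigcheck saw both files and
    whether their MD5s really differ (i.e. the copy would change something)."""
    results = []
    for entry in sections.get("FCopy", []):
        src, _, dst = (p.strip() for p in entry.partition("|"))
        s, d = sigcheck.get(src.lower()), sigcheck.get(dst.lower())
        results.append({
            "dst": dst,
            "known": s is not None and d is not None,
            "differs": bool(s and d and s["md5"].lower() != d["md5"].lower()),
            "src_version": s["version"] if s else None,
            "dst_version": d["version"] if d else None,
        })
    return results


def describe_targets(sections: Dict[str, List[str]], created: Dict[str, dict]) -> List[dict]:
    """Look up each Collect:: and File:: target in the 'Files Created' report: its
    size and whether it carries both the hidden and system attributes."""
    out = []
    for action in ("Collect", "File"):
        for path in sections.get(action, []):
            rec = created.get(path.lower())
            out.append({
                "action": action, "path": path,
                "size": int(rec["size"]) if rec and rec["size"].isdigit() else None,
                "hidden_system": bool(rec and {"h", "s"} <= set(rec["attrs"])),
            })
    return out
```

To review a different log, replace the three embedded samples with the matching excerpts; the three functions take only the parsed text.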


#5 hilus


Posted 17 May 2011 - 09:19 PM

Hi,
Sorry it took so long to get back to you, but I ran into a bit of difficulty. When I ran ComboFix again with your instructions I received an alert that my anti-virus (Avira) software was still on. It was off; however, I still had the error message, and as Avira was outdated I uninstalled it. Unfortunately I still received the alert from ComboFix that it was running, so I ran ComboFix twice as I was afraid to stop it once it started. Below are the log files from the 2nd ComboFix run without the script, and the 3rd run with the script you asked for. As per your request I ran Malwarebytes, which found nothing, and posted the log. The really interesting part was the ESET online scanner; as you will see, it found 20 threats in the form of Trojans. I hope they were removed but I was unable to tell if they were. Looking forward to your reply. Thanks...

John.....

Combofix Log 2

ComboFix 11-05-17.01 - John 05/17/2011 17:23:40.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1695 [GMT -4:00]
Running from: c:\documents and settings\John\Desktop\ComboFix.exe
AV: AntiVir Desktop *Enabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\6to4v32.dll
c:\windows\system32\itlnfw32.dll
c:\windows\system32\itlpfw32.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_ITLPERF
-------\Service_itlperf
.
.
((((((((((((((((((((((((( Files Created from 2011-04-17 to 2011-05-17 )))))))))))))))))))))))))))))))
.
.
2011-05-17 19:16 . 2011-05-17 19:16 8 ----a-w- c:\windows\crpf.bin
2011-05-17 19:16 . 2011-05-17 19:16 4 ----a-w- c:\windows\crpf_sdum.bin
2011-05-16 20:36 . 2011-05-16 20:36 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2011-05-16 20:36 . 2011-05-16 20:36 -------- d-----w- c:\documents and settings\Default User\Application Data\Apple Computer
2011-05-16 20:30 . 2011-05-16 20:36 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Apple Computer
2011-05-16 20:28 . 2011-05-16 20:28 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-05-16 18:29 . 2011-05-16 18:29 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2011-05-03 14:26 . 2011-05-03 14:26 -------- d-----w- c:\program files\ESET
2011-04-24 15:36 . 2011-04-25 15:45 -------- d-----w- c:\documents and settings\John\Application Data\ImgBurn
2011-04-24 15:32 . 2011-04-24 15:32 -------- d-----w- c:\program files\ImgBurn
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-18 21:36 . 2009-12-25 16:26 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-02-18 21:36 . 2009-12-25 16:26 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2008-02-08 02:46 . 2008-02-08 02:46 13624 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2008-02-08 02:46 . 2008-02-08 02:46 87360 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2008-02-08 02:46 . 2008-02-08 02:46 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2008-02-08 02:46 . 2008-02-08 02:46 21824 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2008-02-08 02:46 . 2008-02-08 02:46 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2008-02-08 02:46 . 2008-02-08 02:46 31544 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2008-02-08 02:46 . 2008-02-08 02:46 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2007-03-16 22:27 . 2007-03-16 22:27 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2007-03-16 22:27 . 2007-03-16 22:27 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2007-03-16 22:27 . 2007-03-16 22:27 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
2007-07-20 17:47 . 2007-07-20 17:47 981170 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2008-02-08 02:46 . 2008-02-08 02:46 24384 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13574144]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"Memeo Instant Backup"="c:\program files\Memeo\AutoBackup\MemeoLauncher2.exe" [2010-06-21 136416]
"Seagate Dashboard"="c:\program files\Seagate\Seagate Dashboard\MemeoLauncher.exe" [2010-06-30 79112]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
NETGEAR WG111v3 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v3\WG111v3.exe [2008-2-22 2326528]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlackBerry Desktop Redirector.lnk]
.
[HKLM\~\startupfolder\C:^Documents and Settings^John^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 21:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2006-09-11 09:40 218032 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-03-07 20:33 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MpsOnn]
2007-05-14 18:49 28232 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\MPSONN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2008-09-18 03:55 13574144 ------w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2008-09-18 03:55 86016 ------w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2008-09-18 03:55 1657376 ------w- c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-03-09 09:19 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TapiSrv"=3 (0x3)
"Roxio Upnp Server 9"=2 (0x2)
"Roxio UPnP Renderer 9"=3 (0x3)
"JavaQuickStarterService"=3 (0x3)
"AntiVirService"=3 (0x3)
"AntiVirScheduler"=3 (0x3)
"wscsvc"=3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SoundMan"=SOUNDMAN.EXE
"nwiz"=nwiz.exe /install
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/10/2006 1:53 PM 5632]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/27/2007 12:39 PM 32256]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [10/9/2007 2:13 PM 38144]
R2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\Memeo\AutoBackup\MemeoBackgroundService.exe [6/21/2010 4:09 PM 25824]
R2 SeagateDashboardService;Seagate Dashboard Service;c:\program files\Seagate\Seagate Dashboard\SeagateDashboardService.exe [6/30/2010 4:38 PM 14088]
S0 CFRMD;CFRMD;c:\windows\system32\drivers\CFRMD.sys --> c:\windows\system32\drivers\CFRMD.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
S3 FANTOM;LEGO MINDSTORMS NXT Driver;c:\windows\system32\drivers\fantom.sys [3/10/2006 3:55 PM 39424]
S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\drivers\IcdUsb2.sys [3/8/2007 8:20 AM 39048]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/23/2001 8:00 AM 14336]
S3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [12/28/2007 4:02 PM 287232]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/16/2006 5:51 PM 4096]
S3 Vsp;Vsp;c:\windows\system32\drivers\vsp.sys [7/27/2006 8:59 PM 3351]
S3 WEBNTACCESS;WEBNTACCESS;\??\c:\program files\MSI\Live Update 3\NTACCESS.SYS --> c:\program files\MSI\Live Update 3\NTACCESS.SYS [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/21/2010 5:46 PM 136176]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
itlsvc REG_MULTI_SZ itlperf
.
Contents of the 'Scheduled Tasks' folder
.
2007-06-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
2011-05-17 c:\windows\Tasks\COMODO System Cleaner Update.job
- c:\program files\COMODO\COMODO System-Cleaner\UpdateApplications.exe [2010-01-26 21:28]
.
2011-05-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-21 21:45]
.
.
------- Supplementary Scan -------
.
uLocal Page = hxxp://www.google.com/
uStart Page = hxxp://www.google.com/
mLocal Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
Trusted Zone: com.tw\www.msi
Trusted Zone: dhs.gov\email.tsa
FF - ProfilePath - c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\f72icyfh.default\
FF - prefs.js: browser.search.selectedEngine - Food Network - Recipes
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Garmin Communicator: {195A3098-0BD5-4e90-AE22-BA1C540AFD1E} - %profile%\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}
.
- - - - ORPHANS REMOVED - - - -
.
Notify-itlntfy - itlnfw32.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-17 17:37
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD2500JB-00REA0 rev.20.00K20 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A8A453B
user & kernel MBR OK
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(520)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'lsass.exe'(580)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(3768)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\program files\palmOne\PqiIcon.dll
c:\program files\palmOne\UserData.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\nvsvc32.exe
c:\windows\System32\locator.exe
c:\program files\Seagate\Seagate Dashboard\MemeoDashboard.exe
c:\program files\Memeo\AutoBackup\InstantBackup.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Seagate\Seagate Dashboard\HipServAgent\HipServAgent.exe
.
**************************************************************************
.
Completion time: 2011-05-17 17:45:51 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-17 21:45
ComboFix2.txt 2011-05-17 18:39
ComboFix3.txt 2011-05-17 15:04
ComboFix4.txt 2006-08-14 16:13
.
Pre-Run: 209,028,898,816 bytes free
Post-Run: 209,021,661,184 bytes free
.
- - End Of File - - BD8E0274E5178DE9A2F5F82DC76BECBE



Combofix Log 3

ComboFix 11-05-17.01 - John 05/17/2011 18:08:23.5.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1712 [GMT -4:00]
Running from: c:\documents and settings\John\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\John\Desktop\cfscript.txt
AV: AntiVir Desktop *Enabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
FILE ::
"c:\windows\Yjitoxol.bin"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
--------------- FCopy ---------------
.
c:\windows\ServicePackFiles\i386\atapi.sys --> c:\windows\system32\drivers\atapi.sys
c:\windows\ServicePackFiles\i386\aec.sys --> c:\windows\system32\drivers\aec.sys
.
((((((((((((((((((((((((( Files Created from 2011-04-17 to 2011-05-17 )))))))))))))))))))))))))))))))
.
.
2011-05-17 19:16 . 2011-05-17 19:16 8 ----a-w- c:\windows\crpf.bin
2011-05-17 19:16 . 2011-05-17 19:16 4 ----a-w- c:\windows\crpf_sdum.bin
2011-05-16 20:36 . 2011-05-16 20:36 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2011-05-16 20:36 . 2011-05-16 20:36 -------- d-----w- c:\documents and settings\Default User\Application Data\Apple Computer
2011-05-16 20:30 . 2011-05-16 20:36 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Apple Computer
2011-05-16 20:28 . 2011-05-16 20:28 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-05-16 18:29 . 2011-05-16 18:29 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2011-05-03 14:26 . 2011-05-03 14:26 -------- d-----w- c:\program files\ESET
2011-04-24 15:36 . 2011-04-25 15:45 -------- d-----w- c:\documents and settings\John\Application Data\ImgBurn
2011-04-24 15:32 . 2011-04-24 15:32 -------- d-----w- c:\program files\ImgBurn
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-18 21:36 . 2009-12-25 16:26 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-02-18 21:36 . 2009-12-25 16:26 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2008-02-08 02:46 . 2008-02-08 02:46 13624 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2008-02-08 02:46 . 2008-02-08 02:46 87360 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2008-02-08 02:46 . 2008-02-08 02:46 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2008-02-08 02:46 . 2008-02-08 02:46 21824 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2008-02-08 02:46 . 2008-02-08 02:46 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2008-02-08 02:46 . 2008-02-08 02:46 31544 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2008-02-08 02:46 . 2008-02-08 02:46 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2007-03-16 22:27 . 2007-03-16 22:27 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2007-03-16 22:27 . 2007-03-16 22:27 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2007-03-16 22:27 . 2007-03-16 22:27 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
2007-07-20 17:47 . 2007-07-20 17:47 981170 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2008-02-08 02:46 . 2008-02-08 02:46 24384 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13574144]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"Memeo Instant Backup"="c:\program files\Memeo\AutoBackup\MemeoLauncher2.exe" [2010-06-21 136416]
"Seagate Dashboard"="c:\program files\Seagate\Seagate Dashboard\MemeoLauncher.exe" [2010-06-30 79112]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
NETGEAR WG111v3 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v3\WG111v3.exe [2008-2-22 2326528]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlackBerry Desktop Redirector.lnk]
.
[HKLM\~\startupfolder\C:^Documents and Settings^John^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 21:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2006-09-11 09:40 218032 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-03-07 20:33 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MpsOnn]
2007-05-14 18:49 28232 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\MPSONN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2008-09-18 03:55 13574144 ------w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2008-09-18 03:55 86016 ------w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2008-09-18 03:55 1657376 ------w- c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-03-09 09:19 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TapiSrv"=3 (0x3)
"Roxio Upnp Server 9"=2 (0x2)
"Roxio UPnP Renderer 9"=3 (0x3)
"JavaQuickStarterService"=3 (0x3)
"AntiVirService"=3 (0x3)
"AntiVirScheduler"=3 (0x3)
"wscsvc"=3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SoundMan"=SOUNDMAN.EXE
"nwiz"=nwiz.exe /install
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/10/2006 1:53 PM 5632]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/27/2007 12:39 PM 32256]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [10/9/2007 2:13 PM 38144]
R2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\Memeo\AutoBackup\MemeoBackgroundService.exe [6/21/2010 4:09 PM 25824]
R2 SeagateDashboardService;Seagate Dashboard Service;c:\program files\Seagate\Seagate Dashboard\SeagateDashboardService.exe [6/30/2010 4:38 PM 14088]
S0 CFRMD;CFRMD;c:\windows\system32\drivers\CFRMD.sys --> c:\windows\system32\drivers\CFRMD.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
S3 FANTOM;LEGO MINDSTORMS NXT Driver;c:\windows\system32\drivers\fantom.sys [3/10/2006 3:55 PM 39424]
S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\drivers\IcdUsb2.sys [3/8/2007 8:20 AM 39048]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/23/2001 8:00 AM 14336]
S3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [12/28/2007 4:02 PM 287232]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/16/2006 5:51 PM 4096]
S3 Vsp;Vsp;c:\windows\system32\drivers\vsp.sys [7/27/2006 8:59 PM 3351]
S3 WEBNTACCESS;WEBNTACCESS;\??\c:\program files\MSI\Live Update 3\NTACCESS.SYS --> c:\program files\MSI\Live Update 3\NTACCESS.SYS [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/21/2010 5:46 PM 136176]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
itlsvc REG_MULTI_SZ itlperf
.
Contents of the 'Scheduled Tasks' folder
.
2007-06-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
2011-05-17 c:\windows\Tasks\COMODO System Cleaner Update.job
- c:\program files\COMODO\COMODO System-Cleaner\UpdateApplications.exe [2010-01-26 21:28]
.
2011-05-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-21 21:45]
.
.
------- Supplementary Scan -------
.
uLocal Page = hxxp://www.google.com/
uStart Page = hxxp://www.google.com/
mLocal Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
Trusted Zone: com.tw\www.msi
Trusted Zone: dhs.gov\email.tsa
FF - ProfilePath - c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\f72icyfh.default\
FF - prefs.js: browser.search.selectedEngine - Food Network - Recipes
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Garmin Communicator: {195A3098-0BD5-4e90-AE22-BA1C540AFD1E} - %profile%\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-17 19:00
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD2500JB-00REA0 rev.20.00K20 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A8B653B
user & kernel MBR OK
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(524)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'lsass.exe'(584)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(4072)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\program files\palmOne\PqiIcon.dll
c:\program files\palmOne\UserData.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\nvsvc32.exe
c:\windows\System32\locator.exe
c:\program files\Seagate\Seagate Dashboard\MemeoDashboard.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Memeo\AutoBackup\InstantBackup.exe
c:\program files\Memeo\AutoBackup\MemeoUpdater.exe
c:\program files\Seagate\Seagate Dashboard\HipServAgent\HipServAgent.exe
.
**************************************************************************
.
Completion time: 2011-05-17 19:07:33 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-17 23:07
ComboFix2.txt 2011-05-17 21:45
ComboFix3.txt 2011-05-17 18:39
ComboFix4.txt 2011-05-17 15:04
ComboFix5.txt 2011-05-17 21:59
.
Pre-Run: 209,020,911,616 bytes free
Post-Run: 209,014,099,968 bytes free
.
- - End Of File - - 8E432C4C42A98DD277995D6847CA59FA




Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6601

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

5/17/2011 7:29:24 PM
mbam-log-2011-05-17 (19-29-24).txt

Scan type: Quick scan
Objects scanned: 158196
Time elapsed: 3 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




ESET Scan Results.

C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\17\4c8aa751-1d437419 Java/TrojanDownloader.OpenStream.NBV trojan
C:\Qoobox\Quarantine\[4]-Submit_2011-05-17_14.18.09.zip multiple threats
C:\Qoobox\Quarantine\C\Documents and Settings\John\Application Data\cleanhlc.dll.vir a variant of Win32/Clemag.NAA trojan
C:\Qoobox\Quarantine\C\Documents and Settings\John\Application Data\cleanhlc.exe.vir a variant of Win32/Clemag.NAB trojan
C:\Qoobox\Quarantine\C\WINDOWS\onaqexejivanoqiq.dll.vir a variant of Win32/Kryptik.NUM trojan
C:\Qoobox\Quarantine\C\WINDOWS\Pdozab.exe.vir Win32/TrojanDownloader.FakeAlert.BGV trojan
C:\Qoobox\Quarantine\C\WINDOWS\sermap.dll.vir a variant of Win32/Kryptik.NTD trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\6to4v32.dll.vir probably a variant of Win32/Wimpixo.AA trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\AdbUpdater.exe.vir a variant of Win32/TrojanDownloader.Agent.QNU trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\itlnfw32.dll.vir a variant of Win32/Koblu.A trojan
C:\System Volume Information\_restore{B72ECC0B-DE17-4EB0-B1E0-01D67D7FEF50}\RP1\A0000007.exe Win32/TrojanDownloader.FakeAlert.BGV trojan
C:\System Volume Information\_restore{B72ECC0B-DE17-4EB0-B1E0-01D67D7FEF50}\RP1\A0000038.exe Win32/TrojanDownloader.FakeAlert.BGV trojan
C:\System Volume Information\_restore{B72ECC0B-DE17-4EB0-B1E0-01D67D7FEF50}\RP1\A0000134.dll a variant of Win32/Clemag.NAA trojan
C:\System Volume Information\_restore{B72ECC0B-DE17-4EB0-B1E0-01D67D7FEF50}\RP1\A0000135.exe a variant of Win32/Clemag.NAB trojan
C:\System Volume Information\_restore{B72ECC0B-DE17-4EB0-B1E0-01D67D7FEF50}\RP1\A0000138.dll a variant of Win32/Kryptik.NUM trojan
C:\System Volume Information\_restore{B72ECC0B-DE17-4EB0-B1E0-01D67D7FEF50}\RP1\A0000139.exe Win32/TrojanDownloader.FakeAlert.BGV trojan
C:\System Volume Information\_restore{B72ECC0B-DE17-4EB0-B1E0-01D67D7FEF50}\RP1\A0000140.dll a variant of Win32/Kryptik.NTD trojan
C:\System Volume Information\_restore{B72ECC0B-DE17-4EB0-B1E0-01D67D7FEF50}\RP1\A0000141.exe a variant of Win32/TrojanDownloader.Agent.QNU trojan
C:\System Volume Information\_restore{B72ECC0B-DE17-4EB0-B1E0-01D67D7FEF50}\RP4\A0000855.dll probably a variant of Win32/Wimpixo.AA trojan
C:\System Volume Information\_restore{B72ECC0B-DE17-4EB0-B1E0-01D67D7FEF50}\RP4\A0000856.dll a variant of Win32/Koblu.A trojan

#6 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:04:26 PM

Posted 17 May 2011 - 10:15 PM

Those items detected by ESET are in quarantine or old system restore points, which we will clean up shortly, so we don't have to worry about them. The other is in the Java cache, which we will clean now.

There are a couple of other entries to delete from the ComboFix log too.

Please do the following:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 25 and save it to your desktop.
  • Scroll down to where it says JDK 6 Update 25 (JDK or JRE)
  • Click the Download JRE button to the right
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6u25 with JavaFX 1 License Agreement". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u25-windows-i586.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.


NEXT

Visit ADOBE and download the latest version of Acrobat Reader (version X)
Having the latest updates ensures there are no security vulnerabilities in your system.


NEXT

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
"itlsvc"=-

NetSvc::
itlperf
itlsvc



Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

[Screenshot: CFScript.txt being dragged onto ComboFix.exe]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
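The entries the helper is removing (the itlsvc svchost group) and the settings visible in the logs above (the Security Center AntiVirusOverride value, EnableFirewall set to 0, the outdated AV, the hook reported under "detected hooks:") are exactly what a responder wants pulled out of a ComboFix log automatically rather than read by eye. The following Python script is an added example, not part of this thread and not ComboFix's own code: it parses a constructed sample assembled from lines in the logs above and flags those indicators. The allowlist of expected svchost groups and the indicator names are assumptions made for the example.

```python
"""Flag security-relevant findings in a ComboFix log.

Added example; not part of the forum thread and not ComboFix's own code.
SAMPLE_LOG is constructed from lines that appear in the thread's logs.
"""
import re

# Constructed sample: a handful of lines copied from the ComboFix logs in the thread.
SAMPLE_LOG = r"""
AV: AntiVir Desktop *Enabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
itlsvc REG_MULTI_SZ itlperf
.
FF - prefs.js: network.proxy.type - 0
.
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A8A453B
user & kernel MBR OK
"""

# Assumption for this example: svchost groups expected on the machine. The helper
# left nosGetPlusHelper alone and targeted itlsvc, so only the former is allowlisted.
KNOWN_SVCHOST_GROUPS = {"nosgetplushelper"}


def parse_registry_blocks(text):
    """Return {lowercased key path: [value lines]} for each [key] block.

    ComboFix separates entries with a lone '.' line, so a block ends at the
    next '[key]' line or at the next '.' line.
    """
    blocks = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == ".":
            current = None
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line)
    return blocks


def find_indicators(text):
    """Return a list of (indicator_name, evidence_line) tuples."""
    findings = []
    blocks = parse_registry_blocks(text)

    # Registry-derived indicators: Security Center override, firewall off,
    # and svchost service groups that are not on the allowlist.
    for key, values in blocks.items():
        for v in values:
            if key.endswith("security center") and re.match(r'"antivirusoverride"=dword:0*1$', v, re.I):
                findings.append(("security_center_av_override", v))
            if key.endswith("firewallpolicy\\standardprofile") and re.match(r'"enablefirewall"=\s*0\b', v, re.I):
                findings.append(("firewall_disabled", v))
            if key.endswith("currentversion\\svchost"):
                m = re.match(r"(\S+)\s+REG_MULTI_SZ\s+(.*)", v)
                if m and m.group(1).lower() not in KNOWN_SVCHOST_GROUPS:
                    findings.append(("unknown_svchost_group", v))

    # Free-form lines: AV status header, Firefox proxy setting, driver hooks.
    in_hooks = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("AV:") and "Outdated" in line:
            findings.append(("av_outdated", line))
        m = re.match(r"FF - prefs\.js: network\.proxy\.type - (\d+)", line)
        if m and m.group(1) != "0":
            findings.append(("firefox_proxy_set", line))
        if line == "detected hooks:":
            in_hooks = True
            continue
        if in_hooks:
            # Hook lines start with a driver object path; anything else ends the list.
            if line.startswith("\\"):
                findings.append(("kernel_driver_hook", line))
            else:
                in_hooks = False
    return findings


if __name__ == "__main__":
    for name, evidence in find_indicators(SAMPLE_LOG):
        print(f"{name:28s} {evidence}")
```

Run against a full ComboFix log the same way; a network.proxy.type other than 0 (the condition the original poster described in Firefox) is flagged as firefox_proxy_set, and a non-empty "detected hooks:" list is reported without the script guessing which family installed it.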


#7 hilus

hilus
  • Topic Starter

  • Members
  • 69 posts
  • Gender:Male
  • Location:Portsmouth, NH
  • Local time:04:26 PM

Posted 18 May 2011 - 12:22 AM

Hi
Took care of your latest instructions. I uninstalled all Java components and installed the latest Java; however, when deleting the temporary files as you instructed, I was unable to check Applications and Applets. The check box was grayed out. Finally, here is the latest ComboFix log.




ComboFix 11-05-17.01 - John 05/18/2011 0:46.6.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1714 [GMT -4:00]
Running from: c:\documents and settings\John\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\John\Desktop\cfscript.txt
AV: AntiVir Desktop *Enabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((( Files Created from 2011-04-18 to 2011-05-18 )))))))))))))))))))))))))))))))
.
.
2011-05-18 04:29 . 2011-05-18 04:29 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-18 04:00 . 2011-05-18 04:00 -------- d-----w- c:\program files\Common Files\Adobe AIR
2011-05-18 03:47 . 2011-05-18 03:47 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-05-18 03:47 . 2011-05-18 03:47 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-18 03:47 . 2011-05-18 03:47 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-05-17 19:16 . 2011-05-17 19:16 8 ----a-w- c:\windows\crpf.bin
2011-05-17 19:16 . 2011-05-17 19:16 4 ----a-w- c:\windows\crpf_sdum.bin
2011-05-16 20:36 . 2011-05-16 20:36 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2011-05-16 20:36 . 2011-05-16 20:36 -------- d-----w- c:\documents and settings\Default User\Application Data\Apple Computer
2011-05-16 20:30 . 2011-05-16 20:36 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Apple Computer
2011-05-16 20:28 . 2011-05-16 20:28 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-05-16 18:29 . 2011-05-16 18:29 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2011-05-03 14:26 . 2011-05-03 14:26 -------- d-----w- c:\program files\ESET
2011-04-24 15:36 . 2011-04-25 15:45 -------- d-----w- c:\documents and settings\John\Application Data\ImgBurn
2011-04-24 15:32 . 2011-04-24 15:32 -------- d-----w- c:\program files\ImgBurn
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-18 21:36 . 2009-12-25 16:26 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-02-18 21:36 . 2009-12-25 16:26 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2008-02-08 02:46 . 2008-02-08 02:46 13624 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2008-02-08 02:46 . 2008-02-08 02:46 87360 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2008-02-08 02:46 . 2008-02-08 02:46 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2008-02-08 02:46 . 2008-02-08 02:46 21824 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2008-02-08 02:46 . 2008-02-08 02:46 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2008-02-08 02:46 . 2008-02-08 02:46 31544 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2008-02-08 02:46 . 2008-02-08 02:46 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2007-03-16 22:27 . 2007-03-16 22:27 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2007-03-16 22:27 . 2007-03-16 22:27 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2007-03-16 22:27 . 2007-03-16 22:27 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
2007-07-20 17:47 . 2007-07-20 17:47 981170 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2008-02-08 02:46 . 2008-02-08 02:46 24384 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-05-17_21.38.38 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-14 15:23 . 2010-12-20 22:09 38224 c:\windows\system32\drivers\mbamswissarmy.sys
+ 2009-05-14 15:23 . 2010-12-20 22:08 20952 c:\windows\system32\drivers\mbam.sys
+ 2011-05-18 04:28 . 2011-05-18 04:28 87699 c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
+ 2011-04-26 06:51 . 2011-04-26 06:51 98304 c:\windows\system32\Adobe\Shockwave 11\SwMenu.dll
+ 2011-04-26 06:07 . 2011-04-26 06:07 73408 c:\windows\system32\Adobe\Shockwave 11\gtapi.dll
+ 2011-04-26 06:07 . 2011-04-26 06:07 64512 c:\windows\system32\Adobe\Shockwave 11\gcapi_dll.dll
+ 2011-04-26 07:00 . 2011-04-26 07:00 68536 c:\windows\system32\Adobe\Director\SWDNLD.EXE
+ 2011-05-18 04:00 . 2011-05-18 04:00 28160 c:\windows\Installer\ddcc8.msi
+ 2010-11-10 16:49 . 2010-11-10 16:49 17304 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\ViewerPS.dll
+ 2010-11-10 16:49 . 2010-11-10 16:49 35736 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\reader_sl.exe
+ 2010-11-10 16:49 . 2010-11-10 16:49 84896 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\PDFPrevHndlr.dll
+ 2010-11-10 16:49 . 2010-11-10 16:49 94608 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\eula.exe
+ 2010-11-10 16:49 . 2010-11-10 16:49 49064 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\acrotextextractor.exe
+ 2010-11-10 16:49 . 2010-11-10 16:49 17824 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AcroRd32Info.exe
+ 2010-11-10 16:49 . 2010-11-10 16:49 62376 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\acroiehelpershim.dll
+ 2010-11-10 16:49 . 2010-11-10 16:49 64928 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AcroIEHelper.dll
+ 2010-11-10 16:49 . 2010-11-10 16:49 63384 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\Acrofx32.dll
+ 2011-04-26 06:52 . 2011-04-26 06:52 9216 c:\windows\system32\Adobe\Shockwave 11\DynaPlayer.dll
- 2010-08-18 06:14 . 2010-08-18 06:14 9216 c:\windows\system32\Adobe\Shockwave 11\DynaPlayer.dll
+ 2011-05-18 04:29 . 2011-05-18 04:29 239776 c:\windows\system32\Macromed\Flash\FlashUtil10q_Plugin.exe
+ 2011-05-18 03:47 . 2011-05-18 03:47 157472 c:\windows\system32\javaws.exe
+ 2011-05-18 03:47 . 2011-05-18 03:47 145184 c:\windows\system32\javaw.exe
+ 2011-05-18 03:47 . 2011-05-18 03:47 145184 c:\windows\system32\java.exe
+ 2011-04-26 06:51 . 2011-04-26 06:51 114688 c:\windows\system32\Adobe\Shockwave 11\SwInit.exe
- 2010-08-18 06:13 . 2010-08-18 06:13 114688 c:\windows\system32\Adobe\Shockwave 11\SwInit.exe
+ 2011-04-26 07:00 . 2011-04-26 07:00 469944 c:\windows\system32\Adobe\Shockwave 11\SwHelper_1159620.exe
+ 2011-04-26 06:07 . 2011-04-26 06:07 136568 c:\windows\system32\Adobe\Shockwave 11\SCC.dll
- 2010-08-18 06:02 . 2010-08-18 06:02 136568 c:\windows\system32\Adobe\Shockwave 11\SCC.dll
+ 2011-04-26 06:53 . 2011-04-26 06:53 446464 c:\windows\system32\Adobe\Shockwave 11\Proj.dll
- 2010-08-18 06:14 . 2010-08-18 06:14 446464 c:\windows\system32\Adobe\Shockwave 11\Proj.dll
- 2010-08-18 06:13 . 2010-08-18 06:13 372736 c:\windows\system32\Adobe\Shockwave 11\Plugin.dll
+ 2011-04-26 06:52 . 2011-04-26 06:52 372736 c:\windows\system32\Adobe\Shockwave 11\Plugin.dll
+ 2011-04-26 06:53 . 2011-04-26 06:53 880640 c:\windows\system32\Adobe\Shockwave 11\gi.dll
- 2010-08-18 06:13 . 2010-08-18 06:13 503808 c:\windows\system32\Adobe\Shockwave 11\Control.dll
+ 2011-04-26 06:51 . 2011-04-26 06:51 503808 c:\windows\system32\Adobe\Shockwave 11\Control.dll
+ 2011-04-26 07:00 . 2011-04-26 07:00 215992 c:\windows\system32\Adobe\Director\SwDir.dll
+ 2011-04-26 06:52 . 2011-04-26 06:52 135168 c:\windows\system32\Adobe\Director\np32dsw.dll
+ 2011-05-18 03:48 . 2011-05-18 03:48 180224 c:\windows\Installer\1c5c4.msi
+ 2011-05-18 03:47 . 2011-05-18 03:47 677376 c:\windows\Installer\1c5bf.msi
+ 2010-11-10 16:49 . 2010-11-10 16:49 390552 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\pdfshell.dll
+ 2010-11-10 16:49 . 2010-11-10 16:49 101288 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\PDFPrevHndlrShim.exe
+ 2010-11-10 16:49 . 2010-11-10 16:49 135568 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\nppdf32.dll
+ 2010-11-10 16:49 . 2010-11-10 16:49 681872 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\JP2KLib.dll
+ 2010-11-10 16:49 . 2010-11-10 16:49 104344 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AiodLite.dll
+ 2010-11-10 16:49 . 2010-11-10 16:49 702352 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AcroPDF.dll
+ 2010-11-10 16:49 . 2010-11-10 16:49 294808 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\acrobroker.exe
+ 2010-11-10 16:49 . 2010-11-10 16:49 205720 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\a3dutils.dll
+ 2011-05-18 04:29 . 2011-05-18 04:29 6271136 c:\windows\system32\Macromed\Flash\NPSWF32.dll
+ 2011-04-26 06:44 . 2011-04-26 06:44 1019904 c:\windows\system32\Adobe\Shockwave 11\iml32.dll
+ 2011-04-26 06:07 . 2011-04-26 06:07 2314416 c:\windows\system32\Adobe\Shockwave 11\gt.exe
- 2010-08-18 06:07 . 2010-08-18 06:07 1802240 c:\windows\system32\Adobe\Shockwave 11\dirapi.dll
+ 2011-04-26 06:46 . 2011-04-26 06:46 1802240 c:\windows\system32\Adobe\Shockwave 11\dirapi.dll
+ 2011-05-18 04:05 . 2011-05-18 04:05 2283008 c:\windows\Installer\ddd82.msi
+ 2010-11-10 16:49 . 2010-11-10 16:49 2207632 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\rt3d.dll
+ 2010-11-10 16:49 . 2010-11-10 16:49 6222744 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\authplay.dll
+ 2010-11-10 16:49 . 2010-11-10 16:49 5503368 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AGM.dll
+ 2010-11-10 16:49 . 2010-11-10 16:49 1216416 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AdobeCollabSync.exe
+ 2010-11-10 16:49 . 2010-11-10 16:49 1289624 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AcroRd32.exe
+ 2011-01-30 20:44 . 2011-01-30 20:44 12425728 c:\windows\Installer\ddd83.msp
+ 2010-11-10 16:49 . 2010-11-10 16:49 23724952 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AcroRd32.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13574144]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"Memeo Instant Backup"="c:\program files\Memeo\AutoBackup\MemeoLauncher2.exe" [2010-06-21 136416]
"Seagate Dashboard"="c:\program files\Seagate\Seagate Dashboard\MemeoLauncher.exe" [2010-06-30 79112]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-01-07 253672]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
NETGEAR WG111v3 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v3\WG111v3.exe [2008-2-22 2326528]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlackBerry Desktop Redirector.lnk]
.
[HKLM\~\startupfolder\C:^Documents and Settings^John^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2006-09-11 09:40 218032 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-03-07 20:33 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MpsOnn]
2007-05-14 18:49 28232 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\MPSONN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2008-09-18 03:55 13574144 ------w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2008-09-18 03:55 86016 ------w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2008-09-18 03:55 1657376 ------w- c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TapiSrv"=3 (0x3)
"Roxio Upnp Server 9"=2 (0x2)
"Roxio UPnP Renderer 9"=3 (0x3)
"JavaQuickStarterService"=3 (0x3)
"AntiVirService"=3 (0x3)
"AntiVirScheduler"=3 (0x3)
"wscsvc"=3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SoundMan"=SOUNDMAN.EXE
"nwiz"=nwiz.exe /install
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/10/2006 1:53 PM 5632]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/27/2007 12:39 PM 32256]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [10/9/2007 2:13 PM 38144]
R2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\Memeo\AutoBackup\MemeoBackgroundService.exe [6/21/2010 4:09 PM 25824]
R2 SeagateDashboardService;Seagate Dashboard Service;c:\program files\Seagate\Seagate Dashboard\SeagateDashboardService.exe [6/30/2010 4:38 PM 14088]
S0 CFRMD;CFRMD;c:\windows\system32\drivers\CFRMD.sys --> c:\windows\system32\drivers\CFRMD.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
S3 FANTOM;LEGO MINDSTORMS NXT Driver;c:\windows\system32\drivers\fantom.sys [3/10/2006 3:55 PM 39424]
S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\drivers\IcdUsb2.sys [3/8/2007 8:20 AM 39048]
S3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [12/28/2007 4:02 PM 287232]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/16/2006 5:51 PM 4096]
S3 Vsp;Vsp;c:\windows\system32\drivers\vsp.sys [7/27/2006 8:59 PM 3351]
S3 WEBNTACCESS;WEBNTACCESS;\??\c:\program files\MSI\Live Update 3\NTACCESS.SYS --> c:\program files\MSI\Live Update 3\NTACCESS.SYS [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/21/2010 5:46 PM 136176]
.
Contents of the 'Scheduled Tasks' folder
.
2007-06-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
2011-05-17 c:\windows\Tasks\COMODO System Cleaner Update.job
- c:\program files\COMODO\COMODO System-Cleaner\UpdateApplications.exe [2010-01-26 21:28]
.
2011-05-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-21 21:45]
.
.
------- Supplementary Scan -------
.
uLocal Page = hxxp://www.google.com/
uStart Page = hxxp://www.google.com/
mLocal Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
Trusted Zone: com.tw\www.msi
Trusted Zone: dhs.gov\email.tsa
FF - ProfilePath - c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\f72icyfh.default\
FF - prefs.js: browser.search.selectedEngine - Food Network - Recipes
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-18 00:58
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD2500JB-00REA0 rev.20.00K20 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A8B653B
user & kernel MBR OK
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(532)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'lsass.exe'(592)
c:\windows\system32\WININET.dll
.
Completion time: 2011-05-18 01:02:29
ComboFix-quarantined-files.txt 2011-05-18 05:02
ComboFix2.txt 2011-05-17 23:07
ComboFix3.txt 2011-05-17 21:45
ComboFix4.txt 2011-05-17 18:39
ComboFix5.txt 2011-05-18 04:36
.
Pre-Run: 208,166,256,640 bytes free
Post-Run: 208,197,562,368 bytes free
.
- - End Of File - - B1F53F6374A95538999A5FE7E1B65A71
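A defender reading a ComboFix log like the one above looks first at the settings that weaken the host rather than at the file listings: security services parked under msconfig, the Security Center override, the firewall profile switched off, Trusted Zone additions and the browser proxy setting. The script below is an added example written for this thread, not part of ComboFix or of the helper's instructions; it is a hypothetical triage helper that reads the "Reg Loading Points" and "Supplementary Scan" lines and reports those settings. The sample input is a constructed excerpt of the log posted above, and the service names it watches (wscsvc, SharedAccess, wuauserv, Avira's AntiVirService and AntiVirScheduler) are the author's choice.

```python
"""Triage of ComboFix 'Reg Loading Points' / 'Supplementary Scan' lines.

Hypothetical helper (not part of ComboFix): it reads the text of a ComboFix log
and flags settings that weaken the host's defences.
"""
import re

# Constructed sample: a handful of lines copied from the ComboFix log in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TapiSrv"=3 (0x3)
"AntiVirService"=3 (0x3)
"AntiVirScheduler"=3 (0x3)
"wscsvc"=3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
Trusted Zone: com.tw\www.msi
Trusted Zone: dhs.gov\email.tsa
FF - prefs.js: network.proxy.type - 0
"""

# Services whose removal from normal startup matters for defence (author's choice).
WATCHED_SERVICES = {
    "wscsvc": "Windows Security Center",
    "sharedaccess": "Windows Firewall / ICS",
    "wuauserv": "Automatic Updates",
    "antivirservice": "Avira AntiVir guard",
    "antivirscheduler": "Avira AntiVir scheduler",
}

# Firefox network.proxy.type values: 0 = direct, 1 = manual, 2 = PAC URL,
# 4 = auto-detect, 5 = system settings.
PROXY_TYPES = {0: "direct", 1: "manual", 2: "PAC", 4: "auto-detect", 5: "system"}

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
TRUSTED_RE = re.compile(r"^Trusted Zone:\s*(.+)$")
PROXY_RE = re.compile(r"^FF - prefs\.js: network\.proxy\.type - (\d+)")


def _int_value(raw):
    """Turn '3 (0x3)', ' 0 (0x0)' or 'dword:00000001' into an int (None if absent)."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"\d+", raw)
    return int(m.group(0)) if m else None


def triage(log_text):
    """Return a list of {severity, item, detail} findings for the given log text."""
    findings = []
    section = ""  # lower-cased name of the registry key currently being listed
    for line in log_text.splitlines():
        line = line.rstrip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        m = TRUSTED_RE.match(line)
        if m:
            findings.append({"severity": "INFO", "item": "Trusted Zone",
                             "detail": f"{m.group(1)} is in the IE Trusted sites zone; confirm it is intended"})
            continue
        m = PROXY_RE.match(line)
        if m:
            ptype = int(m.group(1))
            if ptype != 0:  # anything but a direct connection deserves a look on a redirecting box
                findings.append({"severity": "HIGH", "item": "network.proxy.type",
                                 "detail": f"Firefox proxy type {ptype} ({PROXY_TYPES.get(ptype, 'unknown')}) is set"})
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), _int_value(m.group(2))
        # msconfig records a service it disabled under this key, with the original start type as value.
        if section.endswith(r"msconfig\services") and name.lower() in WATCHED_SERVICES:
            findings.append({"severity": "HIGH", "item": name,
                             "detail": f"{WATCHED_SERVICES[name.lower()]} was disabled through msconfig "
                                       f"(saved original start type {value})"})
        elif section.endswith("security center") and name.endswith("Override") and value == 1:
            findings.append({"severity": "HIGH", "item": name,
                             "detail": "Security Center monitoring is suppressed; a missing AV/firewall raises no alert"})
        elif "firewallpolicy" in section and name == "EnableFirewall" and value == 0:
            profile = section.rsplit("\\", 1)[-1]
            findings.append({"severity": "HIGH", "item": name,
                             "detail": f"Windows Firewall is off for the {profile}"})
        elif "firewallpolicy" in section and name == "DisableNotifications" and value == 1:
            findings.append({"severity": "MEDIUM", "item": name,
                             "detail": "Firewall notifications are silenced"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:<6}] {f['item']}: {f['detail']}")
```

Run against the excerpt it reports five HIGH findings (three Avira/Security Center services parked by msconfig, the AntiVirusOverride flag and the disabled standard firewall profile), one MEDIUM and two INFO lines, and stays quiet about the Firefox proxy because type 0 means a direct connection. Those are exactly the items a helper would want re-enabled or explained before calling the machine clean.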

#8 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:04:26 PM

Posted 18 May 2011 - 08:19 AM

How is the computer running now?

Are there any outstanding issues?



#9 hilus

hilus
  • Topic Starter

  • Members
  • 69 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Portsmouth, NH
  • Local time:04:26 PM

Posted 18 May 2011 - 08:59 AM

Hi
I'm not sure. I haven't used it much because of what was happening. I've had it disconnected from the internet most of the time. If my last log seems to indicate that all is well, then it must be. I don't want to further impose, but can you recommend an anti-virus and a firewall? Also, what other things can I do to keep the kids from doing this again?

#10 hilus

hilus
  • Topic Starter

  • Members
  • 69 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Portsmouth, NH
  • Local time:04:26 PM

Posted 18 May 2011 - 09:08 AM

Also, can you recommend any additional cleaning/maintenance? And last night I discovered 3 entries in my Services folder that were never there. Under Administrative Tools > Services I found the following:

" Roxio UPNP server 9"
" Roxio UPNP Render 9"
"Liveshare p2p server 9"

How do I delete or remove the entries from my Services folder?

Thanks......

Edited by hilus, 18 May 2011 - 09:09 AM.


#11 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:04:26 PM

Posted 18 May 2011 - 09:11 AM

You have Avira, which is a very good antivirus. I also think Microsoft Security Essentials is excellent, and also free, if you wanted to switch AVs and see if you like it better (never use more than one AV at a time). Outpost is a very good firewall, but if you use the Windows Firewall and are behind a secured router, that should be fine.


We just have some housekeeping to do now:


You can delete the DDS and GMER logs and programs from your desktop.


NEXT


Follow these steps to uninstall ComboFix

  • Make sure your security programs are totally disabled.
  • Click START then RUN
  • Now copy/paste Combofix /uninstall into the run box and click OK. Note the space between the ..X and the /U; it needs to be there.



If there are any logs/tools remaining on your desktop > right click and delete them.


NEXT


Below I have included a number of recommendations for how to protect your computer against malware infections.

  • It is good security practice to change the passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article:
    Strong passwords: How to create and use them
    Then consider a password keeper to keep all your passwords safe. KeePass is a small utility that lets you manage all your passwords.

  • Keep Windows updated by regularly checking their website at:
    http://windowsupdate.microsoft.com/
    This will ensure your computer always has the latest security updates installed.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and script ActiveX controls not marked as safe" to "Disable".
    • Next, click OK, then the Apply button, and then OK to exit the Internet Properties page.

  • Download TFC to your desktop
    • Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run,
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish its job
    • Once it's finished it should automatically reboot your machine,
    • if it doesn't, manually reboot to ensure a complete clean
    It's normal after running TFC cleaner that the PC will be slower to boot the first time.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an add-on available for both Firefox and IE.

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at this well written article:
    PC Safety and Security--What Do I Need?


**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.


Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank you.



#12 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:04:26 PM

Posted 18 May 2011 - 09:14 AM

Hi

How do I delete or remove the entries from my services folder.


You should be able to right-click the item and choose "Delete".

If it won't delete, then try deleting in Safe Mode.

To enter Safe Mode
  • Go to Start > Shut off your Computer > Restart
  • As the computer starts to boot up, tap the F8 key repeatedly; this will bring up a menu.
  • Use the Up and Down arrow keys to scroll up to Safe Mode
  • Then press the Enter key on your keyboard
  • Go into your usual account



#13 hilus

hilus
  • Topic Starter

  • Members
  • 69 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Portsmouth, NH
  • Local time:04:26 PM

Posted 18 May 2011 - 09:19 AM

Hi

OK, bad news: my Internet Explorer is not working correctly. I'm getting redirected when I go to sites.

#14 hilus

hilus
  • Topic Starter

  • Members
  • 69 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Portsmouth, NH
  • Local time:04:26 PM

Posted 18 May 2011 - 09:24 AM

Hi
When I attempted to change the security settings of Internet Explorer, it locked up, gave me a warning that it was not responding and then just shut down (not the computer, just IE).

#15 hilus

hilus
  • Topic Starter

  • Members
  • 69 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Portsmouth, NH
  • Local time:04:26 PM

Posted 18 May 2011 - 09:44 AM

Hi,
Sorry, but stuff keeps coming up. Last night it was late, so I was really tired and I forgot to tell you that the last time I ran ComboFix it still found something suspicious. I'm wondering if it still hasn't got everything. Also, what happened to all of the stuff ESET found? Should I do another scan? Thanks for all your help, I know I'm a pain.....

John....



