can't get rid of Trojan Generic22.eweg


This topic is locked
28 replies to this topic

#1 ZeroFlight
  • Members

Posted 24 May 2011 - 02:00 PM

Ok, first time posting to BC so here goes. The machine had a couple of trojans and malware entries awhile ago. I used a combination of the already installed AVG as well as used Malwarebytes to get rid of them. Also used Stinger later on. After a couple of runs, each came back clean. Now, a week later AVG pops up with Trojan Generic22 pointing to a file that it says either doesn't exist or is locked. Any advice would be greatly appreciated. Attached are the gmer and dds logs as well as a screenshot of the trojan notification.

Thank you,
-ZF

After running gmer, it showed rootkit but I haven't read the log yet to see what.

EDIT: Please be patient. There are over 370 unanswered topics in this forum at present and the current average wait time to receive help is 12 days. ~Budapest

Edited by Budapest, 26 May 2011 - 05:56 PM.



#2 Orange Blossom
    OBleepin Investigator
  • Moderator

Posted 02 June 2011 - 03:22 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:

  • If you have since resolved the original problem you were having, we would appreciate you letting us know.
  • If you are unable to create a log because your computer cannot start up successfully, please provide detailed information about your installed Windows Operating System, including the Version, Edition and whether it is a 32-bit or a 64-bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • Upon completing the steps below, another staff member will review your topic and do their best to resolve your issues.
  • If you have already posted a DDS log, please do so again, as your situation may have changed.
  • Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Thanks and again sorry for the delay.
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Internet Security, NoScript Firefox ext.



#3 ZeroFlight
  • Topic Starter
  • Members

Posted 03 June 2011 - 09:16 AM

Ok, new gmer and dds logs. FYI, the first time I ran gmer when I created the topic, it ran fine. This time around it crashed twice and rebooted Windows 3 times before it finished.


#4 RPMcMurphy
    Bleeping *^#@%~
  • Malware Response Team

Posted 04 June 2011 - 11:16 PM

Hello and welcome. Please follow these guidelines while we work on your PC:
  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I’ve given you the “All clear.” Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.
Download Combofix from either of the links below, and save it to your desktop.

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - ComboFix will not run until AVG is uninstalled. This is because AVG falsely detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first. You may do this through Control Panel > Programs > Uninstall a program or you can use this tool for a more complete removal:

Download AppRemover from here saving it to your desktop.
  • Double click to run AppRemover
  • Follow the prompts to remove AVG
  • Reboot
Once you've removed AVG with this tool please continue with these instructions
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • If you have trouble, stop and post back. Do not try to repeatedly run comboFix!
  • When finished, it will produce a report for you.
Please include the following in your next post:
  • ComboFix log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#5 ZeroFlight
  • Topic Starter
  • Members

Posted 06 June 2011 - 12:47 PM

Two notes first. One, the AppRemover link is no longer valid. It's now http://www.appremover.com/get/appremover.exe Second, it didn't even detect AVG nor did AVG care about Combofix.

Ok, now for the combo log.

ComboFix 11-06-06.01 - Administrator 06/06/2011 11:59:34.2.2 - x86
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.3062.1964 [GMT -5:00]
Running from: c:\users\administrator\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\assembly\GAC_MSIL\desktop.ini
.
---- Previous Run -------
.
c:\program files\INSTALL.LOG
c:\programdata\Microsoft\Windows\Start Menu\Programs\SEE2 USB 2.0 VGA Adapter
c:\users\LDG\g2mdlhlpx.exe
c:\windows\assembly\GAC_MSIL\desktop.ini
.
.
((((((((((((((((((((((((( Files Created from 2011-05-06 to 2011-06-06 )))))))))))))))))))))))))))))))
.
.
2011-06-06 17:08 . 2011-06-06 17:08 -------- d-----w- c:\users\wsadmin\AppData\Local\temp
2011-06-06 17:08 . 2011-06-06 17:08 -------- d-----w- c:\users\scanner\AppData\Local\temp
2011-06-06 17:08 . 2011-06-06 17:08 -------- d-----w- c:\users\LDG\AppData\Local\temp
2011-06-06 17:08 . 2011-06-06 17:08 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-06-01 15:09 . 2011-06-01 15:09 -------- d-----w- c:\users\administrator\AppData\Local\assembly
2011-06-01 15:09 . 2011-06-01 15:09 -------- d-----w- c:\users\administrator\AppData\Local\Deployment
2011-06-01 15:09 . 2011-06-01 15:09 -------- d-----w- c:\users\administrator\AppData\Local\Apps
2011-05-27 17:45 . 2011-05-27 17:45 -------- d-----w- c:\users\administrator\AppData\Local\Intuit
2011-05-24 12:38 . 2011-05-24 12:38 -------- d-----w- c:\users\LDG\AppData\Roaming\Malwarebytes
2011-05-19 18:21 . 2011-05-19 18:21 -------- d-----w- c:\users\LDG\AppData\Local\AVG Security Toolbar
2011-05-13 22:07 . 2011-06-06 16:02 -------- d-----w- c:\users\administrator\AppData\Roaming\Malwarebytes
2011-05-13 22:05 . 2011-06-02 22:06 -------- d-----w- c:\users\administrator\Tracing
2011-05-11 22:58 . 2011-05-11 22:59 -------- d-----w- c:\users\dan
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-18 20:31 . 2011-04-18 20:31 101 ----a-w- C:\fix.reg
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-08-06 4374528]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 56080]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"Communicator"="c:\program files\Microsoft Lync\communicator.exe" [2010-10-22 11937552]
"LWS"="c:\program files\Logitech\LWS\Webcam Software\LWS.exe" [2010-05-08 165208]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2007-8-9 25214]
PfxPDFConvertService.exe.lnk - c:\pfx engagement\WM\PfxPDFConvertService.exe [2008-11-14 173568]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-9-11 972064]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
"EnableUIADesktopToggle"= 0 (0x0)
"DisableBkGndGroupPolicy"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux3"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 OpenDrvKmd;OpenDrvKmd;c:\users\ADMINI~1\AppData\Local\Temp\CheckModel.tmp\OpenDrvKmd.sys [x]
R3 Smcinst;Symantec Auto-upgrade Agent;c:\program files\Symantec AntiVirus\SmcLU\Setup\smcinst.exe [x]
R3 VPREMOTE;VPRemote Install Bootstrap Service;c:\temp\Clt-Inst\vpremote.exe [2008-12-04 140216]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2008-01-19 16896]
R3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\DRIVERS\WSDScan.sys [2009-04-11 19968]
R3 xMrMINI;xMrMINI;c:\windows\system32\DRIVERS\xMrMini.sys [x]
R3 xVGAMINI;xVGAMINI;c:\windows\system32\DRIVERS\xVgaMini.sys [x]
R3 xVGAUSB;USB2.0 VGA DEVICE(USB);c:\windows\system32\drivers\xvgausb.sys [x]
S2 MSSQL$PROFXENGAGEMENT;SQL Server (PROFXENGAGEMENT);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2010-12-10 29293408]
S2 PFXEngDesktopService;PFXEngDesktopService;c:\pfx engagement\Common\PFXEngDesktopService.exe [2008-11-14 429568]
S2 PFXSYNPFTService;PFXSYNPFTService;c:\pfx engagement\Common\PFXSYNPFTService.exe [2008-11-14 438784]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
2008-04-11 22:23 38400 ----a-w- c:\windows\System32\SoundSchemes.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B3688A53-AB2A-4b1d-8CEF-8F93D8C51C24}]
2008-08-28 15:50 30720 ----a-w- c:\windows\System32\soundschemes2.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-06 c:\windows\Tasks\User_Feed_Synchronization-{B364B152-0E04-4CE6-9B04-F5430B96D196}.job
- c:\windows\system32\msfeedssync.exe [2011-02-09 04:47]
.
2011-06-06 c:\windows\Tasks\User_Feed_Synchronization-{FE5D0621-8DA9-43CA-AF40-8F481437B705}.job
- c:\windows\system32\msfeedssync.exe [2011-02-09 04:47]
.
.
------- Supplementary Scan -------
.
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: Interfaces\{778D3607-BE1D-4D42-BFF0-CE0120094E91}: NameServer = 192.168.1.47
DPF: {9E472D58-F10C-11CF-B7A9-0020AFD6A362} - hxxps://vault.netvoyage.com/neWeb2/neWebCl.cab
FF - ProfilePath -
.
- - - - ORPHANS REMOVED - - - -
.
Notify-GoToAssist - c:\program files\Citrix\GoToAssist\508\G2AWinLogon.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-06 12:08
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1426590395-2161807218-2885428501-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,07,1c,df,af,b6,a5,4c,4d,8c,f9,31,\
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,07,1c,df,af,b6,a5,4c,4d,8c,f9,31,\
.
Completion time: 2011-06-06 12:11:37
ComboFix-quarantined-files.txt 2011-06-06 17:11
.
Pre-Run: 13,770,043,392 bytes free
Post-Run: 13,210,910,720 bytes free
.
- - End Of File - - 7EB17C3AD9D8289F0A5278ECE3685576

#6 RPMcMurphy
    Bleeping *^#@%~
  • Malware Response Team

Posted 06 June 2011 - 09:40 PM

ZeroFlight:

Thanks for letting me know about the link. AVG was not detected by either app because large parts of it appear to be missing. Please do this next:

Open Notepad (Start > All Programs > Accessories > Notepad; this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before and above File::

File::
c:\users\ADMINI~1\AppData\Local\Temp\CheckModel.tmp\OpenDrvKmd.sys
Driver::
OpenDrvKmd

Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM
  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Uncheck any entries from C:\System Volume Information or C:\Qoobox
  • Make sure that everything else is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Please include the following in your next post:
  • ComboFix log
  • MBAM log

Edited by RPMcMurphy, 06 June 2011 - 09:40 PM.



#7 ZeroFlight
  • Topic Starter
  • Members

Posted 07 June 2011 - 05:06 PM

I forgot to grab the log after running combofix prior to MalwareBytes so I re-ran it after and saved the log from that run. When I ran it for the first time, it wouldn't allow me to - registry entry has been marked for deletion. After rebooting I could though. I did not remove the Qoobox entry.

ComboFix 11-06-06.01 - Administrator 06/07/2011 14:01:02.6.2 - x86
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.3062.2076 [GMT -5:00]
Running from: c:\users\administrator\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\assembly\GAC_MSIL\desktop.ini
c:\windows\system32\Drivers\kqiqdyxd.sys
.
.
((((((((((((((((((((((((( Files Created from 2011-05-07 to 2011-06-07 )))))))))))))))))))))))))))))))
.
.
2011-06-07 19:36 . 2011-06-07 19:36 -------- d-----w- c:\users\wsadmin\AppData\Local\temp
2011-06-07 19:36 . 2011-06-07 19:36 -------- d-----w- c:\users\scanner\AppData\Local\temp
2011-06-07 19:36 . 2011-06-07 19:36 -------- d-----w- c:\users\LDG\AppData\Local\temp
2011-06-07 19:36 . 2011-06-07 19:36 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-06-07 16:20 . 2011-05-29 14:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-07 16:20 . 2011-06-07 16:20 -------- d-----w- c:\programdata\Malwarebytes
2011-06-07 16:20 . 2011-06-07 16:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-07 16:20 . 2011-05-29 14:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-06 22:35 . 2011-06-07 19:36 -------- d-----w- c:\users\administrator\AppData\Local\temp
2011-06-01 15:09 . 2011-06-01 15:09 -------- d-----w- c:\users\administrator\AppData\Local\assembly
2011-06-01 15:09 . 2011-06-01 15:09 -------- d-----w- c:\users\administrator\AppData\Local\Deployment
2011-06-01 15:09 . 2011-06-01 15:09 -------- d-----w- c:\users\administrator\AppData\Local\Apps
2011-05-27 17:45 . 2011-05-27 17:45 -------- d-----w- c:\users\administrator\AppData\Local\Intuit
2011-05-24 12:38 . 2011-05-24 12:38 -------- d-----w- c:\users\LDG\AppData\Roaming\Malwarebytes
2011-05-19 18:21 . 2011-05-19 18:21 -------- d-----w- c:\users\LDG\AppData\Local\AVG Security Toolbar
2011-05-13 22:07 . 2011-06-07 16:21 -------- d-----w- c:\users\administrator\AppData\Roaming\Malwarebytes
2011-05-13 22:05 . 2011-06-02 22:06 -------- d-----w- c:\users\administrator\Tracing
2011-05-11 22:58 . 2011-05-11 22:59 -------- d-----w- c:\users\dan
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-18 20:31 . 2011-04-18 20:31 101 ----a-w- C:\fix.reg
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-08-06 4374528]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 56080]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"Communicator"="c:\program files\Microsoft Lync\communicator.exe" [2010-10-22 11937552]
"LWS"="c:\program files\Logitech\LWS\Webcam Software\LWS.exe" [2010-05-08 165208]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2007-8-9 25214]
PfxPDFConvertService.exe.lnk - c:\pfx engagement\WM\PfxPDFConvertService.exe [2008-11-14 173568]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-9-11 972064]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
"EnableUIADesktopToggle"= 0 (0x0)
"DisableBkGndGroupPolicy"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux3"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-05-29 39984]
R3 Smcinst;Symantec Auto-upgrade Agent;c:\program files\Symantec AntiVirus\SmcLU\Setup\smcinst.exe [x]
R3 VPREMOTE;VPRemote Install Bootstrap Service;c:\temp\Clt-Inst\vpremote.exe [2008-12-04 140216]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2008-01-19 16896]
R3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\DRIVERS\WSDScan.sys [2009-04-11 19968]
R3 xMrMINI;xMrMINI;c:\windows\system32\DRIVERS\xMrMini.sys [x]
R3 xVGAMINI;xVGAMINI;c:\windows\system32\DRIVERS\xVgaMini.sys [x]
R3 xVGAUSB;USB2.0 VGA DEVICE(USB);c:\windows\system32\drivers\xvgausb.sys [x]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-05-29 366640]
S2 MSSQL$PROFXENGAGEMENT;SQL Server (PROFXENGAGEMENT);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2010-12-10 29293408]
S2 PFXEngDesktopService;PFXEngDesktopService;c:\pfx engagement\Common\PFXEngDesktopService.exe [2008-11-14 429568]
S2 PFXSYNPFTService;PFXSYNPFTService;c:\pfx engagement\Common\PFXSYNPFTService.exe [2008-11-14 438784]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-05-29 22712]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
2008-04-11 22:23 38400 ----a-w- c:\windows\System32\SoundSchemes.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B3688A53-AB2A-4b1d-8CEF-8F93D8C51C24}]
2008-08-28 15:50 30720 ----a-w- c:\windows\System32\soundschemes2.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-07 c:\windows\Tasks\User_Feed_Synchronization-{B364B152-0E04-4CE6-9B04-F5430B96D196}.job
- c:\windows\system32\msfeedssync.exe [2011-02-09 04:47]
.
2011-06-07 c:\windows\Tasks\User_Feed_Synchronization-{FE5D0621-8DA9-43CA-AF40-8F481437B705}.job
- c:\windows\system32\msfeedssync.exe [2011-02-09 04:47]
.
.
------- Supplementary Scan -------
.
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: Interfaces\{778D3607-BE1D-4D42-BFF0-CE0120094E91}: NameServer = 192.168.1.47
DPF: {9E472D58-F10C-11CF-B7A9-0020AFD6A362} - hxxps://vault.netvoyage.com/neWeb2/neWebCl.cab
FF - ProfilePath - c:\users\LDG\AppData\Roaming\Mozilla\Firefox\Profiles\euilhlhm.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4d0065a3&v=6.103.018.001&i=29&tp=ab&iy=&ychte=us&lng=en-US&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-07 14:36
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1426590395-2161807218-2885428501-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,07,1c,df,af,b6,a5,4c,4d,8c,f9,31,\
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,07,1c,df,af,b6,a5,4c,4d,8c,f9,31,\
.
Completion time: 2011-06-07 14:39:17
ComboFix-quarantined-files.txt 2011-06-07 19:39
ComboFix2.txt 2011-06-07 15:02
ComboFix3.txt 2011-06-06 17:11
.
Pre-Run: 11,447,980,032 bytes free
Post-Run: 11,316,506,624 bytes free
.
- - End Of File - - ECBA3E3D1F711CF619CE1CFDD2C9E0CA


#8 RPMcMurphy
    Bleeping *^#@%~
  • Malware Response Team

Posted 07 June 2011 - 11:09 PM

ZeroFlight:

One or more of the identified infections is a backdoor trojan/rootkit.

This type of infection allows hackers to remotely control your computer, steal critical system information and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

You can read this: How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

How is your computer running now? Please do this next:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.
  • Go to this page.
  • Scroll down to where it says "Java Platform, Standard Edition."
  • Click the "Download JRE" button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Now go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u26-windows-i586-p.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked:
        Applications and Applets
        Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.
Please run ESET Online Scanner
  • Place a check mark in the box YES, I accept the Terms Of Use
  • Click the Start button.
  • Now click the Install button.
  • Click Start. The scanner engine will initialize and update.
  • Do Not place a check mark in the box beside Remove found threats.
  • Click the Scan button. The scan will now run, please be patient.
  • When the scan finishes copy and paste the results into your next reply.
Please include the following in your next post:
  • How is the computer running?
  • ESET log

Edited by RPMcMurphy, 07 June 2011 - 11:09 PM.

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#9 ZeroFlight (Topic Starter)

Posted 10 June 2011 - 08:47 AM

Sorry for the delay. I don't really notice any change in the computer other than the lack of AVG warnings. Performance was never really impacted in the first place. Following is the ESET log. In case you need to know for cleaning, Pfx Engagement is a major program we use for auditing, so it doesn't come from the internet pre-infected.

C:\Pfx Engagement\Common\PFXEngDesktopService.exe Win32/Patched.HN trojan error while cleaning
C:\Pfx Engagement\Common\PFXSYNPFTService.exe Win32/Patched.HN trojan error while cleaning
C:\Program Files\Common Files\logishrd\LVMVFM\LVPrcSrv.exe Win32/Patched.HN trojan error while cleaning
C:\Program Files\Common Files\microsoft shared\VS7DEBUG\MDM.EXE Win32/Patched.HN trojan error while cleaning
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe Win32/Patched.HN trojan cleaned - quarantined
C:\Windows\System32\wuauclt.exe Win32/Patched.HN trojan error while cleaning
C:\Windows\System32\drivers\dfsc.sys Win32/Rootkit.Agent.NUS trojan unable to clean
C:\Windows\winsxs\x86_microsoft-windows-w..wsupdateclient-core_31bf3856ad364e35_7.4.7600.226_none_e979223d5b9c821b\wuauclt.exe Win32/Patched.HN trojan error while cleaning
Operating memory Win32/Patched.HN trojan

#10 RPMcMurphy (Malware Response Team)

Posted 10 June 2011 - 04:25 PM

ZeroFlight:

I'd like to recheck some of those ESET detections - please do this:

Go to the Control Panel
  • In the search bar enter Show hidden
  • In the main window click on Folder Options > Show hidden files and folders
  • Change the setting under Hidden files and folders to Show hidden files, folders, or drives
  • Click OK. (Remember to Hide files and folders once done)

Please go to this site to scan the following files:

Virus Total

Click on Browse, and upload each of the following files for analysis:

C:\Windows\System32\wuauclt.exe
C:\Windows\System32\drivers\dfsc.sys
C:\Program Files\Common Files\microsoft shared\VS7DEBUG\MDM.EXE


Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.
If it says already scanned -- click "reanalyze now"
Please post the results in your next reply.


#11 ZeroFlight (Topic Starter)

Posted 13 June 2011 - 09:10 AM

Here are the results - dfsc, then mdm, then wuauclt

DFSC
Antivirus Version Last Update Result
AhnLab-V3 2011.06.13.00 2011.06.13 Win-Trojan/Zaccess.51328
AntiVir 7.11.9.167 2011.06.13 TR/Rootkit.Gen
Antiy-AVL 2.0.3.7 2011.06.13 Trojan/Win32.ZAccess.gen
Avast 4.8.1351.0 2011.06.13 Win32:Rootkit-gen
Avast5 5.0.677.0 2011.06.13 Win32:Rootkit-gen
AVG 10.0.0.1190 2011.06.13 BackDoor.Generic13.BKVZ
BitDefender 7.2 2011.06.13 -
CAT-QuickHeal 11.00 2011.06.13 -
ClamAV 0.97.0.0 2011.06.13 -
Commtouch 5.3.2.6 2011.06.13 -
Comodo 9053 2011.06.13 TrojWare.Win32.Rootkit.ZAccess.A
DrWeb 5.0.2.03300 2011.06.13 BackDoor.Maxplus.13
eSafe 7.0.17.0 2011.06.09 Win32.TRRootkit
eTrust-Vet 36.1.8383 2011.06.13 Win32/Sirefef.AF
F-Prot 4.6.2.117 2011.06.13 -
F-Secure 9.0.16440.0 2011.06.13 Backdoor.Generic.668256
Fortinet 4.2.257.0 2011.06.11 W32/ZAccess.C!tr.rkit
GData 22 2011.06.13 Win32:Rootkit-gen
Ikarus T3.1.1.104.0 2011.06.13 Trojan-Dropper.Win32.Sirefef
Jiangmin 13.0.900 2011.06.12 Rootkit.ZAccess.z
K7AntiVirus 9.106.4798 2011.06.10 RootKit
Kaspersky 9.0.0.837 2011.06.13 Rootkit.Win32.ZAccess.c
McAfee 5.400.0.1158 2011.06.13 Generic Rootkit.ev
McAfee-GW-Edition 2010.1D 2011.06.13 Heuristic.BehavesLike.Win32.Suspicious.H
Microsoft 1.6903 2011.06.13 TrojanDropper:Win32/Sirefef.B
NOD32 6203 2011.06.13 Win32/Rootkit.Agent.NUS
Norman 6.07.10 2011.06.13 W32/Suspicious_Gen2.MRGHA
nProtect 2011-06-13.02 2011.06.13 -
Panda 10.0.3.5 2011.06.13 Generic Malware
PCTools 7.0.3.5 2011.06.10 Hacktool.Rootkit
Prevx 3.0 2011.06.13 -
Rising 23.62.00.03 2011.06.13 -
Sophos 4.66.0 2011.06.13 Troj/ZAccess-C
SUPERAntiSpyware 4.40.0.1006 2011.06.13 -
Symantec 20111.1.0.186 2011.06.13 Hacktool.Rootkit
TheHacker 6.7.0.1.230 2011.06.12 Trojan/ZAccess.c
TrendMicro 9.200.0.1012 2011.06.13 TROJ_GEN.R01C2F1
TrendMicro-HouseCall 9.200.0.1012 2011.06.13 TROJ_GEN.R01C2F1
VBA32 3.12.16.1 2011.06.13 Rootkit.ZAccess.c
VIPRE 9570 2011.06.13 Trojan.Win32.Generic!BT
ViRobot 2011.6.13.4509 2011.06.13 -
VirusBuster 14.0.78.0 2011.06.13 Rootkit.ZAccess!RegWCD0MU/A



MDM
Antivirus Version Last Update Result
AhnLab-V3 2011.06.13.00 2011.06.13 Win-Trojan/Patched.DD
AntiVir 7.11.9.167 2011.06.13 -
Antiy-AVL 2.0.3.7 2011.06.13 -
Avast 4.8.1351.0 2011.06.13 Win32:Patched-WQ
Avast5 5.0.677.0 2011.06.13 Win32:Patched-WQ
AVG 10.0.0.1190 2011.06.13 Win32/Agent.CB
BitDefender 7.2 2011.06.13 Gen:Variant.Kazy.11879
CAT-QuickHeal 11.00 2011.06.13 -
ClamAV 0.97.0.0 2011.06.13 -
Commtouch 5.3.2.6 2011.06.13 -
Comodo 9053 2011.06.13 -
DrWeb 5.0.2.03300 2011.06.13 Trojan.Starter.1695
eSafe 7.0.17.0 2011.06.09 -
eTrust-Vet 36.1.8383 2011.06.13 Win32/Patchload.U
F-Prot 4.6.2.117 2011.06.13 -
F-Secure 9.0.16440.0 2011.06.13 Gen:Variant.Kazy.11879
Fortinet 4.2.257.0 2011.06.11 -
GData 22 2011.06.13 Gen:Variant.Kazy.11879
Ikarus T3.1.1.104.0 2011.06.13 Trojan-Spy.Win32.Zbot
Jiangmin 13.0.900 2011.06.12 TrojanSpy.Zbot.adxr
K7AntiVirus 9.106.4798 2011.06.10 -
Kaspersky 9.0.0.837 2011.06.13 Virus.Win32.Suspic.gen
McAfee 5.400.0.1158 2011.06.13 W32/Katusha
McAfee-GW-Edition 2010.1D 2011.06.13 W32/Katusha
Microsoft 1.6903 2011.06.13 Virus:Win32/Patchload.O
NOD32 6203 2011.06.13 Win32/Patched.HN
Norman 6.07.10 2011.06.13 W32/Zbot.XGR
nProtect 2011-06-13.02 2011.06.13 Trojan/W32.Agent.322120
Panda 10.0.3.5 2011.06.13 W32/Katusha.BN
PCTools 7.0.3.5 2011.06.10 -
Prevx 3.0 2011.06.13 -
Rising 23.62.00.03 2011.06.13 -
Sophos 4.66.0 2011.06.13 -
SUPERAntiSpyware 4.40.0.1006 2011.06.13 -
Symantec 20111.1.0.186 2011.06.13 -
TheHacker 6.7.0.1.230 2011.06.12 -
TrendMicro 9.200.0.1012 2011.06.13 PTCH_KATUSHA.W
TrendMicro-HouseCall 9.200.0.1012 2011.06.13 PTCH_KATUSHA.W
VBA32 3.12.16.1 2011.06.13 -
VIPRE 9570 2011.06.13 Virus.Win32.Agent.mpq (v)
ViRobot 2011.6.13.4509 2011.06.13 Win32.Patched.BE
VirusBuster 14.0.78.0 2011.06.13 Win32.Katusha.Gen

PEInfo: PE structure information
[[ basic data ]]
entrypointaddress: 0x4C290
timedatestamp....: 0x3C372323 (Sat Jan 05 16:00:35 2002)
machinetype......: 0x14c (I386)
[[ 3 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0x44D70, 0x45000, 6.50, 677f322103f20712c6ff2e0d214d22aa
.data, 0x46000, 0x29A4, 0x3000, 0.94, 32a7a49687c15bd06bde4706450849d3
.rsrc, 0x49000, 0x3A10, 0x4000, 4.63, 7c51f4e4e0bbc963d77cd4fc4832faaf
[[ 9 import(s) ]]
ADVAPI32.dll: RegOpenKeyExW, RegQueryValueExW, QueryServiceStatus, LookupAccountSidA,
PrivilegeCheck, GetSecurityDescriptorLength, IsValidSecurityDescriptor,
InitializeSecurityDescriptor, SetSecurityDescriptorOwner, SetSecurityDescriptorGroup,
SetSecurityDescriptorSacl, MakeAbsoluteSD, SetSecurityDescriptorDacl, MakeSelfRelativeSD,
GetLengthSid, InitializeAcl, AddAccessAllowedAce, AddAccessDeniedAce, GetAce, GetUserNameA,
AllocateAndInitializeSid, GetSidLengthRequired, CopySid, FreeSid, LookupAccountNameA,
LookupAccountSidW, IsValidSid, EqualSid, RegConnectRegistryA, RegSetKeySecurity, RegCreateKeyA,
DuplicateToken, RegOpenKeyA, RegQueryValueExA, RegEnumValueA, StartServiceCtrlDispatcherA,
RegisterServiceCtrlHandlerA, CreateServiceA, ChangeServiceConfigA, OpenSCManagerA, OpenServiceA,
CloseServiceHandle, ControlService, DeleteService, RegEnumKeyExA, OpenThreadToken,
GetTokenInformation, LookupPrivilegeValueA, OpenProcessToken, AdjustTokenPrivileges,
SetServiceStatus, RegisterEventSourceA, ReportEventA, DeregisterEventSource, SetThreadToken,
RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA, RegOpenKeyExA, RegSetValueExA,
RegQueryInfoKeyA, RegEnumKeyA
KERNEL32.dll: HeapCreate, DuplicateHandle, MapViewOfFile, CreateFileMappingA,
GetExitCodeProcess, CreateProcessW, GetStartupInfoA, VirtualFree, QueryPerformanceCounter,
GetSystemTimeAsFileTime, GetOEMCP, GetCPInfo, HeapSize, VirtualAlloc, ExitProcess, RtlUnwind,
HeapReAlloc, WriteFile, GetStdHandle, UnhandledExceptionFilter, FreeEnvironmentStringsA,
GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount,
GetFileType, TlsFree, TlsSetValue, TlsGetValue, IsBadWritePtr, VirtualProtect, GetSystemInfo,
VirtualQuery, LCMapStringA, LCMapStringW, IsBadReadPtr, IsBadCodePtr, GetStringTypeA,
GetStringTypeW, SetStdHandle, FlushFileBuffers, SetEndOfFile, lstrcpyA, HeapDestroy,
GetCurrentThreadId, InterlockedIncrement, InterlockedExchange, GetACP, GetLocaleInfoA,
GetThreadLocale, GetVersionExA, InterlockedDecrement, FreeLibrary, MultiByteToWideChar,
GetProcAddress, GetModuleFileNameA, GetModuleHandleA, LoadLibraryA, CloseHandle, RaiseException,
WaitForSingleObject, GetLastError, CreateEventA, SetEvent, OpenEventA, TerminateThread,
CreateThread, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection,
DeleteCriticalSection, lstrlenA, GetComputerNameA, WideCharToMultiByte, lstrlenW,
FlushInstructionCache, GetCurrentProcess, HeapAlloc, GetProcessHeap, lstrcmpiA, UnmapViewOfFile,
lstrcatA, LocalFree, FormatMessageA, GetFileAttributesA, GetCurrentThread, lstrcpynA,
IsDBCSLeadByte, SizeofResource, LoadResource, FindResourceA, LoadLibraryExA,
SetUnhandledExceptionFilter, GetCommandLineA, GetCurrentProcessId, SetErrorMode,
GetPrivateProfileStringA, OpenProcess, TerminateProcess, GetProcessTimes, CreateDirectoryA,
GetProfileStringA, WritePrivateProfileStringA, WriteProfileStringA,
GetPrivateProfileSectionNamesA, ResumeThread, HeapFree, LocalAlloc, GetVersion, GetTickCount,
CreateProcessA, LockResource, SetEnvironmentVariableA, GetSystemDirectoryA, ReleaseMutex,
CreateMutexA, GetModuleHandleW, FindClose, FindFirstFileA, LocalSize, ReadFile, SetFilePointer,
CreateFileA, SetLastError, ReadProcessMemory, FindResourceExA, CompareStringA, CompareStringW,
TlsAlloc
ole32.dll: CoTaskMemAlloc, CoTaskMemFree, CoTaskMemRealloc, StringFromGUID2, CoDisconnectObject,
CoUninitialize, CoInitializeEx, CoInitializeSecurity, CoCreateInstanceEx, CoRegisterClassObject,
CoSetProxyBlanket, CoQueryProxyBlanket, CLSIDFromString, StringFromCLSID, StringFromIID,
IIDFromString, CoGetClassObject, CoGetCallContext, CoRevokeClassObject, CoRevertToSelf,
CoCreateGuid, CoImpersonateClient, CoCreateInstance
OLEAUT32.dll: -, -, -, -, -, -, -, -, -, -, -, -, -, -
RPCRT4.dll: RpcStringFreeA, RpcBindingFromStringBindingA, RpcStringBindingComposeA,
NdrClientCall, RpcBindingSetAuthInfoA
SHELL32.dll: SHGetMalloc, SHGetSpecialFolderLocation, SHBrowseForFolderA, SHGetPathFromIDListA
SHLWAPI.dll: PathFindExtensionA
USER32.dll: UnregisterClassA, wsprintfW, CharUpperA, EnumWindows, GetWindowThreadProcessId,
IsWindowVisible, GetWindowTextA, SetForegroundWindow, EndDialog, EnableWindow, GetParent,
GetWindow, GetWindowRect, SystemParametersInfoA, GetClientRect, MapWindowPoints, SetWindowPos,
GetDlgItem, SetDlgItemTextA, SendDlgItemMessageA, IsDlgButtonChecked, PostThreadMessageA,
KillTimer, GetMessageA, SetTimer, PeekMessageA, SetWindowLongA, CharNextA, MessageBoxA,
LoadStringA, DialogBoxParamA, DispatchMessageA, RegisterWindowMessageA, wsprintfA,
GetWindowLongA, SendMessageA, CheckDlgButton, GetDlgItemInt, GetDlgItemTextA
VERSION.dll: GetFileVersionInfoA, VerQueryValueA, GetFileVersionInfoSizeA


wuauclt
Antivirus Version Last Update Result
AhnLab-V3 2011.06.13.00 2011.06.13 Win-Trojan/Patched.DD
AntiVir 7.11.9.167 2011.06.13 TR/Spy.53472.4
Antiy-AVL 2.0.3.7 2011.06.13 -
Avast 4.8.1351.0 2011.06.13 Win32:Patched-WQ
Avast5 5.0.677.0 2011.06.13 Win32:Patched-WQ
AVG 10.0.0.1190 2011.06.13 Win32/Agent.CB
BitDefender 7.2 2011.06.13 Gen:Trojan.Heur.PT.dq1@b0d2YGji
CAT-QuickHeal 11.00 2011.06.13 -
ClamAV 0.97.0.0 2011.06.13 -
Commtouch 5.3.2.6 2011.06.13 -
Comodo 9053 2011.06.13 UnclassifiedMalware
DrWeb 5.0.2.03300 2011.06.13 Trojan.Starter.1695
Emsisoft 5.1.0.8 2011.06.13 Trojan-Spy.Win32.Zbot!IK
eSafe 7.0.17.0 2011.06.09 -
eTrust-Vet 36.1.8383 2011.06.13 Win32/Patchload.U
F-Prot 4.6.2.117 2011.06.13 -
Fortinet 4.2.257.0 2011.06.11 -
GData 22 2011.06.13 Gen:Trojan.Heur.PT.dq1@b0d2YGji
Ikarus T3.1.1.104.0 2011.06.13 Trojan-Spy.Win32.Zbot
Jiangmin 13.0.900 2011.06.12 TrojanSpy.Zbot.adxr
K7AntiVirus 9.106.4798 2011.06.10 -
Kaspersky 9.0.0.837 2011.06.13 Virus.Win32.Suspic.gen
McAfee 5.400.0.1158 2011.06.13 W32/Katusha
McAfee-GW-Edition 2010.1D 2011.06.13 W32/Katusha
Microsoft 1.6903 2011.06.13 Virus:Win32/Patchload.O
NOD32 6203 2011.06.13 Win32/Patched.HN
Norman 6.07.10 2011.06.13 W32/Zbot.XGR
nProtect 2011-06-13.02 2011.06.13 Trojan/W32.Agent.53472.D
Panda 10.0.3.5 2011.06.13 W32/Katusha.BN
PCTools 7.0.3.5 2011.06.10 -
Prevx 3.0 2011.06.13 -
Rising 23.62.00.03 2011.06.13 -
Sophos 4.66.0 2011.06.13 -
SUPERAntiSpyware 4.40.0.1006 2011.06.13 -
Symantec 20111.1.0.186 2011.06.13 -
TheHacker 6.7.0.1.230 2011.06.12 -
TrendMicro 9.200.0.1012 2011.06.13 PTCH_KATUSHA.W
TrendMicro-HouseCall 9.200.0.1012 2011.06.13 PTCH_KATUSHA.W
VBA32 3.12.16.1 2011.06.13 -
VIPRE 9570 2011.06.13 Trojan.Win32.Generic!BT
ViRobot 2011.6.13.4509 2011.06.13 Win32.Patched.BE
VirusBuster 14.0.78.0 2011.06.13 Win32.Katusha.Gen
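
The three result blocks above are flat rows of vendor, engine version, signature date and verdict, and reading a consensus out of forty differently named verdicts by eye is error-prone (ZAccess, Sirefef, Maxplus and "Generic Rootkit" in the dfsc.sys block all refer to the same finding from different vendors). The script below is an added example, not part of the original post and not anything VirusTotal ships: it parses that row layout, folds vendor names onto families with an alias table that is this example's own assumption, keeps generic and heuristic names from outvoting specific ones, and lists engines whose signatures were older than the newest date in the block. The embedded sample is a subset of the dfsc.sys rows copied from the post; any of the three blocks can be pasted in whole, header line included.

```python
"""Triage flattened VirusTotal result rows: vendor, engine version, signature date, verdict."""
from collections import Counter

# Constructed sample input: a subset of the dfsc.sys rows from the post above, one engine per
# line, in the same whitespace-separated layout ('-' means the engine reported nothing).
DFSC_RESULTS = """\
Antivirus Version Last Update Result
AhnLab-V3 2011.06.13.00 2011.06.13 Win-Trojan/Zaccess.51328
AntiVir 7.11.9.167 2011.06.13 TR/Rootkit.Gen
BitDefender 7.2 2011.06.13 -
DrWeb 5.0.2.03300 2011.06.13 BackDoor.Maxplus.13
eTrust-Vet 36.1.8383 2011.06.13 Win32/Sirefef.AF
Fortinet 4.2.257.0 2011.06.11 W32/ZAccess.C!tr.rkit
Kaspersky 9.0.0.837 2011.06.13 Rootkit.Win32.ZAccess.c
McAfee 5.400.0.1158 2011.06.13 Generic Rootkit.ev
McAfee-GW-Edition 2010.1D 2011.06.13 Heuristic.BehavesLike.Win32.Suspicious.H
Microsoft 1.6903 2011.06.13 TrojanDropper:Win32/Sirefef.B
NOD32 6203 2011.06.13 Win32/Rootkit.Agent.NUS
Panda 10.0.3.5 2011.06.13 Generic Malware
Prevx 3.0 2011.06.13 -
Sophos 4.66.0 2011.06.13 Troj/ZAccess-C
VIPRE 9570 2011.06.13 Trojan.Win32.Generic!BT
"""

# Vendor naming differs, so detection names are folded onto one label by substring match.
# The alias table is this example's assumption; order matters (first match wins).
FAMILY_ALIASES = {
    "zaccess": "ZeroAccess",
    "sirefef": "ZeroAccess",          # Microsoft/ESET name for the same family
    "katusha": "Katusha",
    "patched": "Patched host binary",
    "patchload": "Patched host binary",
    "zbot": "Zbot",
    "rootkit": "Rootkit (generic)",
}
GENERIC_MARKERS = ("generic", "heuristic", "suspic", "unclassified")
NON_SPECIFIC = {"Rootkit (generic)", "generic/heuristic", "other"}


def parse_results(text):
    """Yield (vendor, version, date, result); result is None when the engine found nothing."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.lower().startswith("antivirus "):
            continue                      # blank line or the column header
        parts = line.split(None, 3)       # the verdict may itself contain spaces
        if len(parts) < 4:
            continue
        vendor, version, date, result = parts
        yield vendor, version, date, (None if result == "-" else result)


def classify(result):
    """Fold one vendor detection name onto a family label or a generic bucket."""
    low = result.lower()
    for key, label in FAMILY_ALIASES.items():
        if key in low:
            return label
    if any(marker in low for marker in GENERIC_MARKERS):
        return "generic/heuristic"
    return "other"


def triage(text):
    """Summarise a result block: hit ratio, family histogram, consensus, stale engines."""
    rows = list(parse_results(text))
    detections = [(vendor, result) for vendor, _, _, result in rows if result]
    families = Counter(classify(result) for _, result in detections)
    specific = {k: v for k, v in families.items() if k not in NON_SPECIFIC}
    newest = max((date for _, _, date, _ in rows), default=None)
    return {
        "engines": len(rows),
        "detections": len(detections),
        "families": families,
        # consensus = the most-voted specific family; generic names never win by volume
        "consensus": max(specific, key=specific.get) if specific else None,
        # engines whose signatures predate the newest signature date in the block
        "stale": [vendor for vendor, _, date, _ in rows if date < newest],
    }


if __name__ == "__main__":
    summary = triage(DFSC_RESULTS)
    print(f"{summary['detections']}/{summary['engines']} engines flagged the file")
    print("consensus family:", summary["consensus"])
    for family, n in summary["families"].most_common():
        print(f"  {n:2d}  {family}")
    print("stale signatures:", ", ".join(summary["stale"]) or "none")
```

On the sample it reports 13 of 15 engines, ZeroAccess as the consensus, and Fortinet as the one engine whose signatures (2011.06.11) lagged the scan date. The same alias table applied to the MDM and wuauclt blocks collapses Patched, Patchload and Katusha onto "patched host binary" and Zbot, which is the point of the exercise: the verdicts describe a legitimate executable that was modified, not a dropped file.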

#12 RPMcMurphy (Malware Response Team)

Posted 13 June 2011 - 05:04 PM

ZeroFlight:

Delete your existing copy of Combofix and grab a new one from either of the links below, saving it to your desktop.

Link 1
Link 2

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • If you have trouble, stop and post back. Do not try to repeatedly run ComboFix!
  • When finished, it will produce a report for you.

Please include the following in your next post:
  • ComboFix log



#13 ZeroFlight (Topic Starter)

Posted 14 June 2011 - 02:55 PM

Ok, after a rootkit detection made it reboot, it took over 30 minutes to generate the report starting when it said it was generating the report. Here's the log.

ComboFix 11-06-13.06 - Administrator 06/14/2011 10:40:13.7.2 - x86
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.3062.2220 [GMT -5:00]
Running from: c:\users\administrator\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\c_17102.nls
c:\windows\system32\c_44144.nls
c:\windows\system32\config\fomtmfeh
.
Infected copy of c:\windows\system32\drivers\dfsc.sys was found and disinfected
Restored copy from - The cat found it :)
Infected copy of c:\windows\System32\wuauclt.exe was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\wuauclt.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-05-14 to 2011-06-14 )))))))))))))))))))))))))))))))
.
.
2011-06-14 15:45 . 2011-06-14 18:50 -------- d-----w- c:\users\administrator\AppData\Local\temp
2011-06-14 15:45 . 2011-06-14 15:45 -------- d-----w- c:\users\wsadmin\AppData\Local\temp
2011-06-14 15:45 . 2011-06-14 15:45 -------- d-----w- c:\users\scanner\AppData\Local\temp
2011-06-14 15:45 . 2011-06-14 15:45 -------- d-----w- c:\users\LDG\AppData\Local\temp
2011-06-14 15:45 . 2011-06-14 15:45 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-06-14 15:45 . 2011-06-14 15:45 -------- d-----w- c:\users\dan\AppData\Local\temp
2011-06-13 13:58 . 2011-06-13 14:03 -------- d-----w- c:\users\administrator\AppData\Local\CutePDF Writer
2011-06-09 00:58 . 2011-06-09 00:58 -------- d-----w- c:\program files\Common Files\Java
2011-06-08 21:37 . 2011-06-08 21:37 -------- d-----w- c:\program files\Java
2011-06-08 19:03 . 2011-06-08 21:37 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-06-08 19:03 . 2011-06-08 21:37 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-06-08 18:25 . 2011-03-03 13:25 2041856 ----a-w- c:\windows\system32\win32k.sys
2011-06-08 18:25 . 2011-02-17 06:23 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-06-08 18:25 . 2011-03-03 15:42 739328 ----a-w- c:\windows\system32\inetcomm.dll
2011-06-08 18:25 . 2011-04-07 12:01 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-06-08 18:25 . 2011-03-03 15:40 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2011-06-08 18:25 . 2011-03-03 13:35 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2011-06-08 18:25 . 2011-03-12 21:55 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-06-08 18:25 . 2011-02-12 08:39 191488 ----a-w- c:\windows\system32\FXSCOVER.exe
2011-06-08 14:50 . 2011-06-08 14:50 -------- d-----w- c:\program files\ESET
2011-06-07 16:20 . 2011-05-29 14:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-07 16:20 . 2011-06-07 16:20 -------- d-----w- c:\programdata\Malwarebytes
2011-06-07 16:20 . 2011-06-09 14:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-07 16:20 . 2011-05-29 14:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-01 15:09 . 2011-06-01 15:09 -------- d-----w- c:\users\administrator\AppData\Local\assembly
2011-06-01 15:09 . 2011-06-01 15:09 -------- d-----w- c:\users\administrator\AppData\Local\Deployment
2011-06-01 15:09 . 2011-06-01 15:09 -------- d-----w- c:\users\administrator\AppData\Local\Apps
2011-05-27 17:45 . 2011-05-27 17:45 -------- d-----w- c:\users\administrator\AppData\Local\Intuit
2011-05-24 12:38 . 2011-05-24 12:38 -------- d-----w- c:\users\LDG\AppData\Roaming\Malwarebytes
2011-05-19 18:21 . 2011-05-19 18:21 -------- d-----w- c:\users\LDG\AppData\Local\AVG Security Toolbar
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-18 20:31 . 2011-04-18 20:31 101 ----a-w- C:\fix.reg
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-08-06 4374528]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 56080]
"Communicator"="c:\program files\Microsoft Lync\communicator.exe" [2011-04-23 12021008]
"LWS"="c:\program files\Logitech\LWS\Webcam Software\LWS.exe" [2010-05-08 165208]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2007-8-9 25214]
PfxPDFConvertService.exe.lnk - c:\pfx engagement\WM\PfxPDFConvertService.exe [2008-11-14 173568]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-9-11 972064]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
"EnableUIADesktopToggle"= 0 (0x0)
"DisableBkGndGroupPolicy"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux3"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
2008-04-11 22:23 38400 ----a-w- c:\windows\System32\SoundSchemes.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B3688A53-AB2A-4b1d-8CEF-8F93D8C51C24}]
2008-08-28 15:50 30720 ----a-w- c:\windows\System32\soundschemes2.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-14 c:\windows\Tasks\User_Feed_Synchronization-{B364B152-0E04-4CE6-9B04-F5430B96D196}.job
- c:\windows\system32\msfeedssync.exe [2011-06-08 04:43]
.
2011-06-14 c:\windows\Tasks\User_Feed_Synchronization-{FE5D0621-8DA9-43CA-AF40-8F481437B705}.job
- c:\windows\system32\msfeedssync.exe [2011-06-08 04:43]
.
.
------- Supplementary Scan -------
.
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: Interfaces\{778D3607-BE1D-4D42-BFF0-CE0120094E91}: NameServer = 192.168.1.47,192.168.1.46
DPF: {9E472D58-F10C-11CF-B7A9-0020AFD6A362} - hxxps://vault.netvoyage.com/neWeb2/neWebCl.cab
FF - ProfilePath - c:\users\LDG\AppData\Roaming\Mozilla\Firefox\Profiles\euilhlhm.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4d0065a3&v=6.103.018.001&i=29&tp=ab&iy=&ychte=us&lng=en-US&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-14 13:50
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1426590395-2161807218-2885428501-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,07,1c,df,af,b6,a5,4c,4d,8c,f9,31,\
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,65,e9,11,b3,0d,4a,fb,4b,b3,1e,7e,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,65,e9,11,b3,0d,4a,fb,4b,b3,1e,7e,\
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\pfx engagement\Common\PFXEngDesktopService.exe
c:\pfx engagement\Common\PFXSYNPFTService.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe
c:\windows\RtHDVCpl.exe
c:\program files\Adobe\Acrobat 7.0\Acrobat\Acrobat_sl.exe
.
**************************************************************************
.
Completion time: 2011-06-14 13:54:17 - machine was rebooted
ComboFix-quarantined-files.txt 2011-06-14 18:54
ComboFix2.txt 2011-06-07 19:39
ComboFix3.txt 2011-06-07 15:02
ComboFix4.txt 2011-06-06 17:11
.
Pre-Run: 9,288,908,800 bytes free
Post-Run: 9,230,008,320 bytes free
.
- - End Of File - - 584EAF18F82AFC7ADA1617ABD56E5288
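
ComboFix restored wuauclt.exe from its ERDNT cache and replaced dfsc.sys, but the remaining Win32/Patched.HN hits from ESET are on binaries that were modified in place, and the same four files (PFXEngDesktopService.exe, PFXSYNPFTService.exe, LVPrcSrv.exe, MDM.EXE) appear in the "Other Running Processes" list above, which is the usual reason an on-demand scanner reports "error while cleaning". A header-level way to see what "patched" means is to ask which section the PE entry point lands in. In the VirusTotal PEInfo for MDM.EXE posted earlier, entrypointaddress 0x4C290 falls inside .rsrc (0x49000 to 0x4CA10), not .text, which is where compiled code normally starts; the original Machine Debug Manager would not begin execution in its resource section. The script below is an added example, not tooling from the thread or from any vendor. It parses the COFF, optional and section headers with struct alone, and its built-in sample is a constructed header-only image that reproduces only the numbers VirusTotal printed (entry point, timestamp, section names, addresses and sizes); the section flags are assumed typical values and there is no code in it at all.

```python
"""Find which section a PE's entry point lives in: the header-level check behind 'Patched' verdicts."""
import struct
import sys
from collections import namedtuple

Section = namedtuple("Section", "name vaddr vsize rawsize characteristics")
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def parse_pe_headers(data):
    """Return (entry_point_rva, timestamp, [Section, ...]) from the raw bytes of a PE file."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):                       # PE32 / PE32+
        raise ValueError("unexpected optional header magic 0x%X" % magic)
    entry = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint, an RVA
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i                     # section table follows the optional header
        name, vsize, vaddr, rawsize, _, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize, rawsize, chars))
    return entry, timestamp, sections


def section_containing(sections, rva):
    """The section whose virtual range covers rva, or None."""
    for s in sections:
        if s.vaddr <= rva < s.vaddr + max(s.vsize, s.rawsize):
            return s
    return None


def entry_point_findings(data):
    """Header heuristics that fire on an in-place patched host binary; empty list means nothing odd."""
    entry, _, sections = parse_pe_headers(data)
    sec = section_containing(sections, entry)
    if sec is None:
        return ["entry point 0x%X lies outside every section" % entry]
    findings = []
    if not sec.characteristics & IMAGE_SCN_CNT_CODE:
        findings.append("entry point 0x%X is in %s, a section not marked as code" % (entry, sec.name))
    if sec is sections[-1] and len(sections) > 1:
        findings.append("entry point is in the last section (%s), where patchers park their stub" % sec.name)
    return findings


def build_sample_pe(entry=0x4C290):
    """Constructed, header-only image mirroring the MDM.EXE PEInfo posted above.

    Only the numbers VirusTotal printed (entry point, timestamp, section names/addresses/sizes)
    come from the post; the section flags are assumed typical values and there is no code at all.
    """
    secs = [  # name, vaddr, vsize, rawsize, characteristics
        (b".text", 0x1000, 0x44D70, 0x45000, 0x60000020),   # CODE | EXECUTE | READ
        (b".data", 0x46000, 0x29A4, 0x3000, 0xC0000040),    # INITIALIZED_DATA | READ | WRITE
        (b".rsrc", 0x49000, 0x3A10, 0x4000, 0x40000040),    # INITIALIZED_DATA | READ
    ]
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0x3C372323, 0, 0, 96, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", entry) + b"\0" * (96 - 20)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, 0, 0, 0, 0, 0, ch)
                     for n, va, vs, rs, ch in secs)
    return dos + b"PE\0\0" + coff + opt + table


if __name__ == "__main__":
    # With a path argument, inspect a real file; otherwise the constructed sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    entry, ts, secs = parse_pe_headers(blob)
    print("entry point 0x%X, link timestamp 0x%08X" % (entry, ts))
    for s in secs:
        print("  %-8s rva 0x%06X size 0x%06X flags 0x%08X" % (s.name, s.vaddr, s.vsize, s.characteristics))
    for line in entry_point_findings(blob) or ["no entry-point anomalies"]:
        print("*", line)
```

The check is a heuristic, not proof: a patcher can set the execute bit on .rsrc, and some packers legitimately start in a non-.text section. What it cannot hide is that the entry RVA differs from the vendor's original, so on a machine like this one the stronger test is to compare each flagged file's hash, and its entry point, against the copy in the WinSxS component store or install media; the ESET hit on the winsxs copy of wuauclt.exe above is a warning that the store copy must itself be checked before it is trusted as a reference.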

#14 RPMcMurphy (Malware Response Team)

Posted 14 June 2011 - 09:35 PM

ZeroFlight:

Click Start > Run or Press Windows Key + R and copy/paste the following single-line command into the Run box and click OK:

cmd /c del /f/a/q "C:\fix.reg"

Please run another ESET scan for me and post the results. This time please uncheck the option to remove threats so nothing legit gets accidentally removed.

Please include the following in your next post:
  • ESET log



#15 ZeroFlight (Topic Starter)

Posted 15 June 2011 - 11:29 AM

When I ran the command it gave an error saying it couldn't, because the registry entry was marked for deletion. After rebooting I ran the command and it completed. Because I ran it from the Run box as in your instructions rather than from within a command window, the screen disappeared before I could see whether it was successful or not. Here's the new ESET log.

C:\Pfx Engagement\Common\PFXEngDesktopService.exe Win32/Patched.HN trojan error while cleaning
C:\Pfx Engagement\Common\PFXSYNPFTService.exe Win32/Patched.HN trojan error while cleaning
C:\Program Files\Common Files\logishrd\LVMVFM\LVPrcSrv.exe Win32/Patched.HN trojan error while cleaning
C:\Program Files\Common Files\microsoft shared\VS7DEBUG\MDM.EXE Win32/Patched.HN trojan error while cleaning
C:\Qoobox\Quarantine\C\Windows\assembly\GAC_MSIL\desktop.ini.vir a variant of Win32/Sirefef.CH trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\System32\wuauclt.exe.vir Win32/Patched.HN trojan cleaned - quarantined
C:\Qoobox\Quarantine\C\Windows\System32\drivers\dfsc.sys.vir Win32/Rootkit.Agent.NUS trojan cleaned by deleting - quarantined
C:\Windows\System32\drivers\dfsc.sys Win32/Rootkit.Agent.NUS trojan unable to clean
C:\Windows\winsxs\x86_microsoft-windows-w..wsupdateclient-core_31bf3856ad364e35_7.4.7600.226_none_e979223d5b9c821b\wuauclt.exe Win32/Patched.HN trojan error while cleaning
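
The two ESET logs posted before and after ComboFix are easiest to compare mechanically: which unresolved items disappeared, which are still there, and which entries are new. The script below is an added example, not part of the thread and not ESET's own output. It parses the "path, detection, outcome" layout ESET printed above and embeds the two logs from this thread verbatim as its sample input. Run on them, it reports C:\Windows\System32\wuauclt.exe and the in-memory hit as gone, six items as still open (the four running service binaries, dfsc.sys and the winsxs copy of wuauclt.exe), nothing newly open, and the three Qoobox quarantine entries as new but already cleaned, which is the picture a responder wants before deciding whether the remaining files need to be replaced offline.

```python
"""Parse ESET Online Scanner result lines and diff two scans to see what a cleanup changed."""
import re

# Sample input: the two ESET logs posted in this thread, embedded verbatim (raw strings keep
# the backslashes; 'w..wsupdateclient' in the winsxs path is how the post rendered it).
SCAN_BEFORE = r"""
C:\Pfx Engagement\Common\PFXEngDesktopService.exe Win32/Patched.HN trojan error while cleaning
C:\Pfx Engagement\Common\PFXSYNPFTService.exe Win32/Patched.HN trojan error while cleaning
C:\Program Files\Common Files\logishrd\LVMVFM\LVPrcSrv.exe Win32/Patched.HN trojan error while cleaning
C:\Program Files\Common Files\microsoft shared\VS7DEBUG\MDM.EXE Win32/Patched.HN trojan error while cleaning
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe Win32/Patched.HN trojan cleaned - quarantined
C:\Windows\System32\wuauclt.exe Win32/Patched.HN trojan error while cleaning
C:\Windows\System32\drivers\dfsc.sys Win32/Rootkit.Agent.NUS trojan unable to clean
C:\Windows\winsxs\x86_microsoft-windows-w..wsupdateclient-core_31bf3856ad364e35_7.4.7600.226_none_e979223d5b9c821b\wuauclt.exe Win32/Patched.HN trojan error while cleaning
Operating memory Win32/Patched.HN trojan
"""
SCAN_AFTER = r"""
C:\Pfx Engagement\Common\PFXEngDesktopService.exe Win32/Patched.HN trojan error while cleaning
C:\Pfx Engagement\Common\PFXSYNPFTService.exe Win32/Patched.HN trojan error while cleaning
C:\Program Files\Common Files\logishrd\LVMVFM\LVPrcSrv.exe Win32/Patched.HN trojan error while cleaning
C:\Program Files\Common Files\microsoft shared\VS7DEBUG\MDM.EXE Win32/Patched.HN trojan error while cleaning
C:\Qoobox\Quarantine\C\Windows\assembly\GAC_MSIL\desktop.ini.vir a variant of Win32/Sirefef.CH trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\System32\wuauclt.exe.vir Win32/Patched.HN trojan cleaned - quarantined
C:\Qoobox\Quarantine\C\Windows\System32\drivers\dfsc.sys.vir Win32/Rootkit.Agent.NUS trojan cleaned by deleting - quarantined
C:\Windows\System32\drivers\dfsc.sys Win32/Rootkit.Agent.NUS trojan unable to clean
C:\Windows\winsxs\x86_microsoft-windows-w..wsupdateclient-core_31bf3856ad364e35_7.4.7600.226_none_e979223d5b9c821b\wuauclt.exe Win32/Patched.HN trojan error while cleaning
"""

# <path> [a variant of] <platform>/<name> <type> [outcome]; the type list covers the
# words seen in ESET logs (only 'trojan' appears on this page) and can be extended.
LINE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<detection>(?:a variant of )?\S+/\S+ (?:trojan|virus|worm|backdoor|application))"
    r"(?:\s+(?P<outcome>.+))?$"
)


def parse_scan(text):
    """Return ({lower-cased path: finding}, [lines that did not parse])."""
    findings, unparsed = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE.match(line)
        if not m:
            unparsed.append(line)
            continue
        outcome = m["outcome"] or "no action"
        findings[m["path"].lower()] = {
            "path": m["path"],
            "detection": m["detection"],
            "outcome": outcome,
            # ESET writes 'cleaned ...' only when it actually removed or repaired the item
            "resolved": outcome.startswith("cleaned"),
        }
    return findings, unparsed


def diff_scans(before_text, after_text):
    """Classify every unresolved item: fixed between scans, still open, or newly seen."""
    before, _ = parse_scan(before_text)
    after, _ = parse_scan(after_text)
    open_before = {k for k, f in before.items() if not f["resolved"]}
    open_after = {k for k, f in after.items() if not f["resolved"]}
    return {
        "fixed": sorted(before[k]["path"] for k in open_before - set(after)),
        "still_open": sorted(after[k]["path"] for k in open_after & set(before)),
        "new_open": sorted(after[k]["path"] for k in open_after - set(before)),
        "new_cleaned": sorted(after[k]["path"] for k in set(after) - set(before) - open_after),
    }


if __name__ == "__main__":
    for label, paths in diff_scans(SCAN_BEFORE, SCAN_AFTER).items():
        print(f"{label} ({len(paths)}):")
        for p in paths:
            print("   ", p)
```

Paths are compared case-insensitively because NTFS is, and "Operating memory" is carried as a path so the in-memory hit is tracked like a file. Note what the diff does not say: dfsc.sys was "disinfected" by ComboFix, its quarantined copy was deleted by ESET, and yet the live driver is still reported "unable to clean", so that entry deserves a fresh hash and VirusTotal check rather than being assumed resolved.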



