
Google keeps redirecting & ads play through speakers


14 replies to this topic

#1 Gaz957


Posted 25 May 2011 - 11:50 PM

About a month ago I got some bad adware. After system restoring to well before the point at which it became apparent that I had adware, I only had 3 symptoms left:
1. Google redirects (annoying but possible to get around)
2. Advertisements for moderately respectable companies kept playing out of the speakers
3. World of Warcraft kept crashing as soon as I logged in (posted on the WoW tech forums; they told me it was the infection)

I have run many virus/adware scans (Symantec, Ad-Aware, Spybot, Malwarebytes), etc., but nothing really fixes these issues.

DDS log:

.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by Richard at 17:22:15 on 2011-05-25
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.61.1033.18.3326.1579 [GMT 9.5:30]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
AV: Symantec Endpoint Protection *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Symantec Endpoint Protection *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Lavasoft Ad-Watch Live! *Enabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe
C:\Windows\system32\AERTSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50ST7.EXE
C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50RP7.EXE
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
c:\windows\explorer.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Epson Software\FAX Utility\FUFAXSTM.exe
C:\Program Files\Epson Software\Event Manager\EEventManager.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SavUI.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Richard\Desktop\dds.scr
C:\Windows\system32\WSCRIPT.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
mWinlogon: Shell=c:\windows\explorer.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [EPSON WorkForce 520 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatigis.exe /fu "c:\windows\temp\E_S7E6.tmp" /EF "HKCU"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [FUFAXSTM] "c:\program files\epson software\fax utility\FUFAXSTM.exe"
mRun: [EEventManager] "c:\program files\epson software\event manager\EEventManager.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRunOnce: [NoIE4StubProcessing] c:\windows\system32\reg.exe delete "hklm\software\microsoft\active setup\Installed Components" /v "NoIE4StubProcessing" /f
StartupFolder: c:\users\richard\appdata\roaming\micros~1\windows\startm~1\programs\startup\delldo~1.lnk - c:\program files\dell\delldock\DellDock.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\richard\appdata\roaming\mozilla\firefox\profiles\j9rek780.default\
FF - prefs.js: browser.startup.homepage - hxxp://au.yahoo.com/|https://auth.adelaide.edu.au/login?service=https%3A%2F%2Funified.adelaide.edu.au%2Fc%2Fportal%2Flogin
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60129.0\npctrlui.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\richard\appdata\roaming\facebook\npfbplugin_1_0_3.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-4-20 64512]
R2 ABBYY.Licensing.FineReader.Sprint.9.0;ABBYY FineReader 9.0 Sprint Licensing Service;c:\program files\common files\abbyy\finereadersprint\9.00\licensing\NetworkLicenseServer.exe [2009-5-14 759048]
R2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2009-7-24 73728]
R2 EPSON_EB_RPCV4_04;EPSON V5 Service4(04);c:\program files\common files\epson\epw!3 ssrp\E_S50ST7.EXE [2011-1-4 153600]
R2 EPSON_PM_RPCV4_04;EPSON V3 Service4(04);c:\program files\common files\epson\epw!3 ssrp\E_S50RP7.EXE [2011-1-4 121856]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-4-19 2151128]
R2 RtNdPt60;Realtek NDIS Protocol Driver;c:\windows\system32\drivers\RtNdPt60.sys [2009-7-23 27648]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2011-4-18 1153368]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2010-3-17 2477304]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-5-9 105592]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-7-22 136176]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2010-3-17 23888]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-7-22 136176]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-4-19 15232]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-05-25 07:50:39 54016 ----a-w- c:\windows\system32\drivers\wlcjwkci.sys
2011-05-25 07:04:34 -------- d-----w- c:\users\richard\appdata\local\{C348EA99-C45D-434D-8B98-FF3EF0C3D99B}
2011-05-20 22:09:21 -------- d-----w- c:\users\richard\appdata\roaming\Edtar
2011-05-20 22:09:21 -------- d-----w- c:\users\richard\appdata\roaming\Diez
2011-05-20 02:31:02 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-20 00:54:28 2041856 ----a-w- c:\windows\system32\win32k.sys
2011-05-20 00:53:20 739328 ----a-w- c:\windows\system32\inetcomm.dll
2011-05-20 00:53:16 1162240 ----a-w- c:\windows\system32\mfc42u.dll
2011-05-20 00:53:16 1136640 ----a-w- c:\windows\system32\mfc42.dll
2011-05-20 00:53:11 292864 ----a-w- c:\windows\system32\atmfd.dll
2011-05-20 00:53:10 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-05-20 00:53:05 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-05-20 00:53:05 213504 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-05-20 00:53:04 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
2011-05-20 00:53:04 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-05-20 00:52:58 86528 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-05-20 00:52:58 25088 ----a-w- c:\windows\system32\dnscacheugc.exe
2011-05-20 00:52:53 305152 ----a-w- c:\windows\system32\drivers\srv.sys
2011-05-20 00:52:53 146432 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-05-20 00:52:52 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-05-20 00:51:57 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2011-05-20 00:41:11 -------- d-----w- c:\users\richard\appdata\local\{837F772D-27CE-40BC-920E-AEDF41E6256E}
2011-05-18 14:43:12 -------- d-----w- c:\users\richard\appdata\roaming\Erkyhi
2011-05-16 13:56:02 7071056 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{571afdaf-9d08-46c5-97b4-6f5bac7df85a}\mpengine.dll
2011-05-16 13:42:25 -------- d-----w- c:\users\richard\appdata\local\{89A9A1D9-05A2-41E6-A269-56B3CF643A6F}
2011-05-15 03:15:06 -------- d-----w- c:\users\richard\appdata\roaming\Windows Live Writer
2011-05-15 03:15:06 -------- d-----w- c:\users\richard\appdata\local\Windows Live Writer
2011-05-08 09:20:01 -------- d-----w- c:\users\richard\appdata\roaming\MathWorks
2011-05-08 08:51:16 203976 ----a-w- c:\windows\system32\RICHTX32.OCX
2011-05-08 08:51:15 407104 ----a-w- c:\windows\system32\MSHFLXGD.OCX
2011-05-08 08:51:13 647872 ----a-w- c:\windows\system32\mscomct2.ocx
2011-05-08 08:29:50 -------- d-----w- c:\program files\MATLAB
2011-05-08 05:51:14 -------- d-----w- c:\program files\uTorrent
2011-05-08 05:50:38 -------- d-----w- c:\users\richard\appdata\roaming\uTorrent
2011-05-06 01:04:31 -------- d-----w- c:\users\richard\appdata\local\{5A7D9953-A1FC-4D99-908B-12A4DF4E7539}
2011-05-01 06:38:57 53461 ----a-w- c:\windows\null0.9752246029313907.exe
.
==================== Find3M ====================
.
2011-04-23 02:19:30 0 ----a-w- c:\windows\system32\null0.04899081622744639.exe
2011-04-19 00:00:29 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-04-18 22:07:20 879 ----a-w- c:\windows\system32\drivers\atmapi.sys
2011-04-18 10:23:39 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-04-17 01:05:36 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
.
============= FINISH: 17:22:55.45 ===============

Appears the DDS attach file didn't attach to the last post.

EDIT: Posts merged ~Budapest


Edited by Budapest, 26 May 2011 - 05:53 PM.
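To show how a responder triages a log like the one posted above, here is an added example (my own code, not from the thread or from DDS, ComboFix or TDSSKiller) that runs a few heuristics over constructed lines in the shape of the DDS file entries and ComboFix registry entries in this thread; the thresholds, the SAMPLE_LOG contents and the function names are my own choices.

```python
import ntpath
import re

# Constructed sample (not the full posted logs): a handful of lines in the shape of
# the DDS "Created Last 30"/"Find3M" entries and the ComboFix "Reg Loading Points"
# entries that appear in this thread.
SAMPLE_LOG = r"""
2011-05-25 07:50:39 54016 ----a-w- c:\windows\system32\drivers\wlcjwkci.sys
2011-05-20 22:09:21 -------- d-----w- c:\users\richard\appdata\roaming\Edtar
2011-05-20 00:54:28 2041856 ----a-w- c:\windows\system32\win32k.sys
2011-05-01 06:38:57 53461 ----a-w- c:\windows\null0.9752246029313907.exe
2011-04-23 02:19:30 0 ----a-w- c:\windows\system32\null0.04899081622744639.exe
2011-04-18 22:07:20 879 ----a-w- c:\windows\system32\drivers\atmapi.sys
2011-05-20 22:09:21 -------- d-----w- c:\users\richard\appdata\roaming\39D0311C1966F6EA182A1E54494CAB0E
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"""

# "<timestamp> <size or dashes> <attributes> <path>" as DDS prints file entries.
FILE_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<size>\d+|-+)\s+"
    r"(?P<attr>[-a-z]+)\s+(?P<path>.+?)\s*$",
    re.IGNORECASE,
)
REG_KEY = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.+)$')


def vowel_ratio(word):
    """Fraction of letters that are vowels; generated names tend to score very low."""
    letters = [c for c in word.lower() if c.isalpha()]
    if not letters:
        return 1.0
    return sum(c in "aeiou" for c in letters) / len(letters)


def check_file_entry(size, path):
    """Per-entry heuristics; returns a list of (severity, reason) tuples.
    The thresholds are my own, chosen from the kinds of entries in this thread."""
    findings = []
    low = path.lower()
    name = ntpath.basename(low)
    stem, ext = ntpath.splitext(name)
    # Generated file names of the form null0.<digits>.exe inside the Windows directory.
    if low.startswith("c:\\windows\\") and re.fullmatch(r"null0\.\d+\.exe", name):
        findings.append(("high", "executable with generated null0.<digits>.exe name inside the Windows directory"))
    if ext == ".sys":
        # A driver image of a few hundred bytes cannot be a functional kernel driver.
        if size is not None and 0 < size < 2048:
            findings.append(("high", f"driver file is only {size} bytes, smaller than any plausible driver image"))
        # Eight letters, no digits, almost no vowels: reads as a generated name.
        if re.fullmatch(r"[a-z]{8}", stem) and vowel_ratio(stem) <= 0.25:
            findings.append(("medium", "driver with an 8-letter low-vowel name, typical of generated names"))
    # A directory named with 32 hex characters directly under AppData\Roaming.
    if re.search(r"\\appdata\\roaming\\[0-9a-f]{32}$", low):
        findings.append(("medium", "32-hex-character directory directly under AppData\\Roaming"))
    return findings


def check_reg_value(key, name, value):
    """Registry heuristics; `key` is the last [HKEY_...] header seen above the value."""
    findings = []
    parts = value.split()
    first = parts[0].lower() if parts else ""
    is_zero = first in ("0", "dword:00000000")
    if key.lower().endswith("\\policies\\system") and name.lower() == "enablelua" and is_zero:
        findings.append(("high", "EnableLUA=0: User Account Control is switched off by policy"))
    return findings


def scan_log(text):
    """Walk the log line by line and collect findings as dicts, in log order."""
    findings = []
    current_key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = REG_KEY.match(line)
        if m:
            current_key = m["key"]
            continue
        m = FILE_LINE.match(line)
        if m:
            size = int(m["size"]) if m["size"].isdigit() else None
            for sev, why in check_file_entry(size, m["path"]):
                findings.append({"severity": sev, "item": m["path"], "reason": why})
            continue
        m = REG_VALUE.match(line)
        if m and current_key:
            for sev, why in check_reg_value(current_key, m["name"], m["value"]):
                findings.append({"severity": sev, "item": f'{current_key}\\{m["name"]}', "reason": why})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['item']}\n         {f['reason']}")
```

Heuristics like these only prioritise what a human reviews; a flagged entry still has to be confirmed against the file itself before anything is deleted.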




#2 CatByte


Posted 28 May 2011 - 06:46 PM

Hi,

Please do the following


Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)



NEXT

Refer to the ComboFix User's Guide

  • Download ComboFix from one of these locations:
    Link 1
    Link 2
    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply
    Note: Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 Gaz957


Posted 29 May 2011 - 02:35 AM

Hi,

Thanks for taking the time to respond. I downloaded TDSSKiller as requested but it won't open: when I double click it, User Account Control pops up (this is normal as far as I can tell) ("if you started this program, continue"), I press continue, the popup goes away and then nothing happens.

I decided to report this before running combofix.

In other news, I can stop the ads playing out of my speakers by going to Task Manager and ending the process iexplore.exe, which is usually quite obvious as it is using the most or second most memory of any process.

Thanks,

Gaz

#4 CatByte


Posted 29 May 2011 - 07:13 AM

OK, then you will likely experience a similar issue with ComboFix, so download a fresh copy of ComboFix, but rename it to iexplore before saving it to your desktop.

Now boot into safe mode to run it:

To Enter Safemode
  • Go to Start > Shut off your Computer > Restart
  • As the computer starts to boot up, tap the F8 key repeatedly; this will bring up a menu.
  • Use the Up and Down Arrow Keys to scroll up to Safemode
  • Then press the Enter Key on your Keyboard
  • Go into your usual account

Give TDSSKiller another try now, and post the resulting logs.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 Gaz957


Posted 30 May 2011 - 01:42 AM

Hey,

I disabled my antivirus software and ran ComboFix in safe mode as directed; the log is pasted below. After this I ran TDSSKiller again (both in safe and normal modes) and... essentially nothing happened. I'm not entirely sure what's up with that.

Thanks,

Gaz


ComboFix 11-05-29.01 - Richard 30/05/2011 15:15:51.1.2 - x86 MINIMAL
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.61.1033.18.3326.2692 [GMT 9.5:30]
Running from: c:\users\Richard\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *Disabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Symantec Endpoint Protection *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
c:\users\Richard\AppData\Roaming\39D0311C1966F6EA182A1E54494CAB0E
c:\users\Richard\AppData\Roaming\39D0311C1966F6EA182A1E54494CAB0E\enemies-names.txt
c:\users\Richard\AppData\Roaming\39D0311C1966F6EA182A1E54494CAB0E\local.ini
c:\users\Richard\AppData\Roaming\Adobe\plugs
c:\users\Richard\AppData\Roaming\Adobe\shed
c:\users\Richard\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Antimalware Doctor.lnk
c:\users\Richard2\AppData\Roaming\Help\a.dll
c:\users\Richard2\AppData\Roaming\Help\CcvIkRbV.dll
c:\users\Richard2\AppData\Roaming\Help\coredb\storage
c:\users\Richard2\AppData\Roaming\Help\d.dll
c:\users\Richard2\AppData\Roaming\Help\dviFEumk.dll
c:\users\Richard2\AppData\Roaming\Help\hicOKLbA.dll
c:\users\Richard2\AppData\Roaming\Help\inURDFHn.dll
c:\users\Richard2\AppData\Roaming\Help\mRCbBxJD.dll
c:\users\Richard2\AppData\Roaming\Help\n.dll
c:\users\Richard2\AppData\Roaming\Help\o.dll
c:\users\Richard2\AppData\Roaming\Help\OEPFdaYb.dll
c:\users\Richard2\AppData\Roaming\Help\VvDIApad.dll
c:\windows\system32\drivers\atmapi.sys
c:\windows\system32\null0.04899081622744639.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-04-28 to 2011-05-30 )))))))))))))))))))))))))))))))
.
.
2011-05-30 05:50 . 2011-05-30 05:54 -------- d-----w- c:\users\Richard\AppData\Local\temp
2011-05-30 05:50 . 2011-05-30 05:50 -------- d-----w- c:\users\Richard2\AppData\Local\temp
2011-05-30 05:50 . 2011-05-30 05:50 -------- d-----w- c:\users\RA Media Server\AppData\Local\temp
2011-05-30 05:50 . 2011-05-30 05:50 -------- d-----w- c:\users\Hilary\AppData\Local\temp
2011-05-30 05:50 . 2011-05-30 05:50 -------- d-----w- c:\users\Guest\AppData\Local\temp
2011-05-30 05:50 . 2011-05-30 05:50 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-05-30 05:50 . 2011-05-30 05:50 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2011-05-30 05:41 . 2011-05-30 05:42 -------- d-----w- C:\32788R22FWJFW
2011-05-26 08:33 . 2011-05-26 08:33 -------- d-----w- c:\program files\Common Files\Skype
2011-05-26 06:20 . 2011-05-26 06:20 -------- d-----w- c:\users\Richard\AppData\Roaming\Rovio
2011-05-25 22:49 . 2011-05-25 22:49 -------- d-----w- c:\users\Richard\AppData\Local\{C703DBCA-2A16-46F4-91DF-6C58E2A72930}
2011-05-25 07:04 . 2011-05-25 07:04 -------- d-----w- c:\users\Richard\AppData\Local\{C348EA99-C45D-434D-8B98-FF3EF0C3D99B}
2011-05-20 22:09 . 2011-05-25 22:45 -------- d-----w- c:\users\Richard\AppData\Roaming\Diez
2011-05-20 22:09 . 2011-05-25 06:16 -------- d-----w- c:\users\Richard\AppData\Roaming\Edtar
2011-05-20 02:31 . 2011-05-25 07:03 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-20 02:11 . 2011-05-20 02:11 -------- d-----w- c:\users\Hilary\AppData\Local\{55C252B9-6652-4079-8D04-AB864596E102}
2011-05-20 02:10 . 2011-05-20 02:10 -------- d-----w- c:\users\Hilary\AppData\Roaming\Malwarebytes
2011-05-20 00:54 . 2011-03-03 13:25 2041856 ----a-w- c:\windows\system32\win32k.sys
2011-05-20 00:53 . 2011-03-03 15:42 739328 ----a-w- c:\windows\system32\inetcomm.dll
2011-05-20 00:53 . 2011-03-10 17:03 1162240 ----a-w- c:\windows\system32\mfc42u.dll
2011-05-20 00:53 . 2011-03-10 17:03 1136640 ----a-w- c:\windows\system32\mfc42.dll
2011-05-20 00:53 . 2011-02-16 14:02 292864 ----a-w- c:\windows\system32\atmfd.dll
2011-05-20 00:53 . 2011-02-16 16:16 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-05-20 00:53 . 2011-02-22 13:24 213504 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-05-20 00:53 . 2011-02-22 13:24 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-05-20 00:53 . 2011-02-22 13:23 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-05-20 00:53 . 2011-02-22 13:23 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
2011-05-20 00:52 . 2011-03-02 15:44 86528 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-05-20 00:52 . 2009-05-04 09:59 25088 ----a-w- c:\windows\system32\dnscacheugc.exe
2011-05-20 00:52 . 2011-02-18 14:03 305152 ----a-w- c:\windows\system32\drivers\srv.sys
2011-05-20 00:52 . 2011-02-18 14:03 146432 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-05-20 00:52 . 2011-02-18 14:03 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-05-20 00:51 . 2011-03-03 10:50 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-05-20 00:41 . 2011-05-20 00:41 -------- d-----w- c:\users\Richard\AppData\Local\{837F772D-27CE-40BC-920E-AEDF41E6256E}
2011-05-18 14:43 . 2011-05-20 00:35 -------- d-----w- c:\users\Richard\AppData\Roaming\Erkyhi
2011-05-16 13:56 . 2011-04-11 07:04 7071056 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{571AFDAF-9D08-46C5-97B4-6F5BAC7DF85A}\mpengine.dll
2011-05-16 13:42 . 2011-05-16 13:42 -------- d-----w- c:\users\Richard\AppData\Local\{89A9A1D9-05A2-41E6-A269-56B3CF643A6F}
2011-05-15 03:15 . 2011-05-15 03:15 -------- d-----w- c:\users\Richard\AppData\Roaming\Windows Live Writer
2011-05-15 03:15 . 2011-05-15 03:15 -------- d-----w- c:\users\Richard\AppData\Local\Windows Live Writer
2011-05-08 09:20 . 2011-05-08 09:20 -------- d-----w- c:\users\Richard\AppData\Roaming\MathWorks
2011-05-08 08:51 . 2004-02-11 04:07 203976 ----a-w- c:\windows\system32\RICHTX32.OCX
2011-05-08 08:51 . 2004-03-01 11:35 407104 ----a-w- c:\windows\system32\MSHFLXGD.OCX
2011-05-08 08:51 . 2002-02-13 23:56 647872 ----a-w- c:\windows\system32\mscomct2.ocx
2011-05-08 08:29 . 2011-05-08 08:29 -------- d-----w- c:\program files\MATLAB
2011-05-08 08:15 . 2011-05-08 08:15 -------- d-----w- c:\programdata\Roxio
2011-05-08 08:15 . 2011-05-08 08:15 -------- d-----w- c:\users\Richard\AppData\Roaming\Roxio
2011-05-08 05:51 . 2011-05-08 05:51 -------- d-----w- c:\program files\uTorrent
2011-05-08 05:50 . 2011-05-26 06:20 -------- d-----w- c:\users\Richard\AppData\Roaming\uTorrent
2011-05-06 01:04 . 2011-05-06 01:04 -------- d-----w- c:\users\Richard\AppData\Local\{5A7D9953-A1FC-4D99-908B-12A4DF4E7539}
2011-05-01 06:38 . 2011-05-01 06:39 53461 ----a-w- c:\windows\null0.9752246029313907.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-17 01:05 . 2010-06-08 11:30 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-03-09 21:35 . 2010-06-24 01:03 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-04-14 16:41 . 2011-05-20 05:46 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-11-09 4240760]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-07-18 6246400]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-04-24 250192]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-02-04 128232]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-09 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-08-31 421160]
"FUFAXSTM"="c:\program files\Epson Software\FAX Utility\FUFAXSTM.exe" [2009-12-02 847872]
"EEventManager"="c:\program files\Epson Software\Event Manager\EEventManager.exe" [2009-12-02 976320]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-03-17 115560]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
.
c:\users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [N/A]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\users\Hilary\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [N/A]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\users\RA Media Server\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [N/A]
.
c:\users\Richard\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [N/A]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Taskman"=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-07-23 07:35 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux3"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-673908370-2857469872-1017182818-1001]
"EnableNotificationsRef"=dword:00000001
.
R0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [x]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [x]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-07-22 136176]
R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2010-03-17 23888]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-07-22 136176]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [x]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2008-05-06 11520]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S2 ABBYY.Licensing.FineReader.Sprint.9.0;ABBYY FineReader 9.0 Sprint Licensing Service;c:\program files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe [2009-05-14 759048]
S2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2008-07-18 73728]
S2 EPSON_EB_RPCV4_04;EPSON V5 Service4(04);c:\program files\Common Files\EPSON\EPW!3 SSRP\E_S50ST7.EXE [2009-09-14 153600]
S2 EPSON_PM_RPCV4_04;EPSON V3 Service4(04);c:\program files\Common Files\EPSON\EPW!3 SSRP\E_S50RP7.EXE [2009-09-14 121856]
S2 RtNdPt60;Realtek NDIS Protocol Driver;c:\windows\system32\DRIVERS\RtNdPt60.sys [2008-07-21 27648]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-05-09 105592]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-22 13:03]
.
2011-05-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-22 13:03]
.
2011-05-29 c:\windows\Tasks\Norton Security Scan for Richard.job
- c:\progra~1\NORTON~2\Engine\301~1.8\Nss.exe [2011-01-23 17:53]
.
2011-05-30 c:\windows\Tasks\RtlNICDiagVistaStart.job
- c:\program files\Realtek\RTNICDiag\RTNICDiag.exe [2009-07-23 11:18]
.
2011-05-30 c:\windows\Tasks\User_Feed_Synchronization-{C03989EA-8624-452B-ABDA-555E6CC06D18}.job
- c:\windows\system32\msfeedssync.exe [2011-05-20 02:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.231.203.132 192.231.203.3
FF - ProfilePath - c:\users\Richard\AppData\Roaming\Mozilla\Firefox\Profiles\j9rek780.default\
FF - prefs.js: browser.startup.homepage - hxxp://au.yahoo.com/|https://auth.adelaide.edu.au/login?service=https%3A%2F%2Funified.adelaide.edu.au%2Fc%2Fportal%2Flogin
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-cupddr24bet0.exe - c:\users\Richard\AppData\Roaming\39D0311C1966F6EA182A1E54494CAB0E\cupddr24bet0.exe
HKLM-Run-dellsupportcenter - c:\program files\Dell Support Center\bin\sprtcmd.exe
SafeBoot-mcmscsvc
SafeBoot-MCODS
SafeBoot-Symantec Antvirus
AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe
.
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\windows\system32\WUDFHost.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\windows\RtHDVCpl.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\iPod\bin\iPodService.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2011-05-30 15:30:27 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-30 06:00
.
Pre-Run: 281,548,877,824 bytes free
Post-Run: 278,796,627,968 bytes free
.
- - End Of File - - D3ECDB0AAB61BDBB7F39591A1F7E7817

#6 CatByte

  • Malware Response Team

Posted 30 May 2011 - 02:01 AM

Hi,

Please do the following:

Submit a file to VirusTotal for analysis:
  • Use the browse button on that page to navigate to the location of the file to be scanned.
  • In the right hand panel,
  • click on the file c:\windows\null0.9752246029313907.exe
  • then click the open button.
  • The file will now be displayed in the submit box.
  • Scroll down a bit and click "send file", wait for the results
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Once scanned, copy and paste the link to the results page in your next reply.

NEXT

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

KillAll::

DirLook::
c:\users\Richard\AppData\Roaming\Diez
c:\users\Richard\AppData\Roaming\Edtar
c:\users\Richard\AppData\Roaming\Erkyhi

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT

Try right-clicking TDSSKiller and running it as an administrator; see if that makes a difference.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 Gaz957

  • Topic Starter

Posted 30 May 2011 - 06:20 AM

Hi,

I don't know why, but when I select the specified file in VirusTotal it says "null0.9752246029313907.exe You don't have permission to open this file. Contact the file owner or an administrator to obtain permission." Since I am using an administrator account and also tried the other administrator account, I am a little bit lost.

Running TDSSKiller as an administrator does nothing different.

I made the script as directed. The first time I ran it the computer froze up completely, so I had to restart it (power button). The second time worked mostly fine and the log is posted below. However, towards the end of the process many pop-ups appeared in Task Manager; they are called C:\PROGRA~1\Java\jre6\bin\ssvagent.exe and they say "Illegal operation on a registry key that has been marked for deletion". They appear to be open in Internet Explorer (that's the symbol that appears on the taskbar).

Thanks,

Gaz


ComboFix 11-05-29.01 - Richard 30/05/2011 20:05:50.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.61.1033.18.3326.2204 [GMT 9.5:30]
Running from: c:\users\Richard\Desktop\ComboFix.exe
Command switches used :: c:\users\Richard\Desktop\CFScript.txt
AV: Symantec Endpoint Protection *Disabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Symantec Endpoint Protection *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2011-04-28 to 2011-05-30 )))))))))))))))))))))))))))))))
.
.
2011-05-30 10:41 . 2011-05-30 10:41 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2011-05-30 10:41 . 2011-05-30 10:41 -------- d-----w- c:\users\Richard2\AppData\Local\temp
2011-05-30 10:41 . 2011-05-30 10:41 -------- d-----w- c:\users\RA Media Server\AppData\Local\temp
2011-05-30 10:41 . 2011-05-30 10:41 -------- d-----w- c:\users\Hilary\AppData\Local\temp
2011-05-30 10:41 . 2011-05-30 10:41 -------- d-----w- c:\users\Guest\AppData\Local\temp
2011-05-30 10:41 . 2011-05-30 10:41 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-05-30 10:16 . 2011-05-30 10:16 -------- d-----w- c:\users\Richard\AppData\Local\{72DFBE12-D23D-4ED2-9241-631D997DAFF2}
2011-05-30 08:06 . 2011-05-30 08:06 -------- d-----w- c:\users\Hilary\AppData\Local\Mozilla
2011-05-30 07:59 . 2011-05-30 07:59 2855 ----a-w- c:\windows\null0.9752246029313907.PIF
2011-05-30 05:56 . 2011-05-30 05:56 -------- d-----w- c:\users\Richard\AppData\Local\{2726FFE4-2263-4A7D-AE72-CF745C7E6951}
2011-05-30 05:50 . 2011-05-30 10:43 -------- d-----w- c:\users\Richard\AppData\Local\temp
2011-05-26 08:33 . 2011-05-26 08:33 -------- d-----w- c:\program files\Common Files\Skype
2011-05-26 06:20 . 2011-05-26 06:20 -------- d-----w- c:\users\Richard\AppData\Roaming\Rovio
2011-05-25 22:49 . 2011-05-25 22:49 -------- d-----w- c:\users\Richard\AppData\Local\{C703DBCA-2A16-46F4-91DF-6C58E2A72930}
2011-05-25 07:04 . 2011-05-25 07:04 -------- d-----w- c:\users\Richard\AppData\Local\{C348EA99-C45D-434D-8B98-FF3EF0C3D99B}
2011-05-20 22:09 . 2011-05-25 22:45 -------- d-----w- c:\users\Richard\AppData\Roaming\Diez
2011-05-20 22:09 . 2011-05-25 06:16 -------- d-----w- c:\users\Richard\AppData\Roaming\Edtar
2011-05-20 02:31 . 2011-05-25 07:03 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-20 02:11 . 2011-05-20 02:11 -------- d-----w- c:\users\Hilary\AppData\Local\{55C252B9-6652-4079-8D04-AB864596E102}
2011-05-20 02:10 . 2011-05-20 02:10 -------- d-----w- c:\users\Hilary\AppData\Roaming\Malwarebytes
2011-05-20 00:54 . 2011-03-03 13:25 2041856 ----a-w- c:\windows\system32\win32k.sys
2011-05-20 00:53 . 2011-03-03 15:42 739328 ----a-w- c:\windows\system32\inetcomm.dll
2011-05-20 00:53 . 2011-03-10 17:03 1162240 ----a-w- c:\windows\system32\mfc42u.dll
2011-05-20 00:53 . 2011-03-10 17:03 1136640 ----a-w- c:\windows\system32\mfc42.dll
2011-05-20 00:53 . 2011-02-16 14:02 292864 ----a-w- c:\windows\system32\atmfd.dll
2011-05-20 00:53 . 2011-02-16 16:16 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-05-20 00:53 . 2011-02-22 13:24 213504 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-05-20 00:53 . 2011-02-22 13:24 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-05-20 00:53 . 2011-02-22 13:23 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-05-20 00:53 . 2011-02-22 13:23 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
2011-05-20 00:52 . 2011-03-02 15:44 86528 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-05-20 00:52 . 2009-05-04 09:59 25088 ----a-w- c:\windows\system32\dnscacheugc.exe
2011-05-20 00:52 . 2011-02-18 14:03 305152 ----a-w- c:\windows\system32\drivers\srv.sys
2011-05-20 00:52 . 2011-02-18 14:03 146432 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-05-20 00:52 . 2011-02-18 14:03 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-05-20 00:51 . 2011-03-03 10:50 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-05-20 00:41 . 2011-05-20 00:41 -------- d-----w- c:\users\Richard\AppData\Local\{837F772D-27CE-40BC-920E-AEDF41E6256E}
2011-05-18 14:43 . 2011-05-20 00:35 -------- d-----w- c:\users\Richard\AppData\Roaming\Erkyhi
2011-05-16 13:56 . 2011-04-11 07:04 7071056 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{571AFDAF-9D08-46C5-97B4-6F5BAC7DF85A}\mpengine.dll
2011-05-16 13:42 . 2011-05-16 13:42 -------- d-----w- c:\users\Richard\AppData\Local\{89A9A1D9-05A2-41E6-A269-56B3CF643A6F}
2011-05-15 03:15 . 2011-05-15 03:15 -------- d-----w- c:\users\Richard\AppData\Roaming\Windows Live Writer
2011-05-15 03:15 . 2011-05-15 03:15 -------- d-----w- c:\users\Richard\AppData\Local\Windows Live Writer
2011-05-08 09:20 . 2011-05-08 09:20 -------- d-----w- c:\users\Richard\AppData\Roaming\MathWorks
2011-05-08 08:51 . 2004-02-11 04:07 203976 ----a-w- c:\windows\system32\RICHTX32.OCX
2011-05-08 08:51 . 2004-03-01 11:35 407104 ----a-w- c:\windows\system32\MSHFLXGD.OCX
2011-05-08 08:51 . 2002-02-13 23:56 647872 ----a-w- c:\windows\system32\mscomct2.ocx
2011-05-08 08:29 . 2011-05-08 08:29 -------- d-----w- c:\program files\MATLAB
2011-05-08 08:15 . 2011-05-08 08:15 -------- d-----w- c:\programdata\Roxio
2011-05-08 08:15 . 2011-05-08 08:15 -------- d-----w- c:\users\Richard\AppData\Roaming\Roxio
2011-05-08 05:51 . 2011-05-08 05:51 -------- d-----w- c:\program files\uTorrent
2011-05-08 05:50 . 2011-05-26 06:20 -------- d-----w- c:\users\Richard\AppData\Roaming\uTorrent
2011-05-06 01:04 . 2011-05-06 01:04 -------- d-----w- c:\users\Richard\AppData\Local\{5A7D9953-A1FC-4D99-908B-12A4DF4E7539}
2011-05-01 06:38 . 2011-05-01 06:39 53461 ----a-w- c:\windows\null0.9752246029313907.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-30 10:46 . 2011-05-30 10:46 0 ---ha-w- c:\users\Richard\AppData\Local\BITF548.tmp
2011-04-17 01:05 . 2010-06-08 11:30 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-03-09 21:35 . 2010-06-24 01:03 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-04-14 16:41 . 2011-05-20 05:46 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\users\Richard\AppData\Roaming\Diez ----
.
.
---- Directory of c:\users\Richard\AppData\Roaming\Edtar ----
.
.
---- Directory of c:\users\Richard\AppData\Roaming\Erkyhi ----
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-11-09 4240760]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-07-18 6246400]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-04-24 250192]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-02-04 128232]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-09 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-08-31 421160]
"FUFAXSTM"="c:\program files\Epson Software\FAX Utility\FUFAXSTM.exe" [2009-12-02 847872]
"EEventManager"="c:\program files\Epson Software\Event Manager\EEventManager.exe" [2009-12-02 976320]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-03-17 115560]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
.
c:\users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [N/A]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\users\Hilary\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [N/A]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\users\RA Media Server\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [N/A]
.
c:\users\Richard\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [N/A]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-07-23 07:35 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux3"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-673908370-2857469872-1017182818-1001]
"EnableNotificationsRef"=dword:00000001
.
R0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [x]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [x]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-07-22 136176]
R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2010-03-17 23888]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-07-22 136176]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [x]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2008-05-06 11520]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S2 ABBYY.Licensing.FineReader.Sprint.9.0;ABBYY FineReader 9.0 Sprint Licensing Service;c:\program files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe [2009-05-14 759048]
S2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2008-07-18 73728]
S2 EPSON_EB_RPCV4_04;EPSON V5 Service4(04);c:\program files\Common Files\EPSON\EPW!3 SSRP\E_S50ST7.EXE [2009-09-14 153600]
S2 EPSON_PM_RPCV4_04;EPSON V3 Service4(04);c:\program files\Common Files\EPSON\EPW!3 SSRP\E_S50RP7.EXE [2009-09-14 121856]
S2 RtNdPt60;Realtek NDIS Protocol Driver;c:\windows\system32\DRIVERS\RtNdPt60.sys [2008-07-21 27648]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-05-09 105592]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-22 13:03]
.
2011-05-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-22 13:03]
.
2011-05-30 c:\windows\Tasks\Norton Security Scan for Richard.job
- c:\progra~1\NORTON~2\Engine\301~1.8\Nss.exe [2011-01-23 17:53]
.
2011-05-30 c:\windows\Tasks\RtlNICDiagVistaStart.job
- c:\program files\Realtek\RTNICDiag\RTNICDiag.exe [2009-07-23 11:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.231.203.132 192.231.203.3
FF - ProfilePath - c:\users\Richard\AppData\Roaming\Mozilla\Firefox\Profiles\j9rek780.default\
FF - prefs.js: browser.startup.homepage - hxxp://au.yahoo.com/|https://auth.adelaide.edu.au/login?service=https%3A%2F%2Funified.adelaide.edu.au%2Fc%2Fportal%2Flogin
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\windows\system32\WUDFHost.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\program files\Internet Explorer\iexplore.exe
c:\windows\RtHDVCpl.exe
c:\program files\Internet Explorer\iexplore.exe
c:\windows\ehome\ehmsas.exe
c:\program files\iPod\bin\iPodService.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2011-05-30 20:18:48 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-30 10:48
ComboFix2.txt 2011-05-30 06:00
.
Pre-Run: 279,317,721,088 bytes free
Post-Run: 279,300,431,872 bytes free
.
- - End Of File - - C789C6C874795C903663776FD8C26E0A

#8 CatByte

  • Malware Response Team

Posted 30 May 2011 - 03:58 PM

Hi

Please do this

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

http://www.bleepingcomputer.com/forums/topic399649.html/page__view__findpost__p__2269433

Collect::
c:\windows\null0.9752246029313907.exe

Folder::
c:\users\Richard\AppData\Roaming\Diez
c:\users\Richard\AppData\Roaming\Edtar
c:\users\Richard\AppData\Roaming\Erkyhi


Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

NEXT

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :filefind
    *volsnap*
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

NEXT

Please advise how the computer is running now and if there are any outstanding issues.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
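Here is an added example, not part of the thread and not code from ComboFix, SystemLook or VirusTotal, covering the two things raised in the last two posts: the "You don't have permission to open this file" error Gaz957 hit on c:\windows\null0.9752246029313907.exe, and the *volsnap* lookup CatByte asked for, taken one step further into a verdict. It assumes Windows PowerShell 2.0 (a separate download on Vista) running in an elevated console; the two paths are the ones quoted in the logs, the helper name Get-Sha256Hex is mine, and it searches for the exact file name volsnap.sys rather than the broader *volsnap* wildcard.

```powershell
# Added example: not from the thread, not ComboFix/SystemLook/VirusTotal code.
# Assumes Windows PowerShell 2.0 in an elevated console on the Vista machine.
# Both paths below are the ones quoted in the ComboFix logs above.
$suspectFile = 'C:\Windows\null0.9752246029313907.exe'
$liveDriver  = 'C:\Windows\System32\drivers\volsnap.sys'

# PowerShell 2.0 has no Get-FileHash, so hash through .NET. Opening with
# FileShare.ReadWrite lets us read a driver image that is currently loaded.
function Get-Sha256Hex([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    try     { ([System.BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
}

# --- 1. The "You don't have permission to open this file" error from post #7 ---
# The DACL shows whether the file shields itself with an explicit Deny ACE
# (a common self-protection trick) rather than a genuine ownership problem.
if (Test-Path $suspectFile) {
    try {
        $acl = Get-Acl -Path $suspectFile
        "Owner: " + $acl.Owner
        $acl.Access | Select-Object IdentityReference, AccessControlType, FileSystemRights |
            Format-Table -AutoSize
        if ($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' }) {
            "Explicit DENY entries present: the file is protecting itself from being read."
        }
    } catch {
        # Even READ_CONTROL is denied. An elevated admin can still take ownership
        # (takeown /f <file>, then icacls <file> /grant Administrators:F) before
        # submitting it, or let ComboFix's Collect:: directive zip it instead.
        "Cannot read the ACL either: " + $_.Exception.Message
    }
} else {
    "$suspectFile is not visible to this process (deleted, or hidden by a kernel-mode component)."
}

# --- 2. The *volsnap* lookup from post #8, with a verdict rather than a bare listing ---
# A patched boot driver in drivers\ normally leaves the untouched copies in the
# component store (winsxs) alone, so comparing hashes against them is the same
# kind of check ComboFix performs before it restores a clean copy.
$hits = Get-ChildItem -Path 'C:\Windows' -Recurse -Force -Filter 'volsnap.sys' -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object {
        New-Object PSObject -Property @{
            Path      = $_.FullName
            Size      = $_.Length
            Modified  = $_.LastWriteTime
            SHA256    = Get-Sha256Hex $_.FullName
            # Vista inbox drivers are usually catalog-signed and this cmdlet on
            # PowerShell 2.0 only sees embedded signatures, so 'NotSigned' here is
            # not evidence of tampering; a hash mismatch below is.
            Signature = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
        }
    }
$hits | Select-Object Path, Size, Modified, Signature, SHA256 | Format-List

# String comparisons in PowerShell are case-insensitive by default.
$live  = @($hits | Where-Object { $_.Path -eq $liveDriver })
$store = @($hits | Where-Object { $_.Path -like 'C:\Windows\winsxs\*' })
if ($live.Count -eq 1 -and $store.Count -gt 0) {
    $known = $store | ForEach-Object { $_.SHA256 }
    if ($known -contains $live[0].SHA256) {
        "drivers\volsnap.sys matches a component-store copy: no on-disk patching visible from this OS."
    } else {
        "drivers\volsnap.sys matches none of the $($store.Count) winsxs copies: treat it as patched."
    }
} else {
    "Could not compare: live driver or winsxs copies not found."
}
```

Read the result with one caveat in mind: the ComboFix log posted later in this thread shows volsnap.sys itself was infected, and a kernel-mode component can hide files or hand a clean image to anything reading the disk through the running OS. A hash mismatch is actionable on its own; a match is reassuring but only the same comparison made from outside the installation (a boot CD or WinPE), or sfc /verifyonly after cleanup, is conclusive. The ACL section likewise explains the VirusTotal error rather than bypassing it, which is why CatByte's next step collects the file with ComboFix instead.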


#9 Gaz957

  • Topic Starter

Posted 31 May 2011 - 04:06 AM

Hi,

Ran the programs as directed. Found what I had been doing wrong in disabling my anti-virus.

No outstanding issues (that I can tell) to report.

Combofix log:

ComboFix 11-05-29.01 - Richard 31/05/2011 8:59.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.61.1033.18.3326.2358 [GMT 9.5:30]
Running from: c:\users\Richard\Desktop\ComboFix.exe
Command switches used :: c:\users\Richard\Desktop\CFScript.txt
AV: Symantec Endpoint Protection *Disabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Symantec Endpoint Protection *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
file zipped: c:\windows\null0.9752246029313907.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Richard\AppData\Roaming\Diez
c:\users\Richard\AppData\Roaming\Edtar
c:\users\Richard\AppData\Roaming\Erkyhi
c:\windows\null0.9752246029313907.exe
.
Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected
Restored copy from - Kitty had a snack :P
.
((((((((((((((((((((((((( Files Created from 2011-04-28 to 2011-05-31 )))))))))))))))))))))))))))))))
.
.
2011-05-30 23:34 . 2011-05-31 00:42 -------- d-----w- c:\users\Hilary\AppData\Local\temp
2011-05-30 23:34 . 2011-05-30 23:34 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2011-05-30 23:34 . 2011-05-30 23:34 -------- d-----w- c:\users\Richard2\AppData\Local\temp
2011-05-30 23:34 . 2011-05-30 23:34 -------- d-----w- c:\users\Richard\AppData\Local\temp
2011-05-30 23:34 . 2011-05-30 23:34 -------- d-----w- c:\users\RA Media Server\AppData\Local\temp
2011-05-30 23:34 . 2011-05-30 23:34 -------- d-----w- c:\users\Guest\AppData\Local\temp
2011-05-30 23:34 . 2011-05-30 23:34 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-05-30 23:19 . 2011-05-30 23:19 -------- d-----w- c:\users\Richard\AppData\Local\{4CDDF87D-8976-4178-8968-5CEEBD6787E3}
2011-05-30 10:45 . 2011-05-30 10:45 -------- d-----w- c:\users\Richard\AppData\Local\{C609B1C0-B701-403A-AAB4-3E05BE2B7C6C}
2011-05-30 10:16 . 2011-05-30 10:16 -------- d-----w- c:\users\Richard\AppData\Local\{72DFBE12-D23D-4ED2-9241-631D997DAFF2}
2011-05-30 08:06 . 2011-05-30 08:06 -------- d-----w- c:\users\Hilary\AppData\Local\Mozilla
2011-05-30 07:59 . 2011-05-30 07:59 2855 ----a-w- c:\windows\null0.9752246029313907.PIF
2011-05-30 05:56 . 2011-05-30 05:56 -------- d-----w- c:\users\Richard\AppData\Local\{2726FFE4-2263-4A7D-AE72-CF745C7E6951}
2011-05-26 08:33 . 2011-05-26 08:33 -------- d-----w- c:\program files\Common Files\Skype
2011-05-26 06:20 . 2011-05-26 06:20 -------- d-----w- c:\users\Richard\AppData\Roaming\Rovio
2011-05-25 22:49 . 2011-05-25 22:49 -------- d-----w- c:\users\Richard\AppData\Local\{C703DBCA-2A16-46F4-91DF-6C58E2A72930}
2011-05-25 07:04 . 2011-05-25 07:04 -------- d-----w- c:\users\Richard\AppData\Local\{C348EA99-C45D-434D-8B98-FF3EF0C3D99B}
2011-05-20 02:31 . 2011-05-25 07:03 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-20 02:11 . 2011-05-20 02:11 -------- d-----w- c:\users\Hilary\AppData\Local\{55C252B9-6652-4079-8D04-AB864596E102}
2011-05-20 02:10 . 2011-05-20 02:10 -------- d-----w- c:\users\Hilary\AppData\Roaming\Malwarebytes
2011-05-20 00:54 . 2011-03-03 13:25 2041856 ----a-w- c:\windows\system32\win32k.sys
2011-05-20 00:53 . 2011-03-03 15:42 739328 ----a-w- c:\windows\system32\inetcomm.dll
2011-05-20 00:53 . 2011-03-10 17:03 1162240 ----a-w- c:\windows\system32\mfc42u.dll
2011-05-20 00:53 . 2011-03-10 17:03 1136640 ----a-w- c:\windows\system32\mfc42.dll
2011-05-20 00:53 . 2011-02-16 14:02 292864 ----a-w- c:\windows\system32\atmfd.dll
2011-05-20 00:53 . 2011-02-16 16:16 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-05-20 00:53 . 2011-02-22 13:24 213504 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-05-20 00:53 . 2011-02-22 13:24 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-05-20 00:53 . 2011-02-22 13:23 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-05-20 00:53 . 2011-02-22 13:23 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
2011-05-20 00:52 . 2011-03-02 15:44 86528 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-05-20 00:52 . 2009-05-04 09:59 25088 ----a-w- c:\windows\system32\dnscacheugc.exe
2011-05-20 00:52 . 2011-02-18 14:03 305152 ----a-w- c:\windows\system32\drivers\srv.sys
2011-05-20 00:52 . 2011-02-18 14:03 146432 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-05-20 00:52 . 2011-02-18 14:03 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-05-20 00:51 . 2011-03-03 10:50 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-05-20 00:41 . 2011-05-20 00:41 -------- d-----w- c:\users\Richard\AppData\Local\{837F772D-27CE-40BC-920E-AEDF41E6256E}
2011-05-16 13:56 . 2011-04-11 07:04 7071056 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{571AFDAF-9D08-46C5-97B4-6F5BAC7DF85A}\mpengine.dll
2011-05-16 13:42 . 2011-05-16 13:42 -------- d-----w- c:\users\Richard\AppData\Local\{89A9A1D9-05A2-41E6-A269-56B3CF643A6F}
2011-05-15 03:15 . 2011-05-15 03:15 -------- d-----w- c:\users\Richard\AppData\Roaming\Windows Live Writer
2011-05-15 03:15 . 2011-05-15 03:15 -------- d-----w- c:\users\Richard\AppData\Local\Windows Live Writer
2011-05-08 09:20 . 2011-05-08 09:20 -------- d-----w- c:\users\Richard\AppData\Roaming\MathWorks
2011-05-08 08:51 . 2004-02-11 04:07 203976 ----a-w- c:\windows\system32\RICHTX32.OCX
2011-05-08 08:51 . 2004-03-01 11:35 407104 ----a-w- c:\windows\system32\MSHFLXGD.OCX
2011-05-08 08:51 . 2002-02-13 23:56 647872 ----a-w- c:\windows\system32\mscomct2.ocx
2011-05-08 08:29 . 2011-05-08 08:29 -------- d-----w- c:\program files\MATLAB
2011-05-08 08:15 . 2011-05-08 08:15 -------- d-----w- c:\programdata\Roxio
2011-05-08 08:15 . 2011-05-08 08:15 -------- d-----w- c:\users\Richard\AppData\Roaming\Roxio
2011-05-08 05:51 . 2011-05-08 05:51 -------- d-----w- c:\program files\uTorrent
2011-05-08 05:50 . 2011-05-26 06:20 -------- d-----w- c:\users\Richard\AppData\Roaming\uTorrent
2011-05-06 01:04 . 2011-05-06 01:04 -------- d-----w- c:\users\Richard\AppData\Local\{5A7D9953-A1FC-4D99-908B-12A4DF4E7539}
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-17 01:05 . 2010-06-08 11:30 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-03-09 21:35 . 2010-06-24 01:03 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-04-14 16:41 . 2011-05-20 05:46 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-11-09 4240760]
"EPSON WorkForce 520 Series"="c:\windows\system32\spool\DRIVERS\W32X86\3\E_FATIGIS.EXE" [2009-09-14 200704]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-07-18 6246400]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-04-24 250192]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-02-04 128232]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-09 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-08-31 421160]
"FUFAXSTM"="c:\program files\Epson Software\FAX Utility\FUFAXSTM.exe" [2009-12-02 847872]
"EEventManager"="c:\program files\Epson Software\Event Manager\EEventManager.exe" [2009-12-02 976320]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-03-17 115560]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
.
c:\users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [N/A]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\users\Hilary\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [N/A]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\users\RA Media Server\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [N/A]
.
c:\users\Richard\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [N/A]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-07-23 07:35 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux3"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-673908370-2857469872-1017182818-1001]
"EnableNotificationsRef"=dword:00000001
.
R0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [x]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [x]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-07-22 136176]
R3 CFcatchme;CFcatchme;c:\users\Richard\AppData\Local\Temp\CFcatchme.sys [x]
R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2010-03-17 23888]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-07-22 136176]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [x]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2008-05-06 11520]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S2 ABBYY.Licensing.FineReader.Sprint.9.0;ABBYY FineReader 9.0 Sprint Licensing Service;c:\program files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe [2009-05-14 759048]
S2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2008-07-18 73728]
S2 EPSON_EB_RPCV4_04;EPSON V5 Service4(04);c:\program files\Common Files\EPSON\EPW!3 SSRP\E_S50ST7.EXE [2009-09-14 153600]
S2 EPSON_PM_RPCV4_04;EPSON V3 Service4(04);c:\program files\Common Files\EPSON\EPW!3 SSRP\E_S50RP7.EXE [2009-09-14 121856]
S2 RtNdPt60;Realtek NDIS Protocol Driver;c:\windows\system32\DRIVERS\RtNdPt60.sys [2008-07-21 27648]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-05-09 105592]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{552c8a7f-8e9f-11de-b750-0021705d5cce}]
\shell\AutoRun\command - K:\LaunchU3.exe -a
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7e9c27e6-86e1-11de-a60d-0021705d5cce}]
\shell\AutoRun\command - J:\AutoRun.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7e9c27fa-86e1-11de-a60d-0021705d5cce}]
\shell\AutoRun\command - J:\AutoRun.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{843c8ad4-10dc-11e0-8e3c-002170387bc8}]
\shell\AutoRun\command - J:\SETUP.EXE
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{89e7438b-cf02-11de-ab72-0021705d5cce}]
\shell\AutoRun\command - j:\recycler\S-1-6-21-2434476501-1644491937-600003330-1213\autorunme.exe
\shell\open\command - j:\recycler\S-1-6-21-2434476501-1644491937-600003330-1213\autorunme.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{943184f9-271d-11df-8a64-002170387bc8}]
\shell\AutoRun\command - J:\AutoRun.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{94318517-271d-11df-8a64-002170387bc8}]
\shell\AutoRun\command - J:\AutoRun.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-22 13:03]
.
2011-05-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-22 13:03]
.
2011-05-30 c:\windows\Tasks\Norton Security Scan for Richard.job
- c:\progra~1\NORTON~2\Engine\301~1.8\Nss.exe [2011-01-23 17:53]
.
2011-05-31 c:\windows\Tasks\RtlNICDiagVistaStart.job
- c:\program files\Realtek\RTNICDiag\RTNICDiag.exe [2009-07-23 11:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.abc.net.au/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.231.203.132 192.231.203.3
FF - ProfilePath - c:\users\Hilary\AppData\Roaming\Mozilla\Firefox\Profiles\f2z5tbhw.default\
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
AddRemove-Malwarebytes' Anti-Malware_is1 - c:\program files\Malwarebytes' Anti-Malware\unins000.exe
.
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\windows\system32\WUDFHost.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\windows\RtHDVCpl.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-05-31 10:16:46 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-31 00:46
ComboFix2.txt 2011-05-30 10:48
ComboFix3.txt 2011-05-30 06:00
.
Pre-Run: 278,133,698,560 bytes free
Post-Run: 278,089,658,368 bytes free
.
- - End Of File - - 9EC59FB8DC6B9373D74A8D73CA5FBBC8
Upload was successful

SystemLook log:

SystemLook 04.09.10 by jpshortstuff
Log created at 17:13 on 31/05/2011 by Richard
Administrator - Elevation successful

========== filefind ==========

Searching for "*volsnap*"
C:\Qoobox\Quarantine\C\Windows\System32\drivers\volsnap.sys.vir --a---- 226280 bytes [23:58 23/09/2009] [06:32 11/04/2009] E269BB33062F9A6B4115C86781D767AA
C:\Windows\inf\volsnap.inf --a---- 1790 bytes [10:25 02/11/2006] [10:25 02/11/2006] E5EE5E075DAB1367001C467C70E8C580
C:\Windows\inf\volsnap.PNF --a---- 4940 bytes [10:25 02/11/2006] [09:21 11/04/2009] 8BB59B2576993A142AF85BAC5D9995F7
C:\Windows\System32\drivers\volsnap.sys --a---- 226280 bytes [23:58 23/09/2009] [06:32 11/04/2009] 147281C01FCB1DF9252DE2A10D5E7093
C:\Windows\System32\drivers\en-US\volsnap.sys.mui --a---- 32768 bytes [02:25 21/01/2008] [02:25 21/01/2008] 2A3DEAD70397152006B4E3CED20B41C4
C:\Windows\System32\DriverStore\en-US\volsnap.inf_loc --a---- 198 bytes [12:41 02/11/2006] [12:41 02/11/2006] F040058B592FE682204B2FC15DDEAC0D
C:\Windows\System32\DriverStore\FileRepository\volsnap.inf_7eb8cdb5\volsnap.inf --a---- 1790 bytes [10:25 02/11/2006] [06:35 02/11/2006] E5EE5E075DAB1367001C467C70E8C580
C:\Windows\System32\DriverStore\FileRepository\volsnap.inf_7eb8cdb5\volsnap.PNF --a---- 4940 bytes [13:03 02/11/2006] [09:21 11/04/2009] F86E905420A12D5AAE107DBBC25E6A18
C:\Windows\System32\DriverStore\FileRepository\volume.inf_1e6030e4\volsnap.sys --a---- 226280 bytes [23:58 23/09/2009] [06:32 11/04/2009] 147281C01FCB1DF9252DE2A10D5E7093
C:\Windows\System32\DriverStore\FileRepository\volume.inf_9320b452\volsnap.sys --a---- 208488 bytes [10:25 02/11/2006] [09:51 02/11/2006] 11EF6C1CAEF76B685233450A126125D6
C:\Windows\System32\DriverStore\FileRepository\volume.inf_f53a1785\volsnap.sys --a---- 227896 bytes [02:23 21/01/2008] [02:23 21/01/2008] D8B4A53DD2769F226B3EB374374987C9
C:\Windows\winsxs\Manifests\x86_volsnap.inf.resources_31bf3856ad364e35_6.0.6000.16386_en-us_112c68f98452eff6.manifest --a---- 1910 bytes [12:39 02/11/2006] [12:39 02/11/2006] 6AB82C548B2381F359B8494398B1A8E1
C:\Windows\winsxs\x86_volsnap.inf.resources_31bf3856ad364e35_6.0.6000.16386_en-us_112c68f98452eff6\volsnap.inf_loc --a---- 198 bytes [12:41 02/11/2006] [12:41 02/11/2006] F040058B592FE682204B2FC15DDEAC0D
C:\Windows\winsxs\x86_volume.inf.resources_31bf3856ad364e35_6.0.6000.16386_en-us_78ef883cc30a4c61\volsnap.sys.mui --a---- 14848 bytes [12:41 02/11/2006] [12:41 02/11/2006] F9B09F7E31E49004666C9B3EB0BEBD94
C:\Windows\winsxs\x86_volume.inf.resources_31bf3856ad364e35_6.0.6001.18000_en-us_7b264a38bff55d35\volsnap.sys.mui --a---- 32768 bytes [02:25 21/01/2008] [02:25 21/01/2008] 2A3DEAD70397152006B4E3CED20B41C4
C:\Windows\winsxs\x86_volume.inf_31bf3856ad364e35_6.0.6001.18000_none_15b6b780fc14facd\volsnap.sys --a---- 227896 bytes [02:23 21/01/2008] [02:23 21/01/2008] D8B4A53DD2769F226B3EB374374987C9
C:\Windows\winsxs\x86_volume.inf_31bf3856ad364e35_6.0.6002.18005_none_17a2308cf936c619\volsnap.sys --a---- 226280 bytes [23:58 23/09/2009] [06:32 11/04/2009] 147281C01FCB1DF9252DE2A10D5E7093

-= EOF =-

Thanks,

Gaz

#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 31 May 2011 - 03:43 PM

Hi

Please do the following:

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#11 Gaz957

Gaz957
  • Topic Starter

  • Members
  • 8 posts

Posted 01 June 2011 - 02:51 AM

Hi,

I ran malwarebytes as directed: nothing, but esetscan found some stuff.

Overnight (before your last reply was posted) I ran a full Malwarebytes scan and a Symantec scan; MBAM got nothing, but Symantec picked up a number of threats.

I should say that the computer seems to be working fine.

mbam log:

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6738

Windows 6.0.6002 Service Pack 2
Internet Explorer 9.0.8112.16421

1/06/2011 10:05:53 AM
mbam-log-2011-06-01 (10-05-53).txt

Scan type: Quick scan
Objects scanned: 214041
Time elapsed: 8 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


esetscan log:

C:\$RECYCLE.BIN\S-1-5-21-673908370-2857469872-1017182818-1001\$R52IFXW\6.0\0\33a8f380-2f1efe85 Java/Agent.BM trojan
C:\$RECYCLE.BIN\S-1-5-21-673908370-2857469872-1017182818-1001\$R52IFXW\6.0\0\6685d300-204ae9ac Java/Exploit.CVE-2010-4452.A trojan
C:\$RECYCLE.BIN\S-1-5-21-673908370-2857469872-1017182818-1001\$R52IFXW\6.0\10\4d70beca-1a04632a multiple threats
C:\$RECYCLE.BIN\S-1-5-21-673908370-2857469872-1017182818-1001\$R52IFXW\6.0\12\1c4baa4c-1d21b4ab a variant of Java/TrojanDownloader.OpenStream.NBV trojan
C:\$RECYCLE.BIN\S-1-5-21-673908370-2857469872-1017182818-1001\$R52IFXW\6.0\12\1c4baa4c-32414ea9 a variant of Java/TrojanDownloader.OpenStream.NBV trojan
C:\$RECYCLE.BIN\S-1-5-21-673908370-2857469872-1017182818-1001\$R52IFXW\6.0\12\1c4baa4c-4f97e371 a variant of Java/TrojanDownloader.OpenStream.NBV trojan
C:\$RECYCLE.BIN\S-1-5-21-673908370-2857469872-1017182818-1001\$R52IFXW\6.0\12\1c4baa4c-59825d11 a variant of Java/TrojanDownloader.OpenStream.NBV trojan
C:\$RECYCLE.BIN\S-1-5-21-673908370-2857469872-1017182818-1001\$R52IFXW\6.0\12\1c4baa4c-62afb014 a variant of Java/TrojanDownloader.OpenStream.NBV trojan
C:\$RECYCLE.BIN\S-1-5-21-673908370-2857469872-1017182818-1001\$R52IFXW\6.0\12\1c4baa4c-78543d5f a variant of Java/TrojanDownloader.OpenStream.NBV trojan
C:\$RECYCLE.BIN\S-1-5-21-673908370-2857469872-1017182818-1001\$R52IFXW\6.0\12\3cc664c-347620e5 probably a variant of Java/Exploit.CVE-2010-4452.A trojan
C:\$RECYCLE.BIN\S-1-5-21-673908370-2857469872-1017182818-1001\$R52IFXW\6.0\16\44b8ef90-21107cc3 multiple threats
C:\$RECYCLE.BIN\S-1-5-21-673908370-2857469872-1017182818-1001\$R52IFXW\6.0\24\153893d8-731a774b a variant of Java/Exploit.CVE-2010-4452.A trojan
C:\$RECYCLE.BIN\S-1-5-21-673908370-2857469872-1017182818-1001\$R52IFXW\6.0\26\655f59a-5b89ca7d Java/Agent.BN trojan
C:\$RECYCLE.BIN\S-1-5-21-673908370-2857469872-1017182818-1001\$R52IFXW\6.0\3\7b540843-7f69595e a variant of Java/Agent.BP trojan
C:\$RECYCLE.BIN\S-1-5-21-673908370-2857469872-1017182818-1001\$R52IFXW\6.0\33\248630a1-73133a17 Java/TrojanDownloader.OpenStream.NBV trojan
C:\$RECYCLE.BIN\S-1-5-21-673908370-2857469872-1017182818-1001\$R52IFXW\6.0\34\7331f722-1b679d94 Java/Agent.BM trojan
C:\$RECYCLE.BIN\S-1-5-21-673908370-2857469872-1017182818-1001\$R52IFXW\6.0\38\13f28da6-38783f11 multiple threats
C:\$RECYCLE.BIN\S-1-5-21-673908370-2857469872-1017182818-1001\$R52IFXW\6.0\38\1b3c1126-4d09bb1f Java/Exploit.CVE-2010-3562.A trojan
C:\$RECYCLE.BIN\S-1-5-21-673908370-2857469872-1017182818-1001\$R52IFXW\6.0\45\69f346ad-481b0d18 a variant of Java/Agent.BP trojan
C:\$RECYCLE.BIN\S-1-5-21-673908370-2857469872-1017182818-1001\$R52IFXW\6.0\60\260e507c-26a53a5f a variant of Java/Agent.BP trojan
C:\$RECYCLE.BIN\S-1-5-21-673908370-2857469872-1017182818-1001\$R52IFXW\6.0\62\60d9c47e-218613d7 a variant of Java/TrojanDownloader.OpenStream.NBV trojan
C:\$RECYCLE.BIN\S-1-5-21-673908370-2857469872-1017182818-1001\$R52IFXW\6.0\62\60d9c47e-7b24fb11 a variant of Java/TrojanDownloader.OpenStream.NBV trojan
C:\Qoobox\Quarantine\C\Users\Richard\AppData\Roaming\39D0311C1966F6EA182A1E54494CAB0E\enemies-names.txt.vir Win32/Adware.AntimalwareDoctor.AE.Gen application
C:\Qoobox\Quarantine\C\Users\Richard\AppData\Roaming\39D0311C1966F6EA182A1E54494CAB0E\local.ini.vir Win32/Adware.AntimalwareDoctor.AE.Gen application
C:\Qoobox\Quarantine\C\Windows\System32\drivers\volsnap.sys.vir Win32/Olmasco.E trojan
C:\Users\Richard\Desktop\err.log20460747 a variant of Win32/Kryptik.ODQ trojan
C:\Users\Richard2\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\3cc664c-3420b11b probably a variant of Java/Exploit.CVE-2010-4452.A trojan
C:\Users\Richard2\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\60\1ce5817c-71fd3d2f multiple threats


Thanks,

Gaz

#12 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 01 June 2011 - 06:08 PM

Hi, Please do the following:


locate the following file on your desktop > right click and delete it C:\Users\Richard\Desktop\err.log20460747


NEXT



Your Java is out of date.
Java™ 6 Update 13 can be updated from the Java control panel: Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now.
An update should begin; follow the prompts.


Clear Java cache

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup) If you do not see the icon, look to your left and click 'Switch to Classic View'.
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
    • Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.


NEXT



Download TFC to your desktop
Mirror
  • Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job
  • Once it's finished it should automatically reboot your machine;
  • if it doesn't, manually reboot to ensure a complete clean
It's normal after running TFC cleaner that the PC will be slower to boot the first time.


NEXT


Please post a fresh DDS Log and advise if there are any outstanding issues.



#13 Gaz957

Gaz957
  • Topic Starter

  • Members
  • 8 posts

Posted 02 June 2011 - 12:35 AM

Hi,

Have done as directed.

The computer seems to be running fine.

DDS log:

.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by Richard at 14:58:01 on 2011-06-02
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.61.1033.18.3326.2036 [GMT 9.5:30]
.
AV: Symantec Endpoint Protection *Disabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Symantec Endpoint Protection *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Windows\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe
C:\Windows\system32\AERTSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50ST7.EXE
C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50RP7.EXE
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Epson Software\FAX Utility\FUFAXSTM.exe
C:\Program Files\Epson Software\Event Manager\EEventManager.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\Richard\Desktop\dds.scr
C:\Windows\system32\WSCRIPT.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [FUFAXSTM] "c:\program files\epson software\fax utility\FUFAXSTM.exe"
mRun: [EEventManager] "c:\program files\epson software\event manager\EEventManager.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\users\richard\appdata\roaming\micros~1\windows\startm~1\programs\startup\delldo~1.lnk - c:\program files\dell\delldock\DellDock.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\richard\appdata\roaming\mozilla\firefox\profiles\j9rek780.default\
FF - prefs.js: browser.startup.homepage - hxxp://au.yahoo.com/|https://auth.adelaide.edu.au/login?service=https%3A%2F%2Funified.adelaide.edu.au%2Fc%2Fportal%2Flogin
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60129.0\npctrlui.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\richard\appdata\roaming\facebook\npfbplugin_1_0_3.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R2 ABBYY.Licensing.FineReader.Sprint.9.0;ABBYY FineReader 9.0 Sprint Licensing Service;c:\program files\common files\abbyy\finereadersprint\9.00\licensing\NetworkLicenseServer.exe [2009-5-14 759048]
R2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2009-7-24 73728]
R2 EPSON_EB_RPCV4_04;EPSON V5 Service4(04);c:\program files\common files\epson\epw!3 ssrp\E_S50ST7.EXE [2011-1-4 153600]
R2 EPSON_PM_RPCV4_04;EPSON V3 Service4(04);c:\program files\common files\epson\epw!3 ssrp\E_S50RP7.EXE [2011-1-4 121856]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-5-31 366640]
R2 RtNdPt60;Realtek NDIS Protocol Driver;c:\windows\system32\drivers\RtNdPt60.sys [2009-7-23 27648]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2010-3-17 2477304]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-5-9 105592]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-5-31 22712]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-7-22 136176]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2010-3-17 23888]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-7-22 136176]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-06-02 05:26:29 -------- d-----w- c:\users\richard\appdata\local\{5994F81E-9888-44BC-A920-9D32587485D4}
2011-06-01 00:52:38 -------- d-----w- c:\program files\ESET
2011-05-31 08:39:03 -------- d-----w- c:\programdata\Skype Extras
2011-05-31 07:46:09 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-31 07:46:06 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-31 07:46:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-31 07:41:35 -------- d-----w- c:\users\richard\appdata\local\{D2C1B269-0227-462A-8E99-9AE6DF0F92B5}
2011-05-31 07:39:05 -------- d-----w- c:\users\richard\appdata\local\temp
2011-05-31 00:42:41 -------- d-----w- C:\$RECYCLE.BIN
2011-05-30 23:19:36 -------- d-----w- c:\users\richard\appdata\local\{4CDDF87D-8976-4178-8968-5CEEBD6787E3}
2011-05-30 10:45:09 -------- d-----w- c:\users\richard\appdata\local\{C609B1C0-B701-403A-AAB4-3E05BE2B7C6C}
2011-05-30 10:16:46 -------- d-----w- c:\users\richard\appdata\local\{72DFBE12-D23D-4ED2-9241-631D997DAFF2}
2011-05-30 07:59:22 2855 ----a-w- c:\windows\null0.9752246029313907.PIF
2011-05-30 05:56:30 -------- d-----w- c:\users\richard\appdata\local\{2726FFE4-2263-4A7D-AE72-CF745C7E6951}
2011-05-30 05:42:39 98816 ----a-w- c:\windows\sed.exe
2011-05-30 05:42:39 89088 ----a-w- c:\windows\MBR.exe
2011-05-30 05:42:39 256512 ----a-w- c:\windows\PEV.exe
2011-05-30 05:42:39 161792 ----a-w- c:\windows\SWREG.exe
2011-05-26 06:20:58 -------- d-----w- c:\users\richard\appdata\roaming\Rovio
2011-05-25 22:49:46 -------- d-----w- c:\users\richard\appdata\local\{C703DBCA-2A16-46F4-91DF-6C58E2A72930}
2011-05-25 07:04:34 -------- d-----w- c:\users\richard\appdata\local\{C348EA99-C45D-434D-8B98-FF3EF0C3D99B}
2011-05-20 02:31:02 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-20 00:54:28 2041856 ----a-w- c:\windows\system32\win32k.sys
2011-05-20 00:53:20 739328 ----a-w- c:\windows\system32\inetcomm.dll
2011-05-20 00:53:16 1162240 ----a-w- c:\windows\system32\mfc42u.dll
2011-05-20 00:53:16 1136640 ----a-w- c:\windows\system32\mfc42.dll
2011-05-20 00:53:11 292864 ----a-w- c:\windows\system32\atmfd.dll
2011-05-20 00:53:10 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-05-20 00:53:05 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-05-20 00:53:05 213504 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-05-20 00:53:04 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
2011-05-20 00:53:04 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-05-20 00:52:58 86528 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-05-20 00:52:58 25088 ----a-w- c:\windows\system32\dnscacheugc.exe
2011-05-20 00:52:53 305152 ----a-w- c:\windows\system32\drivers\srv.sys
2011-05-20 00:52:53 146432 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-05-20 00:52:52 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-05-20 00:51:57 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2011-05-20 00:41:11 -------- d-----w- c:\users\richard\appdata\local\{837F772D-27CE-40BC-920E-AEDF41E6256E}
2011-05-16 13:56:02 7071056 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{571afdaf-9d08-46c5-97b4-6f5bac7df85a}\mpengine.dll
2011-05-16 13:42:25 -------- d-----w- c:\users\richard\appdata\local\{89A9A1D9-05A2-41E6-A269-56B3CF643A6F}
2011-05-15 03:15:06 -------- d-----w- c:\users\richard\appdata\roaming\Windows Live Writer
2011-05-15 03:15:06 -------- d-----w- c:\users\richard\appdata\local\Windows Live Writer
2011-05-08 09:20:01 -------- d-----w- c:\users\richard\appdata\roaming\MathWorks
2011-05-08 08:51:16 203976 ----a-w- c:\windows\system32\RICHTX32.OCX
2011-05-08 08:51:15 407104 ----a-w- c:\windows\system32\MSHFLXGD.OCX
2011-05-08 08:51:13 647872 ----a-w- c:\windows\system32\mscomct2.ocx
2011-05-08 08:29:50 -------- d-----w- c:\program files\MATLAB
2011-05-08 05:51:14 -------- d-----w- c:\program files\uTorrent
2011-05-08 05:50:38 -------- d-----w- c:\users\richard\appdata\roaming\uTorrent
2011-05-06 01:04:31 -------- d-----w- c:\users\richard\appdata\local\{5A7D9953-A1FC-4D99-908B-12A4DF4E7539}
.
==================== Find3M ====================
.
2011-04-17 01:05:36 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
.
============= FINISH: 14:58:57.53 ===============


Thanks,

Gaz

#14 CatByte


    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 02 June 2011 - 09:26 AM

Hi,

Just some housekeeping to do now, please do the following:

You can delete the TDSSKiller, DDS and GMER logs and programs from your desktop.


NEXT


Follow these steps to uninstall Combofix

  • Click START then RUN
  • Now type Combofix /uninstall in the runbox and click OK. Note the space between the ..X and the /U; it needs to be there.



NEXT

  • Download OTC to your desktop and run it
  • Click Yes to begin the Cleanup process to remove any remaining tools.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.

If any logs remain after using this tool > right click and delete them.

NEXT

Below I have included a number of recommendations for how to protect your computer against malware infections.


  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article:
    Strong passwords: How to create and use them

    Then consider a password keeper, to keep all your passwords safe.
  • Keep Windows updated by regularly checking their website at:
    http://windowsupdate.microsoft.com/
    This will ensure your computer always has the latest available security updates installed.


  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.


  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 20 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE.


  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.
  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:
    Think Prevention.
    PC Safety and Security--What Do I Need?


**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.


Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank you.

Edited by CatByte, 03 June 2011 - 09:53 PM.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
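A PowerShell check for the Internet Explorer ActiveX settings that CatByte's post walks through in Inetcpl.cpl, added here as an example; it is not part of the original thread or of any tool the thread mentions. It reads the per-user Internet zone (zone 3) key and reports which of the three settings differ from the recommended Prompt/Prompt/Disable; the value names 1001, 1004, 1201 and the action codes are Internet Explorer's own, while the -Fix switch and the script structure are this example's.

```powershell
# Added example, not from CatByte's post or any BleepingComputer tool.
# Audits the Internet zone (zone 3) ActiveX settings the post changes via
# Inetcpl.cpl > Security > Custom level, and reports drift. Read-only
# unless -Fix is given.
param([switch]$Fix)

$zone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$base = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# Action codes Internet Explorer stores for each URL action.
$names = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# URL action value name -> description and the action the post recommends.
$wanted = @(
    @{ Name = '1001'; Desc = 'Download signed ActiveX controls';                          Want = 1 },
    @{ Name = '1004'; Desc = 'Download unsigned ActiveX controls';                        Want = 1 },
    @{ Name = '1201'; Desc = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }
)

if (-not (Test-Path $zone)) { throw "Internet zone key not found: $zone" }

# If Security_HKLM_only is set, IE ignores per-user zone settings entirely,
# so a clean HKCU result would be misleading; say so and point at HKLM.
$hklmOnly = (Get-ItemProperty -Path $base -Name Security_HKLM_only -ErrorAction SilentlyContinue).Security_HKLM_only
if ($hklmOnly -eq 1) {
    Write-Warning 'Security_HKLM_only is set: per-user zone settings are ignored; audit the HKLM Zones\3 key instead.'
}

$drift = 0
foreach ($s in $wanted) {
    # A missing value means the zone's built-in default applies.
    $cur = (Get-ItemProperty -Path $zone -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
    $curName = if ($null -eq $cur) { 'not set (zone default)' } else { $names[[int]$cur] }

    if ($cur -eq $s.Want) {
        Write-Host ("OK    {0} ({1}) = {2}" -f $s.Name, $s.Desc, $curName)
        continue
    }
    $drift++
    Write-Host ("DRIFT {0} ({1}) = {2}; recommended {3}" -f $s.Name, $s.Desc, $curName, $names[$s.Want])
    if ($Fix) {
        # Writes the same DWORD the Custom level dialog would; new IE sessions pick it up.
        Set-ItemProperty -Path $zone -Name $s.Name -Value $s.Want -Type DWord
        Write-Host ("      set {0} to {1}" -f $s.Name, $names[$s.Want])
    }
}
Write-Host ("{0} setting(s) differ from the recommendation." -f $drift)
```

Run it without arguments to audit, and with -Fix to apply the three recommended values to the current user's Internet zone.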


#15 CatByte


    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 10 June 2011 - 01:52 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
