
another browser hijacked


46 replies to this topic

#1 ndawelsh

ndawelsh

  • Members
  • 27 posts

Posted 15 June 2011 - 11:05 AM

Hi all, I am new here. I've had a browser hijacker for a while; it's got Firefox and IE. Whenever I type into Google it redirects, blah blah. It also reloads the results page when I click a link... Here's the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 16:53:44, on 15/06/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
C:\WINDOWS\PixArt\PAC7302\Monitor.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\Program Files\Spotmau\secretary\Spotmau_S.exe
C:\Program Files\Roxio 2010\5.0\CPMonitor.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Program Files\Xerox One Touch\OneTouchMon.exe
C:\Program Files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter4.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\LGScsiCommandService.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe
C:\WINDOWS\System32\StkASv2K.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\All Users\Application Data\LGMOBILEAX\B2C_Client\B2CNotiAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.msn.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by MSN & Bing
O2 - BHO: Shareaza Web Download Hook - {0EEDB912-C5FA-486F-8334-57288578C627} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: LinkAirBrowserHelper HistoryTriggerBHO - {21A88CB9-84D2-4020-A2D1-B25A21034884} - C:\Program Files\LG Electronics\LG PC Suite IV\LinkAir\LinkAirBrowserHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: RoboForm BHO - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe 1
O4 - HKLM\..\Run: [PAC7302_Monitor] C:\WINDOWS\PixArt\PAC7302\Monitor.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [SpotmauSecretary] C:\Program Files\Spotmau\secretary\Spotmau_S.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\12.0\SharedCOM\RoxWatchTray12.exe"
O4 - HKLM\..\Run: [CPMonitor] "C:\Program Files\Roxio 2010\5.0\CPMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [OneTouch Monitor] "C:\Program Files\Xerox One Touch\OneTouchMon.exe"
O4 - HKLM\..\Run: [B2C_AGENT] C:\Documents and Settings\All Users\Application Data\LGMOBILEAX\B2C_Client\B2CNotiAgent.exe
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter4.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware (registration)] regsvr32.exe /s "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKLM\..\RunOnce: [InnoSetupRegFile.0000000001] "C:\WINDOWS\is-R140M.exe" /REG /REGSVRMODE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Program Files\eMule\emule.exe -AutoStart
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ExifLauncher2.lnk = C:\Program Files\FinePixViewer\QuickDCF2.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O8 - Extra context menu item: &Search - ?s=100000341&p=GRxdm036YYGB&si=40699&a=0u2yl.JGu.F26UKz.bYP3Q&n=2010072618
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download with &Shareaza - res://C:\Program Files\Shareaza\RazaWebHook32.dll/3000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O15 - Trusted IP range: http://192.168.1.1
O15 - ESC Trusted IP range: http://192.168.1.1
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\ixsso32.dll, C:\WINDOWS\system32\iologmsg32.dll, C:\WINDOWS\system32\ipmontr32.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Roxio SAIB Service (9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269) - Unknown owner - C:\Program Files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LG SCSI command service (LGScsiCommandService) - Mobile Leader Co.,Ltd. - C:\WINDOWS\system32\LGScsiCommandService.exe
O23 - Service: RoxMediaDB12 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\12.0\SharedCOM\RoxMediaDB12.exe
O23 - Service: Roxio Hard Drive Watcher 12 (RoxWatch12) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\12.0\SharedCOM\RoxWatch12.exe
O23 - Service: QoS RSVP (RSVP32) - Unknown owner - C:\WINDOWS\system32\jobexec32.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SpyHunter 4 Service - Enigma Software Group USA, LLC. - C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE
O23 - Service: Start BT in service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe
O23 - Service: Syntek STK1150 Service (StkASSrv) - Syntek America Inc. - C:\WINDOWS\System32\StkASv2K.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 15016 bytes

Edit: Moved topic from XP to the more appropriate forum. ~ Animal
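A HijackThis log like the one above is usually read by hand, but the first pass an analyst makes is mechanical: pull out the entries that reference files which no longer exist, anything listed under AppInit_DLLs (a DLL named there is loaded into every process that links user32.dll, so it is always worth verifying), hard-coded DNS servers, and services with no vendor information living in system32. The script below is an added example written for this page; it is not part of the thread, of HijackThis, or of any BleepingComputer tool. The heuristics, the function names and the `Finding` type are my own, and the sample input is a handful of lines copied from the log posted above. Its output is a worklist for a human to check against known-good software, not a verdict: the ATI Smart line is included precisely because it trips the same "unknown owner in system32" rule as the missing jobexec32.exe service.

```python
"""Triage helper for HijackThis-style logs (added example, not a project tool)."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log posted in this thread,
# chosen so that every heuristic below fires at least once.
SAMPLE_LOG = r"""
O2 - BHO: Shareaza Web Download Hook - {0EEDB912-C5FA-486F-8334-57288578C627} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - AppInit_DLLs: C:\WINDOWS\system32\ixsso32.dll, C:\WINDOWS\system32\iologmsg32.dll, C:\WINDOWS\system32\ipmontr32.dll
O23 - Service: QoS RSVP (RSVP32) - Unknown owner - C:\WINDOWS\system32\jobexec32.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# Every HijackThis entry starts with a section code (R0, R1, O2 ... O23), a dash, then the body.
HJT_LINE = re.compile(r"^(?P<code>[OR]\d+) - (?P<body>.*)$")


@dataclass
class Finding:
    code: str     # HijackThis section code, e.g. "O20"
    reason: str   # which heuristic fired
    detail: str   # the path, DLL or value the analyst should verify


def parse_hjt_line(line):
    """Return (code, body) for an entry line, or None for headers and process lists."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    return m.group("code"), m.group("body")


def triage(log_text):
    """Scan a HijackThis log and return a worklist of entries that need verification."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_hjt_line(raw)
        if parsed is None:
            continue
        code, body = parsed

        # Registrations that point at files which are gone: leftovers of an uninstall,
        # or of a removal tool that deleted the payload but not the loading point.
        if "(no file)" in body or "(file missing)" in body:
            findings.append(Finding(code, "orphaned_reference", body))

        # AppInit_DLLs is loaded into every GUI process; list each DLL separately.
        if code == "O20" and body.startswith("AppInit_DLLs:"):
            for dll in body.split(":", 1)[1].split(","):
                if dll.strip():
                    findings.append(Finding(code, "appinit_dll", dll.strip()))

        # A NameServer value fixed in the registry overrides DHCP; confirm the user set it.
        if code == "O17" and "NameServer" in body:
            findings.append(Finding(code, "dns_override", body.split("=", 1)[1].strip()))

        # Services with no vendor string whose binary sits in system32 blend in with
        # Windows' own components and deserve a hash or signature check.
        if code == "O23" and "Unknown owner" in body and "system32" in body.lower():
            findings.append(Finding(code, "unknown_owner_service_in_system32", body))
    return findings


def summarize(findings):
    """Count findings per heuristic, so a long log can be sized up at a glance."""
    return dict(Counter(f.reason for f in findings))


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f.code:<4} {f.reason:<36} {f.detail}")
    print(summarize(results))
```

Running the script over a full log produces one line per item to verify; the counts from `summarize` make it obvious when, say, a dozen AppInit DLLs or orphaned services are present, which is a stronger signal than any single entry. Nothing here decides that an entry is malicious; it narrows the list the helper (or the machine's owner) has to look up.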


#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 17 June 2011 - 08:21 PM

Hi,

Please do the following:

Please download DDS from either of these links

LINK 1
LINK 2

and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds to run the tool.
  • When done, two DDS.txt's will open.
  • Save both reports to your desktop.
---------------------------------------------------
Please include the contents of the following in your next reply:

DDS.txt
Attach.txt


NEXT

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 ndawelsh

ndawelsh
  • Topic Starter

  • Members
  • 27 posts

Posted 18 June 2011 - 07:44 AM

As requested, all 3 files are attached. Thank you for your time.




#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 18 June 2011 - 08:31 AM

Hi,

Please do the following:


Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • Only if malicious objects are found, ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)



NEXT


Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.



#5 ndawelsh

ndawelsh
  • Topic Starter

  • Members
  • 27 posts

Posted 18 June 2011 - 09:40 AM

OK, TDSSKiller would not run, so I carried on with ComboFix. Here is the log:
ComboFix 11-06-17.04 - Administrator 18/06/2011 15:13:54.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3071.2590 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Application Data\hkey_local_machine.reg
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1e4x8af1.default\extensions\{f8833913-a52a-4454-b2d9-569df4a26344}
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1e4x8af1.default\extensions\{f8833913-a52a-4454-b2d9-569df4a26344}\chrome.manifest
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1e4x8af1.default\extensions\{f8833913-a52a-4454-b2d9-569df4a26344}\chrome\xulcache.jar
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1e4x8af1.default\extensions\{f8833913-a52a-4454-b2d9-569df4a26344}\defaults\preferences\xulcache.js
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1e4x8af1.default\extensions\{f8833913-a52a-4454-b2d9-569df4a26344}\install.rdf
c:\documents and settings\Administrator\Recent\Thumbs.db
c:\documents and settings\Administrator\WINDOWS
c:\progra~1\TEXTBR~1.0\Bin\REGIST~1.EXE
c:\program files\IEToolbar
C:\sysmon
c:\windows\system\WINSPOOL.DRV
c:\windows\system32\1056402210
c:\windows\system32\1056402210\new.i0.kwd
c:\windows\system32\1056402210\new.i1.kwd
c:\windows\system32\1056402210\new.i2.kwd
c:\windows\system32\1056402210\new.i3
c:\windows\system32\1056402210\new.i3.kwd
c:\windows\system32\1056402210\new.i4.kwd
c:\windows\system32\1056402210\new.i5.kwd
c:\windows\system32\1056402210\new.i6.kwd
c:\windows\system32\1056402210\new.i7.kwd
c:\windows\system32\325229018
c:\windows\system32\325229018\frt0.rar
c:\windows\system32\325229018\frt0.rar.ver
c:\windows\system32\325229018\frt1.rar
c:\windows\system32\325229018\frt1.rar.ver
c:\windows\system32\325229018\frt10.rar
c:\windows\system32\325229018\frt10.rar.ver
c:\windows\system32\325229018\frt11.rar
c:\windows\system32\325229018\frt11.rar.ver
c:\windows\system32\325229018\frt12.rar
c:\windows\system32\325229018\frt12.rar.ver
c:\windows\system32\325229018\frt13.rar
c:\windows\system32\325229018\frt13.rar.ver
c:\windows\system32\325229018\frt14.rar
c:\windows\system32\325229018\frt14.rar.ver
c:\windows\system32\325229018\frt15.rar
c:\windows\system32\325229018\frt15.rar.ver
c:\windows\system32\325229018\frt2.rar
c:\windows\system32\325229018\frt2.rar.ver
c:\windows\system32\325229018\frt3.rar
c:\windows\system32\325229018\frt3.rar.ver
c:\windows\system32\325229018\frt4.rar
c:\windows\system32\325229018\frt4.rar.ver
c:\windows\system32\325229018\frt5.rar
c:\windows\system32\325229018\frt5.rar.ver
c:\windows\system32\325229018\frt6.rar
c:\windows\system32\325229018\frt6.rar.ver
c:\windows\system32\325229018\frt7.rar
c:\windows\system32\325229018\frt7.rar.ver
c:\windows\system32\325229018\frt8.rar
c:\windows\system32\325229018\frt8.rar.ver
c:\windows\system32\325229018\frt9.rar
c:\windows\system32\325229018\frt9.rar.ver
c:\windows\system32\spool\prtprocs\w32x86\ppbiPr.dll
.
c:\windows\system32\msgsvc.dll . . . is infected!!
.
c:\windows\system32\winlogon.exe . . . is infected!!
.
Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected
Restored copy from - Kitty had a snack :P
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_SSHNAS
.
.
((((((((((((((((((((((((( Files Created from 2011-05-18 to 2011-06-18 )))))))))))))))))))))))))))))))
.
.
2011-06-17 17:44 . 2011-06-17 17:44 -------- d-----w- c:\program files\Common Files\Skype
2011-06-17 17:44 . 2011-06-17 17:44 -------- d-----r- c:\program files\Skype
2011-06-15 15:51 . 2011-06-15 15:51 388096 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-06-15 15:51 . 2011-06-15 15:51 -------- d-----w- c:\program files\Trend Micro
2011-06-14 16:33 . 2011-06-14 16:33 110080 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{4FC9DA9D-F608-454E-8191-D7EFFDCC5726}\IconF7A21AF7.exe
2011-06-14 16:33 . 2011-06-14 16:33 110080 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{4FC9DA9D-F608-454E-8191-D7EFFDCC5726}\IconD7F16134.exe
2011-06-14 16:33 . 2011-06-14 16:33 -------- d-----w- c:\windows\4FC9DA9DF608454E8191D7EFFDCC5726.TMP
2011-06-14 16:24 . 2011-06-14 16:33 -------- d-----w- C:\sh4ldr
2011-06-14 16:24 . 2011-06-14 16:24 -------- d-----w- c:\program files\Enigma Software Group
2011-06-14 16:23 . 2011-06-14 16:31 -------- d-----w- c:\windows\820C0EEB9B124AD5B39DD15ED1DBDD06.TMP
2011-06-14 16:23 . 2011-06-14 16:33 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2011-06-13 20:15 . 2011-06-13 20:15 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Thinstall
2011-06-13 20:15 . 2011-06-13 20:15 -------- d-----w- c:\documents and settings\Administrator\Application Data\Thinstall
2011-06-12 21:43 . 2011-06-12 21:43 404640 ---ha-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-11 13:30 . 2011-06-11 13:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\WinCare2009
2011-06-02 22:35 . 2011-06-11 11:07 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM
2011-06-02 22:35 . 2011-06-10 18:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype Extras
2011-06-02 22:34 . 2011-06-17 17:44 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2011-06-02 22:33 . 2011-06-17 17:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2011-06-01 15:23 . 2011-06-01 15:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-06-01 15:22 . 2011-05-29 08:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-01 15:22 . 2011-06-01 15:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-06-01 15:22 . 2011-06-16 07:31 -------- d--h--w- c:\program files\Malwarebytes' Anti-Malware
2011-05-31 20:06 . 2011-05-31 20:06 -------- d-----w- C:\LGMobileUpgrade
2011-05-31 19:58 . 2011-05-31 19:58 -------- d-----w- C:\ifx
2011-05-31 19:58 . 2010-05-12 11:23 16896 ---ha-w- c:\windows\system32\drivers\FlashUSB.sys
2011-05-31 19:58 . 2011-05-31 19:58 -------- d-----w- C:\LG_USB
2011-05-31 19:55 . 2006-05-04 07:33 53248 ---ha-w- c:\windows\system32\CommonDL.dll
2011-05-31 19:55 . 2005-10-04 00:39 44544 ---ha-w- c:\windows\system32\msxml4a.dll
2011-05-31 19:55 . 2011-05-31 19:56 -------- d-----w- c:\documents and settings\All Users\Application Data\LGMOBILEAX
2011-05-31 19:47 . 2011-05-31 19:47 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\LG Electronics
2011-05-31 19:43 . 2011-05-31 19:46 -------- d--h--w- c:\program files\LG Electronics
2011-05-31 19:42 . 2010-03-05 09:50 47616 ---ha-r- c:\windows\system32\LGScsiCommandService.exe
2011-05-31 19:42 . 2009-09-23 07:05 24576 ---ha-r- c:\windows\system32\SendScsiCmd.dll
2011-05-29 11:33 . 2011-06-02 19:18 -------- d--h--w- c:\program files\Spybot - Search & Destroy
2011-05-29 11:33 . 2011-06-01 17:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-05-28 16:17 . 2009-10-29 07:46 78336 ---ha-w- c:\windows\system32\ieencode.dll
2011-05-28 16:17 . 2009-10-29 07:46 78336 ---ha-w- c:\windows\system32\dllcache\ieencode.dll
2011-05-26 17:58 . 2011-05-26 19:50 -------- d--h--w- c:\program files\Simple Port Forwarding
2011-05-26 17:58 . 2011-05-26 17:58 -------- d--h--w- c:\windows\Simple Port Forwarding
2011-05-26 16:43 . 2011-05-28 21:26 -------- d--h--w- c:\program files\PFConfig
2011-05-25 21:19 . 2011-05-25 21:19 -------- d--h--w- c:\program files\ipCmUEemp3bjZ5
2011-05-24 15:39 . 2011-05-24 15:39 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Spotmau
2011-05-22 17:33 . 2011-05-22 17:33 203776 --sh--w- c:\windows\system32\unrar.exe
2011-05-21 20:03 . 2011-06-03 16:27 -------- d--h--w- c:\program files\ElcomSoft
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-25 21:42 . 2010-09-10 10:17 17480 ---ha-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-05-14 10:15 . 2011-05-14 10:11 270336 ---ha-w- c:\windows\IHelper.exe
2011-05-13 19:54 . 2011-05-13 19:54 573440 ---ha-w- c:\windows\uninstal.exe
2011-04-13 15:27 . 2011-04-13 15:27 0 ----a-w- c:\documents and settings\Administrator\ygjknvvdkm.tmp
2011-04-08 11:28 . 2011-04-08 11:28 41872 ---ha-w- c:\windows\system32\xfcodec.dll
2011-04-14 16:26 . 2011-05-29 11:17 142296 ---ha-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2002-12-31 . 679A7259741F6A09994F02CE261B5F2E . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-10-07 328056]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2011-05-01 107000]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-05-26 15147400]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2002-12-31 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-10-04 48752]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-11-15 85744]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"HDAudDeck"="c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe" [2009-06-01 33624064]
"PAC7302_Monitor"="c:\windows\PixArt\PAC7302\Monitor.exe" [2006-11-03 319488]
"EPSON Stylus Photo R300 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE" [2003-06-04 99840]
"SpotmauSecretary"="c:\program files\Spotmau\secretary\Spotmau_S.exe" [2009-11-25 627200]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\12.0\SharedCOM\RoxWatchTray12.exe" [2009-07-24 240112]
"CPMonitor"="c:\program files\Roxio 2010\5.0\CPMonitor.exe" [2009-07-21 84464]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"IndexSearch"="c:\program files\Scansoft\PaperPort\IndexSearch.exe" [2002-09-23 36864]
"OneTouch Monitor"="c:\program files\Xerox One Touch\OneTouchMon.exe" [2003-06-12 86016]
"B2C_AGENT"="c:\documents and settings\All Users\Application Data\LGMOBILEAX\B2C_Client\B2CNotiAgent.exe" [2011-06-15 404568]
"SpyHunter Security Suite"="c:\program files\Enigma Software Group\SpyHunter\SpyHunter4.exe" [2011-06-14 3021720]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2002-12-31 15360]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
ExifLauncher2.lnk - c:\program files\FinePixViewer\QuickDCF2.exe [2009-12-27 303104]
Xfire.lnk - c:\program files\Xfire\Xfire.exe [2011-4-8 3510160]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
2002-12-31 12:00 110592 ---ha-w- c:\windows\system32\bthprops.cpl
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eraser RiskMonitor]
2008-11-03 14:25 44192 ----a-w- c:\program files\East-Tec Eraser 2010\Launch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HitmanPro35]
2010-05-30 04:42 5937984 ----a-w- c:\program files\Hitman Pro 3.5\HitmanPro35.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-12-27 18:39 1242448 ---ha-w- c:\program files\Steam\steam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2010-10-07 13:38 328056 ---ha-w- c:\program files\uTorrent\uTorrent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UVS10 Preload]
2006-08-09 13:27 36864 ---ha-w- c:\program files\Ulead Systems\Ulead VideoStudio SE DVD\uvPL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\mohaa\\Medal.Of.Honour.Deluxe(djDEVASTATE™)\\moh_Breakthrough.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\fallout new vegas\\FalloutNVLauncher.exe"=
"c:\\Program Files\\Simple Port Forwarding\\spf.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R0 SahdIa32;HDD Filter Driver;c:\windows\system32\drivers\SahdIa32.sys [12/01/2011 22:43 21488]
R0 SaibIa32;Volume Filter Driver;c:\windows\system32\drivers\SaibIa32.sys [12/01/2011 22:43 15856]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [04/11/2010 19:36 697328]
R1 SaibVd32;Virtual Disk Driver;c:\windows\system32\drivers\SaibVd32.sys [12/01/2011 22:43 25584]
R2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe [02/06/2009 20:05 457200]
R2 LGScsiCommandService;LG SCSI command service;c:\windows\system32\LGScsiCommandService.exe [31/05/2011 20:42 47616]
R2 SpyHunter 4 Service;SpyHunter 4 Service;c:\progra~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [18/05/2010 17:06 327064]
R2 Start BT in service;Start BT in service;c:\program files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe [27/12/2007 15:39 51816]
R2 supersafer;supersafer;c:\windows\system32\drivers\supersafer.sys [16/11/2010 20:04 354176]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [13/05/2011 20:03 105592]
R3 LgBttPort;LGE Bluetooth TransPort;c:\windows\system32\drivers\lgbtport.sys [29/09/2009 08:11 12160]
R3 lgbusenum;LG Bluetooth Bus Enumerator;c:\windows\system32\drivers\lgbtbus.sys [29/09/2009 08:11 10496]
R3 LGVMODEM;LGE Virtual Modem;c:\windows\system32\drivers\lgvmodem.sys [29/09/2009 08:11 12928]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [16/12/2009 20:08 1358720]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [02/01/2010 21:08 135664]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [01/06/2011 16:22 366640]
S2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files\Common Files\Roxio Shared\12.0\SharedCOM\RoxWatch12.exe [24/07/2009 09:33 219632]
S2 RSVP32;QoS RSVP ;c:\windows\system32\jobexec32.exe --> c:\windows\system32\jobexec32.exe [?]
S3 FlashUSB;FlashUSB;c:\windows\system32\drivers\FlashUSB.sys [31/05/2011 20:58 16896]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [02/01/2010 21:08 135664]
S3 MBAMProtector;MBAMProtector;\??\c:\windows\system32\drivers\mbam.sys --> c:\windows\system32\drivers\mbam.sys [?]
S3 pwdrvio;pwdrvio;c:\windows\system32\pwdrvio.sys [10/10/2010 17:35 16472]
S3 pwdspio;pwdspio;c:\windows\system32\pwdspio.sys [10/10/2010 17:35 11104]
S3 RoxMediaDB12;RoxMediaDB12;c:\program files\Common Files\Roxio Shared\12.0\SharedCOM\RoxMediaDB12.exe [24/07/2009 09:33 1116656]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [15/11/2005 14:27 169200]
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
2010-09-19 c:\windows\Tasks\debutShakeIcon.job
- c:\program files\NCH Software\Debut\debut.exe [2010-08-04 15:41]
.
2011-06-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-02 20:08]
.
2011-06-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-02 20:08]
.
2011-06-18 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 15:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Download with &Shareaza - c:\program files\Shareaza\RazaWebHook32.dll/3000
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1e4x8af1.default\
FF - prefs.js: network.proxy.type - 0
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-LG LinkAir - (no file)
HKCU-Run-eMuleAutoStart - c:\program files\eMule\emule.exe
HKLM-Run-RegisterDropHandler - c:\progra~1\TEXTBR~1.0\Bin\REGIST~1.EXE
MSConfigStartUp-LightScribe Control Panel - c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-18 15:26
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HDAudDeck = c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe 1????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-861567501-1563985344-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,89,bb,57,0e,42,cb,03,42,b7,03,d1,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,89,bb,57,0e,42,cb,03,42,b7,03,d1,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,89,bb,57,0e,42,cb,03,42,b7,03,d1,\
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\WPAEvents]
@Denied: (Full) (LocalSystem)
"OOBETimer"=hex:4f,22,38,73,2f,af,8d,99,21,1e,b6,f0
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(816)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(3808)
c:\windows\system32\WININET.dll
c:\progra~1\TEXTBR~1.0\Bin\TBMHOOK.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\IVT Corporation\BlueSoleil\BTNtService.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\System32\StkASv2K.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\progra~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-06-18 15:31:55 - machine was rebooted
ComboFix-quarantined-files.txt 2011-06-18 14:31
.
Pre-Run: 65,082,855,424 bytes free
Post-Run: 65,430,392,832 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer
.
- - End Of File - - A0DDC6F0C4FAF04DD5D809CB94BAEAE2


I then got TDSSKiller to run, and here is that log:

2011/06/18 15:35:30.0046 1224 TDSS rootkit removing tool 2.5.5.0 Jun 16 2011 15:25:15
2011/06/18 15:35:30.0218 1224 ================================================================================
2011/06/18 15:35:30.0218 1224 SystemInfo:
2011/06/18 15:35:30.0218 1224
2011/06/18 15:35:30.0218 1224 OS Version: 5.1.2600 ServicePack: 3.0
2011/06/18 15:35:30.0218 1224 Product type: Workstation
2011/06/18 15:35:30.0218 1224 ComputerName: USER-E808115596
2011/06/18 15:35:30.0218 1224 UserName: Administrator
2011/06/18 15:35:30.0218 1224 Windows directory: C:\WINDOWS
2011/06/18 15:35:30.0218 1224 System windows directory: C:\WINDOWS
2011/06/18 15:35:30.0218 1224 Processor architecture: Intel x86
2011/06/18 15:35:30.0218 1224 Number of processors: 2
2011/06/18 15:35:30.0218 1224 Page size: 0x1000
2011/06/18 15:35:30.0218 1224 Boot type: Normal boot
2011/06/18 15:35:30.0218 1224 ================================================================================
2011/06/18 15:35:31.0218 1224 Initialize success
2011/06/18 15:35:35.0234 2612 ================================================================================
2011/06/18 15:35:35.0234 2612 Scan started
2011/06/18 15:35:35.0234 2612 Mode: Manual;
2011/06/18 15:35:35.0234 2612 ================================================================================
2011/06/18 15:35:44.0843 2612 sptd (c4bb8a12843d9cbb65f5ff617f389bbd) C:\WINDOWS\system32\Drivers\sptd.sys
2011/06/18 15:35:44.0843 2612 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: c4bb8a12843d9cbb65f5ff617f389bbd
2011/06/18 15:35:44.0859 2612 sptd - detected LockedFile.Multi.Generic (1)
2011/06/18 15:35:47.0968 2612 ================================================================================
2011/06/18 15:35:47.0968 2612 Scan finished
2011/06/18 15:35:47.0968 2612 ================================================================================
2011/06/18 15:35:47.0984 3644 Detected object count: 1
2011/06/18 15:35:47.0984 3644 Actual detected object count: 1
2011/06/18 15:36:03.0187 3644 LockedFile.Multi.Generic(sptd) - User select action: Skip
2011/06/18 15:36:12.0046 1480 Deinitialize success

#6 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 18 June 2011 - 10:55 AM

Hi,

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run, type Notepad, click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

Folder::
c:\windows\4FC9DA9DF608454E8191D7EFFDCC5726.TMP
c:\windows\820C0EEB9B124AD5B39DD15ED1DBDD06.TMP

File::
c:\documents and settings\Administrator\ygjknvvdkm.tmp

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop. Save this as "CFScript"


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



NEXT



  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Note: You will need to use Internet explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE, name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 ndawelsh

ndawelsh
  • Topic Starter

  • Members
  • 27 posts

Posted 18 June 2011 - 01:27 PM

ComboFix 11-06-17.04 - Administrator 18/06/2011 19:09:04.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3071.2410 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
.
FILE ::
"c:\documents and settings\Administrator\ygjknvvdkm.tmp"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\ygjknvvdkm.tmp
c:\windows\4FC9DA9DF608454E8191D7EFFDCC5726.TMP
c:\windows\4FC9DA9DF608454E8191D7EFFDCC5726.TMP\WiseCustomCalla11.exe
c:\windows\820C0EEB9B124AD5B39DD15ED1DBDD06.TMP
c:\windows\820C0EEB9B124AD5B39DD15ED1DBDD06.TMP\WiseCustomCall.dll
c:\windows\820C0EEB9B124AD5B39DD15ED1DBDD06.TMP\WiseCustomCalla.dll
c:\windows\820C0EEB9B124AD5B39DD15ED1DBDD06.TMP\WiseCustomCalla17.dll
c:\windows\820C0EEB9B124AD5B39DD15ED1DBDD06.TMP\WiseCustomCalla18.exe
c:\windows\820C0EEB9B124AD5B39DD15ED1DBDD06.TMP\WiseCustomCalla19.dll
c:\windows\820C0EEB9B124AD5B39DD15ED1DBDD06.TMP\WiseCustomCalla2.dll
c:\windows\820C0EEB9B124AD5B39DD15ED1DBDD06.TMP\WiseCustomCalla20.dll
c:\windows\820C0EEB9B124AD5B39DD15ED1DBDD06.TMP\WiseCustomCalla21.dll
c:\windows\820C0EEB9B124AD5B39DD15ED1DBDD06.TMP\WiseCustomCalla21.exe
c:\windows\820C0EEB9B124AD5B39DD15ED1DBDD06.TMP\WiseData.ini
.
Infected copy of c:\windows\system32\msgsvc.dll was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\msgsvc.dll
.
c:\windows\system32\winlogon.exe . . . is infected!!
.
.
((((((((((((((((((((((((( Files Created from 2011-05-18 to 2011-06-18 )))))))))))))))))))))))))))))))
.
.
2011-06-18 18:02 . 2011-06-18 18:02 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\NPE
2011-06-18 18:02 . 2011-06-18 18:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2011-06-17 17:44 . 2011-06-17 17:44 -------- d-----w- c:\program files\Common Files\Skype
2011-06-17 17:44 . 2011-06-17 17:44 -------- d-----r- c:\program files\Skype
2011-06-15 15:51 . 2011-06-15 15:51 388096 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-06-15 15:51 . 2011-06-15 15:51 -------- d-----w- c:\program files\Trend Micro
2011-06-14 16:33 . 2011-06-14 16:33 110080 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{4FC9DA9D-F608-454E-8191-D7EFFDCC5726}\IconF7A21AF7.exe
2011-06-14 16:33 . 2011-06-14 16:33 110080 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{4FC9DA9D-F608-454E-8191-D7EFFDCC5726}\IconD7F16134.exe
2011-06-14 16:24 . 2011-06-14 16:33 -------- d-----w- C:\sh4ldr
2011-06-14 16:24 . 2011-06-14 16:24 -------- d-----w- c:\program files\Enigma Software Group
2011-06-14 16:23 . 2011-06-14 16:33 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2011-06-13 20:15 . 2011-06-13 20:15 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Thinstall
2011-06-13 20:15 . 2011-06-13 20:15 -------- d-----w- c:\documents and settings\Administrator\Application Data\Thinstall
2011-06-12 21:43 . 2011-06-12 21:43 404640 ---ha-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-11 13:30 . 2011-06-11 13:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\WinCare2009
2011-06-02 22:35 . 2011-06-11 11:07 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM
2011-06-02 22:35 . 2011-06-10 18:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype Extras
2011-06-02 22:34 . 2011-06-17 17:44 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2011-06-02 22:33 . 2011-06-17 17:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2011-06-01 15:23 . 2011-06-01 15:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-06-01 15:22 . 2011-05-29 08:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-01 15:22 . 2011-06-01 15:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-06-01 15:22 . 2011-06-16 07:31 -------- d--h--w- c:\program files\Malwarebytes' Anti-Malware
2011-05-31 20:06 . 2011-05-31 20:06 -------- d-----w- C:\LGMobileUpgrade
2011-05-31 19:58 . 2011-05-31 19:58 -------- d-----w- C:\ifx
2011-05-31 19:58 . 2010-05-12 11:23 16896 ---ha-w- c:\windows\system32\drivers\FlashUSB.sys
2011-05-31 19:58 . 2011-05-31 19:58 -------- d-----w- C:\LG_USB
2011-05-31 19:55 . 2006-05-04 07:33 53248 ---ha-w- c:\windows\system32\CommonDL.dll
2011-05-31 19:55 . 2005-10-04 00:39 44544 ---ha-w- c:\windows\system32\msxml4a.dll
2011-05-31 19:55 . 2011-05-31 19:56 -------- d-----w- c:\documents and settings\All Users\Application Data\LGMOBILEAX
2011-05-31 19:47 . 2011-05-31 19:47 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\LG Electronics
2011-05-31 19:43 . 2011-05-31 19:46 -------- d--h--w- c:\program files\LG Electronics
2011-05-31 19:42 . 2010-03-05 09:50 47616 ---ha-r- c:\windows\system32\LGScsiCommandService.exe
2011-05-31 19:42 . 2009-09-23 07:05 24576 ---ha-r- c:\windows\system32\SendScsiCmd.dll
2011-05-29 11:33 . 2011-06-02 19:18 -------- d--h--w- c:\program files\Spybot - Search & Destroy
2011-05-29 11:33 . 2011-06-01 17:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-05-28 16:17 . 2009-10-29 07:46 78336 ---ha-w- c:\windows\system32\ieencode.dll
2011-05-28 16:17 . 2009-10-29 07:46 78336 ---ha-w- c:\windows\system32\dllcache\ieencode.dll
2011-05-26 17:58 . 2011-05-26 19:50 -------- d--h--w- c:\program files\Simple Port Forwarding
2011-05-26 17:58 . 2011-05-26 17:58 -------- d--h--w- c:\windows\Simple Port Forwarding
2011-05-26 16:43 . 2011-05-28 21:26 -------- d--h--w- c:\program files\PFConfig
2011-05-25 21:19 . 2011-05-25 21:19 -------- d--h--w- c:\program files\ipCmUEemp3bjZ5
2011-05-24 15:39 . 2011-05-24 15:39 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Spotmau
2011-05-22 17:33 . 2011-05-22 17:33 203776 --sh--w- c:\windows\system32\unrar.exe
2011-05-21 20:03 . 2011-06-03 16:27 -------- d--h--w- c:\program files\ElcomSoft
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-25 21:42 . 2010-09-10 10:17 17480 ---ha-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-05-14 10:15 . 2011-05-14 10:11 270336 ---ha-w- c:\windows\IHelper.exe
2011-05-13 19:54 . 2011-05-13 19:54 573440 ---ha-w- c:\windows\uninstal.exe
2011-04-08 11:28 . 2011-04-08 11:28 41872 ---ha-w- c:\windows\system32\xfcodec.dll
2011-04-14 16:26 . 2011-05-29 11:17 142296 ---ha-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2002-12-31 . 679A7259741F6A09994F02CE261B5F2E . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-10-07 328056]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2011-05-01 107000]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-05-26 15147400]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2002-12-31 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"HDAudDeck"="c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe" [2009-06-01 33624064]
"PAC7302_Monitor"="c:\windows\PixArt\PAC7302\Monitor.exe" [2006-11-03 319488]
"EPSON Stylus Photo R300 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE" [2003-06-04 99840]
"SpotmauSecretary"="c:\program files\Spotmau\secretary\Spotmau_S.exe" [2009-11-25 627200]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\12.0\SharedCOM\RoxWatchTray12.exe" [2009-07-24 240112]
"CPMonitor"="c:\program files\Roxio 2010\5.0\CPMonitor.exe" [2009-07-21 84464]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"IndexSearch"="c:\program files\Scansoft\PaperPort\IndexSearch.exe" [2002-09-23 36864]
"OneTouch Monitor"="c:\program files\Xerox One Touch\OneTouchMon.exe" [2003-06-12 86016]
"B2C_AGENT"="c:\documents and settings\All Users\Application Data\LGMOBILEAX\B2C_Client\B2CNotiAgent.exe" [2011-06-15 404568]
"SpyHunter Security Suite"="c:\program files\Enigma Software Group\SpyHunter\SpyHunter4.exe" [2011-06-14 3021720]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2002-12-31 15360]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
ExifLauncher2.lnk - c:\program files\FinePixViewer\QuickDCF2.exe [2009-12-27 303104]
Xfire.lnk - c:\program files\Xfire\Xfire.exe [2011-4-8 3510160]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
2002-12-31 12:00 110592 ---ha-w- c:\windows\system32\bthprops.cpl
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eraser RiskMonitor]
2008-11-03 14:25 44192 ----a-w- c:\program files\East-Tec Eraser 2010\Launch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HitmanPro35]
2010-05-30 04:42 5937984 ----a-w- c:\program files\Hitman Pro 3.5\HitmanPro35.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-12-27 18:39 1242448 ---ha-w- c:\program files\Steam\steam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2010-10-07 13:38 328056 ---ha-w- c:\program files\uTorrent\uTorrent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UVS10 Preload]
2006-08-09 13:27 36864 ---ha-w- c:\program files\Ulead Systems\Ulead VideoStudio SE DVD\uvPL.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\mohaa\\Medal.Of.Honour.Deluxe(djDEVASTATE™)\\moh_Breakthrough.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\fallout new vegas\\FalloutNVLauncher.exe"=
"c:\\Program Files\\Simple Port Forwarding\\spf.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R0 SahdIa32;HDD Filter Driver;c:\windows\system32\drivers\SahdIa32.sys [12/01/2011 22:43 21488]
R0 SaibIa32;Volume Filter Driver;c:\windows\system32\drivers\SaibIa32.sys [12/01/2011 22:43 15856]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [04/11/2010 19:36 697328]
R1 SaibVd32;Virtual Disk Driver;c:\windows\system32\drivers\SaibVd32.sys [12/01/2011 22:43 25584]
R2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe [02/06/2009 20:05 457200]
R2 LGScsiCommandService;LG SCSI command service;c:\windows\system32\LGScsiCommandService.exe [31/05/2011 20:42 47616]
R2 SpyHunter 4 Service;SpyHunter 4 Service;c:\progra~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [18/05/2010 17:06 327064]
R2 Start BT in service;Start BT in service;c:\program files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe [27/12/2007 15:39 51816]
R2 supersafer;supersafer;c:\windows\system32\drivers\supersafer.sys [16/11/2010 20:04 354176]
R3 LgBttPort;LGE Bluetooth TransPort;c:\windows\system32\drivers\lgbtport.sys [29/09/2009 08:11 12160]
R3 lgbusenum;LG Bluetooth Bus Enumerator;c:\windows\system32\drivers\lgbtbus.sys [29/09/2009 08:11 10496]
R3 LGVMODEM;LGE Virtual Modem;c:\windows\system32\drivers\lgvmodem.sys [29/09/2009 08:11 12928]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [16/12/2009 20:08 1358720]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [02/01/2010 21:08 135664]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [01/06/2011 16:22 366640]
S2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files\Common Files\Roxio Shared\12.0\SharedCOM\RoxWatch12.exe [24/07/2009 09:33 219632]
S2 RSVP32;QoS RSVP ;c:\windows\system32\jobexec32.exe --> c:\windows\system32\jobexec32.exe [?]
S3 FlashUSB;FlashUSB;c:\windows\system32\drivers\FlashUSB.sys [31/05/2011 20:58 16896]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [02/01/2010 21:08 135664]
S3 MBAMProtector;MBAMProtector;\??\c:\windows\system32\drivers\mbam.sys --> c:\windows\system32\drivers\mbam.sys [?]
S3 pwdrvio;pwdrvio;c:\windows\system32\pwdrvio.sys [10/10/2010 17:35 16472]
S3 pwdspio;pwdspio;c:\windows\system32\pwdspio.sys [10/10/2010 17:35 11104]
S3 RoxMediaDB12;RoxMediaDB12;c:\program files\Common Files\Roxio Shared\12.0\SharedCOM\RoxMediaDB12.exe [24/07/2009 09:33 1116656]
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
2010-09-19 c:\windows\Tasks\debutShakeIcon.job
- c:\program files\NCH Software\Debut\debut.exe [2010-08-04 15:41]
.
2011-06-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-02 20:08]
.
2011-06-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-02 20:08]
.
2011-06-18 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 15:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Download with &Shareaza - c:\program files\Shareaza\RazaWebHook32.dll/3000
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1e4x8af1.default\
FF - prefs.js: network.proxy.type - 0
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -
.
Notify-NavLogon - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-18 19:20
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HDAudDeck = c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe 1????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-861567501-1563985344-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,89,bb,57,0e,42,cb,03,42,b7,03,d1,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,89,bb,57,0e,42,cb,03,42,b7,03,d1,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,89,bb,57,0e,42,cb,03,42,b7,03,d1,\
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\WPAEvents]
@Denied: (Full) (LocalSystem)
"OOBETimer"=hex:4f,22,38,73,2f,af,8d,99,21,1e,b6,f0
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(788)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(3892)
c:\windows\system32\WININET.dll
c:\program files\Xfire\xfire_toucan_44183.dll
c:\progra~1\TEXTBR~1.0\Bin\TBMHOOK.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\IVT Corporation\BlueSoleil\BTNtService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\System32\StkASv2K.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\progra~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
c:\windows\system32\wscntfy.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
.
**************************************************************************
.
Completion time: 2011-06-18 19:23:57 - machine was rebooted
ComboFix-quarantined-files.txt 2011-06-18 18:23
ComboFix2.txt 2011-06-18 14:31
.
Pre-Run: 66,110,255,104 bytes free
Post-Run: 66,101,305,344 bytes free
.
- - End Of File - - 097F7D2F0C88FF968BFF7C2E16D0D6D1


Doing second stage now, Malwarebytes.

#8 ndawelsh

ndawelsh
  • Topic Starter

  • Members
  • 27 posts

Posted 18 June 2011 - 01:57 PM

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6888

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

18/06/2011 19:31:17
mbam-log-2011-06-18 (19-31-17).txt

Scan type: Quick scan
Objects scanned: 153107
Time elapsed: 2 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#9 ndawelsh

ndawelsh
  • Topic Starter

  • Members
  • 27 posts

Posted 18 June 2011 - 02:45 PM

ESET scan


C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\52\4fc58734-488420c2 a variant of Java/Exploit.Agent.NAL trojan
C:\Program Files\ipCmUEemp3bjZ5\URGyZsbIq.cpl a variant of Win32/Sefnit.BE trojan
C:\Program Files\IWONGEI\Installr\1.bin\9uEIPlug.dll a variant of Win32/Toolbar.MyWebSearch application
C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1e4x8af1.default\extensions\{f8833913-a52a-4454-b2d9-569df4a26344}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan

Edited by ndawelsh, 18 June 2011 - 02:46 PM.


#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 18 June 2011 - 04:09 PM

Hi

Please do the following:

First: show hidden files and folders

  • Double-click My Computer.
  • Click the Tools menu, and then click Folder Options.
  • Click the View tab.
  • Clear "Hide file extensions for known file types."
  • Under the "Hidden files" folder, select "Show hidden files and folders."
  • Clear "Hide protected operating system files."
  • Click Apply, and then click OK.


Next: Navigate to the following file

c:\windows\system32\winlogon.exe

Right-click on winlogon.exe > rename it to winlogon.exe.vir

Wait five seconds, then press F5 to refresh.

Windows File Protection should create a new, clean winlogon.

Make certain a new winlogon.exe is created; if it isn't, you will have to rename the infected one back from winlogon.exe.vir to winlogon.exe.


Now run ComboFix with the following script (don't reboot):


  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run, type Notepad, click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

http://www.bleepingcomputer.com/forums/topic403968.html/page__view__findpost__p__2297882

Collect::
C:\Program Files\ipCmUEemp3bjZ5\URGyZsbIq.cpl 
C:\Program Files\IWONGEI\Installr\1.bin\9uEIPlug.dll 

File::
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\52\4fc58734-488420c2 


Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop. Save this as "CFScript"


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015

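The rename-and-refresh step above relies on Windows File Protection replacing winlogon.exe from its cache, and the earlier ComboFix log flagged the same file under Sigcheck with "[-]" (unsigned or modified) and restored msgsvc.dll from a cache copy. The following PowerShell script is an added example, not part of the thread and not CatByte's or ComboFix's code: it hashes the live copy of each flagged file in system32 and the copy in the WFP cache (%SystemRoot%\system32\dllcache, the directory the log itself shows for ieencode.dll) and reports whether they agree. The file list and the assumption that Windows PowerShell 2.0 is installed on the XP machine are mine.

```powershell
# Added example (not from the thread): compare each flagged system32 file with the
# Windows File Protection cache copy in %SystemRoot%\system32\dllcache. After the
# rename-and-refresh step the two copies should be identical; a mismatch means WFP
# did not restore the file, or the live copy was replaced again afterwards.
# Assumptions: Windows PowerShell 2.0 on XP SP3; file names taken from the log.

$cacheDir = Join-Path $env:SystemRoot 'system32\dllcache'
$files    = @('winlogon.exe', 'msgsvc.dll')

function Get-Md5Hex {
    param([string]$Path)
    # MD5 is used only because it is the digest ComboFix prints, so the result can
    # be compared with the Sigcheck line; this is a same-file comparison, not a
    # security-grade hash.
    $md5    = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $md5.ComputeHash($stream) }
    finally { $stream.Close() }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
}

function Compare-WfpCopy {
    param([string]$Name)
    $live  = Join-Path (Join-Path $env:SystemRoot 'system32') $Name
    $cache = Join-Path $cacheDir $Name

    if (-not (Test-Path -LiteralPath $live)) {
        return "$Name : live copy missing from system32"
    }
    if (-not (Test-Path -LiteralPath $cache)) {
        # Without a cache copy WFP has nothing to restore from; the file must be
        # replaced from installation media or a known-good machine instead.
        return "$Name : no dllcache copy, WFP cannot restore it"
    }

    $liveHash  = Get-Md5Hex $live
    $cacheHash = Get-Md5Hex $cache
    if ($liveHash -eq $cacheHash) {
        return "$Name : OK, live and dllcache copies match ($liveHash)"
    }
    return "$Name : MISMATCH live=$liveHash cache=$cacheHash"
}

# One line of output per file; run from an elevated prompt so dllcache is readable.
foreach ($f in $files) { Compare-WfpCopy $f }
```

A match only proves the two local copies are consistent, not that either is clean: if the infection also overwrote the cache copy, both hashes agree. Treat a match as a precondition for the next scan, and compare the printed hash with the one ComboFix reports on the Sigcheck line (which should change once a clean copy is in place) or with the same file on a known-good XP SP3 machine.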

#11 ndawelsh

ndawelsh
  • Topic Starter

  • Members
  • 27 posts

Posted 18 June 2011 - 04:48 PM

New ComboFix

ComboFix 11-06-17.04 - Administrator 18/06/2011 22:29:22.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3071.2284 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
.
FILE ::
"c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\52\4fc58734-488420c2"
.
file zipped: c:\program files\ipCmUEemp3bjZ5\URGyZsbIq.cpl
file zipped: c:\program files\IWONGEI\Installr\1.bin\9uEIPlug.dll
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\52\4fc58734-488420c2
c:\program files\ipCmUEemp3bjZ5\URGyZsbIq.cpl
c:\program files\IWONGEI\Installr\1.bin\9uEIPlug.dll
.
Infected copy of c:\windows\system32\msgsvc.dll was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\msgsvc.dll
.
c:\windows\system32\winlogon.exe . . . is infected!!
.
.
((((((((((((((((((((((((( Files Created from 2011-05-18 to 2011-06-18 )))))))))))))))))))))))))))))))
.
.
2011-06-18 18:59 . 2011-06-18 18:59 -------- d-----w- c:\program files\ESET
2011-06-18 18:02 . 2011-06-18 18:02 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\NPE
2011-06-18 18:02 . 2011-06-18 18:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2011-06-17 17:44 . 2011-06-17 17:44 -------- d-----w- c:\program files\Common Files\Skype
2011-06-17 17:44 . 2011-06-17 17:44 -------- d-----r- c:\program files\Skype
2011-06-15 15:51 . 2011-06-15 15:51 388096 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-06-15 15:51 . 2011-06-15 15:51 -------- d-----w- c:\program files\Trend Micro
2011-06-14 16:33 . 2011-06-14 16:33 110080 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{4FC9DA9D-F608-454E-8191-D7EFFDCC5726}\IconF7A21AF7.exe
2011-06-14 16:33 . 2011-06-14 16:33 110080 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{4FC9DA9D-F608-454E-8191-D7EFFDCC5726}\IconD7F16134.exe
2011-06-14 16:24 . 2011-06-14 16:33 -------- d-----w- C:\sh4ldr
2011-06-14 16:24 . 2011-06-14 16:24 -------- d-----w- c:\program files\Enigma Software Group
2011-06-14 16:23 . 2011-06-14 16:33 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2011-06-13 20:15 . 2011-06-13 20:15 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Thinstall
2011-06-13 20:15 . 2011-06-13 20:15 -------- d-----w- c:\documents and settings\Administrator\Application Data\Thinstall
2011-06-12 21:43 . 2011-06-12 21:43 404640 ---ha-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-11 13:30 . 2011-06-11 13:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\WinCare2009
2011-06-02 22:35 . 2011-06-11 11:07 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM
2011-06-02 22:35 . 2011-06-10 18:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype Extras
2011-06-02 22:34 . 2011-06-17 17:44 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2011-06-02 22:33 . 2011-06-17 17:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2011-06-01 15:23 . 2011-06-01 15:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-06-01 15:22 . 2011-05-29 08:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-01 15:22 . 2011-06-01 15:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-06-01 15:22 . 2011-06-16 07:31 -------- d--h--w- c:\program files\Malwarebytes' Anti-Malware
2011-05-31 20:06 . 2011-05-31 20:06 -------- d-----w- C:\LGMobileUpgrade
2011-05-31 19:58 . 2011-05-31 19:58 -------- d-----w- C:\ifx
2011-05-31 19:58 . 2010-05-12 11:23 16896 ---ha-w- c:\windows\system32\drivers\FlashUSB.sys
2011-05-31 19:58 . 2011-05-31 19:58 -------- d-----w- C:\LG_USB
2011-05-31 19:55 . 2006-05-04 07:33 53248 ---ha-w- c:\windows\system32\CommonDL.dll
2011-05-31 19:55 . 2005-10-04 00:39 44544 ---ha-w- c:\windows\system32\msxml4a.dll
2011-05-31 19:55 . 2011-05-31 19:56 -------- d-----w- c:\documents and settings\All Users\Application Data\LGMOBILEAX
2011-05-31 19:47 . 2011-05-31 19:47 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\LG Electronics
2011-05-31 19:43 . 2011-05-31 19:46 -------- d--h--w- c:\program files\LG Electronics
2011-05-31 19:42 . 2010-03-05 09:50 47616 ---ha-r- c:\windows\system32\LGScsiCommandService.exe
2011-05-31 19:42 . 2009-09-23 07:05 24576 ---ha-r- c:\windows\system32\SendScsiCmd.dll
2011-05-29 11:33 . 2011-06-02 19:18 -------- d--h--w- c:\program files\Spybot - Search & Destroy
2011-05-29 11:33 . 2011-06-01 17:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-05-28 16:17 . 2009-10-29 07:46 78336 ---ha-w- c:\windows\system32\ieencode.dll
2011-05-28 16:17 . 2009-10-29 07:46 78336 ---ha-w- c:\windows\system32\dllcache\ieencode.dll
2011-05-26 17:58 . 2011-05-26 19:50 -------- d--h--w- c:\program files\Simple Port Forwarding
2011-05-26 17:58 . 2011-05-26 17:58 -------- d--h--w- c:\windows\Simple Port Forwarding
2011-05-26 16:43 . 2011-05-28 21:26 -------- d--h--w- c:\program files\PFConfig
2011-05-25 21:19 . 2011-06-18 21:33 -------- d--h--w- c:\program files\ipCmUEemp3bjZ5
2011-05-24 15:39 . 2011-05-24 15:39 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Spotmau
2011-05-22 17:33 . 2011-05-22 17:33 203776 --sh--w- c:\windows\system32\unrar.exe
2011-05-21 20:03 . 2011-06-03 16:27 -------- d--h--w- c:\program files\ElcomSoft
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-25 21:42 . 2010-09-10 10:17 17480 ---ha-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-05-14 10:15 . 2011-05-14 10:11 270336 ---ha-w- c:\windows\IHelper.exe
2011-05-13 19:54 . 2011-05-13 19:54 573440 ---ha-w- c:\windows\uninstal.exe
2011-04-08 11:28 . 2011-04-08 11:28 41872 ---ha-w- c:\windows\system32\xfcodec.dll
2011-04-14 16:26 . 2011-05-29 11:17 142296 ---ha-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2002-12-31 . 679A7259741F6A09994F02CE261B5F2E . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-10-07 328056]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2011-05-01 107000]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-05-26 15147400]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2002-12-31 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"HDAudDeck"="c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe" [2009-06-01 33624064]
"PAC7302_Monitor"="c:\windows\PixArt\PAC7302\Monitor.exe" [2006-11-03 319488]
"EPSON Stylus Photo R300 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE" [2003-06-04 99840]
"SpotmauSecretary"="c:\program files\Spotmau\secretary\Spotmau_S.exe" [2009-11-25 627200]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\12.0\SharedCOM\RoxWatchTray12.exe" [2009-07-24 240112]
"CPMonitor"="c:\program files\Roxio 2010\5.0\CPMonitor.exe" [2009-07-21 84464]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"IndexSearch"="c:\program files\Scansoft\PaperPort\IndexSearch.exe" [2002-09-23 36864]
"OneTouch Monitor"="c:\program files\Xerox One Touch\OneTouchMon.exe" [2003-06-12 86016]
"B2C_AGENT"="c:\documents and settings\All Users\Application Data\LGMOBILEAX\B2C_Client\B2CNotiAgent.exe" [2011-06-15 404568]
"SpyHunter Security Suite"="c:\program files\Enigma Software Group\SpyHunter\SpyHunter4.exe" [2011-06-14 3021720]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2002-12-31 15360]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
ExifLauncher2.lnk - c:\program files\FinePixViewer\QuickDCF2.exe [2009-12-27 303104]
Xfire.lnk - c:\program files\Xfire\Xfire.exe [2011-4-8 3510160]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
2002-12-31 12:00 110592 ---ha-w- c:\windows\system32\bthprops.cpl
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eraser RiskMonitor]
2008-11-03 14:25 44192 ----a-w- c:\program files\East-Tec Eraser 2010\Launch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HitmanPro35]
2010-05-30 04:42 5937984 ----a-w- c:\program files\Hitman Pro 3.5\HitmanPro35.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-12-27 18:39 1242448 ---ha-w- c:\program files\Steam\steam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2010-10-07 13:38 328056 ---ha-w- c:\program files\uTorrent\uTorrent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UVS10 Preload]
2006-08-09 13:27 36864 ---ha-w- c:\program files\Ulead Systems\Ulead VideoStudio SE DVD\uvPL.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\mohaa\\Medal.Of.Honour.Deluxe(djDEVASTATE™)\\moh_Breakthrough.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\fallout new vegas\\FalloutNVLauncher.exe"=
"c:\\Program Files\\Simple Port Forwarding\\spf.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R0 SahdIa32;HDD Filter Driver;c:\windows\system32\drivers\SahdIa32.sys [12/01/2011 22:43 21488]
R0 SaibIa32;Volume Filter Driver;c:\windows\system32\drivers\SaibIa32.sys [12/01/2011 22:43 15856]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [04/11/2010 19:36 697328]
R1 SaibVd32;Virtual Disk Driver;c:\windows\system32\drivers\SaibVd32.sys [12/01/2011 22:43 25584]
R2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe [02/06/2009 20:05 457200]
R2 LGScsiCommandService;LG SCSI command service;c:\windows\system32\LGScsiCommandService.exe [31/05/2011 20:42 47616]
R2 SpyHunter 4 Service;SpyHunter 4 Service;c:\progra~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [18/05/2010 17:06 327064]
R2 Start BT in service;Start BT in service;c:\program files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe [27/12/2007 15:39 51816]
R2 supersafer;supersafer;c:\windows\system32\drivers\supersafer.sys [16/11/2010 20:04 354176]
R3 LgBttPort;LGE Bluetooth TransPort;c:\windows\system32\drivers\lgbtport.sys [29/09/2009 08:11 12160]
R3 lgbusenum;LG Bluetooth Bus Enumerator;c:\windows\system32\drivers\lgbtbus.sys [29/09/2009 08:11 10496]
R3 LGVMODEM;LGE Virtual Modem;c:\windows\system32\drivers\lgvmodem.sys [29/09/2009 08:11 12928]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [16/12/2009 20:08 1358720]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [02/01/2010 21:08 135664]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [01/06/2011 16:22 366640]
S2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files\Common Files\Roxio Shared\12.0\SharedCOM\RoxWatch12.exe [24/07/2009 09:33 219632]
S2 RSVP32;QoS RSVP ;c:\windows\system32\jobexec32.exe --> c:\windows\system32\jobexec32.exe [?]
S3 FlashUSB;FlashUSB;c:\windows\system32\drivers\FlashUSB.sys [31/05/2011 20:58 16896]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [02/01/2010 21:08 135664]
S3 MBAMProtector;MBAMProtector;\??\c:\windows\system32\drivers\mbam.sys --> c:\windows\system32\drivers\mbam.sys [?]
S3 pwdrvio;pwdrvio;c:\windows\system32\pwdrvio.sys [10/10/2010 17:35 16472]
S3 pwdspio;pwdspio;c:\windows\system32\pwdspio.sys [10/10/2010 17:35 11104]
S3 RoxMediaDB12;RoxMediaDB12;c:\program files\Common Files\Roxio Shared\12.0\SharedCOM\RoxMediaDB12.exe [24/07/2009 09:33 1116656]
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
2010-09-19 c:\windows\Tasks\debutShakeIcon.job
- c:\program files\NCH Software\Debut\debut.exe [2010-08-04 15:41]
.
2011-06-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-02 20:08]
.
2011-06-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-02 20:08]
.
2011-06-18 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 15:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Download with &Shareaza - c:\program files\Shareaza\RazaWebHook32.dll/3000
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1e4x8af1.default\
FF - prefs.js: network.proxy.type - 0
FF - user.js: yahoo.homepage.dontask - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-18 22:40
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HDAudDeck = c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe 1????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-861567501-1563985344-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,89,bb,57,0e,42,cb,03,42,b7,03,d1,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,89,bb,57,0e,42,cb,03,42,b7,03,d1,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,89,bb,57,0e,42,cb,03,42,b7,03,d1,\
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\WPAEvents]
@Denied: (Full) (LocalSystem)
"OOBETimer"=hex:4f,22,38,73,2f,af,8d,99,21,1e,b6,f0
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(788)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(3620)
c:\windows\system32\WININET.dll
c:\program files\Xfire\xfire_toucan_44183.dll
c:\progra~1\TEXTBR~1.0\Bin\TBMHOOK.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\IVT Corporation\BlueSoleil\BTNtService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\System32\StkASv2K.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\windows\system32\wscntfy.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\progra~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
.
**************************************************************************
.
Completion time: 2011-06-18 22:44:40 - machine was rebooted
ComboFix-quarantined-files.txt 2011-06-18 21:44
ComboFix2.txt 2011-06-18 18:23
ComboFix3.txt 2011-06-18 14:31
.
Pre-Run: 65,998,024,704 bytes free
Post-Run: 65,991,786,496 bytes free
.
- - End Of File - - 7EBDB3D07023A130F83BCB42DAE63FA4
Upload was successful

#12 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 18 June 2011 - 04:55 PM

Hi

The Windows File Protection trick doesn't appear to have worked, so let's look for another replacement.


Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :filefind
    *winlogon*
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#13 ndawelsh

ndawelsh
  • Topic Starter

  • Members
  • 27 posts

Posted 18 June 2011 - 04:57 PM

SystemLook 04.09.10 by jpshortstuff
Log created at 22:56 on 18/06/2011 by Administrator
Administrator - Elevation successful

========== filefind ==========

Searching for "*winlogon*"
C:\WINDOWS\Prefetch\WINLOGON.EXE-32C57D49.pf --a---- 130090 bytes [22:47 04/06/2011] [21:38 18/06/2011] 47DC32DD986F826500AE77CA1BBD417A
C:\WINDOWS\system32\winlogon.exe --ah--- 507904 bytes [12:00 31/12/2002] [12:00 31/12/2002] 679A7259741F6A09994F02CE261B5F2E

-= EOF =-
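An added example, not from this thread or from the SystemLook author: it parses filefind output like the log above and applies the check being made here, whether a second copy of winlogon.exe exists (for example in system32\dllcache) that Windows File Protection could restore from, and whether its MD5 matches the live file. The second sample log's dllcache line and its all-zero hash are constructed; the first sample is the log as posted.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
# A SystemLook ":filefind" result line: <path> <attrs> <size> bytes [<created>] [<modified>] <MD5>
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-a-z]{7}) (?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)

# The two result lines exactly as posted in the thread.
THREAD_LOG = """Searching for "*winlogon*"
C:\\WINDOWS\\Prefetch\\WINLOGON.EXE-32C57D49.pf --a---- 130090 bytes [22:47 04/06/2011] [21:38 18/06/2011] 47DC32DD986F826500AE77CA1BBD417A
C:\\WINDOWS\\system32\\winlogon.exe --ah--- 507904 bytes [12:00 31/12/2002] [12:00 31/12/2002] 679A7259741F6A09994F02CE261B5F2E
-= EOF =-"""

# Constructed variant: the thread's log plus a dllcache copy with a placeholder all-zero hash.
WITH_DLLCACHE_LOG = THREAD_LOG.replace("-= EOF =-",
    "C:\\WINDOWS\\system32\\dllcache\\winlogon.exe --a---- 507904 bytes "
    "[12:00 31/12/2002] [12:00 31/12/2002] 00000000000000000000000000000000\n-= EOF =-")

@dataclass
class FileHit:
    path: str
    attrs: str   # SystemLook attribute flags, e.g. "--ah---" (a = archive, h = hidden)
    md5: str

    @property
    def name(self) -> str:  # basename, lower-cased for case-insensitive matching
        return self.path.rsplit("\\", 1)[-1].lower()

def parse_filefind(log: str) -> list[FileHit]:
    """Return every result line as a FileHit; header and EOF lines are skipped."""
    hits = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits.append(FileHit(m["path"], m["attrs"], m["md5"].upper()))
    return hits

def check_replacement(hits: list[FileHit], filename: str = "winlogon.exe") -> dict:
    """Compare the live system32 copy with every other copy of the file. WFP restores from
    system32\\dllcache, so with no second copy in the log renaming the live file regenerates nothing."""
    live = [h for h in hits if h.path.lower().endswith("\\system32\\" + filename)]
    refs = [h for h in hits if h.name == filename and h not in live]
    if not live:
        return {"verdict": "live copy not found", "reference_copies": len(refs)}
    if not refs:
        verdict = "no reference copy"
    elif all(r.md5 == live[0].md5 for r in refs):
        verdict = "matches reference"
    else:
        verdict = "differs from reference"
    return {"verdict": verdict, "live_md5": live[0].md5,
            "live_hidden": "h" in live[0].attrs, "reference_copies": len(refs)}
```

Run against the posted log it reports "no reference copy", which is exactly why the rename trick had nothing to restore from; a mismatch against a present dllcache copy would be the next thing to inspect.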

#14 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 18 June 2011 - 05:02 PM

Did you do the renaming of winlogon?

As it's not finding the renamed one?


Please give it another try

show the hidden extensions as you did before

navigate to the c:\windows\system32 folder

find winlogon.exe

right click it and rename it to winlogon.exe.old

say YES to all the warnings

now wait five seconds, then press F5 to refresh

a new winlogon.exe should generate

if it does, please re-run combofix

if it does not, then name winlogon.exe.old back to winlogon.exe and let me know

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#15 ndawelsh

ndawelsh
  • Topic Starter

  • Members
  • 27 posts

Posted 18 June 2011 - 05:04 PM

I did it before, but it didn't create a new one, so I had to rename the old one back. Sorry, I should have said. I will try again.



