
infected with Trojan.Dropper/SVCHost-Fake and Firefox keeps redirector


  • This topic is locked
39 replies to this topic

#31 heir

  • Malware Response Team
  • 763 posts

Posted 17 August 2011 - 02:19 AM

4. What is C:\QooBox\Add-Remove Programs.txt?

A logfile from one of the tools we used.

That was the msert(2).exe file. It didn't help, and I see no need to keep it on the computer, or for you to waste
your time trying to fix it. So, I deleted it today. I hope that was all right.

Didn't plan to fix it either.

Please post the content of C:\QooBox\Add-Remove Programs.txt

Please do not PM me asking for support. Post on the forums instead.
Please post the final results, good or bad. We like to know!
Unified Network of Instructors and Trained Eliminators
My help is always free, but if you want to donate to help me continue my fight against malware then click here.



#32 Ballerina

  • Topic Starter
  • Members
  • 20 posts

Posted 17 August 2011 - 03:31 AM

I used the following 4 tools I was asked to run in the last post: GrantPerms, VirusTotal, ComboFix, and EOS. Each one of the 4 generated a logfile/result, which I posted.
I don't know what the logfile called C:\QooBox\Add-Remove Programs.txt is, or what tool produces it. There are 5 things I was asked to list in a reply,
but only 4 tools listed. I'm sorry, but I just don't understand what I am being asked to do. :)

#33 heir

  • Malware Response Team
  • 763 posts

Posted 17 August 2011 - 03:49 AM

That log isn't opened automatically in a Notepad window; it is, however, there.
Do this to open it in Notepad.

Go to START -> Run... and copy and paste this line in the text field


C:\QooBox\Add-Remove Programs.txt


Hit the Enter key and the Notepad window should open with the logfile. Post the content in your reply.



#34 Ballerina

  • Topic Starter
  • Members
  • 20 posts

Posted 17 August 2011 - 04:06 AM

Thanks very much!

Here it is:


Access Drivers
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Illustrator 10
Adobe Reader X (10.1.0)
Adobe Shockwave Player
Adobe SVG Viewer 3.0
Amazon MP3 Downloader 1.0.2
AnswerWorks 4.0 Runtime - English
AnswerWorks 5.0 English Runtime
Any Video Converter 3.2.3
Apple Application Support
Apple Software Update
ArcSoft PhotoStudio 5.5
Atomic Clock 4.0 for Windows 95/NT
BACS
Banctec Service Agreement
BCM V.92 56K Modem
Britannica Ready Reference
Broadcom Advanced Control Suite
CalMap Gen 7+ DEMO
Canon MP Navigator EX 1.0
Canon Utilities Solution Menu
CanoScan 8800F
CCleaner
Compton's Interactive Encyclopedia 1996
Confidence Online Portal Edition for Ameritrade
Content Transfer
Custom Info
DAO
Deal Info
Dell Picture Studio - Dell Image Expert
Dell ResourceCD
Dell Solution Center
Dell Support
DellConnect
Deutz Engine
Digital Line Detect
DigitImg
DiskeeperWorkstation
Driver Updater
Dyno2000 Version 3.10
EarthLink Common Authentication
EarthLink FastLane
EarthLink MailBox
EarthLink MDAC
EarthLink MSXML
EarthLink Setup
EarthLink Software
EarthLink Spyware Blocker
EarthLink Toolbar
EarthLink Update Manager
EarthLink Webspace
EarthLink Wireless High Speed
ESET Online Scanner v3
Facebook Plug-In
Family Origins 8.0
Free RAR Extract Frog
FreeRIP v3.2
Google Earth
Google SketchUp 8
Google Update Helper
Help and Support Customization
Hollywood FX 5.5 Additional Effects
Hollywood FX Pack 26 - Extra FX
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB981793)
HP Driver Diagnostics
hp instant support
HP Memories Disc
HP Software Update
Image Data Converter SR
Intel® Extreme Graphics Driver
Java Auto Updater
Java™ 7
Lernout & Hauspie TruVoice for Microsoft Agent
LS_HSI
MACK MP7 Assembly Screen Saver
MAGIX Media Manager 2004 silver
MAGIX Movie Edit Pro 10
Malwarebytes' Anti-Malware version 1.51.1.1800
Matrix-ks
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework 1.0 Hotfix (KB928367)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Data Access Components KB870669
Microsoft Encarta 96 Encyclopedia
Microsoft Office 2000 SR-1 Disc 2
Microsoft Office 2000 SR-1 Professional
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft XML Parser
Modem Helper
Mozilla Firefox (3.6.18)
MSSoap
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser
MUSICMATCH Jukebox
NetObjects Fusion 8
nicheMandelbrot Saver 1.0
NVIDIA Drivers
NVIDIA nView Desktop Manager
overland
Paint Shop Pro 7
Photosmart 140,240,7200,7600,7700,7900 Series
Pinnacle Hollywood FX
PS7700
PSShortcutsP
PSUsage
QFolder
Quicken 2004
QuickTime
RealPlayer Basic
Redistributed Files
Return to Castle Wolfenstein
RunAlyzer
ScanSoft OmniPage SE 4
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Encoder (KB2447961)
Security Update for Windows Media Encoder (KB954156)
Security Update for Windows Media Encoder (KB979332)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2491683)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Sony USB Driver
Speccy
Studio 9
Studio 9 Content CD/DVD
SUPERAntiSpyware
TeleChart
TeleChart 2000
TeleChart 2005
TotalAccess Core Applications
TurboTax 2008
TurboTax 2008 wcaiper
TurboTax 2008 WinBizFedFormset
TurboTax 2008 WinBizProgramHelp
TurboTax 2008 WinBizReleaseEngine
TurboTax 2008 WinBizTaxSupport
TurboTax 2008 WinBizUserEducation
TurboTax 2008 WinPerFedFormset
TurboTax 2008 WinPerProgramHelp
TurboTax 2008 WinPerReleaseEngine
TurboTax 2008 WinPerTaxSupport
TurboTax 2008 WinPerUserEducation
TurboTax 2008 wrapper
TurboTax Basic 2003
TurboTax Basic 2005
TurboTax Basic 2006
TurboTax Basic 2007
TurboTax Business 2008
TurboTax Deluxe 2004
Ulead Photo Explorer 8.5 SE
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Virtual Engine Calculator Advanced
WD Diagnostics
WebFldrs XP
WexTech AnswerWorks
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 11
Windows PowerShell™ 1.0
Windows XP Service Pack 3

#35 heir

  • Malware Response Team
  • 763 posts

Posted 17 August 2011 - 04:19 AM

Almost there.

Something I should point out, regarding CCleaner, Glary Utilities, TuneUp Utilities and similar products:

It's not recommended to use registry cleaners. These often cause more problems than they fix. One of the Experts here at Geekstogo, miekiemoes, has an excellent writeup here.
Another excellent article by Bill Castner is located here.

Step 1.
CFScript:


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

Driver::
mrtRate

Save this as CFScript.txt, in the same location as ComboFix.exe


[image]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



#36 Ballerina

  • Topic Starter
  • Members
  • 20 posts

Posted 17 August 2011 - 05:00 AM

Here is the Log for C:\ComboFix.txt:

ComboFix 11-08-16.05 - august 08/17/2011 2:32.7.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.454 [GMT -7:00]
Running from: c:\documents and settings\august\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\august\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MRTRATE
-------\Service_mrtRate
.
.
((((((((((((((((((((((((( Files Created from 2011-07-17 to 2011-08-17 )))))))))))))))))))))))))))))))
.
.
2011-08-14 02:17 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-14 02:17 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-08-14 02:12 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2011-08-10 21:51 . 2011-08-10 21:51 -------- d-----w- c:\documents and settings\All Users\Application Data\!SASCORE
2011-08-10 21:51 . 2011-08-10 21:51 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-08-08 20:57 . 2011-08-08 20:57 -------- d-----w- c:\documents and settings\august\Local Settings\Application Data\Sun
2011-08-08 20:52 . 2011-08-08 20:52 -------- d-----w- c:\program files\Common Files\Java
2011-08-08 20:52 . 2011-08-08 20:51 128000 ----a-w- c:\windows\system32\javacpl.cpl
2011-08-07 08:59 . 2011-08-07 08:59 -------- d-----w- c:\program files\Speccy
2011-08-04 17:11 . 2011-08-04 17:11 -------- d-----w- c:\program files\ESET
2011-08-03 21:22 . 2011-08-03 21:22 -------- d-----w- c:\documents and settings\august\Application Data\Malwarebytes
2011-08-03 21:22 . 2011-08-03 21:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-08-03 21:22 . 2011-07-07 02:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-03 21:22 . 2011-07-07 02:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-03 21:22 . 2011-08-03 21:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-30 00:18 . 2011-07-30 00:18 -------- d-----w- c:\documents and settings\august\Application Data\ElevatedDiagnostics
2011-07-29 04:40 . 2011-07-29 04:40 -------- d-----w- c:\documents and settings\august\Local Settings\Application Data\Solid State Networks
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-08 20:51 . 2010-05-02 21:39 544656 ----a-w- c:\windows\system32\deployJava1.dll
2011-08-03 18:42 . 2010-06-04 19:12 44544 ----a-w- c:\windows\system32\drivers\fips.sys
2011-07-15 13:29 . 2010-06-04 19:12 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2010-06-04 19:12 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-06 21:39 . 2011-06-18 12:56 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-24 14:10 . 2010-06-04 19:12 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36 . 2010-06-04 19:13 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-06-23 18:36 . 2010-06-04 19:13 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36 . 2010-06-04 19:12 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 12:05 . 2010-06-04 19:14 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2010-06-04 19:12 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-02 14:02 . 2010-06-04 19:12 1858944 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2011-08-14_06.18.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-09-07 22:39 . 2010-09-07 22:39 150392 c:\windows\junction.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DwlClient"="c:\program files\Common Files\Dell\EUSW\Support.exe" [2007-06-14 323584]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]
"PinnacleDriverCheck"="c:\windows\System32\PSDrvCheck.exe" [2004-03-11 406016]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-04-04 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-04 13670504]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2002-08-29 44032]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
"HPHUPD05"="c:\program files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe" [2005-07-08 49152]
"HPHmon05"="c:\windows\system32\hphmon05.exe" [2005-07-08 491520]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2003-12-05 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"ContentTransferWMDetector.exe"="c:\program files\Sony\Content Transfer\ContentTransferWMDetector.exe" [2009-11-20 583016]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 644696]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-05-04 252136]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
c:\documents and settings\august\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-11-11 110592]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-09-29 02:34 87352 ----a-w- c:\windows\SYSTEM32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Viewpoint Manager Service"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Return to Castle Wolfenstein\\WolfMP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\SYSTEM32\\fxsclnt.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\Dell\\EUSW\\Support.exe"=
"c:\\Program Files\\Common Files\\Dell\\EUSW\\DSLog.exe"=
"c:\\Program Files\\Google\\Update\\GoogleUpdate.exe"=
"c:\\WINDOWS\\SYSTEM32\\msfeedssync.exe"=
"c:\\Program Files\\TeleChart\\TeleChart.exe"=
"c:\\Program Files\\Adobe\\Reader 10.0\\Reader\\AcroRd32.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
"c:\\Program Files\\AnvSoft\\Any Video Converter\\VideoConverter.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Windows Media Player\\setup_wm.exe"=
"c:\\Program Files\\TurboTax\\Deluxe 2008\\32bit\\Turbotax.exe"=
"c:\\Documents and Settings\\august\\My Documents\\Downloads\\aswMBR.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 9:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 2:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [7/18/2011 5:02 PM 116608]
S2 EarthLinkMonitor;EarthLink Monitor Service;"c:\program files\EarthLink TotalAccess\WENGINE\wmonitor.exe" --> c:\program files\EarthLink TotalAccess\WENGINE\wmonitor.exe [?]
S2 gupdate1ca09ca969da2fc;Google Update Service (gupdate1ca09ca969da2fc);c:\program files\Google\Update\GoogleUpdate.exe [7/20/2009 11:15 PM 133104]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
S2 PINNMB;MovieBox USB_B;c:\windows\SYSTEM32\DRIVERS\pinnmb.sys [11/28/2004 3:54 PM 31923]
S2 WindowsGame;Windows_Down;c:\windows\system32\Game.exe --> c:\windows\system32\Game.exe [?]
S3 BW2NDIS5;BW2NDIS5;c:\windows\SYSTEM32\DRIVERS\BW2NDIS5.SYS [11/1/2004 2:16 PM 17536]
S3 EarthLinkSafeConnectFilter;EarthLinkSafeConnectFilter;\??\c:\program files\EarthLink\EarthLink Protection Control Center\Sana\Driver\platform_XP\SafeConnectFilter.sys --> c:\program files\EarthLink\EarthLink Protection Control Center\Sana\Driver\platform_XP\SafeConnectFilter.sys [?]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [7/20/2009 11:15 PM 133104]
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]
.
2011-08-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-21 06:14]
.
2011-08-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-21 06:14]
.
2011-08-17 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe [2008-07-29 04:55]
.
2011-08-17 c:\windows\Tasks\User_Feed_Synchronization-{B865B05B-D27E-44CB-BB53-551AF3161739}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.altavista.com/web/iepane?itag=ody&hl=off&fr=ieas&q={searchTerms}
uStart Page =
uInternet Settings,ProxyOverride = <local>
IE: EarthLink Google Search - c:\program files\EarthLink TotalAccess\Toolbar\SearchUI.dll/search.html
Trusted Zone: ameritrade.com
Trusted Zone: ameritrade.com\wwws
Trusted Zone: tdameritrade.com
Trusted Zone: tdameritrade.com\www
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\august\Application Data\Mozilla\Firefox\Profiles\ojl5k5yz.default\
FF - prefs.js: browser.startup.homepage - hxxp://search.yahoo.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: CacheViewer: {71328583-3CA7-4809-B4BA-570A85818FBB} - %profile%\extensions\{71328583-3CA7-4809-B4BA-570A85818FBB}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-17 02:45
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DwlClient = c:\program files\Common Files\Dell\EUSW\Support.exe?l?e?s?\?D?e?l?l?\?E?U?S?W?\?S?u?p?p?o?r?t?.?e?x?e???????X:??????x???`???X??? ???????`???P???? ?w? ?w)??p????????(???}????U?w????????????0??????w, ?w?M?wW??w???w)??p????????x'@?????????X????????"@?e?????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(676)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
- - - - - - - > 'explorer.exe'(2188)
c:\windows\system32\WININET.dll
c:\program files\ScanSoft\OmniPageSE4\OpHookSE4.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\LMIRfsClientNP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Dell\Support\Alert\bin\NotifyAlert.exe
c:\windows\BCMSMMSG.exe
c:\windows\System32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Completion time: 2011-08-17 02:50:36 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-17 09:50
ComboFix2.txt 2011-08-15 23:44
ComboFix3.txt 2011-08-14 06:23
.
Pre-Run: 16,492,544,000 bytes free
Post-Run: 16,398,512,128 bytes free
.
- - End Of File - - 747584A2CF4ECF3E76257CF41989343A
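The CFScript in post #35 asks ComboFix to remove the mrtRate driver, and the log above records the result under "Drivers/Services" as "-------\Legacy_MRTRATE" and "-------\Service_mrtRate"; further down, the R/S lines end in "[?]" whenever ComboFix could not find the service's image file on disk. The following is an added example (not code from the thread or from ComboFix) that parses a constructed excerpt in that same layout, confirms the requested removal took effect, and lists the loading points with unresolved binaries for a human to review; the regexes and the ServiceEntry type are my own assumptions about the log format.

```python
"""Triage helper for a ComboFix log: confirm that the service/driver named in a
CFScript "Driver::" block was removed and list loading points whose binary
ComboFix could not find ("[?]").  Added example, not part of the thread."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed excerpt in the layout of the log posted above (section banners,
# "-------\Name" deletion lines, and R/S lines "R1 name;display;path [date size]"
# or "S2 name;display;ImagePath --> path [?]" when the file was not found).
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MRTRATE
-------\Service_mrtRate
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 9:27 AM 12880]
S2 EarthLinkMonitor;EarthLink Monitor Service;"c:\program files\EarthLink TotalAccess\WENGINE\wmonitor.exe" --> c:\program files\EarthLink TotalAccess\WENGINE\wmonitor.exe [?]
S2 WindowsGame;Windows_Down;c:\windows\system32\Game.exe --> c:\windows\system32\Game.exe [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [7/20/2009 11:15 PM 133104]
.
"""

# Assumed line shapes (derived from the posted log, not a published spec).
SERVICE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.*)$")
STAT_RE = re.compile(r"^(.*) \[(.+?) (\d+)\]$")      # "path [date time size]"
DELETION_RE = re.compile(r"^-------\\(.+)$")          # "-------\Service_name"


@dataclass
class ServiceEntry:
    start: str            # "R1" = running/boot, "S2" = stopped/auto, "S3" = manual
    name: str             # registry service key name
    display: str          # display name
    image: str            # image path as ComboFix printed it
    resolved: bool        # False when ComboFix printed "[?]" (file not on disk)
    size: Optional[int]   # file size when resolved


def parse_deletions(log: str) -> List[str]:
    """Names recorded as removed under the Drivers/Services banner."""
    names, in_section = [], False
    for line in log.splitlines():
        if line.startswith("(((") and "Drivers/Services" in line:
            in_section = True
            continue
        if in_section and line.startswith("((("):   # next section banner
            break
        if in_section:
            m = DELETION_RE.match(line)
            if m:
                names.append(m.group(1))
    return names


def parse_services(log: str) -> List[ServiceEntry]:
    """Every R/S service or driver line, with the [?] marker decoded."""
    entries = []
    for line in log.splitlines():
        m = SERVICE_RE.match(line)
        if not m:
            continue
        kind, num, name, display, rest = m.groups()
        if " --> " in rest:
            # ComboFix could not stat the file the ImagePath points to
            image = rest.split(" --> ", 1)[1]
            if image.endswith(" [?]"):
                image = image[:-4]
            entries.append(ServiceEntry(kind + num, name, display, image, False, None))
            continue
        s = STAT_RE.match(rest)
        if s:
            entries.append(ServiceEntry(kind + num, name, display, s.group(1), True, int(s.group(3))))
        else:
            entries.append(ServiceEntry(kind + num, name, display, rest, False, None))
    return entries


def unresolved_services(log: str) -> List[str]:
    """Loading points whose binary is missing: leftover registrations of
    uninstalled software, or a service whose file was removed. Review by hand."""
    return [e.name for e in parse_services(log) if not e.resolved]


def service_removed(log: str, name: str) -> bool:
    """True when Service_<name> appears in the deletions and no R/S line still lists it."""
    deleted = {n.lower() for n in parse_deletions(log)}
    still_listed = any(e.name.lower() == name.lower() for e in parse_services(log))
    return f"service_{name.lower()}" in deleted and not still_listed


if __name__ == "__main__":
    print("removed:", parse_deletions(SAMPLE_LOG))
    print("mrtRate gone:", service_removed(SAMPLE_LOG, "mrtRate"))
    print("unresolved image paths:", unresolved_services(SAMPLE_LOG))
```

Run it against a real ComboFix.txt by replacing SAMPLE_LOG with the file's contents; anything it lists under "unresolved image paths" is a candidate for review, not an automatic verdict.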

#37 heir

  • Malware Response Team
  • 763 posts

Posted 17 August 2011 - 05:36 AM

Looks good. :thumbsup:
We're all done.

Let's clean up again


  • Click START then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the /U; it needs to be there.


Delete GrantPerms from your desktop.



#38 Ballerina

  • Topic Starter
  • Members
  • 20 posts

Posted 17 August 2011 - 03:46 PM

Combofix is now uninstalled, and GrantPerms is now deleted.

Gracious, I'm so very happy that we are done and my computer is clean again! :clapping:

Thank you, heir, for all that you have done to help me. Not only have you rid my machine of its infections
and resultant problems, but you have taught me how to prevent such things from happening again. I will use
the programs you suggested earlier to make surfing safer. I will also no longer "clean" the registry.

I know I thanked you in a previous post, but I cannot stress enough how truly grateful I am for your kind and
patient help. You've been the knight in shining armor riding to the rescue of the damsel in serious distress
from a nasty malware dragon. May all good things come your way in life!

Thank you! :)

#39 heir

  • Malware Response Team
  • 763 posts

Posted 28 August 2011 - 06:45 AM

You're most welcome.

In case you need help in the future, please revisit this site.



#40 heir

  • Malware Response Team
  • 763 posts

Posted 28 August 2011 - 06:45 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
