
Multiple unexpected Internet Connections


  • This topic is locked
20 replies to this topic

#1 ptak30


Posted 11 September 2011 - 11:23 AM

Hi,
My PC sits behind an ADSL router along with one other PC. I run TCPEye to monitor connections to the internet. Malwarebytes discovered some 6 Trojans and spyware recently and these were quarantined and deleted. I decided to replace Comodo with AVG, which insisted on Comodo's removal first, which I did. I noticed that the download of AVG was extremely slow and TCPEye showed hundreds of connections going all over the world being spawned from my PC, almost as if it was a server hub.
This behaviour occurs from start up even without firing up a browser.
DDS.txt
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Run by Godwin at 16:29:16 on 2011-09-11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2047.1695 [GMT 1:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\NETGEAR GA311 Adapter\GA311.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\TCPEye\TCPEye.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uInternet Settings,ProxyServer = 0.0.0.0:80
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {9aa2f14f-e956-44b8-8694-a5b615cdf341} - NOW!Imaging
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Kwixum] rundll32.exe "c:\windows\tmcmtip.dll",Startup
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [Myubetijokilomin] rundll32.exe "c:\windows\aqixayugupiditem.dll",Startup
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [Printing Migration] rundll32.exe c:\windows\system32\spool\migrate.dll,ProcessWin9xNetworkPrinters
dExplorerRun: [Jetsoft] c:\documents and settings\networkservice\application data\csrss.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ga311s~1.lnk - c:\program files\netgear ga311 adapter\GA311.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\interv~1.lnk - c:\program files\intervideo\common\bin\WinCinemaMgr.exe
uPolicies-explorer: NoCustomizeWebView = 1 (0x1)
uPolicies-explorer: <NO NAME> = 00000000
mPolicies-system: EnableLUA = 0 (0x0)
dPolicies-explorer: NoCustomizeWebView = 1 (0x1)
dPolicies-explorer: <NO NAME> = 00000000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {FB858B22-55E2-413f-87F5-30ADC5552151} - c:\program files\plotsoft\pdfill\DownloadPDF.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
DPF: DirectAnimation Java Classes
DPF: Microsoft XML Parser for Java
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1198942325062
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
TCP: Interfaces\{1675E020-93FB-44C0-B3DB-11791B178C73} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{583DB85D-BF2C-4B7A-9467-FD08DF893771} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{6AF1DAA6-8CFE-4C0D-B2B7-0F34901D012E} : NameServer = 208.67.222.222,208.67.220.220
Handler: amisie - {183A003A-3D01-4E94-A2C5-AD0108C68370} - c:\program files\amis\IeDtbPlugin.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: GoToAssist - c:\program files\citrix\gotoassist\570\G2AWinLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = :\windows\syste
mASetup: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "c:\progra~1\outloo~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install
mASetup: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "c:\progra~1\outloo~1\setup50.exe" /app:oe /caller:ie50 /user /install - "c:\progra~1\outloo~1\setup50.exe" /APP:OE /CALLER:WIN9X /user /install
mASetup: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "c:\progra~1\outloo~1\setup50.exe" /app:oe /caller:ie50 /user /install - "c:\progra~1\outloo~1\setup50.exe" /app:oe /caller:win9x /user /install - "c:\progra~1\outloo~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install
mASetup: {44BBA851-CC51-11CF-AAFA-00AA00B6015C} - rundll32.exeadvpack.dll
mASetup: {7790769C-0471-11d2-AF11-00C04FA35D02} - "c:\progra~1\outloo~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install
mASetup: {7790769C-0471-11d2-AF11-00C04FA35D02} - "c:\progra~1\outloo~1\setup50.exe" /app:wab /caller:win9x /user /install - "c:\progra~1\outloo~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install
mASetup: {9EF0045A-CDD9-438e-95E6-02B9AFEC8E11} - c:\windows\system32\updcrl.exe -e -u c:\windows\system\verisignpub1.crl
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\godwin\application data\mozilla\firefox\profiles\1hvxpyvy.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1060933&SearchSource=3&q=
FF - prefs.js: browser.search.selectedEngine - Hotspot Shield Private Search
FF - prefs.js: browser.startup.homepage - hxxp://search.hotspotshield.com/g/?c=h
FF - prefs.js: keyword.URL - hxxp://search.hotspotshield.com/g/results.php?c=s&q=
FF - prefs.js: network.proxy.http - 192.104.67.250
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\documents and settings\godwin\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\progra~1\mozill~1\plugins\npPDFXCviewNPPlugin.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPDFXCviewNPPlugin.dll
FF - plugin: c:\program files\tracker software\pdf viewer\npPDFXCviewNPPlugin.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
.
============= SERVICES / DRIVERS ===============
.
R1 SSHDRV79;SSHDRV79;c:\windows\system32\drivers\SSHDRV79.sys [2009-5-18 75264]
R2 LANPkt;Realtek LANPkt Protocol;c:\windows\system32\drivers\LANPkt.sys [2003-9-17 8440]
R3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [2003-8-15 11237]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.SYS [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 NetgearGA311;NETGEAR GA311 Gigabit Adapter Driver;c:\windows\system32\drivers\G311N6.sys [2008-1-8 70144]
S3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\sisoftware\sisoftware sandra lite 2009.sp1\RpcAgentSrv.exe [2008-11-6 98488]
S3 SIWIO;SIWIO; [x]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2007-12-29 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== File Associations ===============
.
regfile=regedit.exe "%1" %*
.
=============== Created Last 30 ================
.
2011-09-11 09:48:39 0 ----a-w- c:\windows\Yhocuzaruqehisuk.bin
2011-09-11 09:48:38 -------- d-----w- c:\documents and settings\godwin\local settings\application data\{EC780376-A2B5-46F6-991F-E33571800E5A}
2011-09-11 09:43:44 -------- d-----w- c:\documents and settings\godwin\application data\Vuwesoo
2011-09-11 09:43:43 -------- d-----w- c:\documents and settings\godwin\application data\Bos
2011-09-11 09:18:05 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
2011-09-11 09:17:49 -------- d-----w- c:\documents and settings\all users\application data\MFAData
2011-09-11 07:21:12 388096 ----a-r- c:\documents and settings\godwin\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-09-10 07:55:21 -------- d-----w- c:\program files\RADVideo
2011-09-07 14:29:22 -------- d-----w- c:\program files\Simple Spreadsheet
2011-09-03 10:17:37 599040 ------w- c:\windows\system32\dllcache\crypt32.dll
2011-08-26 11:38:01 -------- d-----w- c:\documents and settings\godwin\application data\FastStone
2011-08-26 11:36:09 -------- d-----w- c:\program files\FastStone Image Viewer
2011-08-20 19:45:05 -------- d-----w- c:\documents and settings\godwin\application data\Wise Registry Cleaner
2011-08-20 19:44:42 -------- d-----w- c:\program files\Wise Registry Cleaner
2011-08-18 19:39:35 -------- d-----w- c:\program files\Registry Patrol
2011-08-18 11:56:29 -------- d-----w- c:\program files\FoxTabVideoConverter
2011-08-18 11:32:38 -------- d-----w- c:\program files\Virtua
2011-08-17 20:45:15 -------- d-----w- c:\program files\UMPlayer
2011-08-17 20:45:15 -------- d-----w- c:\documents and settings\godwin\.umplayer
2011-08-17 18:01:00 -------- d-----w- c:\documents and settings\godwin\local settings\application data\MPlayer
.
==================== Find3M ====================
.
2011-09-03 10:17:37 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-08-12 06:29:44 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-06 18:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 18:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36:30 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36:30 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05:13 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll
2008-08-04 15:22:33 2788800 ----a-w- c:\program files\FLV PlayerFCSetup.exe
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD1600AAJB-00PVA0 rev.00.07H00 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A8424D0]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a8487d0]; MOV EAX, [0x8a84884c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x8A8A1AB8]
3 CLASSPNP[0xF7637FD7] -> nt!IofCallDriver[0x804E37D5] -> \Device\00000063[0x8A90CF18]
5 ACPI[0xF75AE620] -> nt!IofCallDriver[0x804E37D5] -> [0x8A8BF940]
\Driver\atapi[0x8A83EDF0] -> IRP_MJ_CREATE -> 0x8A8424D0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV SI, 0x7be; MOV CL, 0x4; CMP [SI], CH; JL 0x2d; JNZ 0x3b; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A84231B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 16:30:52.75 ===============
GMER log
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-09-11 16:43:12
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 WDC_WD1600AAJB-00PVA0 rev.00.07H00
Running: gmer.exe; Driver: C:\DOCUME~1\Godwin\LOCALS~1\Temp\kwrdqpod.sys


---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\system32\drivers\nvax.sys entry point in "init" section [0xF7814C9E]
.text C:\WINDOWS\system32\drivers\SSHDRV79.sys section is writeable [0xB22E5000, 0x2247E, 0xE8000020]
.pklstb C:\WINDOWS\system32\drivers\SSHDRV79.sys entry point in ".pklstb" section [0xB2316000]
.relo2 C:\WINDOWS\system32\drivers\SSHDRV79.sys unknown last section [0xB232B000, 0x8A, 0x42000040]
? C:\DOCUME~1\Godwin\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[700] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D7000A
.text C:\WINDOWS\System32\svchost.exe[700] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D8000A
.text C:\WINDOWS\System32\svchost.exe[700] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00D6000C
.text C:\WINDOWS\System32\svchost.exe[700] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 01A3000A
.text C:\WINDOWS\System32\svchost.exe[700] USER32.dll!WindowFromPoint 7E429766 5 Bytes JMP 01A4000A
.text C:\WINDOWS\System32\svchost.exe[700] USER32.dll!GetForegroundWindow 7E429823 5 Bytes JMP 01A5000A
.text C:\WINDOWS\System32\svchost.exe[700] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 01A2000A
.text C:\WINDOWS\system32\SearchIndexer.exe[1480] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\WINDOWS\Explorer.EXE[2008] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D8000A
.text C:\WINDOWS\Explorer.EXE[2008] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D9000A
.text C:\WINDOWS\Explorer.EXE[2008] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00C1000C

---- Devices - GMER 1.0.15 ----

Hope I've followed the instructions for a new thread correctly
Regards
Attached File: attach.txt (19.47KB)
EDIT I forgot to say that I disabled the network connection before running dds and gmer.

Edited by ptak30, 11 September 2011 - 11:25 AM.
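A small triage pass over DDS-style "Pseudo HJT Report" lines, added here as an example and not part of the original post or of the DDS tool: it flags the kind of entries that stand out in the log above (rundll32 loading a DLL straight from the Windows root, a csrss.exe copy under a profile directory, and IE/Firefox proxy settings). The sample lines are constructed from that log, and the heuristics, regexes and function names are this example's own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, modelled on the DDS "Pseudo HJT Report" section posted above.
SAMPLE_LOG = r"""
uStart Page = about:blank
uInternet Settings,ProxyServer = 0.0.0.0:80
uRun: [Kwixum] rundll32.exe "c:\windows\tmcmtip.dll",Startup
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Myubetijokilomin] rundll32.exe "c:\windows\aqixayugupiditem.dll",Startup
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dExplorerRun: [Jetsoft] c:\documents and settings\networkservice\application data\csrss.exe
FF - prefs.js: network.proxy.http - 192.104.67.250
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.type - 0
""".strip().splitlines()

# Autostart entries: uRun / mRun / dRun / dRunOnce / dExplorerRun: [name] command
RUN_RE = re.compile(r"^(?P<key>[umd]\w*Run\w*):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.+)$", re.I)
# rundll32 invocation and the DLL it loads (quoted or not, up to the export name)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)', re.I)
# first drive-letter path ending in .exe inside a command
EXE_RE = re.compile(r'"?(?P<exe>[a-z]:\\[^"]+?\.exe)', re.I)
IE_PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?P<proxy>\S+)", re.I)
FF_PREF_RE = re.compile(r"^FF - prefs\.js:\s*(?P<pref>\S+)\s*-\s*(?P<val>.*)$")

# Core Windows process names that only belong under the system directory.
SYSTEM_PROCESS_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "svchost.exe",
                        "winlogon.exe", "services.exe"}


def _directory(path: str) -> str:
    """Lower-case directory part of a Windows path."""
    return path.lower().rsplit("\\", 1)[0]


def triage(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (reason, line) pairs for entries that deserve a closer look."""
    findings: List[Tuple[str, str]] = []
    ff_prefs: Dict[str, str] = {}
    for line in lines:
        line = line.strip()
        ie = IE_PROXY_RE.search(line)
        if ie:
            findings.append((f"IE proxy configured ({ie.group('proxy')})", line))
            continue
        ff = FF_PREF_RE.match(line)
        if ff:
            ff_prefs[ff.group("pref")] = ff.group("val").strip()
            continue
        run = RUN_RE.match(line)
        if not run:
            continue
        cmd = run.group("cmd")
        dll = RUNDLL_RE.search(cmd)
        # Legitimate rundll32 autostarts load from system32; a DLL dropped directly
        # into c:\windows with a random name is the pattern seen in the log above.
        if dll and _directory(dll.group("dll")) == r"c:\windows":
            findings.append(("rundll32 loads a DLL from the Windows root, not system32", line))
            continue
        exe = EXE_RE.search(cmd)
        if exe:
            path = exe.group("exe").lower()
            base = path.rsplit("\\", 1)[-1]
            if base in SYSTEM_PROCESS_NAMES and (
                "\\application data\\" in path or "\\local settings\\" in path
            ):
                findings.append((f"system process name {base} running from a profile directory", line))
    # Firefox manual proxy: network.proxy.type 1 means it is in use; 0 means it is
    # configured but not active, which is still worth reporting during triage.
    if "network.proxy.http" in ff_prefs:
        host = ff_prefs["network.proxy.http"]
        port = ff_prefs.get("network.proxy.http_port", "?")
        state = "active" if ff_prefs.get("network.proxy.type") == "1" else "configured but not enabled"
        findings.append((f"Firefox HTTP proxy {host}:{port} ({state})", f"network.proxy.http - {host}"))
    return findings


if __name__ == "__main__":
    for reason, entry in triage(SAMPLE_LOG):
        print(f"{reason}\n    {entry}")
```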



#2 gringo_pr


Posted 12 September 2011 - 01:48 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool until instructed to do so!


Click on the Watch Topic button, select Immediate Notification and click on Proceed; this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 ptak30

  • Topic Starter

Posted 12 September 2011 - 04:19 AM

Hi, thanks for the quick reply.
I didn't realize that combofix would require a network connection. In order to prevent the vast number of involuntary connections I had disabled the network connection. I tried to re-enable while the combofix message was on (via Control Panel) but without success. Combofix then proceeded to do a scan and eventually produced its report. The symptoms are still there. A little after I restore the network connection to the router svchost spawns over and over again connections to all parts of the world, US, UK, Netherlands, Russia, Ukraine, etc.
Combofix report:
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"NVSvc"=c:\windows\SYSTEM32\NVSVC.EXE -runservice
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"AVP"="c:\program files\KASPERSKY LAB\KASPERSKY ANTI-VIRUS 6.0\AVP.EXE" -r
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\SYSTEM32\\mmc.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Ascaron Entertainment\\Sacred Underworld\\sacred.exe"=
"c:\\Program Files\\Ascaron Entertainment\\Sacred Underworld\\gameserver.exe"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2009.SP1\\RpcAgentSrv.exe"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2009.SP1\\WNt500x86\\RpcSandraSrv.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\Godwin\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
"AllowInboundTimestampRequest"= 1 (0x1)
"AllowInboundMaskRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)
"AllowOutboundDestinationUnreachable"= 1 (0x1)
"AllowOutboundSourceQuench"= 1 (0x1)
"AllowOutboundParameterProblem"= 1 (0x1)
"AllowOutboundTimeExceeded"= 1 (0x1)
"AllowRedirect"= 1 (0x1)
"AllowOutboundPacketTooBig"= 1 (0x1)
.
R1 SSHDRV79;SSHDRV79;c:\windows\SYSTEM32\DRIVERS\SSHDRV79.sys [18/05/2009 14:48 75264]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.SYS --> c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 13:16 130384]
S2 LANPkt;Realtek LANPkt Protocol;c:\windows\SYSTEM32\DRIVERS\LANPkt.sys [17/09/2003 16:57 8440]
S3 Diag69xp;Diag69xp;c:\windows\SYSTEM32\DRIVERS\diag69xp.sys [15/08/2003 03:55 11237]
S3 NetgearGA311;NETGEAR GA311 Gigabit Adapter Driver;c:\windows\SYSTEM32\DRIVERS\G311N6.sys [08/01/2008 17:58 70144]
S3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\SiSoftware\SiSoftware Sandra Lite 2009.SP1\RpcAgentSrv.exe [06/11/2008 18:15 98488]
S3 SIWIO;SIWIO; [x]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [29/12/2007 13:40 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 13:16 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
2008-04-14 04:42 73216 ----a-w- c:\progra~1\OUTLOO~1\setup50.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
2008-04-14 04:42 73216 ----a-w- c:\progra~1\OUTLOO~1\setup50.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
2008-04-14 04:42 73216 ----a-w- c:\progra~1\OUTLOO~1\setup50.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
2008-04-14 04:42 73216 ----a-w- c:\progra~1\OUTLOO~1\setup50.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
2008-04-14 04:42 73216 ----a-w- c:\progra~1\OUTLOO~1\setup50.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
2001-03-23 16:17 7168 ----a-w- c:\windows\SYSTEM32\updcrl.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-05 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1343024091-1788223648-725345543-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 02:02]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyServer = 0.0.0.0:80
TCP: Interfaces\{6AF1DAA6-8CFE-4C0D-B2B7-0F34901D012E}: NameServer = 208.67.222.222,208.67.220.220
Handler: amisie - {183A003A-3D01-4E94-A2C5-AD0108C68370} - c:\program files\AMIS\IeDtbPlugin.dll
DPF: DirectAnimation Java Classes
DPF: Microsoft XML Parser for Java
FF - ProfilePath - c:\documents and settings\Godwin\Application Data\Mozilla\Firefox\Profiles\1hvxpyvy.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1060933&SearchSource=3&q=
FF - prefs.js: browser.search.selectedEngine - Hotspot Shield Private Search
FF - prefs.js: browser.startup.homepage - hxxp://search.hotspotshield.com/g/?c=h
FF - prefs.js: keyword.URL - hxxp://search.hotspotshield.com/g/results.php?c=s&q=
FF - prefs.js: network.proxy.http - 192.104.67.250
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Kwixum - c:\windows\tmcmtip.dll
HKLM-Run-Myubetijokilomin - c:\windows\aqixayugupiditem.dll
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\SUPERAntiSpyware\SASSEH.DLL
Notify-!SASWinLogon - c:\program files\SUPERAntiSpyware\SASWINLO.DLL
MSConfigStartUp-Mp4 Player - c:\program files\Mp4 Player\Mp4Player.exe
HKLM_ActiveSetup-{44BBA851-CC51-11CF-AAFA-00AA00B6015C} - rundll32.exeadvpack.dll
AddRemove-Cool's_Codec_pack_4.12 - c:\windows\iun6002.exe
AddRemove-MidiNotate - c:\program files\Notation Software
AddRemove-{108A39BF-4ED1-4293-B11A-06BD521FB8F7} - c:\docume~1\ALLUSE~1\APPLIC~1\TARMAI~1\{108A3~1\Setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-12 09:41
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD1600AAJB-00PVA0 rev.00.07H00 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A8E931B
user & kernel MBR OK
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\$$$\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(364)
c:\windows\system32\WININET.dll
c:\program files\Citrix\GoToAssist\570\G2AWinLogon.dll
.
- - - - - - - > 'lsass.exe'(424)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(3432)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\wanmpsvc.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2011-09-12 09:47:19 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-12 08:47
.
Pre-Run: 83,481,227,264 bytes free
Post-Run: 83,517,706,240 bytes free
.
- - End Of File - - B9F4B9F84B94AC90400EA0972711E87C
I would add that after combofix had finished I found a new IE icon on my desktop, which I deleted.
Oh, where is the Watch this topic button? The only one I can find is an "unwatch" button.

#4 gringo_pr


Posted 12 September 2011 - 07:42 AM

Hello

I want you to run this tool for me next.

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo

#5 ptak30

  • Topic Starter

Posted 12 September 2011 - 12:15 PM

Hi,
Thank you, thank you, thank you!
TDSSKiller seems to have done the trick. Here is the log:

2011/09/12 16:33:34.0015 3956 TDSS rootkit removing tool 2.5.21.0 Sep 10 2011 21:07:05
2011/09/12 16:33:34.0156 3956 ================================================================================
2011/09/12 16:33:34.0156 3956 SystemInfo:
2011/09/12 16:33:34.0156 3956
2011/09/12 16:33:34.0156 3956 OS Version: 5.1.2600 ServicePack: 3.0
2011/09/12 16:33:34.0156 3956 Product type: Workstation
2011/09/12 16:33:34.0156 3956 ComputerName: CHELSEA
2011/09/12 16:33:34.0156 3956 UserName: Godwin
2011/09/12 16:33:34.0156 3956 Windows directory: C:\WINDOWS
2011/09/12 16:33:34.0156 3956 System windows directory: C:\WINDOWS
2011/09/12 16:33:34.0156 3956 Processor architecture: Intel x86
2011/09/12 16:33:34.0156 3956 Number of processors: 1
2011/09/12 16:33:34.0156 3956 Page size: 0x1000
2011/09/12 16:33:34.0156 3956 Boot type: Normal boot
2011/09/12 16:33:34.0156 3956 ================================================================================
2011/09/12 16:33:35.0312 3956 Initialize success
2011/09/12 16:33:38.0046 3348 ================================================================================
2011/09/12 16:33:38.0046 3348 Scan started
2011/09/12 16:33:38.0046 3348 Mode: Manual;
2011/09/12 16:33:38.0046 3348 ================================================================================
2011/09/12 16:33:48.0562 3348 MBR (0x1B8) (e3cabc1bd79a4b89e16026c7c2e46c9e) \Device\Harddisk0\DR0
2011/09/12 16:33:48.0562 3348 \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/09/12 16:33:48.0578 3348 Boot (0x1200) (ff52a03c47c6a051848b7d69702f0e51) \Device\Harddisk0\DR0\Partition0
2011/09/12 16:33:48.0593 3348 ================================================================================
2011/09/12 16:33:48.0593 3348 Scan finished
2011/09/12 16:33:48.0593 3348 ================================================================================
2011/09/12 16:33:48.0609 3020 Detected object count: 1
2011/09/12 16:33:48.0609 3020 Actual detected object count: 1
2011/09/12 16:34:02.0765 3020 \Device\Harddisk0\DR0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/09/12 16:34:02.0765 3020 \Device\Harddisk0\DR0 - ok
2011/09/12 16:34:02.0765 3020 Rootkit.Win32.TDSS.tdl4(\Device\Harddisk0\DR0) - User select action: Cure
2011/09/12 16:34:06.0406 2784 Deinitialize success

I've downloaded Kaspersky 2012 to replace the Comodo that I'd previously removed.
Once again my thanks for all your help.
Regards
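
The TDSSKiller log above has a fixed shape (timestamp, thread id, then a driver or disk record, a "- detected" line, or an outcome line), which makes it easy to check mechanically whether the tool's own tally matches the detections it listed and whether a reboot is still pending. The parser below is an added example written for this thread, not TDSSKiller's code; its sample input is constructed to mirror the posted log, with placeholder hashes for the benign drivers.

```python
"""Parse a TDSSKiller log and summarise what it found.

Added example for this thread, not TDSSKiller's own code. The line layout is
taken from the log posted above: timestamp, thread id, then one of a driver
record "Name (md5) path", a disk record "MBR (0x1B8) (md5) \\Device\\...",
a "- detected <threat>" line, or an outcome/action line for a threat.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample modelled on the posted log. The benign driver hashes are
# placeholders; the MBR/Boot records and the detection lines are as posted.
SAMPLE_LOG = r"""
2011/09/12 16:33:38.0046 3348 Scan started
2011/09/12 16:33:38.0046 3348 Mode: Manual;
2011/09/12 16:33:39.0171 3348 ACPI (00000000000000000000000000000001) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/09/12 16:33:47.0125 3348 Tcpip (00000000000000000000000000000002) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/09/12 16:33:48.0562 3348 MBR (0x1B8) (e3cabc1bd79a4b89e16026c7c2e46c9e) \Device\Harddisk0\DR0
2011/09/12 16:33:48.0562 3348 \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/09/12 16:33:48.0578 3348 Boot (0x1200) (ff52a03c47c6a051848b7d69702f0e51) \Device\Harddisk0\DR0\Partition0
2011/09/12 16:33:48.0593 3348 Scan finished
2011/09/12 16:33:48.0609 3020 Detected object count: 1
2011/09/12 16:34:02.0765 3020 \Device\Harddisk0\DR0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/09/12 16:34:02.0765 3020 \Device\Harddisk0\DR0 - ok
2011/09/12 16:34:02.0765 3020 Rootkit.Win32.TDSS.tdl4(\Device\Harddisk0\DR0) - User select action: Cure
"""

LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4}) (\d+) (.*)$")
# "ACPI (md5) path" for drivers, "MBR (0x1B8) (md5) \Device\..." for raw disk records
OBJECT_RE = re.compile(
    r"^(?P<name>\S+)(?: \((?P<kind>0x[0-9A-Fa-f]+)\))? \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
DETECT_RE = re.compile(r"^(?P<obj>\S+) - detected (?P<threat>\S+)")
OUTCOME_RE = re.compile(r"^(?P<obj>\S+) \((?P<threat>[^)]+)\) - (?P<outcome>.+)$")
ACTION_RE = re.compile(r"^(?P<threat>[^\s(]+)\((?P<obj>[^)]+)\) - User select action: (?P<action>\w+)$")
COUNT_RE = re.compile(r"^Detected object count: (\d+)$")


@dataclass
class ScanObject:
    name: str
    md5: str
    path: str
    kind: Optional[str] = None  # offset/size tag present only on MBR/Boot records


@dataclass
class ScanSummary:
    objects: dict = field(default_factory=dict)     # name -> ScanObject
    detections: list = field(default_factory=list)  # (object, threat) pairs
    outcomes: dict = field(default_factory=dict)    # object -> outcome text
    actions: dict = field(default_factory=dict)     # object -> action the user chose
    declared_count: Optional[int] = None            # the tool's own tally


def parse_tdsskiller_log(text: str) -> ScanSummary:
    summary = ScanSummary()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # banners, blank lines and header-only lines carry no record
        msg = m.group(3)
        if (c := COUNT_RE.match(msg)):
            summary.declared_count = int(c.group(1))
        elif (d := DETECT_RE.match(msg)):
            summary.detections.append((d["obj"], d["threat"]))
        elif (o := OUTCOME_RE.match(msg)):
            summary.outcomes[o["obj"]] = o["outcome"]
        elif (a := ACTION_RE.match(msg)):
            summary.actions[a["obj"]] = a["action"]
        elif (s := OBJECT_RE.match(msg)):
            summary.objects[s["name"]] = ScanObject(s["name"], s["md5"], s["path"], s["kind"])
    return summary


def counts_consistent(summary: ScanSummary) -> bool:
    """The tool's own tally should equal the number of '- detected' lines."""
    return summary.declared_count == len(summary.detections)


def needs_reboot(summary: ScanSummary) -> bool:
    """Disk-level cures (MBR / boot sector) are only applied on the next boot."""
    return any("after reboot" in o for o in summary.outcomes.values())


def disk_level_detections(summary: ScanSummary) -> list:
    """Detections on a raw disk device rather than a file: a TDL4-style hit
    lives in the MBR, so there is no driver file to delete."""
    return [(obj, t) for obj, t in summary.detections if obj.startswith(r"\Device\Harddisk")]


def report(summary: ScanSummary) -> str:
    lines = [f"scanned objects: {len(summary.objects)}",
             f"detections: {len(summary.detections)} (tool says {summary.declared_count})"]
    for obj, threat in summary.detections:
        lines.append(f"  {threat} on {obj}: {summary.outcomes.get(obj, 'no outcome logged')}"
                     f", action={summary.actions.get(obj, '?')}")
    if needs_reboot(summary):
        lines.append("reboot required to complete the cure")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(parse_tdsskiller_log(SAMPLE_LOG)))
```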

#6 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 12 September 2011 - 12:51 PM

Hello


We are not done yet. I want you to rerun ComboFix for me now.


gringo

#7 ptak30

  • Topic Starter
  • Members
  • 27 posts

Posted 12 September 2011 - 03:09 PM

Hi,
Ran ComboFix as asked.
Log file:
ComboFix 11-09-12.02 - Godwin 12/09/2011 20:55:17.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2047.1588 [GMT 1:00]
Running from: c:\documents and settings\Godwin\Desktop\ComboFix.exe
AV: Kaspersky Internet Security *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *Disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Godwin\Local Settings\Application Data\{EC780376-A2B5-46F6-991F-E33571800E5A}
c:\documents and settings\Godwin\Local Settings\Application Data\{EC780376-A2B5-46F6-991F-E33571800E5A}\chrome.manifest
c:\documents and settings\Godwin\Local Settings\Application Data\{EC780376-A2B5-46F6-991F-E33571800E5A}\chrome\content\_cfg.js
c:\documents and settings\Godwin\Local Settings\Application Data\{EC780376-A2B5-46F6-991F-E33571800E5A}\chrome\content\overlay.xul
c:\documents and settings\Godwin\Local Settings\Application Data\{EC780376-A2B5-46F6-991F-E33571800E5A}\install.rdf
.
.
((((((((((((((((((((((((( Files Created from 2011-08-12 to 2011-09-12 )))))))))))))))))))))))))))))))
.
.
2011-09-12 16:58 . 2011-09-12 17:20 97961 ----a-w- c:\windows\system32\drivers\klick.dat
2011-09-12 16:58 . 2011-09-12 17:20 115369 ----a-w- c:\windows\system32\drivers\klin.dat
2011-09-12 16:57 . 2011-09-12 16:58 -------- d-----w- c:\windows\LastGood
2011-09-11 09:48 . 2011-09-12 07:19 0 ----a-w- c:\windows\Yhocuzaruqehisuk.bin
2011-09-11 09:43 . 2011-09-11 09:46 -------- d-----w- c:\documents and settings\Godwin\Application Data\Vuwesoo
2011-09-11 09:43 . 2011-09-11 11:16 -------- d-----w- c:\documents and settings\Godwin\Application Data\Bos
2011-09-11 09:18 . 2011-09-11 09:18 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-09-11 09:17 . 2011-09-11 11:19 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-09-11 07:21 . 2011-09-11 07:21 388096 ----a-r- c:\documents and settings\Godwin\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-09-10 07:55 . 2011-09-10 07:55 -------- d-----w- c:\program files\RADVideo
2011-09-07 14:29 . 2011-09-07 14:34 -------- d-----w- c:\program files\Simple Spreadsheet
2011-09-03 10:17 . 2011-09-03 10:17 599040 ------w- c:\windows\system32\dllcache\crypt32.dll
2011-08-26 11:38 . 2011-08-26 11:38 -------- d-----w- c:\documents and settings\Godwin\Application Data\FastStone
2011-08-26 11:36 . 2011-08-26 11:36 -------- d-----w- c:\program files\FastStone Image Viewer
2011-08-20 19:45 . 2011-08-20 19:48 -------- d-----w- c:\documents and settings\Godwin\Application Data\Wise Registry Cleaner
2011-08-20 19:44 . 2011-09-06 13:34 -------- d-----w- c:\program files\Wise Registry Cleaner
2011-08-18 19:39 . 2011-08-18 19:40 -------- d-----w- c:\program files\Registry Patrol
2011-08-18 11:56 . 2011-08-18 11:56 -------- d-----w- c:\program files\FoxTabVideoConverter
2011-08-18 11:32 . 2011-08-18 11:32 -------- d-----w- c:\program files\Virtua
2011-08-17 20:58 . 2011-08-17 20:58 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2011-08-17 20:45 . 2011-08-17 20:45 -------- d-----w- c:\program files\UMPlayer
2011-08-17 20:45 . 2011-08-17 20:45 -------- d-----w- c:\documents and settings\Godwin\.umplayer
2011-08-17 18:01 . 2011-08-17 18:01 -------- d-----w- c:\documents and settings\Godwin\Local Settings\Application Data\MPlayer
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-03 10:17 . 2007-12-29 12:38 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-08-12 06:29 . 2011-06-12 07:52 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-15 13:29 . 2008-09-04 07:01 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2008-09-04 07:01 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10 . 2008-09-04 07:01 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36 . 2007-12-29 12:40 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36 . 2007-12-29 12:39 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36 . 2007-12-29 12:39 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05 . 2007-12-29 12:38 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2007-12-29 12:40 293376 ----a-w- c:\windows\system32\winsrv.dll
2008-08-04 15:22 . 2008-08-04 15:21 2788800 ----a-w- c:\program files\FLV PlayerFCSetup.exe
2007-12-10 17:40 . 2007-12-10 17:40 6275816 ----a-w- c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll
2011-09-07 08:59 . 2011-03-23 17:30 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
@="{7D688A77-C613-11D0-999B-00C04FD655E1}"
[HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
2011-01-21 14:44 8462336 ----a-w- c:\windows\SYSTEM32\shell32.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-10-29 4620288]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-10-27 202256]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2012\avp.exe" [2011-04-24 202296]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Printing Migration"="c:\windows\system32\spool\migrate.dll" [2004-08-04 30208]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
GA311 Smart Wizard Utility.lnk - c:\program files\NETGEAR GA311 Adapter\GA311.exe [2003-11-6 270336]
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2008-3-4 114688]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoCustomizeWebView"= 1 (0x1)
"<NO NAME>"= 00000000
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoCustomizeWebView"= 1 (0x1)
"<NO NAME>"= 00000000
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2010-09-24 07:59 16680 ----a-w- c:\program files\Citrix\GoToAssist\570\g2awinlogon.dll
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2008-04-14 04:42 15360 ----a-w- c:\windows\SYSTEM32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
2008-05-02 04:15 15872 ----a-w- c:\program files\Unlocker\UnlockerAssistant.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"nwiz"=nwiz.exe /install
"Jet Detection"=c:\program files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
"Tweak UI"=RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
"StillImageMonitor"=c:\windows\SYSTEM32\STIMON.EXE
"HPDJ Taskbar Utility"=c:\windows\SYSTEM32\hpztsb04.exe
"NvCplDaemon"=RUNDLL32.EXE c:\windows\SYSTEM32\nvcpl.dll,NvStartup
"NvMediaCenter"=RUNDLL32.EXE c:\windows\SYSTEM32\NVMCTRAY.DLL,NvTaskbarInit
"ICSDCLT"=c:\windows\SYSTEM32\RUNDLL32.EXE c:\windows\SYSTEM32\ICSDCLT.DLL,ICSClient
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"CreateCD50"=c:\progra~1\COMMON~1\ADAPTE~1\CREATECD\CREATE~1.EXE -r
"SoundMan"=SOUNDMAN.EXE
"LexStart"=lexstart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"NVSvc"=c:\windows\SYSTEM32\NVSVC.EXE -runservice
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"AVP"="c:\program files\KASPERSKY LAB\KASPERSKY ANTI-VIRUS 6.0\AVP.EXE" -r
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\SYSTEM32\\mmc.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Ascaron Entertainment\\Sacred Underworld\\sacred.exe"=
"c:\\Program Files\\Ascaron Entertainment\\Sacred Underworld\\gameserver.exe"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2009.SP1\\RpcAgentSrv.exe"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2009.SP1\\WNt500x86\\RpcSandraSrv.exe"=
"c:\\Documents and Settings\\Godwin\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
"AllowInboundTimestampRequest"= 1 (0x1)
"AllowInboundMaskRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)
"AllowOutboundDestinationUnreachable"= 1 (0x1)
"AllowOutboundSourceQuench"= 1 (0x1)
"AllowOutboundParameterProblem"= 1 (0x1)
"AllowOutboundTimeExceeded"= 1 (0x1)
"AllowRedirect"= 1 (0x1)
"AllowOutboundPacketTooBig"= 1 (0x1)
.
R1 kl2;kl2;c:\windows\SYSTEM32\DRIVERS\kl2.sys [04/03/2011 13:23 11352]
R1 SSHDRV79;SSHDRV79;c:\windows\SYSTEM32\DRIVERS\SSHDRV79.sys [18/05/2009 14:48 75264]
R2 LANPkt;Realtek LANPkt Protocol;c:\windows\SYSTEM32\DRIVERS\LANPkt.sys [17/09/2003 16:57 8440]
R3 Diag69xp;Diag69xp;c:\windows\SYSTEM32\DRIVERS\diag69xp.sys [15/08/2003 03:55 11237]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\SYSTEM32\DRIVERS\klim5.sys [10/03/2011 18:34 34608]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.SYS --> c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 13:16 130384]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\SYSTEM32\DRIVERS\klmouflt.sys [02/11/2009 20:27 19472]
S3 NetgearGA311;NETGEAR GA311 Gigabit Adapter Driver;c:\windows\SYSTEM32\DRIVERS\G311N6.sys [08/01/2008 17:58 70144]
S3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\SiSoftware\SiSoftware Sandra Lite 2009.SP1\RpcAgentSrv.exe [06/11/2008 18:15 98488]
S3 SIWIO;SIWIO; [x]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [29/12/2007 13:40 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 13:16 753504]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - AVP
*NewlyCreated* - KL1
*NewlyCreated* - KL2
*NewlyCreated* - KLIF
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
2008-04-14 04:42 73216 ----a-w- c:\progra~1\OUTLOO~1\setup50.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
2008-04-14 04:42 73216 ----a-w- c:\progra~1\OUTLOO~1\setup50.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
2008-04-14 04:42 73216 ----a-w- c:\progra~1\OUTLOO~1\setup50.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
2008-04-14 04:42 73216 ----a-w- c:\progra~1\OUTLOO~1\setup50.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
2008-04-14 04:42 73216 ----a-w- c:\progra~1\OUTLOO~1\setup50.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
2001-03-23 16:17 7168 ----a-w- c:\windows\SYSTEM32\updcrl.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-12 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1343024091-1788223648-725345543-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 02:02]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyServer = 0.0.0.0:80
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{6AF1DAA6-8CFE-4C0D-B2B7-0F34901D012E}: NameServer = 208.67.222.222,208.67.220.220
Handler: amisie - {183A003A-3D01-4E94-A2C5-AD0108C68370} - c:\program files\AMIS\IeDtbPlugin.dll
DPF: DirectAnimation Java Classes
DPF: Microsoft XML Parser for Java
FF - ProfilePath - c:\documents and settings\Godwin\Application Data\Mozilla\Firefox\Profiles\1hvxpyvy.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1060933&SearchSource=3&q=
FF - prefs.js: browser.search.selectedEngine - Hotspot Shield Private Search
FF - prefs.js: browser.startup.homepage - hxxp://search.hotspotshield.com/g/?c=h
FF - prefs.js: keyword.URL - hxxp://search.hotspotshield.com/g/results.php?c=s&q=
FF - prefs.js: network.proxy.http - 192.104.67.250
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-12 21:00
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\$$$\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(428)
c:\program files\Citrix\GoToAssist\570\G2AWinLogon.dll
.
Completion time: 2011-09-12 21:02:52
ComboFix-quarantined-files.txt 2011-09-12 20:02
ComboFix2.txt 2011-09-12 08:47
.
Pre-Run: 82,601,914,368 bytes free
Post-Run: 82,788,724,736 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout = 30
default = multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS = "Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 23F959770996919947816590AC3DBD6D
Regards

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:28 PM

Posted 12 September 2011 - 05:19 PM

Greetings

Good. That cleaned up some bad guys, but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

File::
c:\windows\Yhocuzaruqehisuk.bin

Folder::
c:\documents and settings\Godwin\Application Data\Vuwesoo
c:\documents and settings\Godwin\Application Data\Bos

Firefox::
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1060933&SearchSource=3&q=
FF - prefs.js: browser.search.selectedEngine - Hotspot Shield Private Search
FF - prefs.js: browser.startup.homepage - hxxp://search.hotspotshield.com/g/?c=h
FF - prefs.js: keyword.URL - hxxp://search.hotspotshield.com/g/results.php?c=s&q=


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 ptak30

ptak30
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:08:28 PM

Posted 13 September 2011 - 03:01 AM

Hi,
The first time I ran the text in combofix, it (the PC) froze and combofix didn't get to its blue screen. I couldn't reboot the PC using Windows and had to use a mechanical reboot. Since then all restarts have brought up the recovery console - how do I get rid of it?
The second time I ran the script in combofix it went through OK. I think it may have been because I disabled Kaspersky before I started combofix. The previous time combofix asked me to disable it - which I did.
I have a supplementary question. When I first started this quest I had to use the 2nd PC on my home network (there are only 2) to access this forum and do the downloads. Using the shared folder I was able to transfer the software to the infected PC to run the fixes and then transfer the logs back to access the forum again. Each time I only opened the network momentarily on the infected PC and disabled its network connection after acquisition. Should I run dds etc on the 2nd PC?
Here is the latest combofix log
ComboFix 11-09-12.05 - Godwin 13/09/2011 8:23.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2047.1683 [GMT 1:00]
Running from: c:\documents and settings\Godwin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Godwin\Desktop\CFscript.txt
AV: Kaspersky Internet Security *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *Disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
FILE ::
"c:\windows\Yhocuzaruqehisuk.bin"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Godwin\Application Data\Bos
c:\documents and settings\Godwin\Application Data\Vuwesoo
c:\windows\Yhocuzaruqehisuk.bin
.
.
((((((((((((((((((((((((( Files Created from 2011-08-13 to 2011-09-13 )))))))))))))))))))))))))))))))
.
.
2011-09-12 16:58 . 2011-09-12 17:20 97961 ----a-w- c:\windows\system32\drivers\klick.dat
2011-09-12 16:58 . 2011-09-12 17:20 115369 ----a-w- c:\windows\system32\drivers\klin.dat
2011-09-11 09:18 . 2011-09-11 09:18 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-09-11 09:17 . 2011-09-11 11:19 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-09-11 07:21 . 2011-09-11 07:21 388096 ----a-r- c:\documents and settings\Godwin\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-09-10 07:55 . 2011-09-10 07:55 -------- d-----w- c:\program files\RADVideo
2011-09-07 14:29 . 2011-09-07 14:34 -------- d-----w- c:\program files\Simple Spreadsheet
2011-09-03 10:17 . 2011-09-03 10:17 599040 ------w- c:\windows\system32\dllcache\crypt32.dll
2011-08-26 11:38 . 2011-08-26 11:38 -------- d-----w- c:\documents and settings\Godwin\Application Data\FastStone
2011-08-26 11:36 . 2011-08-26 11:36 -------- d-----w- c:\program files\FastStone Image Viewer
2011-08-20 19:45 . 2011-08-20 19:48 -------- d-----w- c:\documents and settings\Godwin\Application Data\Wise Registry Cleaner
2011-08-20 19:44 . 2011-09-06 13:34 -------- d-----w- c:\program files\Wise Registry Cleaner
2011-08-18 19:39 . 2011-08-18 19:40 -------- d-----w- c:\program files\Registry Patrol
2011-08-18 11:56 . 2011-08-18 11:56 -------- d-----w- c:\program files\FoxTabVideoConverter
2011-08-18 11:32 . 2011-08-18 11:32 -------- d-----w- c:\program files\Virtua
2011-08-17 20:58 . 2011-08-17 20:58 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2011-08-17 20:45 . 2011-08-17 20:45 -------- d-----w- c:\program files\UMPlayer
2011-08-17 20:45 . 2011-08-17 20:45 -------- d-----w- c:\documents and settings\Godwin\.umplayer
2011-08-17 18:01 . 2011-08-17 18:01 -------- d-----w- c:\documents and settings\Godwin\Local Settings\Application Data\MPlayer
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-03 10:17 . 2007-12-29 12:38 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-08-12 06:29 . 2011-06-12 07:52 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-15 13:29 . 2008-09-04 07:01 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2008-09-04 07:01 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10 . 2008-09-04 07:01 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36 . 2007-12-29 12:40 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36 . 2007-12-29 12:39 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36 . 2007-12-29 12:39 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05 . 2007-12-29 12:38 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2007-12-29 12:40 293376 ----a-w- c:\windows\system32\winsrv.dll
2008-08-04 15:22 . 2008-08-04 15:21 2788800 ----a-w- c:\program files\FLV PlayerFCSetup.exe
2007-12-10 17:40 . 2007-12-10 17:40 6275816 ----a-w- c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll
2011-09-07 08:59 . 2011-03-23 17:30 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
@="{7D688A77-C613-11D0-999B-00C04FD655E1}"
[HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
2011-01-21 14:44 8462336 ----a-w- c:\windows\SYSTEM32\shell32.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-10-29 4620288]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-10-27 202256]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2012\avp.exe" [2011-04-24 202296]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Printing Migration"="c:\windows\system32\spool\migrate.dll" [2004-08-04 30208]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
GA311 Smart Wizard Utility.lnk - c:\program files\NETGEAR GA311 Adapter\GA311.exe [2003-11-6 270336]
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2008-3-4 114688]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoCustomizeWebView"= 1 (0x1)
"<NO NAME>"= 00000000
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoCustomizeWebView"= 1 (0x1)
"<NO NAME>"= 00000000
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2010-09-24 07:59 16680 ----a-w- c:\program files\Citrix\GoToAssist\570\g2awinlogon.dll
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2008-04-14 04:42 15360 ----a-w- c:\windows\SYSTEM32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
2008-05-02 04:15 15872 ----a-w- c:\program files\Unlocker\UnlockerAssistant.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"nwiz"=nwiz.exe /install
"Jet Detection"=c:\program files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
"Tweak UI"=RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
"StillImageMonitor"=c:\windows\SYSTEM32\STIMON.EXE
"HPDJ Taskbar Utility"=c:\windows\SYSTEM32\hpztsb04.exe
"NvCplDaemon"=RUNDLL32.EXE c:\windows\SYSTEM32\nvcpl.dll,NvStartup
"NvMediaCenter"=RUNDLL32.EXE c:\windows\SYSTEM32\NVMCTRAY.DLL,NvTaskbarInit
"ICSDCLT"=c:\windows\SYSTEM32\RUNDLL32.EXE c:\windows\SYSTEM32\ICSDCLT.DLL,ICSClient
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"CreateCD50"=c:\progra~1\COMMON~1\ADAPTE~1\CREATECD\CREATE~1.EXE -r
"SoundMan"=SOUNDMAN.EXE
"LexStart"=lexstart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"NVSvc"=c:\windows\SYSTEM32\NVSVC.EXE -runservice
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"AVP"="c:\program files\KASPERSKY LAB\KASPERSKY ANTI-VIRUS 6.0\AVP.EXE" -r
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\SYSTEM32\\mmc.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Ascaron Entertainment\\Sacred Underworld\\sacred.exe"=
"c:\\Program Files\\Ascaron Entertainment\\Sacred Underworld\\gameserver.exe"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2009.SP1\\RpcAgentSrv.exe"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2009.SP1\\WNt500x86\\RpcSandraSrv.exe"=
"c:\\Documents and Settings\\Godwin\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
"AllowInboundTimestampRequest"= 1 (0x1)
"AllowInboundMaskRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)
"AllowOutboundDestinationUnreachable"= 1 (0x1)
"AllowOutboundSourceQuench"= 1 (0x1)
"AllowOutboundParameterProblem"= 1 (0x1)
"AllowOutboundTimeExceeded"= 1 (0x1)
"AllowRedirect"= 1 (0x1)
"AllowOutboundPacketTooBig"= 1 (0x1)
.
R1 kl2;kl2;c:\windows\SYSTEM32\DRIVERS\kl2.sys [04/03/2011 13:23 11352]
R1 SSHDRV79;SSHDRV79;c:\windows\SYSTEM32\DRIVERS\SSHDRV79.sys [18/05/2009 14:48 75264]
R2 LANPkt;Realtek LANPkt Protocol;c:\windows\SYSTEM32\DRIVERS\LANPkt.sys [17/09/2003 16:57 8440]
R3 Diag69xp;Diag69xp;c:\windows\SYSTEM32\DRIVERS\diag69xp.sys [15/08/2003 03:55 11237]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\SYSTEM32\DRIVERS\klim5.sys [10/03/2011 18:34 34608]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\SYSTEM32\DRIVERS\klmouflt.sys [02/11/2009 20:27 19472]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.SYS --> c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 13:16 130384]
S3 NetgearGA311;NETGEAR GA311 Gigabit Adapter Driver;c:\windows\SYSTEM32\DRIVERS\G311N6.sys [08/01/2008 17:58 70144]
S3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\SiSoftware\SiSoftware Sandra Lite 2009.SP1\RpcAgentSrv.exe [06/11/2008 18:15 98488]
S3 SIWIO;SIWIO; [x]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [29/12/2007 13:40 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 13:16 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
2008-04-14 04:42 73216 ----a-w- c:\progra~1\OUTLOO~1\setup50.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
2008-04-14 04:42 73216 ----a-w- c:\progra~1\OUTLOO~1\setup50.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
2008-04-14 04:42 73216 ----a-w- c:\progra~1\OUTLOO~1\setup50.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
2008-04-14 04:42 73216 ----a-w- c:\progra~1\OUTLOO~1\setup50.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
2008-04-14 04:42 73216 ----a-w- c:\progra~1\OUTLOO~1\setup50.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
2001-03-23 16:17 7168 ----a-w- c:\windows\SYSTEM32\updcrl.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-12 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1343024091-1788223648-725345543-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 02:02]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyServer = 0.0.0.0:80
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{6AF1DAA6-8CFE-4C0D-B2B7-0F34901D012E}: NameServer = 208.67.222.222,208.67.220.220
Handler: amisie - {183A003A-3D01-4E94-A2C5-AD0108C68370} - c:\program files\AMIS\IeDtbPlugin.dll
DPF: DirectAnimation Java Classes
DPF: Microsoft XML Parser for Java
FF - ProfilePath - c:\documents and settings\Godwin\Application Data\Mozilla\Firefox\Profiles\1hvxpyvy.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1060933&SearchSource=3&q=
FF - prefs.js: browser.search.selectedEngine - Hotspot Shield Private Search
FF - prefs.js: browser.startup.homepage - hxxp://search.hotspotshield.com/g/?c=h
FF - prefs.js: keyword.URL - hxxp://search.hotspotshield.com/g/results.php?c=s&q=
FF - prefs.js: network.proxy.http - 192.104.67.250
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-13 08:31
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\$$$\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(712)
c:\program files\Citrix\GoToAssist\570\G2AWinLogon.dll
.
Completion time: 2011-09-13 08:33:22
ComboFix-quarantined-files.txt 2011-09-13 07:33
ComboFix2.txt 2011-09-12 20:02
ComboFix3.txt 2011-09-12 08:47
.
Pre-Run: 82,732,089,344 bytes free
Post-Run: 82,745,602,048 bytes free
.
- - End Of File - - E59D0C8B48DAB80E05BE53BD969FD9C6

Regards

#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:28 PM

Posted 13 September 2011 - 09:52 AM

These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

1. click on start
2. then go to settings
3. after that you need control panel
4. look for the icon add/remove programs
click on the following programs

Adobe Reader 9.4.5

and click on remove

Update Adobe Reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader(7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing Foxit Reader, be careful not to install anything to do with AskBar.
Your Java is out of date.

It can be updated by the Java control panel
  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup) -> Update Tab -> Update Now.
  • An update should begin;
  • follow the prompts

Clear your Java Cache

  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

If you have problems running Hijackthis.

Sometimes we have to run it like this. To run HijackThis as an administrator,
right-click HijackThis.exe (located at C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)
and select Run as administrator.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo


#11 ptak30

ptak30
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:08:28 PM

Posted 13 September 2011 - 10:40 AM

Hi,
I'm having a problem with Java. It said it had updated but clicking on the icon in Control Panel to clear the cache did nothing. I thought I would remove Java completely and reinstall from the net. However it won't uninstall - keeps coming back with Internal Error 2753 regutils.dll.
What do I do next, please?

#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:28 PM

Posted 13 September 2011 - 10:47 AM

Hello

run this first

:Run JavaRa

  • Please download JavaRa and unzip it to your desktop.
  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location.



Install Java:

Please go here to install Java

  • click on the Free Java Download Button
  • click on Agree and start Free download
  • click on Run
  • click on run again
  • click on install
  • when install is complete click on close


#13 ptak30

ptak30
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:08:28 PM

Posted 13 September 2011 - 12:10 PM

Hi,
JavaRa threw an error message the first time but went through OK the 2nd time. I installed the latest version and this time clicking on the icon in Control Panel worked as per your instructions. For some reason my copy of MBAM had vanished so I downloaded and installed it again.
Log from MBAM:

Objects scanned: 173553
Time elapsed: 3 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Log from HijackThis:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 17:33:31, on 13/09/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2012\avp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2012\avp.exe
C:\Program Files\NETGEAR GA311 Adapter\GA311.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0:80
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2012\ievkbd.dll
O2 - BHO: NOW!Imaging - {9AA2F14F-E956-44B8-8694-A5B615CDF341} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2012\klwtbbho.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2012\avp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [Printing Migration] rundll32.exe C:\WINDOWS\system32\spool\migrate.dll,ProcessWin9xNetworkPrinters (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [Printing Migration] rundll32.exe C:\WINDOWS\system32\spool\migrate.dll,ProcessWin9xNetworkPrinters (User 'Default user')
O4 - Global Startup: GA311 Smart Wizard Utility.lnk = C:\Program Files\NETGEAR GA311 Adapter\GA311.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2012\ie_banner_deny.htm
O9 - Extra button: &Virtual Keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2012\ievkbd.dll
O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2012\klwtbbho.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: PDFill PDF Editor - {FB858B22-55E2-413f-87F5-30ADC5552151} - C:\Program Files\PlotSoft\PDFill\DownloadPDF.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1198942325062
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{6AF1DAA6-8CFE-4C0D-B2B7-0F34901D012E}: NameServer = 208.67.222.222,208.67.220.220
O18 - Protocol: amisie - {183A003A-3D01-4E94-A2C5-AD0108C68370} - C:\Program Files\AMIS\IeDtbPlugin.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\570\G2AWinLogon.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Kaspersky Anti-Virus Service (AVP) - Kaspersky Lab ZAO - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2012\avp.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\570\g2aservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2009.SP1\RpcAgentSrv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 6773 bytes

This computer seems to have stopped making all the connections it was making. Now Kaspersky seems to be running a small botnet. I have noticed that I no longer have the same search facility over my C: drive that I used to have with the little dog. All I get when I right click on the C:drive and choose search is the ability to search the desktop or the web (and no little dog). The 2nd PC seems to be OK.
Regards

Edited by ptak30, 13 September 2011 - 12:11 PM.


#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:04:28 PM

Posted 13 September 2011 - 12:35 PM

Greetings

I have noticed that I no longer have the same search facility over my C: drive that I used to have with the little dog. All I get when I right click on the C:drive and choose search is the ability to search the desktop or the web (and no little dog)

Look at the bottom left; there should be something like "click to use search companion".



These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded startup entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to; you can start any of them by clicking their icons (or from the Control Panel) when you need them. By stopping these programs you will boot up faster and your computer will work faster.

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

      O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
      O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
      O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
      O4 - HKUS\S-1-5-18\..\RunOnce: [Printing Migration] rundll32.exe C:\WINDOWS\system32\spool\migrate.dll,ProcessWin9xNetworkPrinters (User 'SYSTEM')
      O4 - HKUS\.DEFAULT\..\RunOnce: [Printing Migration] rundll32.exe C:\WINDOWS\system32\spool\migrate.dll,ProcessWin9xNetworkPrinters (User 'Default user')
      O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE** You can research each of those lines >here< and see if you want to keep them or not.
    Just copy the name between the brackets and paste it into the search space, e.g. for
    O4 - HKLM\..\Run: [IntelliPoint]



If you have any problems running HijackThis, sometimes we have to run it like this. To run HijackThis as an administrator,
right-click HijackThis.exe (located at C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)
and select "Run as administrator".


Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan - on Vista and Win 7, right-click the IE shortcut and run as admin.

Go to the ESET web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the ActiveX control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Click on copy to clipboard and paste the results here in this topic
  • You may also find the log here: C:\Program Files\Eset\Eset Online Scanner\log.txt
Copy and paste that log as a reply to this topic

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
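As an added example (my own code, not part of HijackThis or of this thread): a small parser for the "O4" startup-entry lines in the HijackThis log quoted above, which breaks each line into where it lives (Run/RunOnce key, the user it belongs to, or a Startup folder), the bracketed name you are told to research, and the file that actually gets loaded (for rundll32 entries, the DLL rather than rundll32.exe). The field names and helper functions are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Registry-based O4 lines: "O4 - HKLM\..\Run: [Name] command (User 'x')"
O4_REGISTRY = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\"
    r"(?P<key>Run|RunOnce|RunServices|RunServicesOnce): "
    r"\[(?P<name>[^\]]+)\] (?P<command>.*?)(?: \(User '(?P<user>[^']+)'\))?$"
)
# Startup-folder O4 lines: "O4 - Global Startup: Name.lnk = target"
O4_STARTUP = re.compile(
    r"^O4 - (?P<folder>Global Startup|Startup): (?P<name>.+?\.lnk) = (?P<command>.+)$"
)

@dataclass
class StartupEntry:
    location: str          # e.g. r"HKLM\Run" or "Global Startup"
    name: str              # the bracketed value name (what you search for)
    command: str           # command line exactly as logged
    target: str            # file that really gets loaded at boot
    user: Optional[str] = None  # SYSTEM / Default user, when HJT says so

def split_command(command: str):
    """Return (executable, arguments); honours a quoted executable path."""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end], command[end + 1:].strip()
    head, _, rest = command.partition(" ")
    return head, rest.strip()

def target_path(command: str) -> str:
    """The DLL for rundll32 lines, otherwise the executable itself."""
    exe, args = split_command(command)
    if exe.lower().endswith("rundll32.exe"):
        # rundll32 syntax is "<dll>,<entrypoint>"; assumes an unquoted DLL
        # path without spaces, as in the XP lines above.
        return args.split(",", 1)[0]
    return exe

def parse_o4(line: str) -> Optional[StartupEntry]:
    """Parse one O4 line; returns None for any other HijackThis line."""
    m = O4_REGISTRY.match(line.strip())
    if m:
        return StartupEntry(f"{m['hive']}\\{m['key']}", m["name"], m["command"],
                            target_path(m["command"]), m["user"])
    m = O4_STARTUP.match(line.strip())
    if m:  # the logged "command" is the shortcut target path, spaces included
        return StartupEntry(m["folder"], m["name"], m["command"], m["command"])
    return None

def parse_o4_log(text: str) -> List[StartupEntry]:
    """Collect every O4 entry from a pasted HijackThis log."""
    return [e for e in (parse_o4(l) for l in text.splitlines()) if e]
```

Feeding the pasted log to parse_o4_log gives one record per startup entry, so the names to look up and the files they load can be listed side by side before deciding what to fix.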

#15 ptak30

ptak30
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:08:28 PM

Posted 13 September 2011 - 03:40 PM

Hi,
I can't see how to paste the ESET clipboard stuff here. There seems to be no copy feature in the clipboard viewer.
Here is the Eset log file which looks essentially the same as the Clipboard stuff.
Eset.txt

C:\downloads\registrybooster.exe a variant of Win32/RegistryBooster application
C:\downloads\VideoConverterSetup.exe a variant of Win32/InstallCore.C application
C:\Music\SDFix.exe Win32/PrcView application
C:\Program Files\FoxTabVideoConverter\VideoConverter.exe a variant of Win32/InstallCore.A application
C:\Program Files\FoxTabVideoConverter\Uninstall\Uninstall.exe a variant of Win32/InstallCore.C application
C:\Qoobox\Quarantine\C\WINDOWS\tmcmtip.dll.vir a variant of Win32/Kryptik.SQO trojan
C:\sdfix\SDFix\apps\Process.exe Win32/PrcView application
C:\System Volume Information\_restore{7B34E375-7910-4362-BD3A-5A1D8407CBFC}\RP242\A0020903.exe Win32/RegistryBooster application
C:\System Volume Information\_restore{7B34E375-7910-4362-BD3A-5A1D8407CBFC}\RP242\A0020926.rbf Win32/RegistryBooster application
C:\System Volume Information\_restore{7B34E375-7910-4362-BD3A-5A1D8407CBFC}\RP242\A0020927.rbf Win32/RegistryBooster application
C:\System Volume Information\_restore{7B34E375-7910-4362-BD3A-5A1D8407CBFC}\RP242\A0020928.rbf Win32/RegistryBooster application
C:\System Volume Information\_restore{7B34E375-7910-4362-BD3A-5A1D8407CBFC}\RP242\A0020929.rbf Win32/RegistryBooster application
C:\System Volume Information\_restore{7B34E375-7910-4362-BD3A-5A1D8407CBFC}\RP243\A0020958.rbf Win32/RegistryBooster application
C:\System Volume Information\_restore{7B34E375-7910-4362-BD3A-5A1D8407CBFC}\RP243\A0020959.rbf Win32/RegistryBooster application
C:\System Volume Information\_restore{7B34E375-7910-4362-BD3A-5A1D8407CBFC}\RP274\A0025045.exe Win32/RegistryBooster application
C:\System Volume Information\_restore{7B34E375-7910-4362-BD3A-5A1D8407CBFC}\RP274\A0025049.exe Win32/RegistryBooster application
C:\System Volume Information\_restore{7B34E375-7910-4362-BD3A-5A1D8407CBFC}\RP274\A0025050.exe Win32/RegistryBooster application
C:\System Volume Information\_restore{7B34E375-7910-4362-BD3A-5A1D8407CBFC}\RP274\A0025051.exe Win32/RegistryBooster application
C:\System Volume Information\_restore{7B34E375-7910-4362-BD3A-5A1D8407CBFC}\RP274\A0025052.exe Win32/RegistryBooster application
C:\System Volume Information\_restore{7B34E375-7910-4362-BD3A-5A1D8407CBFC}\RP274\A0025053.exe Win32/RegistryBooster application
C:\System Volume Information\_restore{7B34E375-7910-4362-BD3A-5A1D8407CBFC}\RP274\A0025054.exe Win32/RegistryBooster application
C:\System Volume Information\_restore{7B34E375-7910-4362-BD3A-5A1D8407CBFC}\RP296\A0027506.exe a variant of Win32/InstallCore.C application
C:\System Volume Information\_restore{7B34E375-7910-4362-BD3A-5A1D8407CBFC}\RP323\A0034930.data multiple threats
C:\System Volume Information\_restore{7B34E375-7910-4362-BD3A-5A1D8407CBFC}\RP323\A0038303.dll a variant of Win32/Kryptik.SQO trojan
The Windows Recovery Console still comes up on booting with a x secs countdown.
With regard to the search facility - there is no dog. The scroll bar on the left hand pane is truncated to three buttons. The top one with an up arrow and the bottom one with a down arrow. The central button seems only to be there to separate the other 2 buttons and does nothing. The top button scrolls through the options which come up a line at a time and disappear as if the pane consists of just one line, more or less where that central button is located.
Oh, can I paste the Eset clipboard file in here as a jpg file?
Regards

Edited by ptak30, 13 September 2011 - 04:09 PM.




