
Protected Infection can't be removed so far


This topic is locked
55 replies to this topic

#1 ropingangel

  • Members
  • 51 posts

Posted 23 September 2011 - 04:28 PM

Referred from here: http://www.bleepingcomputer.com/forums/topic419538.html ~ OB

About 5 days ago I came down with a virus not sure what it is it seems to be very hidden and protected. I have been working with another staff member and we have tried a lot of stuff! right now I can only navigate in SAFE MODE. I can not access the internet without SAFE MODE. I have created DDS logs attached!

Attached File: dds.zip (5.84KB)
Attached File: attach.zip (6.9KB)

Edited by Orange Blossom, 23 September 2011 - 05:39 PM.




#2 CatByte
    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 23 September 2011 - 08:11 PM

Hi,

Please do the following:

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 ropingangel
  • Topic Starter

  • Members
  • 51 posts

Posted 24 September 2011 - 01:11 AM

Hello, I have a question. I could not get to my computer until now.... I can not access the internet using Windows in normal mode, so I have been in safe mode; now I can not access the internet in safe mode. This virus seems to get worse as time goes on? Is this possible? How do I navigate now to use your instructions? I am at a loss?? When I access Internet Explorer from Safe Mode with Networking I get a Connection Error? I was able to do it hours ago? Just as I could navigate from normal mode for several days, until it got worse! Any suggestions? I am on another computer right now.

Edited by ropingangel, 24 September 2011 - 01:12 AM.


#4 CatByte
    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 24 September 2011 - 06:42 AM

Download the program to a USB stick and transfer it over - rename it to svchost.exe before saving it to the USB > copy the program directly to the C:\ drive of the infected computer and run it.


run this program on the USB stick first to protect it:


Download Flash_Disinfector.exe from HERE and save it to your desktop.

  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 ropingangel
  • Topic Starter

  • Members
  • 51 posts

Posted 24 September 2011 - 08:05 AM

Okay.....here is the deal....lol...my only other computer is infected too with a trojan BHO that malwarebytes can not remove, the last bleepingcomputer staff member was going to fix it after we got this done! I can't use this computer for anything other than communicating! I will go to town, buy a flash drive and find a clean computer to use! lol....be back soon! Thanks!

#6 CatByte
    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 24 September 2011 - 08:42 AM

:thumbup2:

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 ropingangel
  • Topic Starter

  • Members
  • 51 posts

Posted 24 September 2011 - 11:41 PM

Oh boy this has been a challenge...As John Wayne said...Life is hard, it's harder if you're stupid! lol...Anyway, I am now finally running combofix on my infected computer, it has stopped and is asking to download the microsoft recovery console and says either click yes or no, and if yes it must have an active internet connection? What do I do?
Well..something happened....the keyboard must have been touched because now I have an Error saying it appears I am not connected to the internet and to kindly connect before clicking OK.....so what do I do now...lol!

Edited by ropingangel, 24 September 2011 - 11:54 PM.


#8 CatByte
    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 25 September 2011 - 08:00 AM

just continue on, we'll install the recovery console afterwards

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#9 ropingangel
  • Topic Starter

  • Members
  • 51 posts

Posted 25 September 2011 - 10:28 AM

Combofix said that I have a rootkit zeroaccess infection it said much more but the pop up disappeared before I could read it. It said I must let combofix reboot and not to touch it, so I haven't. It has been stuck, (I think) for about 10 minutes now. Is this correct? It is stuck with my wallpaper showing and nothing else. Do I leave it?

#10 CatByte
    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 25 September 2011 - 11:09 AM

leave it for at least half an hour

if there is no activity at all, then open task manager (Ctrl + Alt + Del) > look for processes such as sed.exe, pev.exe and ex3.exe and end process

then re-run combofix and post the resulting log

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#11 ropingangel
  • Topic Starter

  • Members
  • 51 posts

Posted 25 September 2011 - 11:55 AM

I finally got movement; it went to the blue windows screen, preparing to standby. Not sure why? Anyway....it has been stuck there for over 30 minutes and when I push Ctrl Alt Del there is no response (the task manager does not pop up). Should I turn the computer off?

#12 CatByte
    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 25 September 2011 - 11:57 AM

no,

leave it be,

don't click on anything

give it half an hour

if nothing in half an hour, then re-start

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#13 ropingangel
  • Topic Starter

  • Members
  • 51 posts

Posted 25 September 2011 - 01:17 PM

Okay...after I had to manually shut the computer off, when I rebooted it, combofix went right back to scanning and everything went correctly! I now have a log, question is how do I get it to you? lol... Do I try to get on the internet from the infected computer?

#14 CatByte
    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 25 September 2011 - 04:47 PM

Yes see if you can connect now, if not, save the log to a USB and then upload it from another computer

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
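Before the log that follows in the next post, a triage script added here as an example (not ComboFix code and not something anyone in this thread ran) that scans a handful of lines copied from that log and tags what a responder would pull out of it: the ZeroAccess store under the fake hotfix folder $NtUninstallKB3255$, the i8042prt.sys driver ComboFix disinfected, and the boot-start service cxobkskh whose urpu.sys is no longer on disk. The KB-number length and random-name heuristics are assumptions made here, not ComboFix rules.

```python
import re

# ZeroAccess (as seen in this log) hides its store in a fake hotfix-uninstall
# folder whose KB number is far shorter than the six-digit numbers of genuine
# XP hotfixes (compare kb913800.exe elsewhere in the same log). Beneath it sit
# a numeric folder, U\ with "<8 hex>.@" modules, L\ with a random-named file,
# and a bare "@" file. The 3-5 digit threshold is an assumption made here.
ZA_DIR_RE = re.compile(r"\\\$NtUninstallKB\d{3,5}\$(\\|$)", re.I)
ZA_PAYLOAD_RE = re.compile(r"\\(U\\[0-9a-f]{8}\.@|L\\[a-z]+|@)$", re.I)

# ComboFix service/driver line: "<state> <name>;<display>;<path> [...]";
# a trailing "--> <path> [?]" means the referenced file is not on disk.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")

DISINFECTED_RE = re.compile(
    r"^Infected copy of (?P<path>.+?) was found and disinfected$", re.I)

# Random-looking service name: all lowercase letters, no digits or capitals,
# used as both name and display name. The MpKsl* stubs in the full log also
# carry "[?]" but fail this shape test, so they are left alone. Assumed heuristic.
RANDOM_NAME_RE = re.compile(r"^[a-z]{6,12}$")


def classify_line(line):
    """Return a list of (tag, detail) findings for one ComboFix log line."""
    findings = []
    s = line.strip()
    if not s:
        return findings

    m = DISINFECTED_RE.match(s)
    if m:
        # A system driver was patched in place and restored from a clean copy.
        findings.append(("patched_driver", m.group("path")))
        return findings

    if ZA_DIR_RE.search(s):
        tag = "zeroaccess_payload" if ZA_PAYLOAD_RE.search(s) else "zeroaccess_dir"
        findings.append((tag, s))
        return findings

    m = SERVICE_RE.match(s)
    if m:
        name, rest = m.group("name"), m.group("rest")
        missing = rest.rstrip().endswith("[?]")
        if missing and RANDOM_NAME_RE.match(name) and name == m.group("display"):
            # e.g. a boot-start (S0) driver with a random name whose .sys is gone
            path = rest.split(" --> ")[0].strip()
            findings.append(("orphan_service", f"{name} -> {path}"))
    return findings


def triage(log_text):
    """Run classify_line over a whole log and group the findings by tag."""
    report = {}
    for line in log_text.splitlines():
        for tag, detail in classify_line(line):
            report.setdefault(tag, []).append(detail)
    return report


# Constructed sample: a handful of lines copied from the log in this thread.
SAMPLE_LOG = r"""
c:\windows\$NtUninstallKB3255$
c:\windows\$NtUninstallKB3255$\485945278\@
c:\windows\$NtUninstallKB3255$\485945278\cfg.ini
c:\windows\$NtUninstallKB3255$\485945278\L\aqaeidou
c:\windows\$NtUninstallKB3255$\485945278\U\80000032.@
c:\windows\kb913800.exe
Infected copy of c:\windows\system32\drivers\i8042prt.sys was found and disinfected
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/9/2004 4:00 PM 14336]
S0 cxobkskh;cxobkskh;c:\windows\system32\drivers\urpu.sys --> c:\windows\system32\drivers\urpu.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/18/2010 10:23 PM 135664]
"""

if __name__ == "__main__":
    for tag, items in sorted(triage(SAMPLE_LOG).items()):
        print(tag)
        for item in items:
            print("   ", item)
```

Feeding the whole ComboFix.txt to triage() instead of SAMPLE_LOG gives the same four buckets over the full log; ordinary entries such as the Akamai and gupdate services produce no finding.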


#15 ropingangel
  • Topic Starter

  • Members
  • 51 posts

Posted 25 September 2011 - 06:18 PM

ComboFix 11-09-24.04 - HP_Administrator 09/25/2011 12:42:46.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1982.1256 [GMT -5:00]
Running from: J:\svchost.exe.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\DiscStreamHub.exe.fddeaf63.ini.inuse
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\DiscUpdMgr.exe.f0c5ac89.ini.inuse
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\HPBWSetup.exe.d9e58072.ini
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\IEActivex.exe.cccdbce.ini
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\Install.exe.446b110b.ini
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\MCInstaller.exe.c95982a.ini
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\PostInstallExecuter.exe.2c6c3c60.ini
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\regasm.exe.11f1da13.ini
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\RegAsm.exe.ca35bcc8.ini
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\RegisterMCEApp.exe.19d07aaf.ini
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\SetupMCL.exe.cacc9309.ini
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\SL5A.tmp.74868955.ini
c:\documents and settings\Administrator\My Documents\aswMBR.exe
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\All Users\Application Data\Tarma Installer
c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.dat
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\HP_Administrator\Application Data\9238.173
c:\documents and settings\HP_Administrator\gmwfpkfbhq.tmp
c:\documents and settings\HP_Administrator\Local Settings\Application Data\ApplicationHistory
c:\documents and settings\HP_Administrator\Local Settings\Application Data\ApplicationHistory\csc.exe.3e4ac0af.ini
c:\documents and settings\HP_Administrator\Local Settings\Application Data\ApplicationHistory\DiscStreamHub.exe.fddeaf63.ini.inuse
c:\documents and settings\HP_Administrator\Local Settings\Application Data\ApplicationHistory\DiscUpdMgr.exe.f0c5ac89.ini
c:\documents and settings\HP_Administrator\Local Settings\Application Data\ApplicationHistory\eBayAccountingAssistant.exe.e43f0590.ini
c:\documents and settings\HP_Administrator\Local Settings\Application Data\ApplicationHistory\ehExtHost.exe.fa7bea74.ini.inuse
c:\documents and settings\HP_Administrator\Local Settings\Application Data\ApplicationHistory\ehshell.exe.a87fcbb.ini
c:\documents and settings\HP_Administrator\Local Settings\Application Data\ApplicationHistory\HPBWSetup.exe.d9e58072.ini
c:\documents and settings\HP_Administrator\Local Settings\Application Data\ApplicationHistory\hpqimzone.exe.3204510e.ini.inuse
c:\documents and settings\HP_Administrator\Local Settings\Application Data\ApplicationHistory\hpqthb08.exe.a935d1e0.ini
c:\documents and settings\HP_Administrator\Local Settings\Application Data\ApplicationHistory\HPZISMGR.EXE.2fd8c98f.ini.inuse
c:\documents and settings\HP_Administrator\Local Settings\Application Data\ApplicationHistory\IEActivex.exe.cccdbce.ini
c:\documents and settings\HP_Administrator\Local Settings\Application Data\ApplicationHistory\Install.exe.446b110b.ini
c:\documents and settings\HP_Administrator\Local Settings\Application Data\ApplicationHistory\Install.exe.eb8320c1.ini
c:\documents and settings\HP_Administrator\Local Settings\Application Data\ApplicationHistory\MCInstaller.exe.c95982a.ini
c:\documents and settings\HP_Administrator\Local Settings\Application Data\ApplicationHistory\myFTP.exe.c6bc28d9.ini
c:\documents and settings\HP_Administrator\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini
c:\documents and settings\HP_Administrator\Local Settings\Application Data\ApplicationHistory\PostInstallExecuter.exe.2c6c3c60.ini
c:\documents and settings\HP_Administrator\Local Settings\Application Data\ApplicationHistory\regasm.exe.11f1da13.ini
c:\documents and settings\HP_Administrator\Local Settings\Application Data\ApplicationHistory\RegAsm.exe.ca35bcc8.ini
c:\documents and settings\HP_Administrator\Local Settings\Application Data\ApplicationHistory\RegisterMCEApp.exe.19d07aaf.ini
c:\documents and settings\HP_Administrator\Local Settings\Application Data\ApplicationHistory\setupmcl.exe.44fca8e1.ini
c:\documents and settings\HP_Administrator\Local Settings\Application Data\ApplicationHistory\SetupMCL.exe.cacc9309.ini
c:\documents and settings\HP_Administrator\Local Settings\Application Data\ApplicationHistory\SL5A.tmp.74868955.ini
c:\documents and settings\HP_Administrator\WINDOWS
C:\Microsoft
c:\windows\$NtUninstallKB3255$
c:\windows\$NtUninstallKB3255$\3779771179
c:\windows\$NtUninstallKB3255$\485945278\@
c:\windows\$NtUninstallKB3255$\485945278\bckfg.tmp
c:\windows\$NtUninstallKB3255$\485945278\cfg.ini
c:\windows\$NtUninstallKB3255$\485945278\Desktop.ini
c:\windows\$NtUninstallKB3255$\485945278\keywords
c:\windows\$NtUninstallKB3255$\485945278\kwrd.dll
c:\windows\$NtUninstallKB3255$\485945278\L\aqaeidou
c:\windows\$NtUninstallKB3255$\485945278\U\00000001.@
c:\windows\$NtUninstallKB3255$\485945278\U\00000002.@
c:\windows\$NtUninstallKB3255$\485945278\U\80000000.@
c:\windows\$NtUninstallKB3255$\485945278\U\80000032.@
c:\windows\HPCPCUninstaller-6.3.2.116-9972322.exe
c:\windows\kb913800.exe
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\d3d9caps.dat
c:\windows\UA000106.DLL
D:\Autorun.inf
.
Infected copy of c:\windows\system32\drivers\i8042prt.sys was found and disinfected
Restored copy from - The cat found it :)
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_1cf6efbe
.
.
((((((((((((((((((((((((( Files Created from 2011-08-25 to 2011-09-25 )))))))))))))))))))))))))))))))
.
.
2011-09-25 15:12 . 2008-04-13 19:18 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2011-09-25 15:12 . 2008-04-13 19:18 52480 ----a-w- c:\windows\system32\dllcache\i8042prt.sys
2011-09-23 21:19 . 2011-09-23 21:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\OpenOffice.org
2011-09-23 19:30 . 2011-09-23 19:30 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Safe mirror
2011-09-23 19:29 . 2011-09-23 19:30 -------- d-----w- c:\program files\Cobian Backup 10
2011-09-23 18:48 . 2011-09-23 19:12 89088 ----a-w- C:\mbr.exe
2011-09-23 18:22 . 2011-09-23 18:22 -------- d-----w- C:\TDSSKiller_Quarantine
2011-09-21 16:58 . 2011-09-21 16:58 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\QuickScan
2011-09-20 05:43 . 2011-09-20 05:43 -------- d-----w- c:\program files\ESET
2011-09-17 07:14 . 2011-08-12 02:44 7152464 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{59B3E1D1-F2BE-47D1-B161-AEC30AF1A36D}\mpengine.dll
2011-09-03 10:17 . 2011-09-09 09:12 599040 ------w- c:\windows\system32\dllcache\crypt32.dll
2011-08-29 14:30 . 2011-08-29 14:30 -------- d-----w- c:\program files\Tweet Adder 3
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-21 14:00 . 2011-07-31 08:00 7269712 ------w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Updates\mpengine.dll
2011-09-09 09:12 . 2004-08-09 21:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-08-31 22:00 . 2010-07-28 02:01 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-12 02:44 . 2010-10-29 14:27 7152464 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-07-15 13:29 . 2004-08-09 21:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2004-08-09 21:00 10496 ------w- c:\windows\system32\drivers\ndistapi.sys
2011-09-09 05:13 . 2011-05-13 02:42 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-10 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ftutil2"="ftutil2.dll" [2004-06-07 106496]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-13 16239616]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 77312]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-09 7311360]
"nwiz"="nwiz.exe" [2006-05-09 1519616]
"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-04-13 90112]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2010-12-19 274608]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"FileZilla Server Interface"="c:\program files\FileZilla Server\FileZilla Server Interface.exe" [2010-10-17 1259008]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
.
c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
PMB Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2009-6-24 333088]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-8-19 27136]
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-8-19 27136]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Reminder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Event Reminder.lnk
backup=c:\windows\pss\Event Reminder.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates From HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates From HP.lnk
backup=c:\windows\pss\Updates From HP.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 04:59 937920 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-06-08 04:02 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-09-29 21:01 67584 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
2006-02-15 22:34 249856 ----a-w- c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-07-27 23:50 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-07-26 22:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-09-06 20:09 413696 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
2004-12-14 02:23 663552 ----a-w- c:\windows\CREATOR\Remind_XP.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-07-10 12:02 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Movie Maker\\moviemk.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1032:TCP"= 1032:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 11:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 4:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 6:38 PM 116608]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/9/2004 4:00 PM 14336]
R2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\program files\Cobian Backup 10\cbVSCService.exe [9/23/2011 2:30 PM 67584]
R2 MSSQL$SMR;SQL Server (SMR);c:\program files\Microsoft SQL Server\MSSQL10.SMR\MSSQL\Binn\sqlservr.exe [3/30/2009 3:25 AM 43010392]
S0 cxobkskh;cxobkskh;c:\windows\system32\drivers\urpu.sys --> c:\windows\system32\drivers\urpu.sys [?]
S1 MpKsl12e536aa;MpKsl12e536aa;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{35756F9A-E4A3-4AE3-86B8-DF2B5C132990}\MpKsl12e536aa.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{35756F9A-E4A3-4AE3-86B8-DF2B5C132990}\MpKsl12e536aa.sys [?]
S1 MpKsl20416663;MpKsl20416663;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B7D9C094-3BB7-454F-97BB-63BCFF39F8B6}\MpKsl20416663.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B7D9C094-3BB7-454F-97BB-63BCFF39F8B6}\MpKsl20416663.sys [?]
S1 MpKsl37f63716;MpKsl37f63716;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E38C58AA-7935-4365-82EA-5848EF870A7A}\MpKsl37f63716.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E38C58AA-7935-4365-82EA-5848EF870A7A}\MpKsl37f63716.sys [?]
S1 MpKsl3a40826c;MpKsl3a40826c;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2866CF8B-47A8-4A9C-A009-860767B5A657}\MpKsl3a40826c.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2866CF8B-47A8-4A9C-A009-860767B5A657}\MpKsl3a40826c.sys [?]
S1 MpKsl50a915a7;MpKsl50a915a7;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{71E492F2-D914-40E9-BF2E-E1142D567801}\MpKsl50a915a7.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{71E492F2-D914-40E9-BF2E-E1142D567801}\MpKsl50a915a7.sys [?]
S1 MpKsl5e83b61f;MpKsl5e83b61f;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BE31433E-4E96-481A-938E-9370CC091B25}\MpKsl5e83b61f.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BE31433E-4E96-481A-938E-9370CC091B25}\MpKsl5e83b61f.sys [?]
S1 MpKsl72279d97;MpKsl72279d97;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E38C58AA-7935-4365-82EA-5848EF870A7A}\MpKsl72279d97.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E38C58AA-7935-4365-82EA-5848EF870A7A}\MpKsl72279d97.sys [?]
S1 MpKsla7294e9e;MpKsla7294e9e;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C069EF0C-272E-461D-BE68-A58034B949EA}\MpKsla7294e9e.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C069EF0C-272E-461D-BE68-A58034B949EA}\MpKsla7294e9e.sys [?]
S1 MpKslc99e82b2;MpKslc99e82b2;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5F4DA34C-97FB-4636-B9E7-180384A1329C}\MpKslc99e82b2.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5F4DA34C-97FB-4636-B9E7-180384A1329C}\MpKslc99e82b2.sys [?]
S1 MpKslcf61b0bf;MpKslcf61b0bf;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B3EB2B88-25D3-4199-9E37-529DABD0BBB3}\MpKslcf61b0bf.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B3EB2B88-25D3-4199-9E37-529DABD0BBB3}\MpKslcf61b0bf.sys [?]
S1 MpKslda9f9c5a;MpKslda9f9c5a;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{00D9C890-40D6-4049-B90F-84320381AEBC}\MpKslda9f9c5a.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{00D9C890-40D6-4049-B90F-84320381AEBC}\MpKslda9f9c5a.sys [?]
S1 MpKsle29d1e69;MpKsle29d1e69;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{01343C37-7D87-492F-96D3-EA00BE281B94}\MpKsle29d1e69.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{01343C37-7D87-492F-96D3-EA00BE281B94}\MpKsle29d1e69.sys [?]
S1 MpKslf3a7cd59;MpKslf3a7cd59;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{35756F9A-E4A3-4AE3-86B8-DF2B5C132990}\MpKslf3a7cd59.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{35756F9A-E4A3-4AE3-86B8-DF2B5C132990}\MpKslf3a7cd59.sys [?]
S1 MpKslfb3bfef6;MpKslfb3bfef6;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B7D9C094-3BB7-454F-97BB-63BCFF39F8B6}\MpKslfb3bfef6.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B7D9C094-3BB7-454F-97BB-63BCFF39F8B6}\MpKslfb3bfef6.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/18/2010 10:23 PM 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/18/2010 10:23 PM 135664]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [3/31/2009 3:44 AM 47128]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [3/30/2009 3:09 AM 239336]
S4 SQLAgent$SMR;SQL Server Agent (SMR);c:\program files\Microsoft SQL Server\MSSQL10.SMR\MSSQL\Binn\SQLAGENT.EXE [3/30/2009 3:23 AM 366936]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-23 c:\windows\Tasks\At1.job
- c:\program files\HP\HP Deskjet 1000 J110 series\Bin\HPCustPartic.exe [2010-11-17 02:12]
.
2011-09-23 c:\windows\Tasks\At2.job
- c:\program files\HP\HP Deskjet 1000 J110 series\Bin\HPCustPartic.exe [2010-11-17 02:12]
.
2011-09-23 c:\windows\Tasks\At3.job
- c:\program files\HP\HP Deskjet 1000 J110 series\Bin\HPCustPartic.exe [2010-11-17 02:12]
.
2011-09-22 c:\windows\Tasks\At4.job
- c:\program files\HP\HP Deskjet 1000 J110 series\Bin\HPCustPartic.exe [2010-11-17 02:12]
.
2011-09-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-19 03:23]
.
2011-09-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-19 03:23]
.
2011-09-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2945458557-3462678705-1898384245-1007Core.job
- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-28 02:53]
.
2011-09-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2945458557-3462678705-1898384245-1007UA.job
- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-28 02:53]
.
2011-08-29 c:\windows\Tasks\hpwebreg_CN15S2N0GH05D2.job
- c:\program files\HP\HP Deskjet 1000 J110 series\Bin\hpwebreg.exe [2010-11-17 02:16]
.
2011-09-23 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 20:39]
.
2011-09-25 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2945458557-3462678705-1898384245-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 17:33]
.
2011-09-25 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2945458557-3462678705-1898384245-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 17:33]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_70C5B381380DB17F.dll/cmsidewiki.html
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
TCP: DhcpNameServer = 10.0.0.1
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\ngwzytgy.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Seek
FF - prefs.js: browser.startup.homepage - hxxp://www.speedwilliamsteamroping.com/
FF - prefs.js: keyword.URL - hxxp://seek.mk/search?Ref=10s=1&q=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 53414
FF - prefs.js: network.proxy.type - 4
FF - user.js: yahoo.homepage.dontask - true);user_pref(browser.search.defaultenginename, Seek
FF - user.js: browser.search.selectedEngine - Seek
FF - user.js: keyword.URL - hxxp://seek.mk/search?Ref=10s=1&q=
FF - user.js: general.useragent.extra.brc - BRI/1
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-Ovaluqahiv - c:\windows\Prondert.dll
MSConfigStartUp-Corel Photo Downloader - c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Common Files\Java\Java Update\jusched.exe
MSConfigStartUp-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe
AddRemove-{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA} - c:\program files\SUPERAntiSpyware\Uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-25 13:02
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(756)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(1092)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\arservice.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\windows\RTHDCPL.EXE
c:\windows\ARPWRMSG.EXE
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\FileZilla Server\FileZilla Server.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Smith Micro\StuffIt 2010\ArcNameService.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
.
**************************************************************************
.
Completion time: 2011-09-25 13:04:39 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-25 18:04
.
Pre-Run: 200,573,423,616 bytes free
Post-Run: 202,085,085,184 bytes free
.
- - End Of File - - 7D9F8581241B149F24683704E820F8CD

I was able to connect to the internet from the infected computer.



