
Trojan horse Agent.6.ag in smb.sys


  • This topic is locked
10 replies to this topic

#1 jkotila

  • Members
  • 6 posts

Posted 02 October 2011 - 09:00 AM

Had problems over the past couple of days.

I have run AVG 9.0 (paid) scan of PC and it has found Trojan Horse Agent.6.ag. AVG cannot remove, malwarebytes cannot remove.


Please help.

DDS.txt below, attachment enclosed.

Internet Explorer: 9.0.8112.16421
Run by jeff at 8:41:11 on 2011-10-02
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1982.874 [GMT -5:00]
.
AV: AVG Anti-Virus *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Windows\system32\lsm.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
uInternet Settings,ProxyOverride = <local>;*.local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Print Clips: {ffffffff-ff12-44c5-91ec-068e3aa1b2d7} - c:\program files\hp\smart web printing\hpswp_framework.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRunOnce: [avg_spchecker] "c:\program files\avg\avg9\notification\SPChecker1.exe" /start
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [OnScreenDisplay] c:\program files\hewlett-packard\hp quicktouch\HPKBDAPP.exe
mRun: [UCam_Menu] "c:\program files\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\youcam" update "software\cyberlink\youcam\1.0"
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [WAWifiMessage] c:\program files\hewlett-packard\hp wireless assistant\WiFiMsg.exe
mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OQBBAC0ATgAwAEsAVABFAC0ASAA5AFcATQAwAC0ARQBXADAAVgBBAC0AVQBUADIAQwBIAC0ARgBVAEsAUwA3AA"&"inst=NwA2AC0AOAA3ADAANQAxADMAMQAwADAALQBYAE8AMwA2ACsAMQAtAFQAQgA5ACsAMgAtAE4AMQBEACsAMQAtAFAATAArADkALQBDAEkAQQA5ADAAKwAyAC0ARABEAFQAKwAzADUANQAyADUALQBEAEQAOQAwACsAMQAtAFMAVAA5ADAAQQBQAFAAKwAxAA"&"prod=92"&"ver=9.0.902
StartupFolder: c:\users\jeff~1.kot\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
Trusted Zone: industrialautomationllc.com\mail
Trusted Zone: intuit.com\ttlc
DPF: {22CF0C35-80CE-11D3-9354-00105AA793BF} - hxxp://www.immdesign.com/webview/IPAWebView.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 24.177.176.38 97.81.22.195 24.178.162.3
TCP: Interfaces\{9F7471A7-39AD-4CEB-9F67-0D2B2B23F95F} : DhcpNameServer = 24.177.176.38 97.81.22.195 24.178.162.3
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: avgrsstx.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2011-10-1 52872]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2011-10-1 216400]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2011-10-1 29712]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2011-10-1 243152]
R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2011-10-1 308136]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-9-19 21504]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-6 135664]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2008-11-25 19456]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-6 135664]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-10-02 01:36:55 -------- d--h--w- C:\$AVG
2011-10-02 00:06:49 52872 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2011-10-02 00:06:49 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2011-10-02 00:06:46 243152 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2011-10-02 00:06:19 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2011-10-02 00:05:56 -------- d-----w- c:\windows\system32\drivers\Avg
2011-10-01 22:25:54 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-01 21:56:43 -------- d-----w- c:\program files\AVG
2011-10-01 21:56:42 -------- d-----w- c:\programdata\avg9
2011-10-01 20:58:49 388096 ----a-r- c:\users\jeff.kotlaptop\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-10-01 20:58:48 -------- d-----w- c:\program files\Trend Micro
2011-10-01 20:22:44 -------- d-sh--w- C:\$RECYCLE.BIN
2011-10-01 20:22:44 -------- d-----w- c:\users\jeff.kotlaptop\appdata\local\temp
2011-10-01 20:03:49 -------- d-----w- C:\ComboFix
2011-10-01 17:08:17 256000 ----a-w- c:\windows\PEV.exe
2011-10-01 17:08:17 208896 ----a-w- c:\windows\MBR.exe
2011-10-01 17:08:16 98816 ----a-w- c:\windows\sed.exe
2011-10-01 17:08:16 518144 ----a-w- c:\windows\SWREG.exe
2011-10-01 03:30:58 -------- d-----w- c:\programdata\Malwarebytes
2011-10-01 03:30:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-14 11:23:32 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
.
==================== Find3M ====================
.
2011-08-27 14:49:57 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-22 02:54:43 1797632 ----a-w- c:\windows\system32\jscript9.dll
2011-07-22 02:48:26 1126912 ----a-w- c:\windows\system32\wininet.dll
2011-07-22 02:44:36 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-07-11 13:25:35 2048 ----a-w- c:\windows\system32\tzres.dll
2011-07-06 15:31:47 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
.
============= FINISH: 8:41:55.26 ===============


#2 nasdaq

  • Malware Response Team
  • 40,476 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 07 October 2011 - 08:13 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT....

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Do not install any other programs until this is fixed.


How to : Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html
===

Third-party programs, if not up to date, can be the cause of the infiltration of an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please post the logs and let me know what problem persists.

p.s.
If AVG still reports the infection, please post the exact message for my review.

#3 jkotila

  • Topic Starter
  • Members
  • 6 posts

Posted 07 October 2011 - 04:38 PM

Thank you for assisting me.

After running the programs you indicated, infection still exists.

combofix log:
ComboFix 11-10-07.04 - jeff 10/07/2011 15:39:06.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1982.1068 [GMT -5:00]
Running from: c:\users\jeff.KOTLAPTOP\Desktop\ComboFix.exe
AV: AVG Anti-Virus *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2011-09-07 to 2011-10-07 )))))))))))))))))))))))))))))))
.
.
2011-10-07 20:56 . 2011-10-07 20:57 -------- d-----w- c:\users\jeff.KOTLAPTOP\AppData\Local\temp
2011-10-07 20:56 . 2011-10-07 20:56 -------- d-----w- c:\users\stacy\AppData\Local\temp
2011-10-07 20:56 . 2011-10-07 20:56 -------- d-----w- c:\users\JEFF~1~KOT\AppData\Local\temp
2011-10-07 20:56 . 2011-10-07 20:56 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-10-07 20:33 . 2011-10-07 20:33 -------- d-----w- c:\users\jeff.KOTLAPTOP\AppData\Roaming\AVG9
2011-10-07 20:22 . 2011-10-07 20:22 9310 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXTBOX.JS
2011-10-07 20:22 . 2011-10-07 20:22 8646 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TILEBOX.JS
2011-10-07 20:22 . 2011-10-07 20:22 6429 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UICORE.JS
2011-10-07 20:22 . 2011-10-07 20:22 63115 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\USERTILE.JS
2011-10-07 20:22 . 2011-10-07 20:22 5927 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXT.JS
2011-10-07 20:22 . 2011-10-07 20:22 4599 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UIRESOURCE.JS
2011-10-07 20:22 . 2011-10-07 20:22 8613 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\SAVEDUSER.JS
2011-10-07 20:22 . 2011-10-07 20:22 8288 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\IMAGE.JS
2011-10-07 20:22 . 2011-10-07 20:22 6910 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\NEWUSERCOMM.JS
2011-10-07 20:22 . 2011-10-07 20:22 6208 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LINK.JS
2011-10-07 20:22 . 2011-10-07 20:22 18541 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LOCALIZATION.JS
2011-10-07 20:22 . 2011-10-07 20:22 1651 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\QUERYSTRING.JS
2011-10-07 20:21 . 2011-10-07 20:21 8782 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\BUTTON.JS
2011-10-07 20:21 . 2011-10-07 20:21 7271 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\CHECKBOX.JS
2011-10-07 20:21 . 2011-10-07 20:21 51852 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\EXTERNALWRAPPER.JS
2011-10-07 20:21 . 2011-10-07 20:21 23327 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\COMBOBOX.JS
2011-10-07 20:21 . 2011-10-07 20:21 20719 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\DIVWRAPPER.JS
2011-10-07 16:37 . 2011-10-07 16:37 -------- d-----w- c:\program files\Conduit
2011-10-07 16:37 . 2011-10-07 16:37 -------- d-----w- c:\program files\Coupons.com
2011-10-04 00:28 . 2011-10-04 00:28 -------- d-----w- c:\program files\Resource Hacker
2011-10-03 23:45 . 2011-10-03 23:46 -------- d-----w- c:\users\jeff.KOTLAPTOP\AppData\Roaming\PE Explorer
2011-10-03 23:45 . 2011-10-03 23:45 -------- d-----w- c:\program files\PE Explorer
2011-10-03 11:19 . 2011-10-04 00:19 -------- d-sha-w- c:\users\Public\DRM
2011-10-03 11:18 . 2011-10-03 11:18 -------- d-----w- c:\users\jeff.KOTLAPTOP\AppData\Local\HHD Software
2011-10-03 00:14 . 2011-10-03 00:23 -------- d-----w- C:\sh4ldr
2011-10-03 00:14 . 2011-10-03 00:14 -------- d-----w- c:\program files\Enigma Software Group
2011-10-03 00:13 . 2011-10-03 00:23 -------- d-----w- c:\windows\D3F93A5A7A5D4867B2A16F46500D006C.TMP
2011-10-03 00:03 . 2011-10-03 00:03 -------- d-----w- c:\program files\ESET
2011-10-02 23:09 . 2011-10-03 00:21 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-10-02 23:09 . 2011-10-03 00:21 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-10-02 13:46 . 2011-10-02 13:46 -------- d-----w- C:\gmer
2011-10-02 01:36 . 2011-10-02 01:36 -------- d-----w- C:\$AVG
2011-10-02 00:06 . 2011-10-02 00:06 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2011-10-02 00:06 . 2011-10-02 00:06 52872 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2011-10-02 00:06 . 2011-10-02 00:06 243152 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2011-10-02 00:06 . 2011-10-02 00:06 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2011-10-02 00:06 . 2011-10-02 00:07 29712 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2011-10-02 00:05 . 2011-10-02 10:26 -------- d-----w- c:\windows\system32\drivers\Avg
2011-10-01 22:25 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-01 21:56 . 2011-10-01 21:56 -------- d-----w- c:\program files\AVG
2011-10-01 21:56 . 2011-10-02 00:02 -------- d-----w- c:\programdata\avg9
2011-10-01 20:58 . 2011-10-01 20:58 388096 ----a-r- c:\users\jeff.KOTLAPTOP\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-10-01 20:58 . 2011-10-01 20:58 -------- d-----w- c:\program files\Trend Micro
2011-10-01 03:30 . 2011-10-01 03:30 -------- d-----w- c:\programdata\Malwarebytes
2011-10-01 03:30 . 2011-10-01 22:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-17 18:17 . 2011-09-17 18:18 -------- d-----w- c:\users\Public\Router Flash
2011-09-14 11:23 . 2011-08-10 12:14 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-27 14:49 . 2011-05-24 01:17 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-22 02:54 . 2011-08-11 12:17 1797632 ----a-w- c:\windows\system32\jscript9.dll
2011-07-22 02:48 . 2011-08-11 12:17 1126912 ----a-w- c:\windows\system32\wininet.dll
2011-07-22 02:44 . 2011-08-11 12:17 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-07-13 21:52 . 2011-02-14 22:05 71072 ----a-w- c:\windows\CouponPrinter.ocx
2011-07-11 13:25 . 2011-08-24 11:31 2048 ----a-w- c:\windows\system32\tzres.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-10-01_18.04.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-10-22 18:56 . 2011-10-07 20:23 66726 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2011-10-07 20:23 87638 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-04-03 11:57 . 2011-10-06 16:50 18460 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2572065376-322174076-3611740868-1001_UserData.bin
+ 2011-10-03 00:22 . 2011-10-03 00:22 27499 c:\windows\D3F93A5A7A5D4867B2A16F46500D006C.TMP\WiseCustomCall.dll
+ 2010-10-24 16:24 . 2011-10-07 20:23 6586 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2572065376-322174076-3611740868-1006_UserData.bin
- 2011-10-01 18:02 . 2011-10-01 18:02 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-10-07 20:21 . 2011-10-07 20:21 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-10-07 20:21 . 2011-10-07 20:21 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2011-10-01 18:02 . 2011-10-01 18:02 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-01-04 22:09 . 2011-10-07 11:17 272010 c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2007-12-06 10:15 . 2011-10-05 23:06 180224 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2007-12-06 10:15 . 2011-10-01 16:56 180224 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-02-10 02:56 . 2011-10-01 18:01 665980 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2011-02-10 02:56 . 2011-10-07 16:44 665980 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2011-09-25 02:00 . 2011-10-07 16:44 665980 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2572065376-322174076-3611740868-1001-12288.dat
+ 2011-10-03 00:13 . 2011-10-03 00:13 180356 c:\windows\D3F93A5A7A5D4867B2A16F46500D006C.TMP\WiseCustomCalla21.exe
+ 2011-10-03 00:22 . 2011-10-03 00:22 180356 c:\windows\D3F93A5A7A5D4867B2A16F46500D006C.TMP\WiseCustomCalla21.dll
+ 2011-10-03 00:22 . 2011-10-03 00:22 175992 c:\windows\D3F93A5A7A5D4867B2A16F46500D006C.TMP\WiseCustomCalla20.dll
+ 2011-10-03 00:22 . 2011-10-03 00:22 176035 c:\windows\D3F93A5A7A5D4867B2A16F46500D006C.TMP\WiseCustomCalla2.dll
+ 2011-10-03 00:22 . 2011-10-03 00:22 176035 c:\windows\D3F93A5A7A5D4867B2A16F46500D006C.TMP\WiseCustomCalla19.dll
+ 2011-10-03 00:22 . 2011-10-03 00:22 179340 c:\windows\D3F93A5A7A5D4867B2A16F46500D006C.TMP\WiseCustomCalla18.exe
+ 2011-10-03 00:22 . 2011-10-03 00:22 176545 c:\windows\D3F93A5A7A5D4867B2A16F46500D006C.TMP\WiseCustomCalla17.dll
+ 2011-10-03 00:22 . 2011-10-03 00:22 179340 c:\windows\D3F93A5A7A5D4867B2A16F46500D006C.TMP\WiseCustomCalla.dll
- 2007-12-06 10:15 . 2011-10-01 16:56 2670592 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2007-12-06 10:15 . 2011-10-05 23:06 2670592 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2007-12-06 10:15 . 2011-10-01 16:56 3866624 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2007-12-06 10:15 . 2011-10-05 23:06 3866624 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-05-25 02:00 . 2011-10-07 16:44 3890712 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2572065376-322174076-3611740868-1006-8192.dat
+ 2011-05-25 02:00 . 2011-10-02 00:12 1451776 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2572065376-322174076-3611740868-1006-4096.dat
+ 2011-06-06 00:50 . 2011-10-03 00:24 1226964 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2572065376-322174076-3611740868-1006-12288.dat
+ 2011-05-25 02:00 . 2011-10-07 16:44 1349372 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2572065376-322174076-3611740868-1001-8192.dat
+ 2011-05-25 02:00 . 2011-10-07 16:44 5396729 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2572065376-322174076-3611740868-1001-4096.dat
+ 2011-10-01 20:58 . 2011-10-01 20:58 1094656 c:\windows\Installer\93e69.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{37153479-1976-43c3-a1ee-557513977b64}]
2011-05-09 09:49 176936 ----a-w- c:\program files\Coupons.com\prxtbCoup.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{37153479-1976-43c3-a1ee-557513977b64}"= "c:\program files\Coupons.com\prxtbCoup.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{37153479-1976-43c3-a1ee-557513977b64}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-14 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-10-01 181544]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-09-19 202032]
"OnScreenDisplay"="c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2007-09-04 554320]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-09-13 222504]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-09-13 480560]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-08 311296]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2008-11-25 356352]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-24 13601312]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-06-24 92704]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-05-28 1721640]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2011-10-02 2076512]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OQBBAC0ATgAwAEsAVABFAC0ASAA5AFcATQAwAC0ARQBXADAAVgBBAC0AVQBUADIAQwBIAC0ARgBVAEsAUwA3AA&inst=NwA2AC0AOAA3ADAANQAxADMAMQAwADAALQBYAE8AMwA2ACsAMQAtAFQAQgA5ACsAMgAtAE4AMQBEACsAMQAtAFAATAArADkALQBDAEkAQQA5ADAAKwAyAC0ARABEAFQAKwAzADUANQAyADUALQBEAEQAOQAwACsAMQAtAFMAVAA5ADAAQQBQAFAAKwAxAA&prod=92&ver=9.0.902" [?]
.
c:\users\jeff.KOTLAPTOP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 135664]
R3 FlyUsb;FLY Fusion;c:\windows\system32\DRIVERS\FlyUsb.sys [2008-11-25 19456]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 135664]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S0 AvgRkx86;avgrkx86.sys;c:\windows\System32\Drivers\avgrkx86.sys [2011-10-02 52872]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2011-10-02 216400]
S1 AvgTdiX;AVG Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2011-10-02 243152]
S2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2011-10-02 308136]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 13:26]
.
2011-10-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 13:26]
.
2011-10-07 c:\windows\Tasks\User_Feed_Synchronization-{43DE2DB8-7366-45A0-944A-61199C46EB04}.job
- c:\windows\system32\msfeedssync.exe [2011-05-15 17:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
uInternet Settings,ProxyOverride = <local>;*.local
Trusted Zone: industrialautomationllc.com\mail
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 24.177.176.38 97.81.22.195 24.178.162.3
DPF: {22CF0C35-80CE-11D3-9354-00105AA793BF} - hxxp://www.immdesign.com/webview/IPAWebView.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-07 15:57
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-10-07 16:11:24
ComboFix-quarantined-files.txt 2011-10-07 21:11
ComboFix2.txt 2011-10-01 20:22
ComboFix3.txt 2011-10-01 18:22
.
Pre-Run: 32,991,145,984 bytes free
Post-Run: 33,277,566,976 bytes free
.
- - End Of File - - 932D7EBDD9B2A8CE07596C88639A9C03

Checkup.txt file:

Results of screen317's Security Check version 0.99.21
Windows Vista Service Pack 2 (UAC is enabled)
Internet Explorer 9
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
AVG 9.0
ESET Online Scanner v3
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
CCleaner
Java™ 6 Update 26
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 5
Out of date Java installed!
````````````````````````````````
Process Check:
objlist.exe by Laurent

AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
``````````End of Log````````````


AVG results:

"Object name";"C:\Windows\System32\drivers\smb.sys"
"Detection name";"Trojan horse Agent.6.AG"
"Object type";"file"
"SDK Type";"Core"
"Result";"Object is white-listed (critical/system file that should not be removed)"
"Action history";""


Thanks in advance for your continued assistance to help me get rid of this thing.

#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,476 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 08 October 2011 - 06:24 AM

Your ComboFix log is clean.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java SE Runtime Environment 6 Update 27.
  • In the box labeled "Java Platform, Standard Edition", click the "Download JRE" button to the right.
  • In the Window that opens, select Windows (or Windows x64), and check the "agree" box and click "Continue".
  • Click on the link to download Windows Offline Installation and save to your Desktop.
  • Then from your Desktop double-click on jre-6u27-windows-i586.exe that you have downloaded to install the newest version.

    For the x64 version, download this one: jre-6u27-windows-x64.exe. Make sure you download the correct version.

    - Note: If you are running Vista or Windows 7, you may need to right-click on the installation file and select Run as Administrator.

If present, remove the old version(s) of Java using the Add/Remove Programs applet.


Java™ 6 Update 26
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 5

===

"Object name";"C:\Windows\System32\drivers\smb.sys"
"Detection name";"Trojan horse Agent.6.AG"
"Object type";"file"
"SDK Type";"Core"
"Result";"Object is white-listed (critical/system file that should not be removed)"
"Action history";""


Could be a false positive. Let's check it.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


If your operating system is 64 bit download this tool:
SystemLook_x64.exe
  • Double-click SystemLook.exe to run it.
  • Copy and paste the content of the following bold text into the main textfield:


    :file
    C:\Windows\System32\drivers\smb.sys

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Post the log for my review.

#5 jkotila

jkotila
  • Topic Starter

  • Members
  • 6 posts

Posted 08 October 2011 - 06:48 AM

I uninstalled the old Java versions and installed the new one.

SystemLook output:
SystemLook 30.07.11 by jpshortstuff
Log created at 06:45 on 08/10/2011 by jeff
Administrator - Elevation successful

========== file ==========

C:\Windows\System32\drivers\smb.sys - File found and opened.
MD5: 716530B86CE51CF4037DD136C57DBDB9
Created at 06:56 on 18/09/2009
Modified at 04:45 on 11/04/2009
Size: 66560 bytes
Attributes: --a----
No version information available.

- Unable to find/read file.

-= EOF =-

AVG resident shield went off when systemlook was running.
Threat detected
accessed file infected

#6 nasdaq

nasdaq

  • Malware Response Team
  • 40,476 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 08 October 2011 - 09:31 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

The file is corrupted.
Let's find out if you have a good copy on your hard disk.

Run the SystemLook tool again and

Copy and paste the content of the following bold text into the main textfield:
:filefind
smb.sys


* Click the Look button to start the scan.
* When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

p.s.
In case we do not find a good file on the hard disk, can you tell me if you have the Windows XP installation disk?

#7 jkotila

jkotila
  • Topic Starter

  • Members
  • 6 posts

Posted 08 October 2011 - 10:38 AM

Result of SystemLook:

SystemLook 30.07.11 by jpshortstuff
Log created at 10:31 on 08/10/2011 by jeff
Administrator - Elevation successful

========== filefind ==========

Searching for "smb.sys"
C:\Windows\System32\drivers\smb.sys --a---- 66560 bytes [06:56 18/09/2009] [04:45 11/04/2009] 716530B86CE51CF4037DD136C57DBDB9
C:\Windows\winsxs\x86_microsoft-windows-nbsmb_31bf3856ad364e35_6.0.6000.16386_none_5d33cf37fb0b3064\smb.sys --a---- 66048 bytes [08:57 02/11/2006] [08:57 02/11/2006] AC0D90738ADB51A6FD12FF00874A2162
C:\Windows\winsxs\x86_microsoft-windows-nbsmb_31bf3856ad364e35_6.0.6001.18000_none_5f6a9133f7f64138\smb.sys --a---- 66560 bytes [03:38 20/09/2008] [05:55 19/01/2008] 031E6BCD53C9B2B9ACE111EAFEC347B6

Searching for " "
No files found.

-= EOF =-


I do not have the windows vista cds for the machine. I have a set of recovery disks made when I purchased the machine.

thanks

#8 nasdaq

nasdaq

  • Malware Response Team
  • 40,476 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 08 October 2011 - 12:35 PM

We are in luck. The initial file installed with Vista is available.

Open notepad and copy/paste the text in the quote box below into it:

FMOVE::
C:\Windows\winsxs\x86_microsoft-windows-nbsmb_31bf3856ad364e35_6.0.6000.16386_none_5d33cf37fb0b3064\smb.sys|C:\Windows\System32\drivers\smb.sys


Save this as CFScript on your desktop.


Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.

Let me know what problem persists.
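The file-integrity check behind the filefind output and the restore decision above, written out as an added example (this is not SystemLook's, ComboFix's or the thread's own code): it parses SystemLook's filefind lines, compares the live driver's MD5 with the copies Windows keeps in the WinSxS component store, ranks the store copies by the version in their folder name, and builds a CFScript FMOVE line in the form used in the post above. The version-from-folder-name rule is an assumption about standard WinSxS naming; the sample lines are copied from the log posted earlier in this thread.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# One SystemLook filefind result line:
#   <path> <attrs> <size> bytes [<created>] [<modified>] <MD5>
FILEFIND_LINE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-z]{7})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$"
)
# Assumption: WinSxS folder names carry the component version as the third
# '_'-separated field, e.g. x86_microsoft-windows-nbsmb_<token>_6.0.6000.16386_none_<hash>
SXS_VERSION = re.compile(r"_(\d+)\.(\d+)\.(\d+)\.(\d+)_")

# Sample input copied from the SystemLook filefind output posted above in this thread.
SAMPLE_FILEFIND = r"""
Searching for "smb.sys"
C:\Windows\System32\drivers\smb.sys --a---- 66560 bytes [06:56 18/09/2009] [04:45 11/04/2009] 716530B86CE51CF4037DD136C57DBDB9
C:\Windows\winsxs\x86_microsoft-windows-nbsmb_31bf3856ad364e35_6.0.6000.16386_none_5d33cf37fb0b3064\smb.sys --a---- 66048 bytes [08:57 02/11/2006] [08:57 02/11/2006] AC0D90738ADB51A6FD12FF00874A2162
C:\Windows\winsxs\x86_microsoft-windows-nbsmb_31bf3856ad364e35_6.0.6001.18000_none_5f6a9133f7f64138\smb.sys --a---- 66560 bytes [03:38 20/09/2008] [05:55 19/01/2008] 031E6BCD53C9B2B9ACE111EAFEC347B6

Searching for " "
No files found.
"""


@dataclass(frozen=True)
class FileHit:
    path: str
    size: int
    created: str
    modified: str
    md5: str

    @property
    def in_winsxs(self) -> bool:
        """True for copies held in the winsxs component store."""
        return "winsxs" in (p.lower() for p in PureWindowsPath(self.path).parts)

    @property
    def sxs_version(self) -> tuple[int, ...] | None:
        m = SXS_VERSION.search(self.path)
        return tuple(int(x) for x in m.groups()) if m else None


def parse_filefind(log: str) -> list[FileHit]:
    """One FileHit per result line; headers and 'No files found.' are skipped."""
    hits = []
    for line in log.splitlines():
        m = FILEFIND_LINE.match(line.strip())
        if m:
            hits.append(FileHit(m["path"], int(m["size"]), m["created"],
                                m["modified"], m["md5"].upper()))
    return hits


def triage(hits: list[FileHit], live_path: str) -> dict:
    """Compare the live driver's MD5 with its component-store copies.
    status: live-missing | no-store-copy | matches-store (file is original) |
    no-store-match (corrupted or tampered; store copies are restore candidates)."""
    live = next((h for h in hits if h.path.lower() == live_path.lower()), None)
    store = sorted((h for h in hits if h.in_winsxs),
                   key=lambda h: h.sxs_version or (), reverse=True)
    if live is None:
        return {"status": "live-missing", "live_md5": None, "restore_candidates": []}
    if not store:
        return {"status": "no-store-copy", "live_md5": live.md5, "restore_candidates": []}
    matched = any(h.md5 == live.md5 for h in store)
    return {"status": "matches-store" if matched else "no-store-match",
            "live_md5": live.md5,
            "restore_candidates": [(h.sxs_version, h.path, h.md5) for h in store]}


def cfscript_fmove(src: str, dst: str) -> str:
    """CFScript text that replaces dst with src, in the FMOVE:: form used in this thread."""
    return f"FMOVE::\n{src}|{dst}\n"
```

On the sample, the live smb.sys matches neither store copy, so the status is no-store-match and both WinSxS copies are listed as restore candidates, newest version first.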

#9 jkotila

jkotila
  • Topic Starter

  • Members
  • 6 posts

Posted 08 October 2011 - 04:22 PM

Issue seems to be resolved. Thanks

Only had an issue with combofix. It locked up after it "updated"??

Anyway, ran it again, and the following is the log.

Once again, seems to be fixed.. THANK YOU SOOO MUCH!!!!

ComboFix 11-10-08.04 - jeff 10/08/2011 15:46:42.6.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1982.1058 [GMT -5:00]
Running from: c:\users\jeff.KOTLAPTOP\Desktop\ComboFix.exe
AV: AVG Anti-Virus *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2011-09-08 to 2011-10-08 )))))))))))))))))))))))))))))))
.
.
2011-10-08 20:56 . 2011-10-08 20:57 -------- d-----w- c:\users\jeff.KOTLAPTOP\AppData\Local\temp
2011-10-08 20:56 . 2011-10-08 20:56 -------- d-----w- c:\users\stacy\AppData\Local\temp
2011-10-08 20:56 . 2011-10-08 20:56 -------- d-----w- c:\users\JEFF~1~KOT\AppData\Local\temp
2011-10-08 20:56 . 2011-10-08 20:56 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-10-08 11:44 . 2011-10-08 11:44 -------- d-----w- c:\program files\Common Files\Java
2011-10-07 20:33 . 2011-10-07 20:33 -------- d-----w- c:\users\jeff.KOTLAPTOP\AppData\Roaming\AVG9
2011-10-07 16:37 . 2011-10-07 16:37 -------- d-----w- c:\program files\Conduit
2011-10-07 16:37 . 2011-10-07 16:37 -------- d-----w- c:\program files\Coupons.com
2011-10-04 00:28 . 2011-10-04 00:28 -------- d-----w- c:\program files\Resource Hacker
2011-10-03 23:45 . 2011-10-03 23:46 -------- d-----w- c:\users\jeff.KOTLAPTOP\AppData\Roaming\PE Explorer
2011-10-03 23:45 . 2011-10-03 23:45 -------- d-----w- c:\program files\PE Explorer
2011-10-03 11:19 . 2011-10-04 00:19 -------- d-sha-w- c:\users\Public\DRM
2011-10-03 11:18 . 2011-10-03 11:18 -------- d-----w- c:\users\jeff.KOTLAPTOP\AppData\Local\HHD Software
2011-10-03 00:14 . 2011-10-03 00:23 -------- d-----w- C:\sh4ldr
2011-10-03 00:14 . 2011-10-03 00:14 -------- d-----w- c:\program files\Enigma Software Group
2011-10-03 00:13 . 2011-10-03 00:23 -------- d-----w- c:\windows\D3F93A5A7A5D4867B2A16F46500D006C.TMP
2011-10-03 00:03 . 2011-10-03 00:03 -------- d-----w- c:\program files\ESET
2011-10-02 23:09 . 2011-10-03 00:21 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-10-02 23:09 . 2011-10-03 00:21 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-10-02 13:46 . 2011-10-02 13:46 -------- d-----w- C:\gmer
2011-10-02 01:36 . 2011-10-02 01:36 -------- d-----w- C:\$AVG
2011-10-02 00:06 . 2011-10-02 00:06 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2011-10-02 00:06 . 2011-10-02 00:06 52872 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2011-10-02 00:06 . 2011-10-02 00:06 243152 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2011-10-02 00:06 . 2011-10-02 00:06 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2011-10-02 00:06 . 2011-10-02 00:07 29712 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2011-10-02 00:05 . 2011-10-08 19:34 -------- d-----w- c:\windows\system32\drivers\Avg
2011-10-01 22:25 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-01 21:56 . 2011-10-01 21:56 -------- d-----w- c:\program files\AVG
2011-10-01 21:56 . 2011-10-02 00:02 -------- d-----w- c:\programdata\avg9
2011-10-01 20:58 . 2011-10-01 20:58 388096 ----a-r- c:\users\jeff.KOTLAPTOP\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-10-01 20:58 . 2011-10-01 20:58 -------- d-----w- c:\program files\Trend Micro
2011-10-01 03:30 . 2011-10-01 03:30 -------- d-----w- c:\programdata\Malwarebytes
2011-10-01 03:30 . 2011-10-01 22:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-17 18:17 . 2011-09-17 18:18 -------- d-----w- c:\users\Public\Router Flash
2011-09-14 11:23 . 2011-08-10 12:14 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-08 11:42 . 2010-04-20 21:27 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-08-27 14:49 . 2011-05-24 01:17 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-22 02:54 . 2011-08-11 12:17 1797632 ----a-w- c:\windows\system32\jscript9.dll
2011-07-22 02:48 . 2011-08-11 12:17 1126912 ----a-w- c:\windows\system32\wininet.dll
2011-07-22 02:44 . 2011-08-11 12:17 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-07-13 21:52 . 2011-02-14 22:05 71072 ----a-w- c:\windows\CouponPrinter.ocx
2011-07-11 13:25 . 2011-08-24 11:31 2048 ----a-w- c:\windows\system32\tzres.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{37153479-1976-43c3-a1ee-557513977b64}]
2011-05-09 09:49 176936 ----a-w- c:\program files\Coupons.com\prxtbCoup.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{37153479-1976-43c3-a1ee-557513977b64}"= "c:\program files\Coupons.com\prxtbCoup.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{37153479-1976-43c3-a1ee-557513977b64}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-14 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-10-01 181544]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-09-19 202032]
"OnScreenDisplay"="c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2007-09-04 554320]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-09-13 222504]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-09-13 480560]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-08 311296]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2008-11-25 356352]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-24 13601312]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-06-24 92704]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-05-28 1721640]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2011-10-02 2076512]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OQBBAC0ATgAwAEsAVABFAC0ASAA5AFcATQAwAC0ARQBXADAAVgBBAC0AVQBUADIAQwBIAC0ARgBVAEsAUwA3AA&inst=NwA2AC0AOAA3ADAANQAxADMAMQAwADAALQBYAE8AMwA2ACsAMQAtAFQAQgA5ACsAMgAtAE4AMQBEACsAMQAtAFAATAArADkALQBDAEkAQQA5ADAAKwAyAC0ARABEAFQAKwAzADUANQAyADUALQBEAEQAOQAwACsAMQAtAFMAVAA5ADAAQQBQAFAAKwAxAA&prod=92&ver=9.0.902" [?]
.
c:\users\jeff.KOTLAPTOP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 135664]
R3 FlyUsb;FLY Fusion;c:\windows\system32\DRIVERS\FlyUsb.sys [2008-11-25 19456]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 135664]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S0 AvgRkx86;avgrkx86.sys;c:\windows\System32\Drivers\avgrkx86.sys [2011-10-02 52872]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2011-10-02 216400]
S1 AvgTdiX;AVG Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2011-10-02 243152]
S2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2011-10-02 308136]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 13:26]
.
2011-10-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 13:26]
.
2011-10-08 c:\windows\Tasks\User_Feed_Synchronization-{43DE2DB8-7366-45A0-944A-61199C46EB04}.job
- c:\windows\system32\msfeedssync.exe [2011-05-15 17:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
uInternet Settings,ProxyOverride = <local>;*.local
Trusted Zone: industrialautomationllc.com\mail
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 24.177.176.38 97.81.22.195 24.178.162.3
DPF: {22CF0C35-80CE-11D3-9354-00105AA793BF} - hxxp://www.immdesign.com/webview/IPAWebView.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-08 15:57
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-10-08 16:00:07
ComboFix-quarantined-files.txt 2011-10-08 21:00
ComboFix2.txt 2011-10-08 19:19
ComboFix3.txt 2011-10-07 21:11
ComboFix4.txt 2011-10-01 20:22
ComboFix5.txt 2011-10-08 20:44
.
Pre-Run: 33,585,860,608 bytes free
Post-Run: 33,590,464,512 bytes free
.
- - End Of File - - BC63AE6A23CB3F8EE0ED0CCD47343F72

#10 nasdaq

nasdaq

  • Malware Response Team
  • 40,476 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 08 October 2011 - 06:18 PM

Glad we could help.

Time for some housekeeping

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bold text into the Run box and click OK:

ComboFix /Uninstall
===

Delete the other tools we used to clean this computer.

Surf Safely, and Think Prevention!
===

#11 nasdaq

nasdaq

  • Malware Response Team
  • 40,476 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 13 October 2011 - 07:15 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



