
Infected with System Restore and Google re-directs


This topic is locked
11 replies to this topic

#1 tess55

tess55

  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:36 AM

Posted 28 October 2011 - 04:36 PM

Hi,

I tried following this guide and after completing step 5, I am still unable to update Malwarebytes, so I'm now creating a topic here as requested. My start menu is absolutely cleared, I have no shortcuts on my desktop and my wallpaper is black. System Restore keeps trying to pop up asking to scan, which I cancel, and a ton of pop-ups saying things like "failed to save all components of \\system32\\[file]" come up. Also I'm getting Google redirects from the search bar in my Firefox browser.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.7930.16406 BrowserJavaVersion: 1.6.0_22
Run by Justin at 17:30:50 on 2011-10-28
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.2038.675 [GMT -4:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\bcmwltry.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\AERTSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AskBarDis\bar\bin\AskService.exe
C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InstallShield Shared\Service\InstallShield Licensing Service.exe
C:\Windows\system32\DRIVERS\o2flash.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSC.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\OEM13Mon.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Air Mouse\Air Mouse\Air Mouse.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\consent.exe
C:\Windows\system32\consent.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Windows\explorer.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Users\Justin\AppData\Local\Temp\Rar$EX31.257\gmer.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Users\Justin\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\msiexec.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.babylon.com/home?AF=15000
uInternet Settings,ProxyServer = http=127.0.0.1:53293
uInternet Settings,ProxyOverride = *.local
uWinlogon: Shell=explorer.exe,c:\users\justin\appdata\roaming\dwm.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [RegistryBooster] "c:\program files\uniblue\registrybooster\launcher.exe" delay 20000
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [conhost] c:\users\justin\appdata\roaming\microsoft\conhost.exe
uRun: [Facebook Update] "c:\users\justin\appdata\local\facebook\update\FacebookUpdate.exe" /c /nocrashserver
uRun: [WKocfFMPaI.exe] c:\programdata\WKocfFMPaI.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [OEM13Mon.exe] c:\windows\OEM13Mon.exe
mRun: [DELL Webcam Manager] "c:\program files\dell\dell webcam manager\DellWMgr.exe" /s
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [UVS12 Preload] c:\program files\corel\corel videostudio 12\uvPL.exe
mRun: [TrojanScanner] c:\program files\trojan remover\Trjscan.exe /boot
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
StartupFolder: c:\users\justin\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\justin\appdata\roaming\dropbox\bin\Dropbox.exe
StartupFolder: c:\users\justin\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\airmou~1.lnk - c:\program files\air mouse\air mouse\Air Mouse.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\wddmst~1.lnk - c:\program files\western digital\wd smartware\wd drive manager\WDDMStatus.exe
uPolicies-explorer: EnableShellExecuteHooks = 1 (0x1)
mPolicies-explorer: EnableShellExecuteHooks = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.2.1 192.168.2.1
TCP: Interfaces\{271DECE3-92FF-4DFC-9400-DAFF984BAAF9} : DhcpNameServer = 192.168.2.1 192.168.2.1
TCP: Interfaces\{2AFBF315-7B02-49BC-AC02-768280835898} : DhcpNameServer = 192.168.2.1
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\justin\appdata\roaming\mozilla\firefox\profiles\gjnaknhh.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.babylon.com/web/{searchTerms}?babsrc=browsersearch&AF=15000
FF - prefs.js: browser.search.selectedEngine - Google Images
FF - prefs.js: browser.startup.homepage - hxxp://en.wikipedia.org/wiki/Special:Randompage
FF - prefs.js: keyword.URL - hxxp://www.tepela.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=yLapB7GC&q=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 53293
FF - prefs.js: network.proxy.type - 0
FF - component: c:\users\justin\appdata\roaming\mozilla\firefox\profiles\gjnaknhh.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\components\RadioWMPCoreGecko19.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPQ00032.DLL
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll
FF - plugin: c:\programdata\id software\quakelive\npquakezero.dll
FF - plugin: c:\users\justin\appdata\local\facebook\video\skype\npFacebookVideoCalling.dll
.
---- FIREFOX POLICIES ----
.
FF - user.js: browser.search.selectedEngine - Search
FF - user.js: keyword.URL - hxxp://www.tepela.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=yLapB7GC&q=
.
============= SERVICES / DRIVERS ===============
.
R2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2009-9-20 77824]
R2 ASKService;ASKService;c:\program files\askbardis\bar\bin\AskService.exe [2009-9-21 464264]
R2 ASKUpgrade;ASKUpgrade;c:\program files\askbardis\bar\bin\ASKUpgrade.exe [2009-9-21 234888]
R2 WDDMService;WDDMService;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2011-3-9 238592]
R2 WDFME;WD File Management Engine;c:\program files\western digital\wd smartware\front parlor\wdfme\WDFME.exe [2011-3-9 1060864]
R2 WDSC;WD File Management Shadow Engine;c:\program files\western digital\wd smartware\front parlor\WDSC.exe [2011-3-9 484352]
R3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2009-9-20 21504]
R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2008-7-29 51288]
R3 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2008-6-12 43608]
R3 OEM13Vfx;Creative Camera OEM013 Video VFX Driver;c:\windows\system32\drivers\OEM13Vfx.sys [2009-9-20 7424]
R3 OEM13Vid;Creative Camera OEM013 Driver;c:\windows\system32\drivers\OEM13Vid.sys [2009-9-20 235840]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-10-13 133104]
S2 RoxLiveShare10;LiveShare P2P Server 10;"c:\program files\common files\roxio shared\10.0\sharedcom\roxliveshare10.exe" --> c:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe [?]
S2 SessionLauncher;SessionLauncher;c:\users\justin\appdata\local\temp\dx9\sessionlauncher.exe --> c:\users\justin\appdata\local\temp\dx9\SessionLauncher.exe [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-10-13 133104]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
.
=============== Created Last 30 ================
.
2011-10-28 17:16:13 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{163467d1-235d-471b-9e5b-4a392b837fe1}\offreg.dll
2011-10-28 17:16:05 6668624 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{163467d1-235d-471b-9e5b-4a392b837fe1}\mpengine.dll
2011-10-25 01:45:39 502272 -c--a-w- c:\programdata\microsoft\windows\wer\reportqueue\report15110bb5\usp10.dll
2011-10-24 23:49:58 333712 ---ha-w- c:\programdata\6DSS92c31Apgjk.exe
2011-10-24 23:47:29 406416 ---ha-w- c:\programdata\WKocfFMPaI.exe
2011-10-24 18:29:02 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 18:29:02 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-10-19 23:37:27 -------- d--h--w- c:\users\justin\appdata\local\Facebook
2011-10-14 00:57:29 -------- d-----w- c:\program files\iPod
2011-10-14 00:46:11 -------- d-----w- c:\program files\Bonjour
2011-10-12 21:49:52 69632 ----a-w- c:\windows\system32\Mpeg2Data.ax
2011-10-12 21:49:52 57856 ----a-w- c:\windows\system32\MSDvbNP.ax
2011-10-12 21:49:52 293376 ----a-w- c:\windows\system32\psisdecd.dll
2011-10-12 21:49:52 217088 ----a-w- c:\windows\system32\psisrndr.ax
2011-10-12 21:49:30 563712 ----a-w- c:\windows\system32\oleaut32.dll
2011-10-12 21:49:30 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2011-10-12 21:49:30 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2011-10-12 21:49:30 238080 ----a-w- c:\windows\system32\oleacc.dll
2011-10-12 21:47:47 2043392 ----a-w- c:\windows\system32\win32k.sys
.
==================== Find3M ====================
.
2011-09-04 23:47:03 0 ---ha-w- c:\programdata\yqct.exe
2011-09-04 23:47:03 0 ---ha-w- c:\programdata\qnpk.exe
2011-09-04 23:47:03 0 ---ha-w- c:\programdata\onfu.exe
2011-09-04 23:47:03 0 ---ha-w- c:\programdata\adtu.exe
2011-08-31 03:05:04 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-08-31 03:05:04 73064 ----a-w- c:\windows\system32\dnssd.dll
.
============= FINISH: 17:31:34.32 ===============
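The DDS log above contains several of the classic indicators a malware-response helper reads for: a user-level Internet Explorer proxy pointing at a loopback port, a Winlogon Shell value that launches a second executable out of AppData, Run entries in ProgramData/AppData with random or system-lookalike names, a service starting from a Temp directory, and Firefox keyword.URL and proxy entries. The Python script below is an added example, not part of this thread and not part of the DDS tool; it applies those heuristics to lines in DDS's report format. The sample lines are constructed after entries in the log above, with the username changed to user1 and the redirect domain replaced by a .test placeholder.

```python
import re
from collections import Counter

# Constructed sample in the shape of a DDS "Pseudo HJT Report", Firefox and
# services section. Modelled on the log in this thread; the username is changed
# to user1 and the redirect domain is a placeholder (.test), not an IoC.
SAMPLE_LOG = r"""
uStart Page = hxxp://search.example-toolbar.test/home
uInternet Settings,ProxyServer = http=127.0.0.1:53293
uInternet Settings,ProxyOverride = *.local
uWinlogon: Shell=explorer.exe,c:\users\user1\appdata\roaming\dwm.exe
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [conhost] c:\users\user1\appdata\roaming\microsoft\conhost.exe
uRun: [WKocfFMPaI.exe] c:\programdata\WKocfFMPaI.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
FF - prefs.js: keyword.URL - hxxp://www.redirector.test/search/?q=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 53293
FF - user.js: keyword.URL - hxxp://www.redirector.test/search/?q=
S2 SessionLauncher;SessionLauncher;c:\users\user1\appdata\local\temp\dx9\sessionlauncher.exe [?]
R2 WDDMService;WDDMService;c:\program files\western digital\WDDMService.exe [2011-3-9 238592]
"""

# Names of Windows system binaries that malware likes to borrow; the legitimate
# copies live under \windows\, so the same name anywhere else is a red flag.
SYSTEM_BINARY_NAMES = {"conhost.exe", "dwm.exe", "csrss.exe", "svchost.exe",
                       "lsass.exe", "winlogon.exe", "explorer.exe", "smss.exe"}
USER_WRITABLE = re.compile(r"\\(?:appdata|programdata|temp)\\", re.I)
EXE_PATH = re.compile(r"([a-z]:\\.+?\.exe)", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def check_line(line):
    """Return (severity, reason) if the DDS line looks suspicious, else None."""
    line = line.strip()
    m = re.match(r"uInternet Settings,ProxyServer\s*=\s*(.+)", line, re.I)
    if m and "127.0.0.1" in m.group(1):
        return ("high", "IE HTTP proxy points at a loopback port: a local "
                        "redirector proxy is a common cause of search hijacks")
    m = re.match(r"uWinlogon:\s*Shell=(.+)", line, re.I)
    if m:
        extras = [p.strip() for p in m.group(1).split(",")[1:] if p.strip()]
        if extras:
            return ("high", "Winlogon Shell starts extra executable(s) besides "
                            "explorer.exe: " + ", ".join(extras))
    m = re.match(r"[umd]Run:\s*\[[^\]]*\]\s*(.+)", line, re.I)
    if m:
        path = EXE_PATH.search(m.group(1))
        if path:
            p = path.group(1)
            if basename(p) in SYSTEM_BINARY_NAMES and "\\windows\\" not in p.lower():
                return ("high", "autostart masquerades as system binary "
                                + basename(p) + " outside the Windows directory")
            if USER_WRITABLE.search(p):
                return ("medium", "autostart launched from a user-writable location")
    m = re.match(r"FF - (prefs|user)\.js:\s*([\w.]+)\s*-\s*(.+)", line)
    if m:
        kind, pref, value = m.groups()
        if pref == "network.proxy.http" and value.strip().startswith("127.0.0.1"):
            return ("high", "Firefox HTTP proxy set to loopback")
        if pref == "keyword.URL":
            return ("medium", "Firefox address-bar searches routed to "
                              + value.strip() + " (" + kind + ".js)")
        if kind == "user":
            return ("low", "user.js re-applies this setting on every startup")
    m = re.match(r"[RS]\d\s+([^;]+);[^;]*;(.+)", line)
    if m and USER_WRITABLE.search(m.group(2)):
        return ("high", "service " + m.group(1) + " runs from a user-writable location")
    return None


def analyze(log_text):
    """Run check_line over every line; return the suspicious ones with context."""
    findings = []
    for line in log_text.splitlines():
        hit = check_line(line)
        if hit:
            findings.append({"severity": hit[0], "line": line.strip(), "reason": hit[1]})
    return findings


def severity_counts(findings):
    return dict(Counter(f["severity"] for f in findings))


def loopback_proxy_ports(log_text):
    """Ports each browser is told to proxy through on 127.0.0.1; identical
    values point at one local listener configured for both browsers."""
    ports = {}
    m = re.search(r"ProxyServer\s*=\s*http=127\.0\.0\.1:(\d+)", log_text, re.I)
    if m:
        ports["ie"] = int(m.group(1))
    if re.search(r"network\.proxy\.http - 127\.0\.0\.1\b", log_text):
        m = re.search(r"network\.proxy\.http_port - (\d+)", log_text)
        if m:
            ports["firefox"] = int(m.group(1))
    return ports


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['line']}\n         -> {f['reason']}")
    print("loopback proxy ports:", loopback_proxy_ports(SAMPLE_LOG))
```

One caveat visible in the log above: Firefox's network.proxy.type is 0 (direct connection), so the loopback proxy values in prefs.js are inert for Firefox; the address-bar redirects come from the keyword.URL override, which user.js re-applies on every start. The script therefore reports the IE proxy and the Firefox keyword.URL as separate findings rather than assuming one mechanism explains both browsers.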


#2 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:36 AM

Posted 28 October 2011 - 05:53 PM

Hello and welcome. Please follow these guidelines while we work on your PC:
  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I’ve given you the “All clear.” Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.
P2P - I see you have P2P software (FrostWire & Vuze) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to malware infections. Please see this post for more information. I recommend that you uninstall these now. You can do so via Control Panel >> Add or Remove Programs. If you choose to keep these applications, please do not use them until our fixes at TSF are complete.

Download unhide.exe, saving it to your desktop
  • Right click on unhide.exe and select Run as administrator
  • Reboot
Download ComboFix from either of the links below, and save it to your desktop.

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • If you have trouble, stop and post back. Do not try to repeatedly run ComboFix!
  • When finished, it will produce a report for you.

Please include the following in your next post:
  • ComboFix log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#3 tess55

tess55
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:36 AM

Posted 31 October 2011 - 05:58 PM

ComboFix 11-10-30.04 - Justin 10/31/2011 17:41:51.1.2 - x86
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.2038.678 [GMT -4:00]
Running from: c:\users\Justin\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\6DSS92c31Apgjk.exe
c:\programdata\Roaming
c:\programdata\WKocfFMPaI.exe
c:\users\Justin\AppData\Local\gxeq.exe
c:\users\Justin\AppData\Local\itv.exe
c:\users\Justin\AppData\Local\jrk.exe
c:\users\Justin\AppData\Local\qbdu.exe
c:\users\Justin\AppData\Local\sxfa.exe
c:\users\Justin\AppData\Local\vccr.exe
c:\users\Justin\AppData\Roaming\29C0.56A
c:\users\Justin\AppData\Roaming\Hotbar
c:\users\Justin\AppData\Roaming\Hotbar\Weather\history
c:\users\Justin\AppData\Roaming\Hotbar\Weather\Weather_XML\Default
c:\users\Justin\AppData\Roaming\Hotbar\Weather\Weather_XML\Genera1
c:\users\Justin\AppData\Roaming\Hotbar\Weather\Weather_XML\General
c:\users\Justin\AppData\Roaming\Hotbar\Weather\WeatherDPA\Links
c:\users\Justin\AppData\Roaming\Hotbar\Weather\WeatherDPA\Weather_XML\Display
c:\users\Justin\AppData\Roaming\Hotbar\Weather\WeatherDPA\Weather_XML\Loading
c:\users\Justin\AppData\Roaming\Hotbar\Weather\WeatherDPA\Weather_XML\screen2
c:\users\Justin\AppData\Roaming\Hotbar\Weather\WeatherDPA\WeatherPreferences
c:\users\Justin\AppData\Roaming\Hotbar\Weather\WeatherStartup.xml
c:\users\Justin\AppData\Roaming\Microsoft\conhost.exe
c:\windows\UA000106.DLL
.
.
((((((((((((((((((((((((( Files Created from 2011-09-28 to 2011-10-31 )))))))))))))))))))))))))))))))
.
.
2011-10-31 21:51 . 2011-10-31 21:51 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-10-31 21:51 . 2011-10-31 21:51 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2011-10-28 17:16 . 2011-10-07 03:48 6668624 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{163467D1-235D-471B-9E5B-4A392B837FE1}\mpengine.dll
2011-10-25 01:45 . 2010-04-16 16:46 502272 -c--a-w- c:\programdata\Microsoft\Windows\WER\ReportQueue\Report15110bb5\usp10.dll
2011-10-24 18:29 . 2011-10-24 18:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 18:29 . 2011-10-24 18:29 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-10-19 23:37 . 2011-10-19 23:38 -------- d--h--w- c:\users\Justin\AppData\Local\Facebook
2011-10-14 00:57 . 2011-10-14 00:57 -------- d-----w- c:\program files\iPod
2011-10-14 00:46 . 2011-10-14 00:46 -------- d-----w- c:\program files\Bonjour
2011-10-12 21:49 . 2011-07-29 16:01 293376 ----a-w- c:\windows\system32\psisdecd.dll
2011-10-12 21:49 . 2011-07-29 16:01 217088 ----a-w- c:\windows\system32\psisrndr.ax
2011-10-12 21:49 . 2011-07-29 16:00 57856 ----a-w- c:\windows\system32\MSDvbNP.ax
2011-10-12 21:49 . 2011-07-29 16:00 69632 ----a-w- c:\windows\system32\Mpeg2Data.ax
2011-10-12 21:49 . 2011-08-25 16:15 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2011-10-12 21:49 . 2011-08-25 16:14 563712 ----a-w- c:\windows\system32\oleaut32.dll
2011-10-12 21:49 . 2011-08-25 16:14 238080 ----a-w- c:\windows\system32\oleacc.dll
2011-10-12 21:49 . 2011-08-25 13:31 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2011-10-12 21:47 . 2011-09-06 13:30 2043392 ----a-w- c:\windows\system32\win32k.sys
2011-10-06 21:19 . 2011-10-06 21:19 -------- d-----w- c:\program files\Apple Software Update
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-04 23:47 . 2011-09-04 23:47 0 ---ha-w- c:\programdata\yqct.exe
2011-09-04 23:47 . 2011-09-04 23:47 0 ---ha-w- c:\programdata\qnpk.exe
2011-09-04 23:47 . 2011-09-04 23:47 0 ---ha-w- c:\programdata\onfu.exe
2011-09-04 23:47 . 2011-09-04 23:47 0 ---ha-w- c:\programdata\adtu.exe
2011-08-31 03:05 . 2011-08-31 03:05 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-08-31 03:05 . 2011-08-31 03:05 73064 ----a-w- c:\windows\system32\dnssd.dll
2008-05-30 15:01 . 2010-01-31 23:41 77824 ----a-w- c:\program files\mozilla firefox\plugins\QVPLUG32.DLL
2011-09-30 17:54 . 2011-07-08 14:04 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2009-04-02 16:47 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]
.
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]
.
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ---ha-w- c:\users\Justin\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ---ha-w- c:\users\Justin\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ---ha-w- c:\users\Justin\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"Facebook Update"="c:\users\Justin\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2011-10-19 137536]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-02-04 4907008]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-04 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-04 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-04 133656]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-01-20 3563520]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-12-14 159744]
"OEM13Mon.exe"="c:\windows\OEM13Mon.exe" [2008-01-08 36864]
"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"UVS12 Preload"="c:\program files\Corel\Corel VideoStudio 12\uvPL.exe" [2008-06-09 397456]
"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2009-03-07 1303432]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-10-09 421736]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-11-02 8704]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Air Mouse.lnk - c:\program files\Air Mouse\Air Mouse\Air Mouse.exe [2010-2-1 505856]
WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2011-3-9 3986944]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-10-14 133104]
R2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [x]
R2 SessionLauncher;SessionLauncher;c:\users\Justin\AppData\Local\Temp\DX9\SessionLauncher.exe [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2009-10-14 133104]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2008-05-06 11520]
S2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2008-02-04 77824]
S2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [2009-04-02 464264]
S2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [2009-04-02 234888]
S2 WDDMService;WDDMService;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [2011-03-09 238592]
S2 WDFME;WD File Management Engine;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe [2011-03-09 1060864]
S2 WDSC;WD File Management Shadow Engine;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSC.exe [2011-03-09 484352]
S3 O2MDRDR;O2MDRDR;c:\windows\system32\DRIVERS\o2media.sys [2008-07-29 51288]
S3 O2SDRDR;O2SDRDR;c:\windows\system32\DRIVERS\o2sd.sys [2008-06-12 43608]
S3 OEM13Vfx;Creative Camera OEM013 Video VFX Driver;c:\windows\system32\DRIVERS\OEM13Vfx.sys [2007-03-05 7424]
S3 OEM13Vid;Creative Camera OEM013 Driver;c:\windows\system32\DRIVERS\OEM13Vid.sys [2008-05-29 235840]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-30 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3548370413-182981021-3849907952-1000Core.job
- c:\users\Justin\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-10-19 23:37]
.
2011-10-31 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3548370413-182981021-3849907952-1000UA.job
- c:\users\Justin\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-10-19 23:37]
.
2011-10-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-14 01:56]
.
2011-10-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-14 01:56]
.
2011-10-31 c:\windows\Tasks\Norton Security Scan for Justin.job
- c:\progra~1\NORTON~2\Engine\301~1.8\Nss.exe [2011-01-21 12:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.babylon.com/home?AF=15000
uInternet Settings,ProxyServer = http=127.0.0.1:53293
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.2.1 192.168.2.1
FF - ProfilePath - c:\users\Justin\AppData\Roaming\Mozilla\Firefox\Profiles\gjnaknhh.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.babylon.com/web/{searchTerms}?babsrc=browsersearch&AF=15000
FF - prefs.js: browser.startup.homepage - hxxp://en.wikipedia.org/wiki/Special:Randompage
FF - prefs.js: keyword.URL - hxxp://www.tepela.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=yLapB7GC&q=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 53293
FF - prefs.js: network.proxy.type - 0
FF - user.js: keyword.URL - hxxp://www.tepela.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=yLapB7GC&q=
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKCU-Run-RegistryBooster - c:\program files\Uniblue\RegistryBooster\launcher.exe
HKCU-Run-conhost - c:\users\Justin\AppData\Roaming\Microsoft\conhost.exe
HKCU-Run-WKocfFMPaI.exe - c:\programdata\WKocfFMPaI.exe
AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe
.
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(1688)
c:\users\Justin\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\system32\WLANExt.exe
c:\windows\System32\bcmwltry.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\InstallShield Shared\Service\InstallShield Licensing Service.exe
c:\windows\system32\DRIVERS\o2flash.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Windows Media Player\wmpnscfg.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\NOTEPAD.EXE
c:\program files\Mozilla Firefox\firefox.exe
.
**************************************************************************
.
Completion time: 2011-10-31 18:35:16 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-31 22:33
.
Pre-Run: 97,975,468,032 bytes free
Post-Run: 100,979,232,768 bytes free
.
- - End Of File - - F221AEB030DEC741F757361CA6AA2A47

#4 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:36 AM

Posted 31 October 2011 - 06:42 PM

tess55:

Please do this next:
Open Notepad: go to Start> All Programs> Accessories> Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before and above DDS::

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:53293
uInternet Settings,ProxyOverride = *.local
Firefox::
FF - ProfilePath - c:\users\Justin\AppData\Roaming\Mozilla\Firefox\Profiles\gjnaknhh.default\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 53293

Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM
  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Uncheck any entries from C:\System Volume Information or C:\Qoobox
  • Make sure that everything else is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Please include the following in your next post:
  • ComboFix log
  • MBAM log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif
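The CFScript above undoes the two settings the logs exposed: a proxy forced to 127.0.0.1:53293 in both the IE (uInternet Settings) and Firefox (network.proxy.*) configuration, and a Firefox keyword.URL pointed at tepela.com, which is what produced the search redirects. The earlier ORPHANS REMOVED list showed the third indicator family, Run-key autostarts living in AppData\Roaming and ProgramData under random names. The script below is an added example, not code from this thread, from ComboFix or from DDS: it scans report text in the DDS/ComboFix line format for those three families so a responder can triage a pasted log before deciding what to put in a fix script. The sample report is constructed in that line format; the short list of expected search hosts and the user-writable folder fragments are assumptions made for the example, not part of either tool.

```python
"""Triage of DDS / ComboFix report lines for the indicator families seen in
this thread: a loopback proxy forced into IE or Firefox, a hijacked Firefox
search pref, and a Run-key autostart in a user-writable folder.
Added example, not code from the thread, ComboFix or DDS."""
import re
from urllib.parse import urlparse

# Constructed sample in DDS/ComboFix report format (raw string: Windows paths).
SAMPLE_LOG = r"""
uInternet Settings,ProxyServer = http=127.0.0.1:53293
uInternet Settings,ProxyOverride = *.local
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 53293
FF - prefs.js: keyword.URL - hxxp://www.tepela.com/search/?ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://en.wikipedia.org/wiki/Special:Randompage
FF - user.js: keyword.URL - hxxp://www.google.com/search?q=
HKCU-Run-conhost - c:\users\Justin\AppData\Roaming\Microsoft\conhost.exe
HKCU-Run-WKocfFMPaI.exe - c:\programdata\WKocfFMPaI.exe
HKCU-Run-RegistryBooster - c:\program files\Uniblue\RegistryBooster\launcher.exe
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"""

LOOPBACK = re.compile(r"^(127\.\d{1,3}\.\d{1,3}\.\d{1,3}|localhost)$", re.I)

# Hosts a Firefox search pref normally points at. Assumption for the example:
# a short triage list, not a complete allow-list; any other host is reported
# for a human to look at.
KNOWN_SEARCH_HOSTS = {"www.google.com", "google.com", "www.bing.com", "search.yahoo.com"}

# Folder fragments an installer does not normally use for a logon autostart
# (assumed list for the example).
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")

# Line shapes as they appear in the reports: IE proxy, Firefox pref,
# orphaned Run entry, and a REGEDIT4-style quoted Run entry.
IE_PROXY = re.compile(r"ProxyServer\s*=\s*(?:\w+=)?([^:;\s]+):(\d+)", re.I)
FF_PREF = re.compile(r"^FF - (?:prefs|user)\.js: (\S+) - (.*)$")
ORPHAN_RUN = re.compile(r"^(?:HKCU|HKLM)-Run-(\S+) - (.+)$", re.I)
QUOTED_RUN = re.compile(r'^"[^"]+"="([^"]*)"')


def refang(url):
    """DDS/ComboFix write hxxp:// so URLs are not clickable; undo it for parsing."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.I)


def _check_autostart(path, line, findings):
    """Flag a Run-key target that lives in a user-writable folder."""
    if any(frag in path.lower() for frag in USER_WRITABLE):
        findings.append({"rule": "autostart_user_writable", "detail": path, "line": line})


def triage(report_text):
    """Return a list of findings ({rule, detail, line}) for the report text."""
    findings = []
    for raw in report_text.splitlines():
        line = raw.strip()
        m = IE_PROXY.search(line)
        if m and LOOPBACK.match(m.group(1)):
            findings.append({"rule": "ie_loopback_proxy",
                             "detail": f"{m.group(1)}:{m.group(2)}", "line": line})
            continue
        m = FF_PREF.match(line)
        if m:
            pref, value = m.group(1), m.group(2).strip()
            if pref == "network.proxy.http" and LOOPBACK.match(value):
                findings.append({"rule": "firefox_loopback_proxy", "detail": value, "line": line})
            elif pref in ("keyword.URL", "browser.search.defaulturl"):
                host = (urlparse(refang(value)).hostname or "").lower()
                if host not in KNOWN_SEARCH_HOSTS:
                    findings.append({"rule": "firefox_search_hijack", "detail": host, "line": line})
            continue
        m = ORPHAN_RUN.match(line)
        if m:
            _check_autostart(m.group(2).strip(), line, findings)
            continue
        m = QUOTED_RUN.match(line)
        if m:
            _check_autostart(m.group(1).strip(), line, findings)
    return findings


def count_by_rule(findings):
    """Summarise findings as {rule: count}."""
    counts = {}
    for f in findings:
        counts[f["rule"]] = counts.get(f["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['rule']}] {f['detail']}  <-  {f['line']}")
```

On the constructed sample the script reports the loopback proxy once for IE and once for Firefox, the tepela.com keyword.URL, and the two autostarts in AppData and ProgramData, while the Google keyword.URL, the Wikipedia homepage, the RegistryBooster entry and the Sidebar entry pass. The autostart rule is a review queue rather than a verdict: legitimate per-user updaters also install under AppData, so a hit means "look at this binary", not "delete it".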


#5 tess55

tess55
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:36 AM

Posted 31 October 2011 - 07:19 PM

I did the first step (everything regarding ComboFix) correctly. The log is posted below.


However, I could not get Malwarebytes to update. I clicked the update tab, clicked check for updates. A pop-up said "connecting to malwarebytes.org" for about two seconds, before an error pop-up arose. I received the error code: 732 (0,0). My current database version is 3510 (date:1/7/2010).

ComboFix 11-10-30.04 - Justin 10/31/2011 20:02:21.2.2 - x86
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.2038.1089 [GMT -4:00]
Running from: c:\users\Justin\Desktop\ComboFix.exe
Command switches used :: c:\users\Justin\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2011-10-01 to 2011-11-01 )))))))))))))))))))))))))))))))
.
.
2011-11-01 00:09 . 2011-11-01 00:09 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-11-01 00:09 . 2011-11-01 00:09 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2011-10-28 17:16 . 2011-10-07 03:48 6668624 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{163467D1-235D-471B-9E5B-4A392B837FE1}\mpengine.dll
2011-10-25 01:45 . 2010-04-16 16:46 502272 -c--a-w- c:\programdata\Microsoft\Windows\WER\ReportQueue\Report15110bb5\usp10.dll
2011-10-24 18:29 . 2011-10-24 18:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 18:29 . 2011-10-24 18:29 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-10-19 23:37 . 2011-10-19 23:38 -------- d-----w- c:\users\Justin\AppData\Local\Facebook
2011-10-14 00:57 . 2011-10-14 00:57 -------- d-----w- c:\program files\iPod
2011-10-14 00:46 . 2011-10-14 00:46 -------- d-----w- c:\program files\Bonjour
2011-10-12 21:49 . 2011-07-29 16:01 293376 ----a-w- c:\windows\system32\psisdecd.dll
2011-10-12 21:49 . 2011-07-29 16:01 217088 ----a-w- c:\windows\system32\psisrndr.ax
2011-10-12 21:49 . 2011-07-29 16:00 57856 ----a-w- c:\windows\system32\MSDvbNP.ax
2011-10-12 21:49 . 2011-07-29 16:00 69632 ----a-w- c:\windows\system32\Mpeg2Data.ax
2011-10-12 21:49 . 2011-08-25 16:15 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2011-10-12 21:49 . 2011-08-25 16:14 563712 ----a-w- c:\windows\system32\oleaut32.dll
2011-10-12 21:49 . 2011-08-25 16:14 238080 ----a-w- c:\windows\system32\oleacc.dll
2011-10-12 21:49 . 2011-08-25 13:31 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2011-10-12 21:47 . 2011-09-06 13:30 2043392 ----a-w- c:\windows\system32\win32k.sys
2011-10-06 21:19 . 2011-10-06 21:19 -------- d-----w- c:\program files\Apple Software Update
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-04 23:47 . 2011-09-04 23:47 0 ----a-w- c:\programdata\yqct.exe
2011-09-04 23:47 . 2011-09-04 23:47 0 ----a-w- c:\programdata\qnpk.exe
2011-09-04 23:47 . 2011-09-04 23:47 0 ----a-w- c:\programdata\onfu.exe
2011-09-04 23:47 . 2011-09-04 23:47 0 ----a-w- c:\programdata\adtu.exe
2011-08-31 03:05 . 2011-08-31 03:05 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-08-31 03:05 . 2011-08-31 03:05 73064 ----a-w- c:\windows\system32\dnssd.dll
2008-05-30 15:01 . 2010-01-31 23:41 77824 ----a-w- c:\program files\mozilla firefox\plugins\QVPLUG32.DLL
2011-09-30 17:54 . 2011-07-08 14:04 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2009-04-02 16:47 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]
.
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]
.
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\Justin\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\Justin\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\Justin\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"Facebook Update"="c:\users\Justin\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2011-10-19 137536]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-02-04 4907008]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-04 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-04 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-04 133656]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-01-20 3563520]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-12-14 159744]
"OEM13Mon.exe"="c:\windows\OEM13Mon.exe" [2008-01-08 36864]
"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"UVS12 Preload"="c:\program files\Corel\Corel VideoStudio 12\uvPL.exe" [2008-06-09 397456]
"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2009-03-07 1303432]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-10-09 421736]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-11-02 8704]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Air Mouse.lnk - c:\program files\Air Mouse\Air Mouse\Air Mouse.exe [2010-2-1 505856]
WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2011-3-9 3986944]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-10-14 133104]
R2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [x]
R2 SessionLauncher;SessionLauncher;c:\users\Justin\AppData\Local\Temp\DX9\SessionLauncher.exe [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2009-10-14 133104]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2008-05-06 11520]
S2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2008-02-04 77824]
S2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [2009-04-02 464264]
S2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [2009-04-02 234888]
S2 WDDMService;WDDMService;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [2011-03-09 238592]
S2 WDFME;WD File Management Engine;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe [2011-03-09 1060864]
S2 WDSC;WD File Management Shadow Engine;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSC.exe [2011-03-09 484352]
S3 O2MDRDR;O2MDRDR;c:\windows\system32\DRIVERS\o2media.sys [2008-07-29 51288]
S3 O2SDRDR;O2SDRDR;c:\windows\system32\DRIVERS\o2sd.sys [2008-06-12 43608]
S3 OEM13Vfx;Creative Camera OEM013 Video VFX Driver;c:\windows\system32\DRIVERS\OEM13Vfx.sys [2007-03-05 7424]
S3 OEM13Vid;Creative Camera OEM013 Driver;c:\windows\system32\DRIVERS\OEM13Vid.sys [2008-05-29 235840]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-31 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3548370413-182981021-3849907952-1000Core.job
- c:\users\Justin\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-10-19 23:37]
.
2011-10-31 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3548370413-182981021-3849907952-1000UA.job
- c:\users\Justin\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-10-19 23:37]
.
2011-11-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-14 01:56]
.
2011-11-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-14 01:56]
.
2011-10-31 c:\windows\Tasks\Norton Security Scan for Justin.job
- c:\progra~1\NORTON~2\Engine\301~1.8\Nss.exe [2011-01-21 12:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.babylon.com/home?AF=15000
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.2.1 192.168.2.1
FF - ProfilePath - c:\users\Justin\AppData\Roaming\Mozilla\Firefox\Profiles\gjnaknhh.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.babylon.com/web/{searchTerms}?babsrc=browsersearch&AF=15000
FF - prefs.js: browser.search.selectedEngine - YouTube Video Search
FF - prefs.js: browser.startup.homepage - hxxp://en.wikipedia.org/wiki/Special:Randompage
FF - prefs.js: keyword.URL - hxxp://www.tepela.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=yLapB7GC&q=
FF - prefs.js: network.proxy.type - 0
FF - user.js: keyword.URL - hxxp://www.tepela.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=yLapB7GC&q=
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-31 20:09
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(1684)
c:\users\Justin\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
Completion time: 2011-10-31 20:12:43
ComboFix-quarantined-files.txt 2011-11-01 00:12
ComboFix2.txt 2011-10-31 22:35
.
Pre-Run: 101,572,497,408 bytes free
Post-Run: 101,545,992,192 bytes free
.
- - End Of File - - 1E68DF6D3E61E66C3487C2BB2DB9A023

#6 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:36 AM

Posted 31 October 2011 - 07:28 PM

tess55:

Please do this next:

Open Notepad: go to Start> All Programs> Accessories> Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before and above http://

http://www.bleepingcomputer.com/forums/topic425474.html
Collect::
c:\programdata\yqct.exe
c:\programdata\qnpk.exe
c:\programdata\onfu.exe
c:\programdata\adtu.exe

Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Uninstall Malwarebytes via Control Panel > Add/Remove Programs
  • Reboot
  • Download the Malwarebytes Removal Tool
  • Double click on the utility to run it
  • It will ask to restart your computer (please allow it to).
  • After the computer restarts, install the latest version from here and try updating and scanning again

Please include the following in your next post:
  • ComboFix log
  • MBAM log

Threads are closed after 5 days of inactivity.



#7 tess55

tess55
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:36 AM

Posted 03 November 2011 - 01:34 AM

I've had a blue screen crash the 6+ times I've tried to scan with MBAM. Any help with that would be appreciated.

My CF log is posted below.

ComboFix 11-10-30.04 - Justin 10/31/2011 20:43:17.3.2 - x86
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.2038.984 [GMT -4:00]
Running from: c:\users\Justin\Desktop\ComboFix.exe
Command switches used :: c:\users\Justin\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
file zipped: c:\programdata\adtu.exe
file zipped: c:\programdata\onfu.exe
file zipped: c:\programdata\qnpk.exe
file zipped: c:\programdata\yqct.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\adtu.exe
c:\programdata\onfu.exe
c:\programdata\qnpk.exe
c:\programdata\yqct.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-10-01 to 2011-11-01 )))))))))))))))))))))))))))))))
.
.
2011-11-01 00:50 . 2011-11-01 00:50 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-11-01 00:50 . 2011-11-01 00:50 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2011-10-28 17:16 . 2011-10-07 03:48 6668624 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{163467D1-235D-471B-9E5B-4A392B837FE1}\mpengine.dll
2011-10-25 01:45 . 2010-04-16 16:46 502272 -c--a-w- c:\programdata\Microsoft\Windows\WER\ReportQueue\Report15110bb5\usp10.dll
2011-10-24 18:29 . 2011-10-24 18:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 18:29 . 2011-10-24 18:29 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-10-19 23:37 . 2011-10-19 23:38 -------- d-----w- c:\users\Justin\AppData\Local\Facebook
2011-10-14 00:57 . 2011-10-14 00:57 -------- d-----w- c:\program files\iPod
2011-10-14 00:46 . 2011-10-14 00:46 -------- d-----w- c:\program files\Bonjour
2011-10-12 21:49 . 2011-07-29 16:01 293376 ----a-w- c:\windows\system32\psisdecd.dll
2011-10-12 21:49 . 2011-07-29 16:01 217088 ----a-w- c:\windows\system32\psisrndr.ax
2011-10-12 21:49 . 2011-07-29 16:00 57856 ----a-w- c:\windows\system32\MSDvbNP.ax
2011-10-12 21:49 . 2011-07-29 16:00 69632 ----a-w- c:\windows\system32\Mpeg2Data.ax
2011-10-12 21:49 . 2011-08-25 16:15 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2011-10-12 21:49 . 2011-08-25 16:14 563712 ----a-w- c:\windows\system32\oleaut32.dll
2011-10-12 21:49 . 2011-08-25 16:14 238080 ----a-w- c:\windows\system32\oleacc.dll
2011-10-12 21:49 . 2011-08-25 13:31 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2011-10-12 21:47 . 2011-09-06 13:30 2043392 ----a-w- c:\windows\system32\win32k.sys
2011-10-06 21:19 . 2011-10-06 21:19 -------- d-----w- c:\program files\Apple Software Update
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-31 03:05 . 2011-08-31 03:05 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-08-31 03:05 . 2011-08-31 03:05 73064 ----a-w- c:\windows\system32\dnssd.dll
2008-05-30 15:01 . 2010-01-31 23:41 77824 ----a-w- c:\program files\mozilla firefox\plugins\QVPLUG32.DLL
2011-09-30 17:54 . 2011-07-08 14:04 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2009-04-02 16:47 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]
.
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]
.
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\Justin\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\Justin\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\Justin\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"Facebook Update"="c:\users\Justin\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2011-10-19 137536]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-02-04 4907008]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-04 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-04 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-04 133656]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-01-20 3563520]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-12-14 159744]
"OEM13Mon.exe"="c:\windows\OEM13Mon.exe" [2008-01-08 36864]
"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"UVS12 Preload"="c:\program files\Corel\Corel VideoStudio 12\uvPL.exe" [2008-06-09 397456]
"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2009-03-07 1303432]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-10-09 421736]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-11-02 8704]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Air Mouse.lnk - c:\program files\Air Mouse\Air Mouse\Air Mouse.exe [2010-2-1 505856]
WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2011-3-9 3986944]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-10-14 133104]
R2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [x]
R2 SessionLauncher;SessionLauncher;c:\users\Justin\AppData\Local\Temp\DX9\SessionLauncher.exe [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2009-10-14 133104]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2008-05-06 11520]
S2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2008-02-04 77824]
S2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [2009-04-02 464264]
S2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [2009-04-02 234888]
S2 WDDMService;WDDMService;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [2011-03-09 238592]
S2 WDFME;WD File Management Engine;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe [2011-03-09 1060864]
S2 WDSC;WD File Management Shadow Engine;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSC.exe [2011-03-09 484352]
S3 O2MDRDR;O2MDRDR;c:\windows\system32\DRIVERS\o2media.sys [2008-07-29 51288]
S3 O2SDRDR;O2SDRDR;c:\windows\system32\DRIVERS\o2sd.sys [2008-06-12 43608]
S3 OEM13Vfx;Creative Camera OEM013 Video VFX Driver;c:\windows\system32\DRIVERS\OEM13Vfx.sys [2007-03-05 7424]
S3 OEM13Vid;Creative Camera OEM013 Driver;c:\windows\system32\DRIVERS\OEM13Vid.sys [2008-05-29 235840]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-31 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3548370413-182981021-3849907952-1000Core.job
- c:\users\Justin\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-10-19 23:37]
.
2011-10-31 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3548370413-182981021-3849907952-1000UA.job
- c:\users\Justin\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-10-19 23:37]
.
2011-11-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-14 01:56]
.
2011-11-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-14 01:56]
.
2011-10-31 c:\windows\Tasks\Norton Security Scan for Justin.job
- c:\progra~1\NORTON~2\Engine\301~1.8\Nss.exe [2011-01-21 12:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.babylon.com/home?AF=15000
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.2.1 192.168.2.1
FF - ProfilePath - c:\users\Justin\AppData\Roaming\Mozilla\Firefox\Profiles\gjnaknhh.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.babylon.com/web/{searchTerms}?babsrc=browsersearch&AF=15000
FF - prefs.js: browser.search.selectedEngine - YouTube Video Search
FF - prefs.js: browser.startup.homepage - hxxp://en.wikipedia.org/wiki/Special:Randompage
FF - prefs.js: keyword.URL - hxxp://www.tepela.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=yLapB7GC&q=
FF - prefs.js: network.proxy.type - 0
FF - user.js: keyword.URL - hxxp://www.tepela.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=yLapB7GC&q=
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-31 21:34
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(2296)
c:\users\Justin\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\system32\WLANExt.exe
c:\windows\System32\bcmwltry.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\InstallShield Shared\Service\InstallShield Licensing Service.exe
c:\windows\system32\DRIVERS\o2flash.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Windows Media Player\wmpnscfg.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2011-10-31 21:36:58 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-01 01:36
ComboFix2.txt 2011-11-01 00:12
ComboFix3.txt 2011-10-31 22:35
.
Pre-Run: 101,550,854,144 bytes free
Post-Run: 101,644,386,304 bytes free
.
- - End Of File - - 992C65187F030B47DB8B4D331AB6ECCD
Upload was successful

#8 tess55

tess55
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:36 AM

Posted 03 November 2011 - 01:37 AM

I'm getting a blue screen crash each time (more than 6) I run MBAM. It doesn't happen right away (more than 30 minutes after I start the scan). So I don't have any log... any help would be appreciated.

I do, however, have my combofix log:

ComboFix 11-10-30.04 - Justin 10/31/2011 20:43:17.3.2 - x86
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.2038.984 [GMT -4:00]
Running from: c:\users\Justin\Desktop\ComboFix.exe
Command switches used :: c:\users\Justin\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
file zipped: c:\programdata\adtu.exe
file zipped: c:\programdata\onfu.exe
file zipped: c:\programdata\qnpk.exe
file zipped: c:\programdata\yqct.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\adtu.exe
c:\programdata\onfu.exe
c:\programdata\qnpk.exe
c:\programdata\yqct.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-10-01 to 2011-11-01 )))))))))))))))))))))))))))))))
.
.
2011-11-01 00:50 . 2011-11-01 00:50 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-11-01 00:50 . 2011-11-01 00:50 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2011-10-28 17:16 . 2011-10-07 03:48 6668624 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{163467D1-235D-471B-9E5B-4A392B837FE1}\mpengine.dll
2011-10-25 01:45 . 2010-04-16 16:46 502272 -c--a-w- c:\programdata\Microsoft\Windows\WER\ReportQueue\Report15110bb5\usp10.dll
2011-10-24 18:29 . 2011-10-24 18:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 18:29 . 2011-10-24 18:29 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-10-19 23:37 . 2011-10-19 23:38 -------- d-----w- c:\users\Justin\AppData\Local\Facebook
2011-10-14 00:57 . 2011-10-14 00:57 -------- d-----w- c:\program files\iPod
2011-10-14 00:46 . 2011-10-14 00:46 -------- d-----w- c:\program files\Bonjour
2011-10-12 21:49 . 2011-07-29 16:01 293376 ----a-w- c:\windows\system32\psisdecd.dll
2011-10-12 21:49 . 2011-07-29 16:01 217088 ----a-w- c:\windows\system32\psisrndr.ax
2011-10-12 21:49 . 2011-07-29 16:00 57856 ----a-w- c:\windows\system32\MSDvbNP.ax
2011-10-12 21:49 . 2011-07-29 16:00 69632 ----a-w- c:\windows\system32\Mpeg2Data.ax
2011-10-12 21:49 . 2011-08-25 16:15 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2011-10-12 21:49 . 2011-08-25 16:14 563712 ----a-w- c:\windows\system32\oleaut32.dll
2011-10-12 21:49 . 2011-08-25 16:14 238080 ----a-w- c:\windows\system32\oleacc.dll
2011-10-12 21:49 . 2011-08-25 13:31 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2011-10-12 21:47 . 2011-09-06 13:30 2043392 ----a-w- c:\windows\system32\win32k.sys
2011-10-06 21:19 . 2011-10-06 21:19 -------- d-----w- c:\program files\Apple Software Update
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-31 03:05 . 2011-08-31 03:05 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-08-31 03:05 . 2011-08-31 03:05 73064 ----a-w- c:\windows\system32\dnssd.dll
2008-05-30 15:01 . 2010-01-31 23:41 77824 ----a-w- c:\program files\mozilla firefox\plugins\QVPLUG32.DLL
2011-09-30 17:54 . 2011-07-08 14:04 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2009-04-02 16:47 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]
.
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]
.
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\Justin\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\Justin\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\Justin\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"Facebook Update"="c:\users\Justin\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2011-10-19 137536]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-02-04 4907008]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-04 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-04 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-04 133656]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-01-20 3563520]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-12-14 159744]
"OEM13Mon.exe"="c:\windows\OEM13Mon.exe" [2008-01-08 36864]
"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"UVS12 Preload"="c:\program files\Corel\Corel VideoStudio 12\uvPL.exe" [2008-06-09 397456]
"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2009-03-07 1303432]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-10-09 421736]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-11-02 8704]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Air Mouse.lnk - c:\program files\Air Mouse\Air Mouse\Air Mouse.exe [2010-2-1 505856]
WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2011-3-9 3986944]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-10-14 133104]
R2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [x]
R2 SessionLauncher;SessionLauncher;c:\users\Justin\AppData\Local\Temp\DX9\SessionLauncher.exe [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2009-10-14 133104]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2008-05-06 11520]
S2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2008-02-04 77824]
S2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [2009-04-02 464264]
S2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [2009-04-02 234888]
S2 WDDMService;WDDMService;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [2011-03-09 238592]
S2 WDFME;WD File Management Engine;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe [2011-03-09 1060864]
S2 WDSC;WD File Management Shadow Engine;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSC.exe [2011-03-09 484352]
S3 O2MDRDR;O2MDRDR;c:\windows\system32\DRIVERS\o2media.sys [2008-07-29 51288]
S3 O2SDRDR;O2SDRDR;c:\windows\system32\DRIVERS\o2sd.sys [2008-06-12 43608]
S3 OEM13Vfx;Creative Camera OEM013 Video VFX Driver;c:\windows\system32\DRIVERS\OEM13Vfx.sys [2007-03-05 7424]
S3 OEM13Vid;Creative Camera OEM013 Driver;c:\windows\system32\DRIVERS\OEM13Vid.sys [2008-05-29 235840]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-31 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3548370413-182981021-3849907952-1000Core.job
- c:\users\Justin\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-10-19 23:37]
.
2011-10-31 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3548370413-182981021-3849907952-1000UA.job
- c:\users\Justin\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-10-19 23:37]
.
2011-11-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-14 01:56]
.
2011-11-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-14 01:56]
.
2011-10-31 c:\windows\Tasks\Norton Security Scan for Justin.job
- c:\progra~1\NORTON~2\Engine\301~1.8\Nss.exe [2011-01-21 12:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.babylon.com/home?AF=15000
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.2.1 192.168.2.1
FF - ProfilePath - c:\users\Justin\AppData\Roaming\Mozilla\Firefox\Profiles\gjnaknhh.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.babylon.com/web/{searchTerms}?babsrc=browsersearch&AF=15000
FF - prefs.js: browser.search.selectedEngine - YouTube Video Search
FF - prefs.js: browser.startup.homepage - hxxp://en.wikipedia.org/wiki/Special:Randompage
FF - prefs.js: keyword.URL - hxxp://www.tepela.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=yLapB7GC&q=
FF - prefs.js: network.proxy.type - 0
FF - user.js: keyword.URL - hxxp://www.tepela.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=yLapB7GC&q=
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-31 21:34
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(2296)
c:\users\Justin\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\system32\WLANExt.exe
c:\windows\System32\bcmwltry.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\InstallShield Shared\Service\InstallShield Licensing Service.exe
c:\windows\system32\DRIVERS\o2flash.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Windows Media Player\wmpnscfg.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2011-10-31 21:36:58 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-01 01:36
ComboFix2.txt 2011-11-01 00:12
ComboFix3.txt 2011-10-31 22:35
.
Pre-Run: 101,550,854,144 bytes free
Post-Run: 101,644,386,304 bytes free
.
- - End Of File - - 992C65187F030B47DB8B4D331AB6ECCD
Upload was successful

#9 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts
  • Gender:Male

Posted 03 November 2011 - 06:54 PM

Do you happen to notice what exactly MBAM is doing when it BSODs? Other than that problem, how is your computer running now? Please do this next:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Java™ can be updated from the Java control panel: Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now. An update should begin; follow the prompts. If it does not, let me know.

Once the install is complete...

Go into the Control Panel and double-click the Java icon (looks like a coffee cup).
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button.
  • There are two options in the window to clear the cache - leave BOTH checked:
    • Applications and Applets
    • Trace and Log Files
  • Click OK on the Delete Temporary Files window.
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files window.
  • Click OK to leave the Java Control Panel.
Please go here to run an online scan with ESET.
  • Turn off the real-time scanner of any existing antivirus program while performing the online scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start.
  • When asked, allow the ActiveX control to install.
  • Click Start.
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked.
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan.
  • Wait for the scan to finish.
  • If any threats were found, click the 'List of found threats', then click Export to text file...
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.
Please include the following in your next post:
  • How is the computer running now?
  • ESET log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#10 tess55
  • Topic Starter
  • Members
  • 5 posts

Posted 08 November 2011 - 08:01 PM

My computer's running better now. Not getting any pop-ups at startup and haven't seen anything from System Restore for a while. Icons are back on my desktop, I can re-add icons to the bar directly to the right of my start button and in the start menu.

I'm posting this without my ESET log because there have been two occasions where I've tried to run it, and it has crashed, like MBAM. Like MBAM, I'm not sure what it's doing when it BSODs, but I do notice that as I run these programs, everything becomes VERY slow. Thus, when I'm scanning I close everything else and let it work -- which obviously isn't enough. I can post a BSOD log if that will help anything. Thankfully, unlike MBAM, ESET resumes the scan where it left off before the crash. I'll have the ESET log to you whenever it completes.

#11 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts
  • Gender:Male

Posted 08 November 2011 - 09:40 PM

Thanks for the update - just so I'm clear, you're only having trouble when you try to run scans now, is that right?



#12 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts
  • Gender:Male

Posted 14 November 2011 - 10:49 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
