XP 2012 virus then computer will not boot


21 replies to this topic

#1 johnpsyc (Members)

Posted 04 December 2011 - 09:23 AM

I caught the XP Security 2012 virus. I use Microsoft Security Essentials. I'm not sure if it cleaned the virus, though it asked if I wanted it to do so. It did say it cleaned something (didn't get the name) and told me to restart the computer. I did and now on every restart I get a blue screen which says the program encountered a problem and Windows has shut down to protect the unit. I get this message in regular startup, and all the safe mode startups.

I am writing this on another computer (obviously).

Any help is appreciated.

john


#2 JSntgRvr (Master Surgeon General, Malware Response Team)

Posted 05 December 2011 - 07:54 PM

Operating System, please?

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 boopme (Global Moderator)

Posted 05 December 2011 - 10:52 PM

Hello, just letting you know I moved this topic to Here in the Virus, Trojan, Spyware, and Malware Removal Logs forum where it will stay.

Please remember to click the Watch Topic button at the top right and select Immediate Notification so you do not miss any replies now that you were moved.
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#4 johnpsyc (Topic Starter)

Posted 06 December 2011 - 06:15 AM

XP home edition sp3

#5 JSntgRvr (Master Surgeon General, Malware Response Team)

Posted 06 December 2011 - 10:11 AM

:welcome:

We will need to view the system status from an external environment. You will need a USB drive and a CD to burn. There will be several steps to follow.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and upon finishing will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Next download driver.sh to your USB drive
  • Also Download Query.exe to the USB drive. In your working computer, navigate to the USB drive and click on the Query.exe. A folder and a file, query.sh, will be extracted.
  • Once this process is completed, download Dumpit by noahdfear to the USB drive.
  • Remove the USB & CD and insert them in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • In some computers you need to tap F12 and choose to boot from the CD; in others it is the Esc key. Please consult your computer's documentation.
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see driver.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh
  • Press Enter
  • After it has finished a report will be located on your USB drive named report.txt
  • Then type bash driver.sh -af
  • Press Enter
  • You will be prompted to input a filename.
  • Type the following:

    Winlogon.exe

  • Press Enter
  • If successful, the script will search for this file.
  • After it has completed the search enter the next file to be searched
  • Type the following:

    volsnap.sys

  • Press Enter
  • If successful, the script will search for this file.
  • After it has completed the search enter the next file to be searched
  • Type the following:

    explorer.exe

  • Press Enter
  • After it has completed the search enter the next file to be searched
  • Type the following:

    Userinit.exe

  • Press Enter
  • After the search is completed type Exit and press Enter.
  • After it has finished a report will be located in the USB drive as filefind.txt
  • While still in the Open Terminal, type bash query.sh
  • Press Enter
  • After it has finished a report will be located in the USB drive as RegReport.txt
  • Confirm that you see the file dumpit in your USB drive and double click on it.
  • After it has finished a report will be located in your USB drive named mbr.zip
  • Plug the USB back into the clean computer and post the contents of report.txt, filefind.txt and RegReport.txt in your next reply. The mbr.zip file must be attached to your reply.



#6 johnpsyc (Topic Starter)

Posted 06 December 2011 - 10:19 PM

Ok, will do it. May take a day as I need to buy a clean flash drive.

thanks.

john

#7 JSntgRvr (Master Surgeon General, Malware Response Team)

Posted 06 December 2011 - 10:29 PM

:thumbup2: :thumbup2:



#8 johnpsyc (Topic Starter)

Posted 07 December 2011 - 08:03 PM

I downloaded all the files and went to boot as you said. On the screen that asked if I wanted to boot in safe mode, etc., I scrolled up to "last successful configuration" and, lo and behold, it booted normally, though slowly.

So the unit is running and I am online typing this reply with the computer. I still get the XP security virus gumming up the works.

So I'm not sure if the boot problem is solved or not, but it started successfully a number of times already. I would like to get rid of the virus, if you can help. I keep getting pop-up warnings and the system is very slow.

Let me know what to do next.

Thanks.

John

#9 JSntgRvr (Master Surgeon General, Malware Response Team)

Posted 07 December 2011 - 10:02 PM

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link or this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      If AVG or CA Internet Security Suite is installed, you must remove these programs before using Combofix. If any of these applications will not uninstall, it is first recommended to uninstall it with AppRemover by Opswat. http://www.appremover.com/supported-applications. Do not use AppRemover on Norton

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • Install the Recovery Console if prompted.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" .
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.



#10 johnpsyc (Topic Starter)

Posted 09 December 2011 - 08:16 PM

Combofixlog:

ComboFix 11-12-09.03 - John 12/09/2011 17:51:08.6.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1278.942 [GMT -7:00]
Running from: c:\documents and settings\John\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\windows\$NtUninstallKB47254$
c:\windows\$NtUninstallKB47254$\2270028088
c:\windows\$NtUninstallKB47254$\3525077642\@
c:\windows\$NtUninstallKB47254$\3525077642\bckfg.tmp
c:\windows\$NtUninstallKB47254$\3525077642\cfg.ini
c:\windows\$NtUninstallKB47254$\3525077642\Desktop.ini
c:\windows\$NtUninstallKB47254$\3525077642\keywords
c:\windows\$NtUninstallKB47254$\3525077642\kwrd.dll
c:\windows\$NtUninstallKB47254$\3525077642\L\pwgcqytx
c:\windows\$NtUninstallKB47254$\3525077642\lsflt7.ver
c:\windows\$NtUninstallKB47254$\3525077642\U\00000001.@
c:\windows\$NtUninstallKB47254$\3525077642\U\00000002.@
c:\windows\$NtUninstallKB47254$\3525077642\U\00000004.@
c:\windows\$NtUninstallKB47254$\3525077642\U\80000000.@
c:\windows\$NtUninstallKB47254$\3525077642\U\80000004.@
c:\windows\$NtUninstallKB47254$\3525077642\U\80000032.@
c:\windows\CSC\d6
c:\windows\system32\c_72657.nls
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\wpcap.dll
.
Infected copy of c:\windows\system32\drivers\cdrom.sys was found and disinfected
Restored copy from - The cat found it :)
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NPF
-------\Service_NPF
.
.
((((((((((((((((((((((((( Files Created from 2011-11-10 to 2011-12-10 )))))))))))))))))))))))))))))))
.
.
2011-12-10 00:47 . 2008-04-13 18:40 62976 -c--a-w- c:\windows\system32\dllcache\cdrom.sys
2011-12-10 00:47 . 2008-04-13 18:40 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-12-10 00:42 . 2011-12-10 00:42 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-12-04 12:54 . 2008-04-13 21:36 187776 -c--a-w- c:\windows\system32\dllcache\acpi.sys
2011-12-04 12:54 . 2008-04-13 21:36 187776 ----a-w- c:\windows\system32\drivers\acpi.sys
2011-12-04 12:53 . 2011-12-04 12:53 41680 ----a-w- c:\windows\system32\drivers\ckqdxqpj.sys
2011-12-04 12:53 . 2011-12-04 12:53 -------- d-----w- c:\documents and settings\All Users\Application Data\cickopnqn
2011-12-04 12:53 . 2011-12-04 12:53 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-10 14:22 . 2009-09-27 20:38 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-06 11:00 . 2011-06-24 14:14 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-28 07:06 . 2004-08-04 10:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 18:41 . 2011-09-26 18:41 611328 ------w- c:\windows\system32\uiautomationcore.dll
2011-09-26 18:41 . 2004-08-04 10:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 18:41 . 2004-08-04 10:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-11-10 02:13 . 2011-06-23 03:17 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]
"SpyHunter Security Suite"="c:\program files\Enigma Software Group\SpyHunter\SpyHunter4.exe" [2011-05-18 4706208]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"EEventManager"="c:\program files\Epson Software\Event Manager\EEventManager.exe" [2009-12-03 976320]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
"CreoLab"="c:\documents and settings\All Users\Application Data\cickopnqn\zn.exe" [2011-12-04 3666432]
.
c:\documents and settings\John\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-5-12 581693]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Gold\\Civilization4.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Gold\\Warlords\\Civ4Warlords.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\SPSSInc\\PASWStatistics18\\WinWrapIDE.exe"=
"c:\\Program Files\\SPSSInc\\PASWStatistics18\\paswstat.com"=
"c:\\Program Files\\SPSSInc\\PASWStatistics18\\paswstat.exe"=
"c:\\Program Files\\Enigma Software Group\\SpyHunter\\SpyHunter4.exe"=
"c:\\Documents and Settings\\John\\Local Settings\\Application Data\\Google\\Update\\GoogleUpdate.exe"=
"c:\\WINDOWS\\system32\\msfeedssync.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpHost.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe"=
"c:\\Documents and Settings\\John\\My Documents\\Downloads\\123.exe"=
"c:\\Program Files\\McAfee Security Scan\\2.0.181\\mcuicnt.exe"=
"c:\\Program Files\\Common Files\\Java\\Java Update\\jusched.exe"=
"c:\\Program Files\\Epson Software\\Event Manager\\EEventManager.exe"=
"c:\\Program Files\\EpsonNet\\EpsonNet Setup\\tool10\\ENEasyApp.exe"=
.
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [6/22/2011 6:01 PM 53816]
R1 RapportCerberus_26762;RapportCerberus_26762;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\26762\RapportCerberus_26762.sys [6/13/2011 5:42 AM 57144]
R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [6/22/2011 6:01 PM 66360]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [6/22/2011 6:01 PM 158904]
R2 EPSON_EB_RPCV4_04;EPSON V5 Service4(04);c:\program files\Common Files\EPSON\EPW!3 SSRP\E_S50ST7.EXE [7/23/2011 4:44 PM 153600]
R2 EPSON_PM_RPCV4_04;EPSON V3 Service4(04);c:\program files\Common Files\EPSON\EPW!3 SSRP\E_S50RP7.EXE [7/23/2011 4:44 PM 121856]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [9/27/2009 2:24 PM 192896]
S2 SpyHunter 4 Service;SpyHunter 4 Service;c:\progra~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE --> c:\progra~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [?]
S3 esgiguard;esgiguard;\??\c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys --> c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 5:49 AM 219136]
S3 sxuptp;SXUPTP Driver;c:\windows\system32\DRIVERS\sxuptp.sys --> c:\windows\system32\DRIVERS\sxuptp.sys [?]
S4 PuranDefrag;PuranDefrag;c:\windows\system32\PuranDefragS.exe [7/23/2011 2:24 PM 233472]
.
Contents of the 'Scheduled Tasks' folder
.
2010-08-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 18:50]
.
2011-11-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-1604221776-839522115-1003Core.job
- c:\documents and settings\John\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-28 01:47]
.
2011-12-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-1604221776-839522115-1003UA.job
- c:\documents and settings\John\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-28 01:47]
.
2011-12-10 c:\windows\Tasks\User_Feed_Synchronization-{9AB4DBD9-595F-4530-872C-D55F7D27E287}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\m31mwbqd.default\
FF - prefs.js: browser.startup.homepage - hxxps://idm.west.cox.net/coxlogin/ui/webmail?TARGET=-SM-https%3A%2F%2Fwebmail.west.cox.net
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-09 18:08
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(824)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(1536)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-12-09 18:13:44 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-10 01:13
ComboFix2.txt 2011-07-23 19:19
.
Pre-Run: 56,792,227,840 bytes free
Post-Run: 57,265,807,360 bytes free
.
- - End Of File - - 788152FF4CF0A821AC00862913F6B71B
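The ComboFix log above holds the kind of autostart and Security Center entries a responder scans by eye: a Run value pointing into a randomly named folder under Application Data, and AntiVirusOverride/FirewallOverride set to 1. The following Python triage helper is an added example, not code from the thread, from ComboFix or from BleepingComputer: it parses the REGEDIT4-style "Reg Loading Points" layout shown above (the sample lines are constructed, modelled on that log) and flags Run entries whose binary sits in a user-writable data directory or a machine-generated-looking folder, plus Security Center override values. The heuristics and their thresholds are this example's own assumptions, not ComboFix logic.

```python
import re
from typing import List, NamedTuple

# Constructed sample in the layout of the ComboFix "Reg Loading Points" section;
# the entries are modelled on the log posted above, not read from a live machine.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
"CreoLab"="c:\documents and settings\All Users\Application Data\cickopnqn\zn.exe" [2011-12-04 3666432]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
"""


class Finding(NamedTuple):
    key: str
    name: str
    value: str
    reasons: List[str]


KEY_RE = re.compile(r"^\[(.+)\]$")
# "Name"="c:\path\file.exe" [YYYY-MM-DD size]
ENTRY_RE = re.compile(r'^"([^"]+)"="([^"]+)"(?:\s+\[[^\]]*\])?$')
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

# Directories any user can write to; machine-wide autostarts rarely belong there (assumed list).
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\", "\\my documents\\")
VOWELS = set("aeiouy")


def looks_random(component: str) -> bool:
    """Assumed heuristic: 8+ purely alphabetic characters containing a run of 4+ consonants."""
    if len(component) < 8 or not component.isalpha():
        return False
    run = best = 0
    for ch in component.lower():
        run = 0 if ch in VOWELS else run + 1
        best = max(best, run)
    return best >= 4


def review_path(path: str) -> List[str]:
    """Reasons an autostart binary path deserves a closer look (empty list = nothing odd)."""
    reasons = []
    low = path.lower()
    if any(marker in low for marker in USER_WRITABLE):
        reasons.append("autostart binary lives in a user-writable data directory")
    for comp in low.split("\\")[:-1]:  # directory components only; the file name is excluded
        if looks_random(comp):
            reasons.append(f"directory name '{comp}' looks machine-generated")
            break
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Walk the REGEDIT4-style section and return the entries worth a responder's attention."""
    findings: List[Finding] = []
    key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = DWORD_RE.match(line)
        if m and "security center" in key.lower():
            name, value = m.group(1), m.group(2)
            # *Override=1 silences Security Center's "no antivirus / no firewall" alerts
            if name.endswith("Override") and int(value, 16) == 1:
                findings.append(Finding(key, name, value, ["Security Center alerting is suppressed"]))
            continue
        m = ENTRY_RE.match(line)
        if m and key.lower().endswith("\\run"):
            name, path = m.group(1), m.group(2)
            reasons = review_path(path)
            if reasons:
                findings.append(Finding(key, name, path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.key}]\n  {f.name} = {f.value}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run against a full ComboFix.txt, the same loop flags only the three entries a responder would circle in the log above; everything under Program Files passes untouched.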

#11 JSntgRvr (Master Surgeon General, Malware Response Team)

Posted 09 December 2011 - 09:39 PM

Let's check for remnants.

Please download Malwarebytes' Anti-Malware from Here. Never download Malwarebytes' Anti-Malware from other sources.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Let's try the ESET online scanner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan.

Note: If you are using Windows Vista or Windows 7, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • First please Disable any Antivirus you have active, as shown in This topic.
  • Note: Don't forget to re-enable it after the scan.
  • Next hold down Control then click on the following link to open a new window to the ESET online scanner.
  • Select the option YES, I accept the Terms of Use then click on Start.

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.

  • All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:

    Scan for potentially unwanted applications
    Scan for potentially unsafe applications
    Enable Anti-Stealth Technology

  • Now click on Start.
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on Finish.
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.



#12 johnpsyc (Topic Starter)

Posted 10 December 2011 - 07:41 AM

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8346

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/10/2011 4:17:50 AM
mbam-log-2011-12-10 (04-17-50).txt

Scan type: Quick scan
Objects scanned: 157739
Time elapsed: 3 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 2
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\AH (Rogue.MultipleAV) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CreoLab (Heuristics.Shuriken) -> Value: CreoLab -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ah\Content Type (Rogue.MultipleAV) -> Value: Content Type -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\John\Local Settings\Application Data\kxv.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\all users\application data\cickopnqn\zn.exe (Heuristics.Shuriken) -> Quarantined and deleted successfully.




ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6528
# api_version=3.0.2
# EOSSerial=20dbc03aa23b7d49951f6de52e53dfa7
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-07-16 05:41:36
# local_time=2011-07-15 10:41:36 (-0700, US Mountain Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=67394
# found=26
# cleaned=0
# scan_time=4784
C:\Documents and Settings\John\Application Data\AVG\Rescue\PC Tuneup 2011\101205111314781.rsc multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\John\Application Data\Sun\Java\Deployment\cache\6.0\11\13bc228b-7058a5bc a variant of Java/TrojanDownloader.OpenStream.NBG trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\John\Application Data\Sun\Java\Deployment\cache\6.0\55\10a506b7-2d6a3171 a variant of Java/Exploit.CVE-2010-4452.A trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\John\Application Data\Sun\Java\Deployment\cache\6.0\63\4a5bb93f-2eaceb5e multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\Bonjour\mDNSResponder.exe Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\Common Files\LightScribe\LSSrvc.exe Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\iPod\bin\iPodService.exe Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\Java\jre6\bin\jqs.exe Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\assembly\GAC_MSIL\desktop.ini.vir a variant of Win32/Sirefef.CH trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{AD3279BB-4E70-482C-899E-313ED0BBDEB6}\RP318\A0054006.ini a variant of Win32/Sirefef.CH trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{AD3279BB-4E70-482C-899E-313ED0BBDEB6}\RP318\A0054040.ini a variant of Win32/Sirefef.CH trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{AD3279BB-4E70-482C-899E-313ED0BBDEB6}\RP318\A0054128.exe Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{AD3279BB-4E70-482C-899E-313ED0BBDEB6}\RP319\A0054144.rbf Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{AD3279BB-4E70-482C-899E-313ED0BBDEB6}\RP320\A0054169.ini a variant of Win32/Sirefef.CH trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{AD3279BB-4E70-482C-899E-313ED0BBDEB6}\RP321\A0054213.ini a variant of Win32/Sirefef.CH trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{AD3279BB-4E70-482C-899E-313ED0BBDEB6}\RP321\A0054274.exe Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{AD3279BB-4E70-482C-899E-313ED0BBDEB6}\RP321\A0054301.ini a variant of Win32/Sirefef.CH trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{AD3279BB-4E70-482C-899E-313ED0BBDEB6}\RP321\A0054430.exe Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{AD3279BB-4E70-482C-899E-313ED0BBDEB6}\RP321\A0054436.exe Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{AD3279BB-4E70-482C-899E-313ED0BBDEB6}\RP321\A0054448.exe Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{AD3279BB-4E70-482C-899E-313ED0BBDEB6}\RP321\A0054455.exe Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{AD3279BB-4E70-482C-899E-313ED0BBDEB6}\RP321\A0054470.exe Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\WINDOWS\system32\ati2evxx.exe Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
${Memory} Win32/Patched.HN trojan 00000000000000000000000000000000 I
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6528
# api_version=3.0.2
# EOSSerial=20dbc03aa23b7d49951f6de52e53dfa7
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-07-23 02:08:48
# local_time=2011-07-22 07:08:48 (-0700, US Mountain Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1280 16777191 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=62686
# found=3
# cleaned=0
# scan_time=5512
C:\Documents and Settings\John\Application Data\AVG\Rescue\PC Tuneup 2011\101205111314781.rsc multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\John\Application Data\Sun\Java\Deployment\cache\6.0\11\13bc228b-7058a5bc a variant of Java/TrojanDownloader.OpenStream.NBG trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\John\Application Data\Sun\Java\Deployment\cache\6.0\63\4a5bb93f-2eaceb5e Java/Agent.AC trojan (unable to clean) 00000000000000000000000000000000 I
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=20dbc03aa23b7d49951f6de52e53dfa7
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-12-10 12:36:14
# local_time=2011-12-10 05:36:14 (-0700, US Mountain Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=8192 67108863 100 0 11805138 11805138 0 0
# scanned=72377
# found=4
# cleaned=0
# scan_time=3928
C:\Documents and Settings\John\Application Data\AVG\Rescue\PC Tuneup 2011\101205111314781.rsc multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\John\Application Data\Sun\Java\Deployment\cache\6.0\10\a8769ca-7234aebc a variant of Java/Agent.DN trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\John\Local Settings\Application Data\Mozilla\Firefox\Profiles\m31mwbqd.default\Cache\4\82\0E652d01 JS/Kryptik.DZ trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\cdrom.sys.vir a variant of Win32/Rootkit.Kryptik.FW trojan (unable to clean) 00000000000000000000000000000000 I

#13 JSntgRvr (Malware Response Team)

Posted 10 December 2011 - 12:01 PM

I wouldn't be concerned with the findings in the System Volume Information folder. That can be fixed later by resetting System Restore.

Let's empty the temp folders first.

Please download TFC by OldTimer to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

Then let's check the other files ESET claims are patched.

Download the enclosed file. [attachment=113598:CFScript.txt]

Save it next to Combofix.

Posted Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

If the upload fails, Combofix created a zipped file in the C:\Qoobox\Quarantine folder labeled in the form of [4]-Submit_Date_Time.zip. Please have this file uploaded to the following location:

http://www.bleepingcomputer.com/submit-malware.php?channel=4

Indicate a link to this address and let me know when ready.

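As an added example that is not part of this thread, the kind of triage script a responder might run over ESET Online Scanner logs like the ones posted above: it separates detections that sit only in System Restore points, quarantine or caches from files still live on disk or in memory. The sample log is constructed here from lines in the same shape as those above; the regex and bucket names are this example's own assumptions.

```python
"""Triage an ESET Online Scanner log: split findings that live only in
System Restore points, quarantine or caches from files still active."""
import re
from collections import defaultdict

# Detection line: <path> <threat> <32-hex hash> <flag>. The fields are
# tab-separated in the real log but survive only as spaces once posted.
# Assumption: threat names carry a family/name slash or read "multiple threats".
DETECTION = re.compile(
    r"^(?P<path>.*?)\s+"
    r"(?P<threat>(?:a variant of\s+)?(?:[A-Za-z0-9]+/\S+|multiple threats)"
    r"(?:\s+trojan)?(?:\s+\(unable to clean\))?)\s+"
    r"(?P<hash>[0-9a-fA-F]{32})\s+(?P<flag>\S)\s*$"
)
HEADER = re.compile(r"^#\s*(?P<key>[\w.]+)=(?P<value>.*)$")

def classify(path: str) -> str:
    """Bucket a detected path by how much it matters on a running system."""
    p = path.lower()
    if p.startswith("${memory}"):
        return "memory"         # seen in a running process: highest priority
    if "\\system volume information\\_restore" in p:
        return "restore_point"  # inert until restored; cleared by resetting System Restore
    if "\\qoobox\\quarantine\\" in p:
        return "quarantine"     # already neutralised by ComboFix
    if "\\cache\\" in p:
        return "cache"          # Java/browser cache remnants, not executing
    return "live"               # still on disk in an active location

def triage(log_text: str) -> dict:
    """Return the '# key=value' header plus detections grouped by classify()."""
    meta, buckets = {}, defaultdict(list)
    for line in log_text.splitlines():
        line = line.strip()
        h = HEADER.match(line)
        if h:
            meta[h["key"]] = h["value"]
            continue
        d = DETECTION.match(line)
        if d:
            buckets[classify(d["path"])].append((d["path"], d["threat"]))
    return {"meta": meta, "findings": dict(buckets)}

# Constructed sample in the shape of the ESET logs posted in this thread.
SAMPLE_LOG = """# osver=5.1.2600 NT Service Pack 3
# found=5
# cleaned=0
C:\\System Volume Information\\_restore{AD3279BB-4E70-482C-899E-313ED0BBDEB6}\\RP321\\A0054470.exe Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\\WINDOWS\\system32\\ati2evxx.exe Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
${Memory} Win32/Patched.HN trojan 00000000000000000000000000000000 I
C:\\Documents and Settings\\John\\Application Data\\Sun\\Java\\Deployment\\cache\\6.0\\63\\4a5bb93f-2eaceb5e Java/Agent.AC trojan (unable to clean) 00000000000000000000000000000000 I
C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system32\\Drivers\\cdrom.sys.vir a variant of Win32/Rootkit.Kryptik.FW trojan (unable to clean) 00000000000000000000000000000000 I
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"found={result['meta']['found']} cleaned={result['meta']['cleaned']}")
    for bucket, items in result["findings"].items():
        print(bucket, [path for path, _ in items])
```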


#14 johnpsyc (Topic Starter)

Posted 10 December 2011 - 01:32 PM

Below is the 2nd combofix log.

Tried to upload the Quarantine file to the link you provided, but the error message says the file was too large. I believe this was a folder I tried to upload, not a file. Once in the zip folder, I don't see any zipped file. I am unsure of the filename, so didn't try to upload anything else. If you know what the file name should be I'll do it when I get it.

Also not sure what you mean by the link (at bottom of your last message).

john

ComboFix 11-12-10.01 - John 12/10/2011 10:59:17.7.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1278.797 [GMT -7:00]
Running from: c:\documents and settings\John\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\John\Desktop\CFScript.txt
.
file zipped: c:\documents and settings\John\Application Data\AVG\Rescue\PC Tuneup 2011\101205111314781.rsc
file zipped: c:\program files\Bonjour\mDNSResponder.exe
file zipped: c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
file zipped: c:\program files\Common Files\LightScribe\LSSrvc.exe
file zipped: c:\program files\iPod\bin\iPodService.exe
file zipped: c:\program files\Java\jre6\bin\jqs.exe
file zipped: c:\windows\system32\ati2evxx.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-11-10 to 2011-12-10 )))))))))))))))))))))))))))))))
.
.
2011-12-10 11:05 . 2011-12-10 11:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-10 11:05 . 2011-09-01 00:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-10 00:47 . 2008-04-13 18:40 62976 -c--a-w- c:\windows\system32\dllcache\cdrom.sys
2011-12-10 00:47 . 2008-04-13 18:40 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-12-10 00:42 . 2011-12-10 00:42 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-12-04 12:54 . 2008-04-13 21:36 187776 -c--a-w- c:\windows\system32\dllcache\acpi.sys
2011-12-04 12:54 . 2008-04-13 21:36 187776 ----a-w- c:\windows\system32\drivers\acpi.sys
2011-12-04 12:53 . 2011-12-04 12:53 41680 ----a-w- c:\windows\system32\drivers\ckqdxqpj.sys
2011-12-04 12:53 . 2011-12-10 11:17 -------- d-----w- c:\documents and settings\All Users\Application Data\cickopnqn
2011-12-04 12:53 . 2011-12-04 12:53 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-10 14:22 . 2009-09-27 20:38 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-06 11:00 . 2011-06-24 14:14 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-28 07:06 . 2004-08-04 10:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 18:41 . 2011-09-26 18:41 611328 ------w- c:\windows\system32\uiautomationcore.dll
2011-09-26 18:41 . 2004-08-04 10:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 18:41 . 2004-08-04 10:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-11-10 02:13 . 2011-06-23 03:17 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-12-10_01.08.20 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-12-10 13:21 . 2011-12-10 13:21 301056 c:\windows\Installer\6f555c.msi
+ 2011-12-10 11:10 . 2011-12-10 11:10 229376 c:\windows\ERDNT\AutoBackup\12-10-2011\Users\00000002\UsrClass.dat
+ 2011-12-10 11:10 . 2005-10-20 19:02 163328 c:\windows\ERDNT\AutoBackup\12-10-2011\ERDNT.EXE
+ 2011-12-10 11:10 . 2011-12-10 11:10 4382720 c:\windows\ERDNT\AutoBackup\12-10-2011\Users\00000001\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]
"SpyHunter Security Suite"="c:\program files\Enigma Software Group\SpyHunter\SpyHunter4.exe" [2011-05-18 4706208]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"EEventManager"="c:\program files\Epson Software\Event Manager\EEventManager.exe" [2009-12-03 976320]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
.
c:\documents and settings\John\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-5-12 581693]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Gold\\Civilization4.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Gold\\Warlords\\Civ4Warlords.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\SPSSInc\\PASWStatistics18\\WinWrapIDE.exe"=
"c:\\Program Files\\SPSSInc\\PASWStatistics18\\paswstat.com"=
"c:\\Program Files\\SPSSInc\\PASWStatistics18\\paswstat.exe"=
"c:\\Program Files\\Enigma Software Group\\SpyHunter\\SpyHunter4.exe"=
"c:\\Documents and Settings\\John\\Local Settings\\Application Data\\Google\\Update\\GoogleUpdate.exe"=
"c:\\WINDOWS\\system32\\msfeedssync.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpHost.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe"=
"c:\\Documents and Settings\\John\\My Documents\\Downloads\\123.exe"=
"c:\\Program Files\\McAfee Security Scan\\2.0.181\\mcuicnt.exe"=
"c:\\Program Files\\Common Files\\Java\\Java Update\\jusched.exe"=
"c:\\Program Files\\Epson Software\\Event Manager\\EEventManager.exe"=
"c:\\Program Files\\EpsonNet\\EpsonNet Setup\\tool10\\ENEasyApp.exe"=
.
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [6/22/2011 6:01 PM 53816]
R1 RapportCerberus_26762;RapportCerberus_26762;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\26762\RapportCerberus_26762.sys [6/13/2011 5:42 AM 57144]
R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [6/22/2011 6:01 PM 66360]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [6/22/2011 6:01 PM 158904]
R2 EPSON_EB_RPCV4_04;EPSON V5 Service4(04);c:\program files\Common Files\EPSON\EPW!3 SSRP\E_S50ST7.EXE [7/23/2011 4:44 PM 153600]
R2 EPSON_PM_RPCV4_04;EPSON V3 Service4(04);c:\program files\Common Files\EPSON\EPW!3 SSRP\E_S50RP7.EXE [7/23/2011 4:44 PM 121856]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [9/27/2009 2:24 PM 192896]
S2 SpyHunter 4 Service;SpyHunter 4 Service;c:\progra~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE --> c:\progra~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [?]
S3 esgiguard;esgiguard;\??\c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys --> c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 5:49 AM 219136]
S3 sxuptp;SXUPTP Driver;c:\windows\system32\DRIVERS\sxuptp.sys --> c:\windows\system32\DRIVERS\sxuptp.sys [?]
S4 PuranDefrag;PuranDefrag;c:\windows\system32\PuranDefragS.exe [7/23/2011 2:24 PM 233472]
.
Contents of the 'Scheduled Tasks' folder
.
2010-08-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 18:50]
.
2011-11-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-1604221776-839522115-1003Core.job
- c:\documents and settings\John\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-28 01:47]
.
2011-12-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-1604221776-839522115-1003UA.job
- c:\documents and settings\John\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-28 01:47]
.
2011-12-10 c:\windows\Tasks\User_Feed_Synchronization-{9AB4DBD9-595F-4530-872C-D55F7D27E287}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\m31mwbqd.default\
FF - prefs.js: browser.startup.homepage - hxxps://idm.west.cox.net/coxlogin/ui/webmail?TARGET=-SM-https%3A%2F%2Fwebmail.west.cox.net
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-10 11:10
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(824)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(4028)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-12-10 11:12:27
ComboFix-quarantined-files.txt 2011-12-10 18:12
ComboFix2.txt 2011-12-10 01:13
ComboFix3.txt 2011-07-23 19:19
.
Pre-Run: 57,302,695,936 bytes free
Post-Run: 57,268,637,696 bytes free
.
- - End Of File - - 3DA443FB830197C8ED41D1D943BDB3A0

#15 JSntgRvr (Malware Response Team)

Posted 10 December 2011 - 04:52 PM

Perhaps it is too large when zipped together. You may want to upload these one by one here.

These are the files:

c:\documents and settings\John\Application Data\AVG\Rescue\PC Tuneup 2011\101205111314781.rsc
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\ati2evxx.exe
