
Malicious Win32:MBRoot, Malware Infection


  • This topic is locked
69 replies to this topic

#1 dstix11

  • Members
  • 493 posts
  • Gender:Male
  • Location:USA

Posted 14 December 2011 - 11:46 PM

Hello BC,
I was advised to post my scan results to this forum after following the steps given in the Preparation Guide. Below is my original posting of issues in the "Am I Infected? What Do I Do?" forum, followed by the DDS log and other attachments.

ORIGINAL POSTING:
Current Issues:
1. Microsoft Updates - used to work, now the icon appears for a brief second on boot-up then disappears...like it's being blocked by another program that's loading or something?? (Haven't been able to update in months)
2. Other Updates - used to get Adobe Flash, Java and other pop-up program updates (Haven't seen those in a while)
3. Malwarebytes throws an error when running (not sure what it is - I have to push "Don't Send"). Did a re-install of MBAM and still have intermittent issues during scans.
4. Browser redirects occasionally...perhaps because of Firefox add-ons (AdBlock Plus & NoScript)??
5. Extremely slow system boot up with screen flashes occasionally (sometimes takes 7-10 minutes to load tray icons and connect to the internet)
Past Issues:
1. Malwarebytes detected PUM.BAD.PROXY 3 days in a row (quarantined & deleted but continued to return). I don't use a proxy and web searches are useless for that specific virus.
2. Avast! detected Win32:Agent.AIFY.Trj in C:\hiberfil.sys during boot time scan (I disabled hibernation and that problem went away and hasn't returned). Avast! forums seemed to indicate that can be a false positive perhaps..
3. Avast! also detected several Java:Agent-AEH[Expl] and JSON\Threadparser.class viruses during scans in the past (ALL those have been deleted by Avast! successfully and have not returned)
**Please Note - All anti-virus, spyware and malware programs are on a daily schedule and always up to date. I also use additional protection (listed below).


LATEST POSTING RESULTS:
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_29
Run by DRUMZ at 16:25:36 on 2011-12-14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.739 [GMT -7:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\WINDOWS\sttray.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\FreeBar\FreeBar.exe
C:\Program Files\PeerBlock\peerblock.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
C:\Program Files\Intel\WiFi\bin\WLKeeper.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyOverride = *.local
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 9\SnagItBHO.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 9\SnagItIEAddin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [FreeBar] "c:\program files\freebar\FreeBar.exe"
uRun: [PeerBlock] c:\program files\peerblock\peerblock.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [IntelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"
mRun: [IDTSysTrayApp] sttray.exe
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mPolicies-system: EnableLinkedConnections = 1 (0x1)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: cinemanow.com
Trusted Zone: qflix.com
Trusted Zone: roxio.com
Trusted Zone: sonic.com\redirect
Trusted Zone: sonic.com\redirect2
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{6E38BF2C-DD35-403E-8FB4-C72192A74793} : DhcpNameServer = 192.168.1.1
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\intuit\quickbooks 2010\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: GoToAssist - c:\program files\citrix\gotoassist\480\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\drumz\application data\mozilla\firefox\profiles\6kl4ylu1.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\drumz\local settings\application data\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\adobe\acrobat 9.0\acrobat\air\nppdf32.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
.
============= SERVICES / DRIVERS ===============
.
R0 89215402;89215402 Boot Guard Driver;c:\windows\system32\drivers\89215402.sys [2011-1-27 37392]
R0 CLBStor;CyberLink InstantBurn UDF Reader Help Driver;c:\windows\system32\drivers\CLBStor.sys [2010-12-7 10368]
R0 SahdIa32;HDD Filter Driver;c:\windows\system32\drivers\SahdIa32.sys [2010-2-16 21488]
R0 SaibIa32;Volume Filter Driver;c:\windows\system32\drivers\SaibIa32.sys [2010-2-16 15856]
R0 tdrpman273;Acronis Try&Decide and Restore Points filter (build 273);c:\windows\system32\drivers\tdrpm273.sys [2011-12-5 752128]
R1 89215401;89215401;c:\windows\system32\drivers\89215401.sys [2011-1-27 128016]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-12-11 435032]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-12-11 314456]
R1 c2scsi;c2scsi;c:\windows\system32\drivers\c2scsi.sys [2010-7-14 244608]
R1 SaibVd32;Virtual Disk Driver;c:\windows\system32\drivers\SaibVd32.sys [2010-2-16 25584]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2010-2-17 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67664]
R1 setup_9.0.0.722_27.01.2011_10-48drv;setup_9.0.0.722_27.01.2011_10-48drv;c:\windows\system32\drivers\8921540.sys [2011-1-27 315408]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCORE.EXE [2010-6-29 116608]
R2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\roxio\backontrack\disaster recovery\SaibSVC.exe [2009-6-2 457200]
R2 afcdpsrv;Acronis Nonstop Backup Service;c:\program files\common files\acronis\cdp\afcdpsrv.exe [2011-12-5 3246040]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-12-11 20568]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-12-11 44768]
R2 CLBUDFR;CyberLink UDF Filesystem;c:\windows\system32\drivers\CLBUDFR.sys [2010-12-7 154368]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-12-11 366152]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2010-1-21 110592]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\western digital\wd smartware\front parlor\WDSmartWareBackgroundService.exe [2009-6-16 20480]
R3 afcdp;afcdp;c:\windows\system32\drivers\afcdp.sys [2011-12-5 167968]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-11 22216]
R3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2010-6-10 19056]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2010-7-4 119016]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-25 136176]
S2 LxrSII1d;Secure II Driver;\??\c:\windows\system32\drivers\lxrsii1d.sys --> c:\windows\system32\drivers\LxrSII1d.sys [?]
S2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files\common files\roxio shared\12.0\sharedcom\RoxWatch12.exe [2009-7-24 219632]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 284016]
S3 CinemaNow Service;CinemaNow Service;c:\program files\cinemanow\cinemanow media manager\CinemaNowSvc.exe [2009-6-23 127352]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-6-25 136176]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\224.tmp --> c:\windows\system32\224.tmp [?]
S3 QuickBooksDB20;QuickBooksDB20;c:\progra~1\intuit\quickb~1\qbdbmgrn.exe -hvquickbooksdb20 --> c:\progra~1\intuit\quickb~1\QBDBMgrN.exe -hvQuickBooksDB20 [?]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2010-12-9 27064]
S3 RoxMediaDB12;RoxMediaDB12;c:\program files\common files\roxio shared\12.0\sharedcom\RoxMediaDB12.exe [2009-7-24 1116656]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2010-7-19 11520]
.
=============== Created Last 30 ================
.
2011-12-12 05:16:40 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-12-12 05:16:03 41184 ----a-w- c:\windows\avastSS.scr
2011-12-12 05:15:46 -------- d-----w- c:\program files\AVAST Software
2011-12-12 05:15:46 -------- d-----w- c:\documents and settings\all users\application data\Alwil Software
2011-12-12 00:47:03 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-12-12 00:46:57 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-12 00:46:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-11 22:51:48 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-12-11 22:51:48 -------- d-----w- c:\windows\system32\wbem\Repository
2011-12-11 22:50:08 -------- d-----w- c:\program files\common files\PC Tools
2011-12-11 22:50:06 -------- d-----w- c:\documents and settings\drumz\application data\TestApp
2011-12-09 00:15:03 185560 ----a-w- c:\windows\system32\drivers\PCTSD.sys
2011-12-08 20:58:54 -------- d-----w- c:\program files\FireTrust
2011-12-08 20:58:54 -------- d-----w- c:\documents and settings\drumz\application data\MailWasherFree
2011-12-08 19:55:00 -------- d-----w- c:\documents and settings\all users\application data\SecTaskMan
2011-12-08 19:54:43 -------- d-----w- c:\program files\Security Task Manager
2011-12-08 04:20:54 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-12-08 04:20:54 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
2011-12-08 03:34:39 -------- d-----w- c:\documents and settings\drumz\application data\Javacool Software
2011-12-08 03:27:30 -------- d-----w- c:\program files\EULAlyzer
2011-12-05 21:50:21 167968 ----a-w- c:\windows\system32\drivers\afcdp.sys
2011-12-05 21:50:02 752128 ----a-w- c:\windows\system32\drivers\tdrpm273.sys
2011-12-05 21:49:49 600928 ----a-w- c:\windows\system32\drivers\timntr.sys
2011-12-05 21:49:33 170528 ----a-w- c:\windows\system32\drivers\snapman.sys
2011-12-05 20:01:08 -------- d-----w- c:\documents and settings\drumz\application data\WinPatrol
2011-12-05 20:00:14 -------- d-----w- c:\program files\BillP Studios
2011-12-05 20:00:13 -------- d-----w- c:\documents and settings\all users\application data\InstallMate
2011-12-04 01:19:18 -------- d-----w- c:\documents and settings\all users\application data\vsosdk
2011-12-03 05:08:29 -------- d-----w- c:\program files\VSO
2011-11-30 16:50:31 -------- d-----w- c:\program files\Unlocker
2011-11-28 01:37:14 -------- d-----w- c:\program files\iPod
2011-11-28 01:36:56 -------- d-----w- c:\program files\iTunes
2011-11-28 01:27:33 -------- d-----w- c:\program files\Bonjour
2011-11-26 21:33:10 139264 ----a-w- c:\windows\system32\LxrSII1.dll
2011-11-26 21:33:10 -------- d-----w- c:\documents and settings\drumz\local settings\application data\Lexar Media
2011-11-26 06:43:20 21768 ----a-w- c:\windows\system32\drivers\PROCEXP141.SYS
2011-11-26 00:54:35 266360 ----a-w- c:\windows\system32\TweakUI.exe
2011-11-16 22:22:16 -------- d-----w- c:\documents and settings\drumz\application data\TechSmith
.
==================== Find3M ====================
.
2011-11-13 00:09:05 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22:41 692736 ------w- c:\windows\system32\inetcomm.dll
2011-10-03 12:06:03 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-03 09:37:52 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 18:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 18:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 18:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
.
============= FINISH: 16:29:27.09 ===============

I hope this is the right information required to assist me..

Thank you BleepingComputer,
[System] WINXP Pro SP3, Windows Firewall, Malwarebytes, Super Anti-Spyware, Avast!, WinPatrol, SpywareBlaster, NoScript, AdBlock Plus

Forgot the attachments...

Thanks,

DDS "Attach.Txt"

Edited by boopme, 16 December 2011 - 02:31 PM.

regards, dstix11

#2 HelpBot (Bleepin' Binary Bot)


  • Bots
  • 12,631 posts
  • Gender:Male

Posted 21 December 2011 - 11:35 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/432526 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 fireman4it (Bleepin' Fireman)


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 21 December 2011 - 12:48 PM

Hello dstix11,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • In the upper right hand corner of the topic you will see a button called Watch Topic. I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

  • Finally, please reply using the ADD REPLY button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.



1.
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not an option, Skip instead, do not choose Delete unless instructed.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


2.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.


Things to include in your next reply:
TdssKiller log
Combofix.txt
How is your machine running now?

"Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#4 dstix11 (Topic Starter)

  • Members
  • 493 posts
  • Gender:Male
  • Location:USA

Posted 22 December 2011 - 03:55 PM

Hi fireman4it,

Thank you for assisting me with malware removal. My kid uses the computer a lot while I'm away on business and sometimes I can't always keep up with what goes on...
That being said, I have followed your instructions. There were no findings with TDSSKiller, therefore no log file. ComboFix ran successfully and the log file is pasted below. Also I was instructed by HelpBot to rescan DDS and GMER before you replied. Let me know if you need those latest logs and I will attach them.


Couple of quick questions/comments for you:
1. After running ComboFix, the program WinPatrol popped up with an alert that the HOSTS file has changed (c:\windows\system32\drivers\etc\hosts) which upon further review looks like something from the program SpyBot Search & Destroy. The "New" file shows the local host IP address ONLY, the "Old" file had a lot of websites in it. DO I ACCEPT THIS CHANGE?? I also hear A LOT of loud hard drive grinding, kinda like there's still something going on.

2. Malwarebytes is acting very strange lately. It recently did a database definition update from "build 8***" to "911122101". Not sure if that is normal? The program continues to cause an error when on auto scheduler scan and has to close. Definitions seem to update but doesn't always complete its scans from scheduler time. It also continues to find & quarantine PUM.BAD.PROXY virus - latest happened on 12/13/11.

3. Since my original post in this topic on 12/15/11, SuperAntiSpyware updated to a new database version yesterday 12-21-11, Windows Update crept through and installed on 12-18-11 (but this was the first time in many months), Adobe Update finally crept through yesterday 12-21-11 (but I already had the latest Reader X 10.1.1 - not sure what it updated)?

****Both 2. & 3. happened AFTER initially running GMER & DDS on 12/14/11 (weird how that triggered the updates), but I still see the Windows Update icon for a quick flash in the tray on restarts sometimes, but doesn't stay to do it. IF I have to re-install these scanners, can you please tell me how to thoroughly remove the old ones to create fresh installs so I don't run into quirks like described again?


4. I have a couple of external HDs and wanted to know the best method for scanning those for infections. Should I use ALL the protection programs I have (AV, SASP, MBAM, SpyBot, etc.) or what? Do those external "My Books" have a small firmware OS to house rootkits, etc.? Or if infected, would they just be on the file surface only?

5. I DO have my original Windows XP discs, however I recently had my motherboard repaired which now has a different MS Key on the bottom from the product key I bought with the computer. I HOPE we don't need to re-install Windows??


Here is the ComboFix log:

ComboFix 11-12-22.04 - DRUMZ 12/22/2011 11:43:13.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1079 [GMT -7:00]
Running from: c:\documents and settings\DRUMZ\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\TEMP\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\PostBuild.exe
c:\documents and settings\All Users\Application Data\TEMP\{40BF1E83-20EB-11D8-97C5-0009C5020658}\PostBuild.exe
c:\documents and settings\All Users\Application Data\TEMP\{5DB1DF0C-AABC-4362-8A6D-CEFDFB036E41}\PostBuild.exe
c:\documents and settings\DRUMZ\Application Data\vso_ts_preview.xml
C:\install.exe
c:\windows\system32\oobe\isperror
c:\windows\system32\oobe\isperror\ispcnerr.htm
c:\windows\system32\oobe\isperror\ispdtone.htm
c:\windows\system32\oobe\isperror\isphdshk.htm
c:\windows\system32\oobe\isperror\ispins.htm
c:\windows\system32\oobe\isperror\ispnoanw.htm
c:\windows\system32\oobe\isperror\isppberr.htm
c:\windows\system32\oobe\isperror\ispphbsy.htm
c:\windows\system32\oobe\isperror\ispsbusy.htm
.
.
((((((((((((((((((((((((( Files Created from 2011-11-22 to 2011-12-22 )))))))))))))))))))))))))))))))
.
.
2011-12-12 05:16 . 2011-11-28 17:51 20568 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-12-12 05:16 . 2011-11-28 17:53 314456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-12-12 05:16 . 2011-11-28 17:52 34392 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-12-12 05:16 . 2011-11-28 17:52 52952 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-12-12 05:16 . 2011-11-28 17:53 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-12-12 05:16 . 2011-11-28 17:52 111320 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-12-12 05:16 . 2011-11-28 17:51 105176 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-12-12 05:16 . 2011-11-28 17:48 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-12-12 05:16 . 2011-11-28 18:01 41184 ----a-w- c:\windows\avastSS.scr
2011-12-12 05:16 . 2011-11-28 18:01 199816 ----a-w- c:\windows\system32\aswBoot.exe
2011-12-12 05:15 . 2011-12-12 05:15 -------- d-----w- c:\program files\AVAST Software
2011-12-12 05:15 . 2011-12-12 05:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2011-12-12 00:47 . 2011-12-12 00:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-12-12 00:46 . 2011-09-01 00:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-12 00:46 . 2011-12-12 00:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-11 22:51 . 2011-12-11 22:51 -------- d-----w- c:\windows\system32\wbem\Repository
2011-12-11 22:50 . 2011-12-11 22:50 -------- d-----w- c:\program files\Common Files\PC Tools
2011-12-11 22:50 . 2011-12-11 22:50 -------- d-----w- c:\documents and settings\DRUMZ\Application Data\TestApp
2011-12-09 00:15 . 2011-11-23 02:42 185560 ----a-w- c:\windows\system32\drivers\PCTSD.sys
2011-12-08 20:58 . 2011-12-08 21:02 -------- d-----w- c:\documents and settings\DRUMZ\Application Data\MailWasherFree
2011-12-08 20:58 . 2011-12-08 20:58 -------- d-----w- c:\program files\FireTrust
2011-12-08 19:55 . 2011-12-08 20:30 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
2011-12-08 19:54 . 2011-12-08 19:54 -------- d-----w- c:\program files\Security Task Manager
2011-12-08 04:20 . 2011-12-12 21:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-12-08 04:20 . 2011-12-08 07:21 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-12-08 03:34 . 2011-12-08 03:34 -------- d-----w- c:\documents and settings\DRUMZ\Application Data\Javacool Software
2011-12-08 03:27 . 2011-12-08 03:27 -------- d-----w- c:\program files\EULAlyzer
2011-12-06 03:23 . 2011-12-06 03:23 -------- d-----w- c:\program files\7-Zip
2011-12-05 21:50 . 2011-12-05 21:50 167968 ----a-w- c:\windows\system32\drivers\afcdp.sys
2011-12-05 21:50 . 2011-12-05 21:50 752128 ----a-w- c:\windows\system32\drivers\tdrpm273.sys
2011-12-05 21:49 . 2011-12-05 21:49 600928 ----a-w- c:\windows\system32\drivers\timntr.sys
2011-12-05 21:49 . 2011-12-05 21:49 170528 ----a-w- c:\windows\system32\drivers\snapman.sys
2011-12-05 21:40 . 2011-12-05 21:40 -------- d-----w- c:\program files\Acronis
2011-12-05 21:40 . 2011-12-05 21:50 -------- d-----w- c:\program files\Common Files\Acronis
2011-12-05 20:01 . 2011-12-05 20:01 -------- d-----w- c:\documents and settings\DRUMZ\Application Data\WinPatrol
2011-12-05 20:00 . 2011-12-05 20:00 -------- d-----w- c:\program files\BillP Studios
2011-12-05 20:00 . 2011-12-05 20:00 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallMate
2011-12-04 01:19 . 2011-12-04 01:19 -------- d-----w- c:\documents and settings\All Users\Application Data\vsosdk
2011-12-03 21:59 . 2011-12-03 21:59 -------- d-----w- c:\program files\Common Files\Java
2011-12-03 05:26 . 2011-12-21 05:57 -------- d-----w- c:\documents and settings\DRUMZ\Application Data\Vso
2011-12-03 05:08 . 2011-12-03 05:08 -------- d-----w- c:\program files\VSO
2011-11-30 16:50 . 2011-12-18 01:32 -------- d-----w- c:\program files\Unlocker
2011-11-28 01:37 . 2011-11-28 01:37 -------- d-----w- c:\program files\iPod
2011-11-28 01:36 . 2011-11-28 01:39 -------- d-----w- c:\program files\iTunes
2011-11-28 01:30 . 2011-11-28 01:30 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer
2011-11-28 01:27 . 2011-11-28 01:27 -------- d-----w- c:\program files\Bonjour
2011-11-26 21:33 . 2011-11-26 21:36 -------- d-----w- c:\documents and settings\DRUMZ\Local Settings\Application Data\Lexar Media
2011-11-26 21:33 . 2007-03-07 16:51 139264 ----a-w- c:\windows\system32\LxrSII1.dll
2011-11-26 06:43 . 2011-11-26 06:43 21768 ----a-w- c:\windows\system32\drivers\PROCEXP141.SYS
2011-11-26 00:54 . 2003-06-25 23:05 266360 ----a-w- c:\windows\system32\TweakUI.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-23 13:25 . 2004-08-04 10:00 1859584 ------w- c:\windows\system32\win32k.sys
2011-11-13 00:09 . 2011-05-24 03:24 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-04 19:20 . 2006-03-04 03:33 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2004-08-04 10:00 43520 ------w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2004-08-04 10:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2004-08-04 10:00 385024 ------w- c:\windows\system32\html.iec
2011-11-01 16:07 . 2004-08-04 10:00 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2004-08-04 10:00 33280 ------w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37 . 2005-03-30 01:21 2148864 ------w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2005-03-30 01:01 2027008 ------w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13 . 2004-08-04 10:00 186880 ------w- c:\windows\system32\encdec.dll
2011-10-10 14:22 . 2010-02-03 06:17 692736 ------w- c:\windows\system32\inetcomm.dll
2011-10-03 12:06 . 2011-07-06 00:19 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-03 09:37 . 2010-02-03 10:03 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-10-01 03:14 . 2011-10-01 03:14 53248 ----a-r- c:\documents and settings\DRUMZ\Application Data\Microsoft\Installer\{12BAA98C-F8DD-4BC9-BBE6-1C8463114197}\ARPPRODUCTICON.exe
2011-09-28 07:06 . 2004-08-04 10:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 18:41 . 2008-07-30 02:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 18:41 . 2004-08-04 10:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 18:41 . 2004-08-04 10:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-11-23 18:16 . 2011-05-05 21:24 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-11-28 18:01 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-12-21 4616064]
"FreeBar"="c:\program files\FreeBar\FreeBar.exe" [2008-01-29 237568]
"PeerBlock"="c:\program files\PeerBlock\peerblock.exe" [2010-11-07 1867888]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-14 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-14 118784]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2011-05-15 325512]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-09-01 449608]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2008-08-20 1191936]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-27 282624]
"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2008-08-20 1368064]
"IDTSysTrayApp"="sttray.exe" [2007-09-06 405504]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-11-28 3744552]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLinkedConnections"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-08-03 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2010-07-23 08:17 10792 ----a-w- c:\program files\Citrix\GoToAssist\480\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk
backup=c:\windows\pss\Bluetooth Manager.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EMBASSY Trust Suite Secure Update.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\EMBASSY Trust Suite Secure Update.lnk
backup=c:\windows\pss\EMBASSY Trust Suite Secure Update.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Secunia PSI Tray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Secunia PSI Tray.lnk
backup=c:\windows\pss\Secunia PSI Tray.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WDDMStatus.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WDDMStatus.lnk
backup=c:\windows\pss\WDDMStatus.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WDSmartWare.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WDSmartWare.lnk
backup=c:\windows\pss\WDSmartWare.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^DRUMZ^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\DRUMZ\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^DRUMZ^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\DRUMZ\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^DRUMZ^Start Menu^Programs^Startup^SANYO Screen Capture 1.1.lnk]
path=c:\documents and settings\DRUMZ\Start Menu\Programs\Startup\SANYO Screen Capture 1.1.lnk
backup=c:\windows\pss\SANYO Screen Capture 1.1.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^DRUMZ^Start Menu^Programs^Startup^setup_9.0.0.722_14.06.2011_04-51.lnk]
path=c:\documents and settings\DRUMZ\Start Menu\Programs\Startup\setup_9.0.0.722_14.06.2011_04-51.lnk
backup=c:\windows\pss\setup_9.0.0.722_14.06.2011_04-51.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^DRUMZ^Start Menu^Programs^Startup^setup_9.0.0.722_27.01.2011_10-48.lnk]
path=c:\documents and settings\DRUMZ\Start Menu\Programs\Startup\setup_9.0.0.722_27.01.2011_10-48.lnk
backup=c:\windows\pss\setup_9.0.0.722_27.01.2011_10-48.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^DRUMZ^Start Menu^Programs^Startup^V CAST Media Monitor.lnk]
path=c:\documents and settings\DRUMZ\Start Menu\Programs\Startup\V CAST Media Monitor.lnk
backup=c:\windows\pss\V CAST Media Monitor.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2010-09-23 01:11 640440 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2011-02-02 02:53 390720 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2011-09-07 22:53 40376 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-06-06 19:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 14:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0ENQBO]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2005-10-07 21:13 176128 ----a-r- c:\program files\Apoint\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2010-12-15 00:17 47904 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2011-09-27 14:22 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlackBerryAutoUpdate]
2010-03-11 05:32 648536 ----a-w- c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
2008-04-14 00:12 110592 ------w- c:\windows\system32\bthprops.cpl
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CLMLServer]
2008-07-19 02:52 104936 ------w- c:\program files\CyberLink\Power2Go\CLMLSvc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CPMonitor]
2009-07-21 18:50 84464 ----a-w- c:\program files\Roxio 2010\5.0\CPMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
2006-12-01 23:00 1060864 ----a-w- c:\program files\Dell\QuickSet\quickset.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Desktop Disc Tool]
2009-06-23 08:18 494064 ----a-w- c:\program files\Roxio 2010\Roxio Burn\RoxioBurnLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eraser]
2010-11-05 05:09 980368 ----a-w- c:\progra~1\Eraser\Eraser.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-11-14 19:58 136176 ----atw- c:\documents and settings\DRUMZ\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-03-12 04:34 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Intuit SyncManager]
2009-08-31 06:33 996616 ----a-w- c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2008-10-24 16:14 206112 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-11-13 07:24 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]
2008-12-10 22:36 2667816 ------w- c:\program files\CyberLink\Power2Go\Power2GoExpress.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-30 00:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RIMBBLaunchAgent.exe]
2011-02-18 18:47 79192 ----a-w- c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2009-07-24 15:33 240112 ----a-w- c:\program files\Common Files\Roxio Shared\12.0\SharedCOM\RoxWatchTray12.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SandboxieControl]
2010-07-04 09:49 398568 ----a-w- c:\program files\Sandboxie\SbieCtrl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SAOB Monitor]
2010-11-16 10:52 2536448 ----a-w- c:\program files\Acronis\TrueImageHome\OnlineBackupStandalone\TrueImageMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 23:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-06-09 20:06 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-02-09 18:59 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2011-02-02 02:52 5546376 ----a-w- c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateP2GoShortCut]
2008-12-04 05:15 218408 ------w- c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdatePSTShortCut]
2009-01-06 02:27 210216 ------w- c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"IDriverT"=3 (0x3)
"Stuffit Archive Name Service"=2 (0x2)
"DataSvr2"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\CinemaNow\\CinemaNow Media Manager\\CinemaNowShell.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\igfxsrvc.exe"=
"c:\\Program Files\\Winamp\\winamp.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Intuit\\QuickBooks 2010\\QBDBMgrN.exe"=
"c:\\Program Files\\Clip Extractor\\ClipExtractor.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:*:Disabled:Adobe CSI CS4
"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server
.
R0 89215402;89215402 Boot Guard Driver;c:\windows\system32\drivers\89215402.sys [1/27/2011 3:33 AM 37392]
R0 CLBStor;CyberLink InstantBurn UDF Reader Help Driver;c:\windows\system32\drivers\CLBStor.sys [12/7/2010 2:37 AM 10368]
R0 SahdIa32;HDD Filter Driver;c:\windows\system32\drivers\SahdIa32.sys [2/16/2010 4:12 PM 21488]
R0 SaibIa32;Volume Filter Driver;c:\windows\system32\drivers\SaibIa32.sys [2/16/2010 4:12 PM 15856]
R0 tdrpman273;Acronis Try&Decide and Restore Points filter (build 273);c:\windows\system32\drivers\tdrpm273.sys [12/5/2011 2:50 PM 752128]
R1 89215401;89215401;c:\windows\system32\drivers\89215401.sys [1/27/2011 3:33 AM 128016]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [12/11/2011 10:16 PM 435032]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/11/2011 10:16 PM 314456]
R1 c2scsi;c2scsi;c:\windows\system32\drivers\c2scsi.sys [7/14/2010 11:36 AM 244608]
R1 SaibVd32;Virtual Disk Driver;c:\windows\system32\drivers\SaibVd32.sys [2/16/2010 4:12 PM 25584]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2/17/2010 11:25 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67664]
R1 setup_9.0.0.722_27.01.2011_10-48drv;setup_9.0.0.722_27.01.2011_10-48drv;c:\windows\system32\drivers\8921540.sys [1/27/2011 3:33 AM 315408]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [6/29/2010 10:48 AM 116608]
R2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe [6/2/2009 7:05 PM 457200]
R2 afcdpsrv;Acronis Nonstop Backup Service;c:\program files\Common Files\Acronis\CDP\afcdpsrv.exe [12/5/2011 2:50 PM 3246040]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/11/2011 10:16 PM 20568]
R2 CLBUDFR;CyberLink UDF Filesystem;c:\windows\system32\drivers\CLBUDFR.sys [12/7/2010 2:37 AM 154368]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/11/2011 5:47 PM 366152]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [1/21/2010 4:24 PM 110592]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [6/16/2009 8:58 AM 20480]
R3 afcdp;afcdp;c:\windows\system32\drivers\afcdp.sys [12/5/2011 2:50 PM 167968]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/11/2011 5:46 PM 22216]
R3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [6/10/2010 5:44 PM 19056]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/25/2010 12:57 PM 136176]
S2 LxrSII1d;Secure II Driver;\??\c:\windows\system32\Drivers\LxrSII1d.sys --> c:\windows\system32\Drivers\LxrSII1d.sys [?]
S2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files\Common Files\Roxio Shared\12.0\SharedCOM\RoxWatch12.exe [7/24/2009 8:33 AM 219632]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 5:46 AM 284016]
S3 CinemaNow Service;CinemaNow Service;c:\program files\CinemaNow\CinemaNow Media Manager\CinemaNowSvc.exe [6/23/2009 5:40 PM 127352]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [6/25/2010 12:57 PM 136176]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\224.tmp --> c:\windows\system32\224.tmp [?]
S3 QuickBooksDB20;QuickBooksDB20;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB20 --> c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB20 [?]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [12/9/2010 4:04 PM 27064]
S3 RoxMediaDB12;RoxMediaDB12;c:\program files\Common Files\Roxio Shared\12.0\SharedCOM\RoxMediaDB12.exe [7/24/2009 8:33 AM 1116656]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [7/19/2010 2:26 AM 11520]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 54457414
*NewlyCreated* - PBFILTER
*Deregistered* - 54457414
*Deregistered* - pxtdapob
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 19:34]
.
2011-12-22 c:\windows\Tasks\AutoUpdaterTask.job
- c:\program files\Auto Updater\AutoUpdater.exe [2011-07-27 23:28]
.
2011-12-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-25 19:57]
.
2011-12-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-25 19:57]
.
2011-12-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1343024091-854245398-1417001333-1003Core.job
- c:\documents and settings\DRUMZ\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-11-14 19:58]
.
2011-12-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1343024091-854245398-1417001333-1003UA.job
- c:\documents and settings\DRUMZ\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-11-14 19:58]
.
2011-12-22 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task a125232a-2dd6-46fa-a1aa-6d8d20998db1.job
- c:\program files\SUPERAntiSpyware\SASTask.exe [2011-08-03 23:00]
.
2011-12-22 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task d612bab1-0e49-46cd-ab73-a2b771e84fdb.job
- c:\program files\SUPERAntiSpyware\SASTask.exe [2011-08-03 23:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
Trusted Zone: cinemanow.com
Trusted Zone: qflix.com
Trusted Zone: roxio.com
Trusted Zone: sonic.com\redirect
Trusted Zone: sonic.com\redirect2
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\DRUMZ\Application Data\Mozilla\Firefox\Profiles\6kl4ylu1.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.foxnews.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: network.proxy.type - 0
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
MSConfigStartUp-DivXUpdate - c:\program files\DivX\DivX Update\DivXUpdate.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-22 12:17
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\224.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1124)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\documents and settings\DRUMZ\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
c:\documents and settings\DRUMZ\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
c:\documents and settings\DRUMZ\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
c:\documents and settings\DRUMZ\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10007.dll
c:\program files\Citrix\GoToAssist\480\G2AWinLogon.dll
.
Completion time: 2011-12-22 12:29:50
ComboFix-quarantined-files.txt 2011-12-22 19:29
.
Pre-Run: 8,790,081,536 bytes free
Post-Run: 8,766,627,840 bytes free
.
- - End Of File - - F607125A646C2EBE61CF57090147E4B9


Thanks!
dstix11

[System] WINXP Pro SP3, Windows Firewall, Malwarebytes, Super Anti-Spyware, Avast!, WinPatrol, SpywareBlaster, NoScript, AdBlock Plus
regards, dstix11


#5 fireman4it
Bleepin' Fireman
  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 23 December 2011 - 12:15 AM

Hello,

Most everything seems to be normal. Can you please post the log next time Malwarebytes finds something? How is the machine running?

"Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware!


#6 dstix11
  • Topic Starter
  • Members
  • 493 posts
  • Gender:Male
  • Location:USA

Posted 23 December 2011 - 02:20 AM

Hello,
Wow, thought I had a Win32:MBRoot as reported in the GMER ark.txt logs twice? Did ComboFix fix it? Curious because after it ran, it didn't reboot.. My system did crash after Combofix ran however. Got a "Mini Dump" shutdown error. Tried to attach in text, and bitmap but wouldn't let me...Rebooted ok afterwards...

Thought you should know a couple more things.
When I ran GMER twice before, the "ark.txt" logs seemed to indicate several other suspects, I thought? I'm certainly no expert like you so I'm highlighting those areas in red hoping you can settle my mind. :mellow:. See attachments

Also, I'm attaching the Malwarebytes log from 12-13-11 with the PUM.BAD.PROXY for your review.

**Just realized MBAM hasn't been able to complete a scan since I manually ran it on 12-19-11. It continues to error out when running on the scheduler and doesn't record any log files. I will do another manual tonight and post any results tomorrow.


Please let me know if I can lay those worries to rest, for now, and what to do with MBAM issue?

Thanks
regards, dstix11
 



#7 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:05:45 PM

Posted 23 December 2011 - 10:56 AM

Hello,

Please go ahead and run Malwarebytes scan again, make sure to update it and post its log. Let's also go ahead and run Gmer again and post its log.


Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.


#8 dstix11

dstix11
  • Topic Starter

  • Members
  • 493 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:03:45 PM

Posted 23 December 2011 - 10:42 PM

Hello,
I ran all 3 scans. The aswMBR and GMER detected the same malicious Win32:MBRoot code @ sector 195366468 & PE file @ sector 195366490. aswMBR did NOT give me the option to "fix MBR" in the program, fyi. Perhaps a more powerful program or code is in call here?

aswMBR also detected one of the free Kaspersky antivirus removal tools I have as infected with a virus, but I didn't click the "fix" button as I wanted to save the log, per your request. Interesting that it found that file as well: File: C:\Documents and Settings\DRUMZ\My Documents\Viruses\FREE Antivirus Scanning Software\Kaspersky Virus Removal Tools\AntiNimd.exe **INFECTED** Win32:Nimda-O [Drp]. Perhaps it's a false positive??

I also noticed that this new GMER log today seemed to get rid of the temp file in question from the last 2 scans though (INT 0x01 \??\C:\DOCUME~1\DRUMZ\LOCALS~1\Temp\mbr.sys [A7689C42]). :thumbup2:

GMER is also still showing a question mark line SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xA8878640]. Is this an issue with SASW or normal??

**I continue to see the Windows Update icon flash in the system tray, but still can't keep it there long enough to download the much needed updates. Perhaps that MBRoot is blocking it, idk. But something is still not right here....

__________________________________________________________________________________________________________________________________________________________________________


aswMBR version 0.9.9.1116 Copyright© 2011 AVAST Software
Run date: 2011-12-23 12:33:26
-----------------------------
12:33:26.406 OS Version: Windows 5.1.2600 Service Pack 3
12:33:26.406 Number of processors: 2 586 0xF06
12:33:26.406 ComputerName: DAN UserName:
12:33:27.328 Initialize success
12:33:28.078 AVAST engine defs: 11122300
12:34:39.625 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
12:34:39.625 Disk 0 Vendor: Hitachi_HTS721010G9SA00 MCZOC10H Size: 95396MB BusType: 3
12:34:41.656 Disk 0 MBR read successfully
12:34:41.656 Disk 0 MBR scan
12:34:41.656 Disk 0 Windows XP default MBR code
12:34:41.656 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 95393 MB offset 63
12:34:41.671 Disk 0 scanning sectors +195366465
12:34:41.687 Disk 0 malicious Win32:MBRoot code @ sector 195366468 !
12:34:41.687 Disk 0 PE file @ sector 195366490 !
12:34:41.718 Disk 0 scanning C:\WINDOWS\system32\drivers
12:34:55.312 Service scanning
12:34:56.375 Modules scanning
12:35:03.093 Disk 0 trace - called modules:
12:35:03.125 ntkrnlpa.exe CLASSPNP.SYS disk.sys SahdIa32.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
12:35:03.125 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a638030]
12:35:03.125 3 CLASSPNP.SYS[ba0f8fd7] -> nt!IofCallDriver -> [0x8a6396c0]
12:35:03.125 5 SahdIa32.sys[ba119939] -> nt!IofCallDriver -> \Device\00000092[0x8a671570]
12:35:03.125 7 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a632940]
12:35:03.906 AVAST engine scan C:\WINDOWS
12:35:11.328 AVAST engine scan C:\WINDOWS\system32
12:36:52.437 AVAST engine scan C:\WINDOWS\system32\drivers
12:37:07.578 AVAST engine scan C:\Documents and Settings\DRUMZ
13:09:33.156 File: C:\Documents and Settings\DRUMZ\My Documents\Viruses\FREE Antivirus Scanning Software\Kaspersky Virus Removal Tools\AntiNimd.exe **INFECTED** Win32:Nimda-O [Drp]
13:09:57.937 AVAST engine scan C:\Documents and Settings\All Users
13:12:46.828 Scan finished successfully
13:14:22.062 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\DRUMZ\Desktop\MBR.dat"
13:14:22.078 The log file has been saved successfully to "C:\Documents and Settings\DRUMZ\Desktop\aswMBR.txt"

__________________________________________________________________________________________________________________________________________________________________________

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 911122308

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/23/2011 3:04:40 PM
mbam-log-2011-12-23 (15-04-40).txt

Scan type: Full scan (C:\|)
Objects scanned: 407453
Time elapsed: 1 hour(s), 44 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

__________________________________________________________________________________________________________________________________________________________________________


GMER ark12-23-11.txt is attached

__________________________________________________________________________________

Please let me know the next steps to tackle this MBRoot & PE infection.

**I'm also approaching max limit on file attachments. Can you increase??


Thanks bud
regards, dstix11
 



#9 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:05:45 PM

Posted 24 December 2011 - 01:55 AM

I think we may be dealing with the newest variant of a very nasty rootkit.

We need to do a couple of things to rule it out. Can you burn Cd's and have access to a USB Flash drive?


#10 dstix11

dstix11
  • Topic Starter

  • Members
  • 493 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:03:45 PM

Posted 24 December 2011 - 12:16 PM

Yes, able to burn CD's and DVD's and have some Flash drives.

Please advise....Thanks
regards, dstix11
 



#11 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:05:45 PM

Posted 24 December 2011 - 12:37 PM

Try this please. You will need a USB drive.

Download http://unetbootin.sourceforge.net/unetbootin-xpud-windows-latest.exe & http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of your clean computer
  • Insert your USB drive
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format
  • Double click the unetbootin-xpud-windows-387.exe that you just downloaded
  • Press Run then OK
  • It will install a little bootable OS on your USB
  • After it has completed do not choose to reboot the clean computer simply close the installer
  • Remove the USB and insert it in the sick computer
  • Boot the Sick computer
  • Press F12 and choose to boot from the USB
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Press Tool at the top
  • Choose Open Terminal
  • Type in: dd if=/dev/sda of=MBRbackup.zip bs=512 count=1 and hit Enter.


MBRbackup.zip should be created on your flash drive, please attach it to your next reply.


#12 dstix11

dstix11
  • Topic Starter

  • Members
  • 493 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:03:45 PM

Posted 24 December 2011 - 01:46 PM

Hello,
Not sure if I did this right.

I followed the instructions (or so I thought). Formatted the USB drive from the clean PC, it installed a small file, booted to USB from this sick PC, but it said the following:
SYSLINUX 3.72 2008-09-25 EBios
Could Not Find Kernel Inmage: linux
boot:

What did I do wrong? Were the 2 downloaded files supposed to be brought back on the USB after format for this to work?

Please advise, thanks
regards, dstix11
 



#13 dstix11

dstix11
  • Topic Starter

  • Members
  • 493 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:03:45 PM

Posted 24 December 2011 - 02:32 PM

Figured it out (I think). I didn't put in the path for the .iso file in the 387 program.

Here is the zip file (when I tried to extract it w/ WinRAR it said the archive is in unknown format or damaged).

Please let me know how to create it correctly if it's damaged. Thanks
regards, dstix11
 



#14 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:05:45 PM

Posted 24 December 2011 - 03:42 PM

Earlier on ComboFix installed the Recovery Console. We're going to use that now.

Reboot your machine and when the Boot Menu flashes up - select "Microsoft Windows Recovery Console"
(you need to be very fast with the arrow key as you only have a couple of seconds before it defaults to the windows XP bootup)



When you get to the above screen, take note of the number that references your operating system.

If it's '1' like the picture above, type 1 and press Enter

Next type FIXMBR


If it asks if you're sure you want to write a new MBR, answer 'Y'

Then type EXIT to reboot the machine.

With that done, please post back and let me know how things are now.
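The MBR backup step in post #11 (`dd if=/dev/sda of=MBRbackup.zip bs=512 count=1`) and the FIXMBR repair in post #14 both operate on the same 512-byte structure: 440 bytes of boot code, a 4-byte disk signature, four 16-byte partition entries and the 0x55AA signature. The following is an added example, not code from this thread or from aswMBR, GMER or ComboFix. It parses a raw MBR image of the kind that `dd` command produces (the output is a raw sector, not a ZIP archive, whatever the file is named), verifies the 0x55AA signature, lists the partition entries, reports whether sectors such as the two aswMBR flagged lie outside every partition (the unallocated tail of the disk, where boot-sector rootkits typically park their payload), and compares a before/after pair the way one would confirm that a FIXMBR-style repair changed only the boot code and left the partition table intact. The sample MBR bytes, disk signature and boot-code filler are constructed to match the geometry in the aswMBR log (one NTFS partition of 95393 MB at offset 63 on a 95396 MB disk); the function and constant names are the example's own.

```python
"""Parse and sanity-check a raw 512-byte MBR backup. Added example; the sample
MBR built by build_sample_mbr() is constructed, not a real disk's boot sector."""
import struct
from dataclasses import dataclass
from typing import Dict, List

MBR_SIZE = 512
BOOT_CODE_LEN = 440       # bytes 0..439: boot code (what FIXMBR rewrites)
DISK_SIG_OFF = 440        # bytes 440..443: NT disk signature
PART_TABLE_OFF = 446      # four 16-byte partition entries
PART_ENTRY_LEN = 16
BOOT_SIG_OFF = 510        # bytes 510..511: 0x55 0xAA
PART_ENTRY_FMT = "<B3xB3xII"   # status, CHS start, type, CHS end, LBA start, sector count

# Geometry taken from the aswMBR log in this thread (512-byte sectors, 1 MB = 2048 sectors)
DISK_MB = 95396
DISK_SECTORS = DISK_MB * 2048
FLAGGED_SECTORS = [195366468, 195366490]   # the two sectors aswMBR reported


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    start_lba: int
    sectors: int

    @property
    def end_lba(self) -> int:
        """Last sector belonging to this partition (inclusive)."""
        return self.start_lba + self.sectors - 1


def parse_mbr(mbr: bytes) -> List[Partition]:
    """Return the populated partition entries; raise if this is not a plausible raw MBR."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}: not a raw sector image")
    if mbr[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, ptype, start, count = struct.unpack_from(PART_ENTRY_FMT, mbr, off)
        if ptype == 0 and count == 0:
            continue                      # empty slot
        parts.append(Partition(i + 1, status == 0x80, ptype, start, count))
    return parts


def unallocated_sectors(parts: List[Partition], sectors: List[int]) -> List[int]:
    """Return those sectors that belong to no partition. Code living there is not
    reachable through the file system, which is why MBR rootkits hide payloads
    in the free space after the last partition."""
    return [s for s in sectors if not any(p.start_lba <= s <= p.end_lba for p in parts)]


def compare_after_fixmbr(before: bytes, after: bytes) -> Dict[str, bool]:
    """A FIXMBR-style repair should change only the boot code; the disk signature,
    partition table and 0x55AA must survive. Report which regions differ."""
    return {
        "boot_code_changed": before[:BOOT_CODE_LEN] != after[:BOOT_CODE_LEN],
        "disk_signature_changed": before[DISK_SIG_OFF:DISK_SIG_OFF + 4] != after[DISK_SIG_OFF:DISK_SIG_OFF + 4],
        "partition_table_changed": before[PART_TABLE_OFF:BOOT_SIG_OFF] != after[PART_TABLE_OFF:BOOT_SIG_OFF],
    }


def build_sample_mbr(boot_code_fill: int = 0x90) -> bytes:
    """Constructed sample MBR: one bootable NTFS (0x07) partition at LBA 63, 95393 MB long.
    The boot code is filler, not Windows XP's real boot code."""
    mbr = bytearray(MBR_SIZE)
    mbr[:BOOT_CODE_LEN] = bytes([boot_code_fill]) * BOOT_CODE_LEN
    mbr[DISK_SIG_OFF:DISK_SIG_OFF + 4] = b"\x12\x34\x56\x78"   # arbitrary disk signature
    struct.pack_into(PART_ENTRY_FMT, mbr, PART_TABLE_OFF, 0x80, 0x07, 63, 95393 * 2048)
    mbr[BOOT_SIG_OFF:] = b"\x55\xAA"
    return bytes(mbr)


if __name__ == "__main__":
    mbr = build_sample_mbr()
    parts = parse_mbr(mbr)
    for p in parts:
        print(f"partition {p.index}: type 0x{p.type_id:02X} bootable={p.bootable} "
              f"LBA {p.start_lba}..{p.end_lba}")
    print("disk ends at sector", DISK_SECTORS - 1)
    print("flagged sectors outside every partition:", unallocated_sectors(parts, FLAGGED_SECTORS))
    repaired = build_sample_mbr(0xCC)    # stand-in for "FIXMBR rewrote the boot code"
    print("after repair:", compare_after_fixmbr(mbr, repaired))
```

To use it on a real backup, replace `build_sample_mbr()` with `open("MBRbackup.zip", "rb").read()`; `parse_mbr` refuses anything that is not exactly 512 bytes, which is the first thing to check when a tool like WinRAR reports the file as an unknown format.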


#15 dstix11

dstix11
  • Topic Starter

  • Members
  • 493 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:03:45 PM

Posted 24 December 2011 - 04:18 PM

Followed those instructions and new MBR successfully written. Booted up fine, but Windows Update icon still flashes in systray then disappears.

What am I supposed to be noticing? Still runs like it did before, working but would need to do those scans again to determine if the Malware is gone, right?
regards, dstix11
 





