Infected with System Check Virus, now also with XP Home Security 2012


  • This topic is locked
54 replies to this topic

#1 CalmWaters


Posted 17 January 2012 - 01:31 PM

Hello all,
I initially encountered XP Internet Security 2012 and followed the procedure here to successfully eliminate the problem.
Recently, the "System Check" virus infected the system. I found this post and ran the latest versions of the ComboFix tool (12-01-13.3, 12-01-13.05 and now 12-01-17.01) to clear out the issue, which appeared to work each time, but shortly afterwards System Check would eventually reinfect.
Today, after the latest run of the ComboFix tool, with the system appearing clean, I used MS IE (while Avast was still temporarily disabled) on the PC to download the DDS.scr tool directly from that URL to gather supplemental logs to post here. After the DDS tool successfully finished running, XP Home Security 2012 windows began appearing.

Here are the log files from the latest ComboFix run and DDS; I will add GMER when I can get it to run. Right now, no executables can run, no matter whether they are named with .scr or .bat extensions. Avast produces an "attempt to run file C:\Documents and Settings\Issabella\Local Set...\qkm.exe" alert, and allowing it to run does not succeed.

Update:
I rebooted into Safe Mode under the user account and successfully applied FixNCR.reg and the iexplorer.exe variant of "rkill" to halt the execution of XP Home Security 2012 for this boot session. I have included the rkill.log and GMER output at the end of this post.

Here are the log files:

ComboFix 12-01-17.01 - Isabella 01/17/2012 11:36:08.6.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.160 [GMT -5:00]
Running from: c:\documents and settings\Isabella\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\~jYZW6zA9nRbJvw
c:\documents and settings\All Users\Application Data\~jYZW6zA9nRbJvwr
c:\documents and settings\All Users\Application Data\hDNYrohYYsM.exe
c:\documents and settings\All Users\Application Data\jYZW6zA9nRbJvw
c:\documents and settings\All Users\Application Data\jYZW6zA9nRbJvw.exe
c:\documents and settings\Isabella\Desktop\System Check.lnk
c:\documents and settings\Isabella\Start Menu\Programs\System Check
c:\documents and settings\Isabella\Start Menu\Programs\System Check\System Check.lnk
c:\documents and settings\Isabella\Start Menu\Programs\System Check\Uninstall System Check.lnk
.
.
((((((((((((((((((((((((( Files Created from 2011-12-17 to 2012-01-17 )))))))))))))))))))))))))))))))
.
.
2012-01-17 16:24 . 2012-01-17 16:24 27528 ----a-w- c:\windows\system32\drivers\PROCEXP151.SYS
2012-01-13 21:37 . 2011-11-28 17:53 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-01-11 17:18 . 2012-01-11 17:19 -------- d--h--w- c:\documents and settings\Isabella\Local Settings\Application Data\ApplicationHistory
2012-01-06 16:48 . 2012-01-06 20:36 -------- d--h--w- c:\documents and settings\Isabella\Application Data\U3
2011-12-30 21:00 . 2011-12-30 21:00 626688 ---ha-w- c:\program files\Mozilla Firefox\msvcr80.dll
2011-12-30 21:00 . 2011-12-30 21:00 548864 ---ha-w- c:\program files\Mozilla Firefox\msvcp80.dll
2011-12-30 21:00 . 2011-12-30 21:00 479232 ---ha-w- c:\program files\Mozilla Firefox\msvcm80.dll
2011-12-30 21:00 . 2011-12-30 21:00 43992 ---ha-w- c:\program files\Mozilla Firefox\mozutils.dll
2011-12-19 21:35 . 2011-12-19 21:35 159744 ---ha-w- c:\program files\Mozilla Firefox\Plugins\npqtplugin7.dll
2011-12-19 21:35 . 2011-12-19 21:35 159744 ---ha-w- c:\program files\Mozilla Firefox\Plugins\npqtplugin6.dll
2011-12-19 21:35 . 2011-12-19 21:35 159744 ---ha-w- c:\program files\Mozilla Firefox\Plugins\npqtplugin5.dll
2011-12-19 21:35 . 2011-12-19 21:35 159744 ---ha-w- c:\program files\Mozilla Firefox\Plugins\npqtplugin4.dll
2011-12-19 21:35 . 2011-12-19 21:35 159744 ---ha-w- c:\program files\Mozilla Firefox\Plugins\npqtplugin3.dll
2011-12-19 21:35 . 2011-12-19 21:35 159744 ---ha-w- c:\program files\Mozilla Firefox\Plugins\npqtplugin2.dll
2011-12-19 21:35 . 2011-12-19 21:35 159744 ---ha-w- c:\program files\Mozilla Firefox\Plugins\npqtplugin.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-28 18:01 . 2010-12-15 20:30 41184 ----a-w- c:\windows\avastSS.scr
2011-11-28 18:01 . 2010-12-15 20:30 199816 ----a-w- c:\windows\system32\aswBoot.exe
2011-11-28 17:53 . 2010-12-15 20:31 314456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-11-28 17:52 . 2010-12-15 20:31 34392 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-11-28 17:52 . 2010-12-15 20:31 52952 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-11-28 17:52 . 2010-12-15 20:31 111320 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-11-28 17:51 . 2010-12-15 20:31 105176 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-11-28 17:51 . 2010-12-15 20:31 20568 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-11-28 17:48 . 2010-12-15 20:31 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-11-25 21:57 . 2010-12-15 21:03 293376 ---ha-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2010-12-15 21:03 1859584 ---ha-w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2010-12-15 21:02 60416 ---ha-w- c:\windows\system32\packager.exe
2011-11-16 14:21 . 2010-12-15 21:03 354816 ---ha-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21 . 2010-12-15 21:02 152064 ---ha-w- c:\windows\system32\schannel.dll
2011-11-14 22:26 . 2011-05-16 13:35 414368 ---ha-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-04 19:20 . 2010-12-15 21:03 916992 ---ha-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2010-12-15 21:01 43520 ---h--w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2010-12-15 21:00 1469440 ---h--w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2010-12-15 21:00 385024 ---h--w- c:\windows\system32\html.iec
2011-11-03 15:28 . 2010-12-15 21:02 1292288 ---ha-w- c:\windows\system32\quartz.dll
2011-11-03 15:28 . 2010-12-15 21:02 386048 ---ha-w- c:\windows\system32\qdvd.dll
2011-11-01 16:07 . 2010-12-15 21:02 1288704 ---ha-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2010-12-15 21:00 33280 ---ha-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:33 . 2010-12-15 21:02 2192768 ---ha-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2010-12-15 21:05 2069376 ---ha-w- c:\windows\system32\ntkrnlpa.exe
2011-12-30 21:00 . 2011-04-14 22:31 121816 ---ha-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-01-12_22.19.36 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-01-17 15:09 . 2012-01-17 15:09 16384 c:\windows\Temp\Perflib_Perfdata_1ec.dat
+ 2008-12-16 12:30 . 2011-11-16 14:21 354816 c:\windows\system32\dllcache\winhttp.dll
- 2008-12-16 12:30 . 2009-08-25 09:17 354816 c:\windows\system32\dllcache\winhttp.dll
+ 2009-06-25 08:25 . 2011-11-16 14:21 152064 c:\windows\system32\dllcache\schannel.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-12-14 1514152]
.
[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2011-12-14 20:51 1514152 ---ha-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-12-14 1514152]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-12-14 1514152]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-11-28 18:01 122512 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2011-02-22 1497352]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-27 421160]
.
c:\documents and settings\Isabella\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2011-4-5 1149440]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 18:37 932288 ---ha-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ---ha-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 15:43 69632 ---ha-w- c:\windows\Alcmtr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 10:42 15360 ---ha-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-04-27 05:22 421160 ---ha-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2006-04-13 16:09 49152 ---ha-w- c:\program files\CyberLink\PowerDVD\Language\Language.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2010-07-09 21:24 13923432 ---ha-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2010-07-09 21:24 110696 ---ha-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2010-07-08 04:52 1753192 ---ha-w- c:\program files\NVIDIA Corporation\nView\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 21:38 421888 ---ha-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2005-12-08 03:57 30208 ---h--w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2006-06-01 13:48 16208384 ---ha-w- c:\windows\RTHDCPL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
2006-05-16 15:04 2879488 ---ha-w- c:\windows\SkyTel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
2004-12-29 12:01 544768 ---ha-w- c:\windows\sm56hlpr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 16:44 248552 ---ha-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer_Service.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2010\\QBDBMgrN.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [1/13/2012 4:37 PM 435032]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/15/2010 3:31 PM 314456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/15/2010 3:31 PM 20568]
R3 PROCEXP151;PROCEXP151;c:\windows\system32\drivers\PROCEXP151.SYS [1/17/2012 11:24 AM 27528]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/23/2010 10:35 PM 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [12/23/2010 10:35 PM 136176]
S3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8192su.sys [12/15/2010 4:53 PM 606056]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50]
.
2012-01-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-24 03:35]
.
2012-01-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-24 03:35]
.
2012-01-13 c:\windows\Tasks\Norton Security Scan for Isabella.job
- c:\progra~1\NORTON~2\Engine\300~1.103\Nss.exe [2011-01-03 04:47]
.
2012-01-13 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2011-12-14 20:51]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.15.1
FF - ProfilePath - c:\documents and settings\Isabella\Application Data\Mozilla\Firefox\Profiles\uise2fhg.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - chrome://browser-region/locale/region.properties
FF - prefs.js: network.proxy.type - 0
.
Supplementary scan did not complete!
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-hDNYrohYYsM.exe - c:\documents and settings\All Users\Application Data\hDNYrohYYsM.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-17 12:09
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
c:\windows\system32\searchfilterhost.exe [240] 0xF7D3F020
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2012-01-17 12:26:33
ComboFix-quarantined-files.txt 2012-01-17 17:26
ComboFix2.txt 2012-01-13 21:05
.
.
Post-Run: 106,722,598,912 bytes free
.
- - End Of File - - F786684CACE911757FF4F3980998E358


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Isabella at 12:38:03 on 2012-01-17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.200 [GMT -5:00]
.
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\isabella\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1292448106125
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
TCP: DhcpNameServer = 192.168.15.1
TCP: Interfaces\{F2CADB34-31A4-40DC-B518-4BD05465788D} : DhcpNameServer = 192.168.15.1
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\intuit\quickbooks 2010\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\isabella\application data\mozilla\firefox\profiles\uise2fhg.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - chrome://browser-region/locale/region.properties
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\isabella\application data\mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@mmagoo.com\components\mmagootlf.dll
FF - component: c:\documents and settings\isabella\application data\mozilla\firefox\profiles\uise2fhg.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCoreGecko19.dll
FF - plugin: c:\documents and settings\isabella\local settings\application data\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.50917.0\npctrlui.dll
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2012-1-13 435032]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-12-15 314456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-12-15 20568]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-12-15 44768]
R3 PROCEXP151;PROCEXP151;c:\windows\system32\drivers\PROCEXP151.SYS [2012-1-17 27528]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-12-23 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-12-23 136176]
S3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8192su.sys [2010-12-15 606056]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-01-17 16:29:08 -------- d-----w- C:\ComboFix
2012-01-17 16:24:06 27528 ----a-w- c:\windows\system32\drivers\PROCEXP151.SYS
2012-01-13 21:37:28 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-01-12 23:16:17 256000 ----a-w- c:\windows\PEV.exe
2012-01-12 21:40:58 -------- d-sha-r- C:\cmdcons
2012-01-12 21:34:20 98816 ----a-w- c:\windows\sed.exe
2012-01-12 21:34:20 518144 ----a-w- c:\windows\SWREG.exe
2012-01-12 21:34:20 208896 ----a-w- c:\windows\MBR.exe
2012-01-11 17:18:39 -------- d-----w- c:\documents and settings\isabella\local settings\application data\ApplicationHistory
2011-12-30 21:00:47 626688 ----a-w- c:\program files\mozilla firefox\msvcr80.dll
2011-12-30 21:00:47 548864 ----a-w- c:\program files\mozilla firefox\msvcp80.dll
2011-12-30 21:00:47 479232 ----a-w- c:\program files\mozilla firefox\msvcm80.dll
2011-12-30 21:00:47 43992 ----a-w- c:\program files\mozilla firefox\mozutils.dll
2011-12-19 21:35:40 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin7.dll
2011-12-19 21:35:40 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin6.dll
2011-12-19 21:35:40 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin5.dll
2011-12-19 21:35:40 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin4.dll
2011-12-19 21:35:40 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin3.dll
2011-12-19 21:35:40 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin2.dll
2011-12-19 21:35:40 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin.dll
.
==================== Find3M ====================
.
2011-11-28 18:01:25 41184 ----a-w- c:\windows\avastSS.scr
2011-11-25 21:57:19 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35:08 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-16 14:21:44 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21:44 152064 ----a-w- c:\windows\system32\schannel.dll
2011-11-14 22:26:27 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20:51 43520 ------w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23:59 385024 ------w- c:\windows\system32\html.iec
2011-11-03 15:28:36 386048 ----a-w- c:\windows\system32\qdvd.dll
2011-11-03 15:28:36 1292288 ----a-w- c:\windows\system32\quartz.dll
2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:33:08 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52:03 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
.
============= FINISH: 12:44:16.13 ===============

The "attach.txt" file is attached per instructions.

rkill.log contents: --------------------------------------------------------

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 01/17/2012 at 17:34:12.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:

C:\Documents and Settings\Isabella\Local Settings\Application Data\qkm.exe


Rkill completed on 01/17/2012 at 17:35:26.
----------------------------------------------------------------------------

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-01-17 18:52:15
Windows 5.1.2600 Service Pack 3
Running: dbdes3ll.exe; Driver: C:\DOCUME~1\Isabella\LOCALS~1\Temp\pxtdrpob.sys


---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB64258$\1921288582 0 bytes
File C:\WINDOWS\$NtUninstallKB64258$\1921288582\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB64258$\1921288582\bckfg.tmp 850 bytes
File C:\WINDOWS\$NtUninstallKB64258$\1921288582\cfg.ini 199 bytes
File C:\WINDOWS\$NtUninstallKB64258$\1921288582\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB64258$\1921288582\keywords 0 bytes
File C:\WINDOWS\$NtUninstallKB64258$\1921288582\kwrd.dll 223744 bytes
File C:\WINDOWS\$NtUninstallKB64258$\1921288582\L 0 bytes
File C:\WINDOWS\$NtUninstallKB64258$\1921288582\L\iopiovam 162816 bytes
File C:\WINDOWS\$NtUninstallKB64258$\1921288582\lsflt7.ver 5176 bytes
File C:\WINDOWS\$NtUninstallKB64258$\1921288582\U 0 bytes
File C:\WINDOWS\$NtUninstallKB64258$\1921288582\U\00000001.@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB64258$\1921288582\U\00000002.@ 224768 bytes
File C:\WINDOWS\$NtUninstallKB64258$\1921288582\U\00000004.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB64258$\1921288582\U\80000000.@ 11264 bytes
File C:\WINDOWS\$NtUninstallKB64258$\1921288582\U\80000004.@ 12800 bytes
File C:\WINDOWS\$NtUninstallKB64258$\1921288582\U\80000032.@ 77312 bytes
File C:\WINDOWS\$NtUninstallKB64258$\2301715402 0 bytes

---- EOF - GMER 1.0.15 ----


I appreciate all your help with this situation.
Thank you very much!

Edited by CalmWaters, 17 January 2012 - 06:57 PM.
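Added example (not part of CalmWaters' post, and not output of ComboFix, Rkill or GMER): a small Python triage script that applies two checks a responder would run over the logs above. It flags autostart executables that live under a profile's Application Data or Local Settings directories, and it flags files under a $NtUninstallKB…$ hotfix-uninstall folder that sit in any subdirectory other than spuninst\ or that carry the ".@" names seen in the GMER listing. The sample log is constructed from paths in the posted logs plus one made-up benign control entry (KB000000); the heuristics and thresholds are the editor's assumptions about what a clean XP box looks like, not rules from any of the tools.

```python
import re

# Constructed sample: paths copied from the ComboFix, Rkill and GMER output
# posted above, plus one made-up benign control line (KB000000) that a sound
# filter must leave alone.
SAMPLE_LOG = r"""
c:\documents and settings\All Users\Application Data\hDNYrohYYsM.exe
c:\documents and settings\All Users\Application Data\jYZW6zA9nRbJvw.exe
HKLM-Run-hDNYrohYYsM.exe - c:\documents and settings\All Users\Application Data\hDNYrohYYsM.exe
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2011-02-22 1497352]
C:\Documents and Settings\Isabella\Local Settings\Application Data\qkm.exe
File C:\WINDOWS\$NtUninstallKB64258$\1921288582\U\00000002.@ 224768 bytes
File C:\WINDOWS\$NtUninstallKB64258$\1921288582\L\iopiovam 162816 bytes
File C:\WINDOWS\$NtUninstallKB64258$\1921288582\kwrd.dll 223744 bytes
File C:\WINDOWS\$NtUninstallKB000000$\spuninst\spuninst.exe 231216 bytes
"""

# GMER prints "File <path> <size> bytes"; ComboFix/Rkill lines carry bare or
# quoted drive paths.  The second pattern stops at the first executable
# extension that is followed by a quote, whitespace, ']' or end of line.
GMER_FILE_RE = re.compile(r"^File (.+?) \d+ bytes$")
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\n\[\]]*?\.(?:exe|dll|scr|sys))(?=[\s"\]]|$)', re.I)
# Per-user and All Users profile data: writable without admin rights and not a
# normal home for an autostart executable on XP (editor's heuristic).
USER_WRITABLE_RE = re.compile(
    r"\\documents and settings\\[^\\]+\\(?:application data|local settings)\\", re.I)
# Hotfix uninstall folders hold the backed-up originals at top level plus a
# spuninst\ subfolder; anything else nested beneath them is out of place.
NTUNINSTALL_RE = re.compile(r"\\\$NtUninstall[^\\]*\$\\(.+)$", re.I)
EXEC_EXT = (".exe", ".dll", ".scr", ".sys")


def extract_paths(text):
    """Pull file paths out of mixed GMER / ComboFix / Rkill log lines, deduplicated."""
    seen, paths = set(), []
    for line in text.splitlines():
        line = line.strip()
        m = GMER_FILE_RE.match(line)
        found = [m.group(1)] if m else PATH_RE.findall(line)
        for p in found:
            if p.lower() not in seen:          # NTFS paths are case-insensitive
                seen.add(p.lower())
                paths.append(p)
    return paths


def check_path(path):
    """Return the reasons this path deserves a second look (empty list = clean)."""
    reasons = []
    name = path.rsplit("\\", 1)[-1]
    if USER_WRITABLE_RE.search(path) and name.lower().endswith(EXEC_EXT):
        reasons.append("executable in user-writable profile directory")
    m = NTUNINSTALL_RE.search(path)
    if m:
        parts = m.group(1).split("\\")
        if len(parts) > 1 and parts[0].lower() != "spuninst":
            reasons.append("unexpected subdirectory %r under hotfix uninstall folder" % parts[0])
        if name == "@" or name.endswith(".@"):
            reasons.append("'.@' file name is not a Windows hotfix artifact")
    return reasons


def triage(text):
    """Map each suspicious path to its reasons; clean paths are left out."""
    findings = {}
    for path in extract_paths(text):
        reasons = check_path(path)
        if reasons:
            findings[path] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG).items():
        print(path)
        for reason in reasons:
            print("    -", reason)
```

Run against the constructed sample it reports six paths (the three randomly named executables under Application Data / Local Settings and the three files nested under the KB64258 folder) and stays quiet on the Program Files entry and the spuninst\ control line. Anything it flags still needs a human look; the point is to pull the handful of lines worth examining out of a few hundred.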



#2 CalmWaters


Posted 17 January 2012 - 06:59 PM

Update: I was able to run Rkill to end XP Home Security 2012 while in Safe Mode, then run GMER and generate logs. The new logs are posted in the original message.
Thanks!
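Added example (not from the thread and not the contents of FixNCR.reg): post #1 says no executable would run until FixNCR.reg was applied. That fix restores the .exe file association, so the check a responder wants is whether an exported copy of that association has been redirected. The Python below parses .reg export text and reports a non-default HKCR\exefile\shell\open\command value or a per-user HKCU\Software\Classes\.exe override. Both sample exports are constructed for the example; the C:\rogue\rogue.exe path is a placeholder, not anything observed on this machine.

```python
import re

# Machine-wide values a clean XP system carries for launching .exe files.
EXPECTED = {
    r"HKEY_CLASSES_ROOT\.exe": ("@", "exefile"),
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": ("@", '"%1" %*'),
}
# HKCU\Software\Classes takes precedence over HKLM for the current user, so a
# rogue that plants a per-user .exe class redirects every launch without
# touching the machine hive.  A clean profile has no such key.
PER_USER_OVERRIDE = r"HKEY_CURRENT_USER\Software\Classes\.exe"

KEY_RE = re.compile(r"^\[([^\]]+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def unescape(token):
    """Strip the quotes of a .reg REG_SZ token and undo its backslash escapes."""
    if len(token) >= 2 and token[0] == '"' and token[-1] == '"':
        token = token[1:-1]
    return re.sub(r"\\(.)", r"\1", token)


def parse_reg(text):
    """Parse 'reg export' / .reg text into {key: {value_name: value}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else unescape(m.group(1))
            keys[current][name] = unescape(m.group(2))
    return keys


def audit_exe_association(text):
    """Return a list of findings; an empty list means the association is intact."""
    keys = {k.lower(): v for k, v in parse_reg(text).items()}
    findings = []
    for key, (name, want) in EXPECTED.items():
        got = keys.get(key.lower(), {}).get(name)
        if got is None:
            findings.append("%s: value %s missing" % (key, name))
        elif got != want:
            findings.append("%s = %r (expected %r)" % (key, got, want))
    if PER_USER_OVERRIDE.lower() in keys:
        findings.append("%s present: per-user override of the .exe class" % PER_USER_OVERRIDE)
    return findings


# Constructed sample exports.  The rogue path is a placeholder, not something
# observed on the machine in this thread.
CLEAN_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

HIJACKED_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\rogue\\rogue.exe\" -a \"%1\" %*"

[HKEY_CURRENT_USER\Software\Classes\.exe]
@="secfile"
'''

if __name__ == "__main__":
    for label, export in (("clean", CLEAN_EXPORT), ("hijacked", HIJACKED_EXPORT)):
        print(label, "->", audit_exe_association(export) or ["ok"])
```

On a live machine the input would come from "reg export HKCR\exefile exefile.reg" and "reg export HKCU\Software\Classes classes.reg" run from a session where cmd.exe still launches (Safe Mode, as in the post above). A hijacked command value is the reason renaming a file to .scr or .bat does not help when the rogue has also rewritten those classes; the same audit extends to them by adding their keys to EXPECTED.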

#3 nasdaq

Malware Response Team

Posted 23 January 2012 - 11:16 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please download TDSSKiller.zip

>>> Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure, click on Continue
  • If a suspicious file is detected, the default action will be Skip, click on Continue
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the system drive (usually C:\) in the form "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) (511KB) to your desktop. Double-click aswMBR.exe to run it.

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

===

Please run ComboFix again and post the fresh log.
Please let me know what issues remains on this computer.

#4 CalmWaters


Posted 23 January 2012 - 12:15 PM

Thank you nasdaq for your help with my situation.

Since the browsers are not operable on the computer with the problem, I'm using another workstation to download and transfer files.
I downloaded and attempted to run TDSSKiller; after double-clicking the icon, I never see any window for that program, so I can't proceed to scan.
Same experience with aswMBR.exe.
Should I just go ahead and run ComboFix and provide the results from that scan?

FYI, I currently have all of the Windows "Scheduled Tasks" disabled and the "Run" entries under both HKCU and HKLM disabled.

Earlier this morning, I ran Malwarebytes Anti-Malware and it found and fixed some issues.
Here is the log:

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.23.03

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Isabella :: ACER [administrator]

1/23/2012 10:58:33 AM
mbam-log-2012-01-23 (10-58-33).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 243313
Time elapsed: 51 minute(s), 4 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 3
C:\Documents and Settings\Isabella\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@mmagoo.com (PUP.MightyMagoo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Isabella\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@mmagoo.com\chrome (PUP.MightyMagoo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Isabella\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@mmagoo.com\components (PUP.MightyMagoo) -> Quarantined and deleted successfully.

Files Detected: 7
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP286\A0102893.sys (Malware.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\fka0.1995445843854825.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\mos0.464906510608602.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Isabella\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@mmagoo.com\chrome.manifest (PUP.MightyMagoo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Isabella\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@mmagoo.com\install.rdf (PUP.MightyMagoo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Isabella\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@mmagoo.com\chrome\mmtextlinks.jar (PUP.MightyMagoo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Isabella\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@mmagoo.com\components\mmagootlf.xpt (PUP.MightyMagoo) -> Quarantined and deleted successfully.

(end)

Edited by CalmWaters, 23 January 2012 - 12:29 PM.


#5 nasdaq

nasdaq

  • Malware Response Team
  • 40,197 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 23 January 2012 - 04:15 PM

Can you connect to the internet or is it just that the browsers are not operational?

If you cannot connect to the internet please run this tool and submit the log.

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


#6 CalmWaters

CalmWaters
  • Topic Starter
  • Members
  • 32 posts
  • Gender:Male

Posted 23 January 2012 - 04:28 PM

Since my latest posting of the Malware Bytes log, I re-attempted to launch Internet Explorer and it is working now. Prior to that, I did at least have internet connectivity (the system tray network icon indicated successful internet connection and both Malware Bytes and Avast5 were able to retrieve definition file updates.)

Do you want me to proceed running the ComboFix at this point, even though the TDSSkiller and aswMBR won't run?

Thank you again for helping.

#7 nasdaq

nasdaq

  • Malware Response Team
  • 40,197 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 24 January 2012 - 08:01 AM

Yes please run ComboFix and submit the log.

I see some bad files in your aswMBR log.

#8 CalmWaters

CalmWaters
  • Topic Starter
  • Members
  • 32 posts
  • Gender:Male

Posted 24 January 2012 - 12:01 PM

I am in the process of running the ComboFix (12-01-23.02) tool.
So far it has reported twice during the scan:
ComboFix - ZeroAccess
"You are infected with the Rootkit.ZeroAccess! It has inserted itself into the TCP/IP stack. This is a particularly difficult infection.

If for any reason that you are unable to connect to the internet after running ComboFix, reboot once and see if that fixes it.

If it's not fixed, run ComboFix one more time." (OK)

One other message appeared during the scan so far:
ROOTKIT:
"Rootkit is Detected. Be patient as this may take some moments"

ComboFix is rebooting the computer, it presented the message:
"RootKit!!
ComboFix has detected the presence of rootkit activity and needs to reboot the machine" (OK)

(rebooted machine)
ComboFix auto-started another scan. It is the only window on the screen (no desktop or taskbar) since login after the reboot. Stage_4 has completed so far.
-------------
-------------

As I mentioned earlier, I have disabled all of the "Scheduled Tasks" (listed in the previous ComboFix report above) and disabled the HKLM and HKCU "Run" key contents. This has helped to suppress some of the virus activity so I can run these scanning tools.

Another issue I'd like to mention while this scan is running:
I attempted to uninstall the "Ask.com Toolbar" from Add/Remove Programs but did not succeed:

----------------------------------------------------------------------
Windows Installer
"The feature you are trying to use is on a network resource that is unavailable. (OK) (Cancel)
Click OK to try again, or enter an alternative path to a folder containing the installation package 'Ask Toolbar.msi' in the box below.
Use source: ______ (Browse...)"

(I hit cancel because there is no AskToolbar.msi anywhere on my system.)

"Removing program..."

"The installation source for this product is not available. Verify that the source exists and that you can access it. (OK)"
-----------------------------------------------------------------------

I will provide the result logs from ComboFix as soon as it completes the scan.

Edited by CalmWaters, 24 January 2012 - 12:44 PM.


#9 nasdaq

nasdaq

  • Malware Response Team
  • 40,197 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 24 January 2012 - 01:54 PM

I have had success with this removal tool. If ComboFix does not submit a report try it.

  • Please download AntiZeroAccess by Webroot to your Desktop
  • Double-click antizeroaccess.exe to run the program.
    • NOTE: If running Vista or Windows 7, make sure to Right-click on it and select Run as an Administrator.
  • At the black window, type y and then press Enter.
  • Once AntiZeroAccess has finished scanning, a report AntiZeroAccess_Log.txt will be created in the same location as the program.
  • Please post the contents of the report in your next reply, and let me know how your system is running now. :thumbup:


#10 CalmWaters

CalmWaters
  • Topic Starter
  • Members
  • 32 posts
  • Gender:Male

Posted 24 January 2012 - 02:17 PM

ComboFix completed its run after 2 reboots:


ComboFix 12-01-23.02 - Isabella 01/24/2012 12:21:54.7.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.239 [GMT -5:00]
Running from: c:\documents and settings\Isabella\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB64258$
c:\windows\$NtUninstallKB64258$\1921288582\@
c:\windows\$NtUninstallKB64258$\1921288582\bckfg.tmp
c:\windows\$NtUninstallKB64258$\1921288582\cfg.ini
c:\windows\$NtUninstallKB64258$\1921288582\Desktop.ini
c:\windows\$NtUninstallKB64258$\1921288582\keywords
c:\windows\$NtUninstallKB64258$\1921288582\kwrd.dll
c:\windows\$NtUninstallKB64258$\1921288582\L\iopiovam
c:\windows\$NtUninstallKB64258$\1921288582\lsflt7.ver
c:\windows\$NtUninstallKB64258$\1921288582\U\00000001.@
c:\windows\$NtUninstallKB64258$\1921288582\U\00000002.@
c:\windows\$NtUninstallKB64258$\1921288582\U\00000004.@
c:\windows\$NtUninstallKB64258$\1921288582\U\80000000.@
c:\windows\$NtUninstallKB64258$\1921288582\U\80000004.@
c:\windows\$NtUninstallKB64258$\1921288582\U\80000032.@
c:\windows\$NtUninstallKB64258$\2301715402
.
.
((((((((((((((((((((((((( Files Created from 2011-12-24 to 2012-01-24 )))))))))))))))))))))))))))))))
.
.
2012-01-23 17:43 . 2012-01-23 17:43 -------- d--h--w- c:\windows\PIF
2012-01-23 15:56 . 2011-12-10 20:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-20 21:03 . 2012-01-20 21:03 -------- d-----w- c:\program files\Common Files\Java
2012-01-20 21:02 . 2012-01-20 21:02 476904 ----a-w- c:\program files\Mozilla Firefox\Plugins\npdeployJava1.dll
2012-01-20 21:02 . 2012-01-20 21:02 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-01-19 21:14 . 2012-01-19 21:14 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2012-01-17 16:24 . 2012-01-17 16:24 27528 ----a-w- c:\windows\system32\drivers\PROCEXP151.SYS
2012-01-13 21:37 . 2011-11-28 17:53 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-01-11 17:18 . 2012-01-11 17:19 -------- d-----w- c:\documents and settings\Isabella\Local Settings\Application Data\ApplicationHistory
2012-01-06 16:48 . 2012-01-06 20:36 -------- d-----w- c:\documents and settings\Isabella\Application Data\U3
2011-12-30 21:00 . 2011-12-30 21:00 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
2011-12-30 21:00 . 2011-12-30 21:00 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
2011-12-30 21:00 . 2011-12-30 21:00 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
2011-12-30 21:00 . 2011-12-30 21:00 43992 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-24 16:21 . 2011-05-16 13:35 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-20 21:02 . 2010-12-15 20:29 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-11-28 18:01 . 2010-12-15 20:30 41184 ----a-w- c:\windows\avastSS.scr
2011-11-28 18:01 . 2010-12-15 20:30 199816 ----a-w- c:\windows\system32\aswBoot.exe
2011-11-28 17:53 . 2010-12-15 20:31 314456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-11-28 17:52 . 2010-12-15 20:31 34392 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-11-28 17:52 . 2010-12-15 20:31 52952 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-11-28 17:52 . 2010-12-15 20:31 111320 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-11-28 17:51 . 2010-12-15 20:31 105176 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-11-28 17:51 . 2010-12-15 20:31 20568 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-11-28 17:48 . 2010-12-15 20:31 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-11-25 21:57 . 2010-12-15 21:03 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2010-12-15 21:03 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2010-12-15 21:02 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-16 14:21 . 2010-12-15 21:03 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21 . 2010-12-15 21:02 152064 ----a-w- c:\windows\system32\schannel.dll
2011-11-04 19:20 . 2010-12-15 21:03 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2010-12-15 21:01 43520 ------w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2010-12-15 21:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2010-12-15 21:00 385024 ------w- c:\windows\system32\html.iec
2011-11-03 15:28 . 2010-12-15 21:02 1292288 ----a-w- c:\windows\system32\quartz.dll
2011-11-03 15:28 . 2010-12-15 21:02 386048 ----a-w- c:\windows\system32\qdvd.dll
2011-11-01 16:07 . 2010-12-15 21:02 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2010-12-15 21:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-12-30 21:00 . 2011-04-14 22:31 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-01-12_22.19.36 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-01-24 18:41 . 2012-01-24 18:41 16384 c:\windows\Temp\Perflib_Perfdata_700.dat
+ 2012-01-24 16:21 . 2012-01-24 16:21 247968 c:\windows\system32\Macromed\Flash\FlashUtil11e_ActiveX.exe
+ 2012-01-24 16:21 . 2012-01-24 16:21 335520 c:\windows\system32\Macromed\Flash\FlashUtil11e_ActiveX.dll
+ 2012-01-20 21:02 . 2012-01-20 21:02 157472 c:\windows\system32\javaws.exe
+ 2012-01-20 21:02 . 2012-01-20 21:02 149280 c:\windows\system32\javaw.exe
+ 2012-01-20 21:02 . 2012-01-20 21:02 149280 c:\windows\system32\java.exe
+ 2008-12-16 12:30 . 2011-11-16 14:21 354816 c:\windows\system32\dllcache\winhttp.dll
- 2008-12-16 12:30 . 2009-08-25 09:17 354816 c:\windows\system32\dllcache\winhttp.dll
+ 2009-06-25 08:25 . 2011-11-16 14:21 152064 c:\windows\system32\dllcache\schannel.dll
+ 2010-12-15 21:02 . 2008-04-14 05:51 162816 c:\windows\system32\dllcache\netbt.sys
+ 2012-01-20 21:03 . 2012-01-20 21:03 203776 c:\windows\Installer\bc7d64.msi
+ 2012-01-20 21:02 . 2012-01-20 21:02 902656 c:\windows\Installer\bc7d5f.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-12-14 1514152]
.
[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-12-14 1514152]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-12-14 1514152]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-11-28 18:01 122512 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
.
c:\documents and settings\Isabella\Start Menu\Programs\Startup\AutorunsDisabled
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2011-4-5 1149440]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0aswBoot.exe /M:7466b732b
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 15:43 69632 ----a-w- c:\windows\Alcmtr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 10:42 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-04-27 05:22 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2006-04-13 16:09 49152 ----a-w- c:\program files\CyberLink\PowerDVD\Language\Language.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2010-07-09 21:24 13923432 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2010-07-09 21:24 110696 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2010-07-08 04:52 1753192 ----a-w- c:\program files\NVIDIA Corporation\nView\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 21:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2005-12-08 03:57 30208 ------w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2006-06-01 13:48 16208384 ----a-w- c:\windows\RTHDCPL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
2006-05-16 15:04 2879488 ----a-w- c:\windows\SkyTel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
2004-12-29 12:01 544768 ----a-w- c:\windows\sm56hlpr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-06-09 18:06 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer_Service.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2010\\QBDBMgrN.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [1/13/2012 4:37 PM 435032]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/15/2010 3:31 PM 314456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/15/2010 3:31 PM 20568]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/23/2010 10:35 PM 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [12/23/2010 10:35 PM 136176]
S3 PROCEXP151;PROCEXP151;c:\windows\system32\drivers\PROCEXP151.SYS [1/17/2012 11:24 AM 27528]
S3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8192su.sys [12/15/2010 4:53 PM 606056]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50]
.
2012-01-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-24 03:35]
.
2012-01-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-24 03:35]
.
2012-01-13 c:\windows\Tasks\Norton Security Scan for Isabella.job
- c:\progra~1\NORTON~2\Engine\300~1.103\Nss.exe [2011-01-03 04:47]
.
2012-01-13 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2011-12-14 20:51]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.15.1
FF - ProfilePath - c:\documents and settings\Isabella\Application Data\Mozilla\Firefox\Profiles\uise2fhg.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - chrome://browser-region/locale/region.properties
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-24 13:42
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
C:\## aswSnx private storage
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3176)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\jscript.dll
c:\windows\system32\Macromed\Flash\Flash11e.ocx
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\ImgUtil.dll
c:\windows\system32\pngfilt.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\windows\system32\SearchIndexer.exe
.
**************************************************************************
.
Completion time: 2012-01-24 14:06:05 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-24 19:05
ComboFix2.txt 2012-01-17 17:26
ComboFix3.txt 2012-01-13 21:05
.
Pre-Run: 106,818,007,040 bytes free
Post-Run: 107,589,177,344 bytes free
.
- - End Of File - - D3AE871F8AF7BC4F569A742CEA301925

What is the next step?

Edited by CalmWaters, 24 January 2012 - 02:18 PM.

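The ComboFix log above lists a `$NtUninstallKB64258$` folder whose contents (a numeric subfolder holding an `@` file plus `U` and `L` directories) do not look like a genuine hotfix-uninstall folder. The following added example, which is not part of the thread or of ComboFix, parses the log's parenthesised section headers and flags `$NtUninstallKB…$` roots with that layout; the sample input is a constructed excerpt of the posted log plus one constructed, placeholder-numbered benign folder for contrast.

```python
import re

# Constructed sample input: an excerpt of the "Other Deletions" section from the
# ComboFix log posted in this thread, plus a constructed benign hotfix-uninstall
# folder (placeholder KB number) that holds the usual spuninst files.
SAMPLE_COMBOFIX = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\$NtUninstallKB64258$
c:\windows\$NtUninstallKB64258$\1921288582\@
c:\windows\$NtUninstallKB64258$\1921288582\bckfg.tmp
c:\windows\$NtUninstallKB64258$\1921288582\cfg.ini
c:\windows\$NtUninstallKB64258$\1921288582\L\iopiovam
c:\windows\$NtUninstallKB64258$\1921288582\U\00000001.@
c:\windows\$NtUninstallKB64258$\1921288582\U\80000032.@
c:\windows\$NtUninstallKB64258$\2301715402
c:\windows\$NtUninstallKB000000$\spuninst\spuninst.exe
.
((((((((((((((((((((((((( Files Created from 2011-12-24 to 2012-01-24 )))))))))))))))))))))))))))))))
.
2012-01-23 17:43 . 2012-01-23 17:43 -------- d--h--w- c:\windows\PIF
"""

# ComboFix wraps each section name in runs of parentheses.
SECTION_RE = re.compile(r"^\(+\s*(?P<name>.+?)\s*\)+$")
# Split a path into the $NtUninstallKB<n>$ root and whatever lies beneath it.
KB_ROOT_RE = re.compile(
    r"^(?P<root>.*?\\\$ntuninstallkb\d+\$)(?:\\(?P<rest>.*))?$", re.IGNORECASE
)


def parse_sections(text):
    """Split a ComboFix log into {section name: [lines]}, dropping the lone '.'
    padding lines ComboFix emits between entries."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def zeroaccess_suspects(paths):
    """Group paths by $NtUninstallKB<n>$ root and record the layout markers found
    under each one. A genuine hotfix-uninstall folder contains 'spuninst'; a root
    that instead holds a numeric subfolder with '@' files and 'U'/'L' directories
    matches the layout ComboFix removed in the log above and is marked suspicious."""
    by_root = {}
    for p in paths:
        m = KB_ROOT_RE.match(p)
        if not m:
            continue
        root = m.group("root").lower()
        info = by_root.setdefault(root, {"markers": set(), "suspicious": False})
        rest = m.group("rest")
        parts = rest.lower().split("\\") if rest else []
        if parts and parts[0].isdigit():
            info["markers"].add("numeric_subdir")
        if parts and (parts[-1] == "@" or parts[-1].endswith(".@")):
            info["markers"].add("at_file")
        for d in parts[:-1]:
            if d in ("u", "l"):
                info["markers"].add(d + "_dir")
        if "spuninst" in parts:
            info["markers"].add("spuninst")
    for info in by_root.values():
        marks = info["markers"]
        info["suspicious"] = (
            "numeric_subdir" in marks
            and bool(marks & {"at_file", "u_dir", "l_dir"})
            and "spuninst" not in marks
        )
        info["markers"] = sorted(marks)
    return by_root


if __name__ == "__main__":
    deletions = parse_sections(SAMPLE_COMBOFIX)["Other Deletions"]
    for root, info in zeroaccess_suspects(deletions).items():
        flag = "SUSPICIOUS" if info["suspicious"] else "ok"
        print(f"{flag:10} {root}  markers={info['markers']}")
```

The same parser can be pointed at a saved ComboFix.txt by reading the file in place of SAMPLE_COMBOFIX; only the "Other Deletions" and "Files Created" sections are needed for this check.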

#11 CalmWaters

CalmWaters
  • Topic Starter
  • Members
  • 32 posts
  • Gender:Male

Posted 24 January 2012 - 05:20 PM

I re-ran the Gmer tool to see what might still be remaining following the combofix tool:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-01-24 17:05:24
Windows 5.1.2600 Service Pack 3
Running: dbdes3ll.exe; Driver: C:\DOCUME~1\Isabella\LOCALS~1\Temp\pxtdrpob.sys


---- Files - GMER 1.0.15 ----

File C:\## aswSnx private storage 0 bytes
File C:\## aswSnx private storage\snx_rhive 262144 bytes
File C:\## aswSnx private storage\snx_rhive.LOG 1024 bytes
File C:\## aswSnx private storage\webStorage 0 bytes
File C:\## aswSnx private storage\webStorage\attrib 0 bytes
File C:\## aswSnx private storage\webStorage\image 0 bytes
File C:\## aswSnx private storage\webStorage\image\32788R22FWJFW 0 bytes
File C:\## aswSnx private storage\webStorage\image\32788R22FWJFW\License 0 bytes
File C:\## aswSnx private storage\webStorage\snx_fs.dat 360 bytes

---- EOF - GMER 1.0.15 ----


What do I need to do to clean these "new files"?

And here is the output from the Farbar Service Scanner:

Farbar Service Scanner Version: 18-01-2012 01
Ran by Isabella (administrator) on 24-01-2012 at 17:12:20
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
===========

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
aswTdi(8) Gpc(6) IPSec(4) NetBT(6) PSched(7) Tcpip(3)
0x080000000400000001000000020000000300000008000000050000000600000007000000
IpSec Tag value is correct.

**** End of log ****

Thank you again for your help!

#12 nasdaq

nasdaq

  • Malware Response Team
  • 40,197 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 25 January 2012 - 09:40 AM

Your logs are clean.
===

File C:\## aswSnx private storage 0 bytes
File C:\## aswSnx private storage\snx_rhive 262144 bytes
File C:\## aswSnx private storage\snx_rhive.LOG 1024 bytes
File C:\## aswSnx private storage\webStorage 0 bytes
File C:\## aswSnx private storage\webStorage\attrib 0 bytes
File C:\## aswSnx private storage\webStorage\image 0 bytes
File C:\## aswSnx private storage\webStorage\image\32788R22FWJFW 0 bytes
File C:\## aswSnx private storage\webStorage\image\32788R22FWJFW\License 0 bytes
File C:\## aswSnx private storage\webStorage\snx_fs.dat 360 bytes

What do I need to do to clean these "new files"?


These were probably created by aswMBR.exe from Avast. I would not worry about them unless they are creating problems.

p.s.
Delete the files in the AVAST quarantine folder. They may be removed. Not sure.
===

Third-party programs, if not up to date, can be the cause of infiltration of an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please let me know also of any remaining issues with this computer.

#13 CalmWaters

CalmWaters
  • Topic Starter
  • Members
  • 32 posts
  • Gender:Male

Posted 25 January 2012 - 11:14 AM

Results of screen317's Security Check version 0.99.30
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
avast! Free Antivirus
AVG PC Tuneup 2011
```````````````````````````````
Anti-malware/Other Utilities Check:

AVG PC Tuneup 2011
Java™ 6 Update 30
Adobe Flash Player 11.1.102.55
Adobe Reader 9 Adobe Reader out of date!
Mozilla Firefox (9.0.1)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Alwil Software Avast5 AvastSvc.exe
Alwil Software Avast5 AvastUI.exe
``````````End of Log````````````

#14 CalmWaters

CalmWaters
  • Topic Starter
  • Members
  • 32 posts
  • Gender:Male

Posted 25 January 2012 - 11:28 AM

These were probably created by aswMBR.exe from Avast. I would not worry about them unless they are creating problems.

p.s.
Delete the files in AVAST quarantine folder. They may be removed. Not sure.


I deleted all the entries from Avast's Virus Chest and then re-ran GMer:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-01-25 11:21:03
Windows 5.1.2600 Service Pack 3
Running: dbdes3ll.exe; Driver: C:\DOCUME~1\Isabella\LOCALS~1\Temp\pxtdrpob.sys


---- Files - GMER 1.0.15 ----

File C:\## aswSnx private storage 0 bytes
File C:\## aswSnx private storage\snx_rhive 262144 bytes
File C:\## aswSnx private storage\snx_rhive.LOG 1024 bytes
File C:\## aswSnx private storage\webStorage 0 bytes
File C:\## aswSnx private storage\webStorage\attrib 0 bytes
File C:\## aswSnx private storage\webStorage\image 0 bytes
File C:\## aswSnx private storage\webStorage\image\32788R22FWJFW 0 bytes
File C:\## aswSnx private storage\webStorage\image\32788R22FWJFW\License 0 bytes
File C:\## aswSnx private storage\webStorage\snx_fs.dat 360 bytes

---- EOF - GMER 1.0.15 ----


FYI, I was not ever able to run the aswMBR tool that I downloaded to the desktop.
I double clicked on the icon but I never saw any windows or indication that it did anything.
In the same way, TDSSkiller tool never produced any windows when I tried to run it.

At this point, is it important to get these programs to run and get information from them?

Thank you again for all of your help!

#15 nasdaq

nasdaq

  • Malware Response Team
  • 40,197 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 25 January 2012 - 02:12 PM

Get the latest version of the Adobe Reader.
http://get.adobe.com/reader/
Before you download, I suggest you uncheck the box on the top right, "Include in your download"; this is not required. While the installation is in progress you can also deny the installation of any other programs that may be suggested.

When installed remove your old version of the Reader using the Add/Remove Programs applet if present.
===

File C:\## aswSnx private storage 0 bytes
File C:\## aswSnx private storage\snx_rhive 262144 bytes
File C:\## aswSnx private storage\snx_rhive.LOG 1024 bytes
File C:\## aswSnx private storage\webStorage 0 bytes
File C:\## aswSnx private storage\webStorage\attrib 0 bytes
File C:\## aswSnx private storage\webStorage\image 0 bytes
File C:\## aswSnx private storage\webStorage\image\32788R22FWJFW 0 bytes
File C:\## aswSnx private storage\webStorage\image\32788R22FWJFW\License 0 bytes
File C:\## aswSnx private storage\webStorage\snx_fs.dat 360 bytes


If you can find the files you can delete them.
===

At this point, is it important to get these programs to run and get information from them?

No unless you are still having some issues with your computer.

===

If all is well: Time for some housekeeping

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bold text into the Run box and click OK:

ComboFix /Uninstall
===

Delete the other tools we used.

Surf Safely, and Think Prevention!
