
Infected with Bamital!dat


  • This topic is locked
16 replies to this topic

#1 fredgd

  • Members
  • 8 posts

Posted 21 January 2012 - 09:12 AM

Hello,
Shortly after startup, Microsoft Security Essentials (MSE) finds Bamital!dat. It goes through a quarantine and "removal" process. Upon cleaning this code, it requests "to finish cleaning, a restart is required", at which point I allow the restart. Shortly after startup, MSE finds Bamital!dat. Lather, rinse, repeat. MSE is successfully detecting the item, but fails to remove it.

MSE details:
Security Essentials encountered the following error: Error code 0x800704ec. This program is blocked by group policy. For more information, contact your system administrator.

Category: Trojan

Description: This program is dangerous and executes commands from an attacker.

Recommended action: Remove this software immediately.

Security Essentials detected programs that may compromise your privacy or damage your computer. You can still access the files that these programs use without removing them (not recommended). To access these files, select the Allow action and click Apply actions. If this option is not available, log on as administrator or ask the security administrator for help.

Items:
file:C:\Windows\system32\hlp.dat


I've also tried:
Malwarebytes, which doesn't find it.
Kaspersky rootkit tool came up clean.
Windows Defender edition where you create a bootable DVD and it runs a bare-bones version of Defender. Same story as MSE: it finds it but can't remove it due to group policy.

Which brings me up to date; I much appreciate any help that the community can suggest!

Thank you,
Fred



DDS Log here:
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_30
Run by Kelsey at 21:59:31 on 2012-01-20
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2430.1056 [GMT -8:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\system32\taskhost.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Application Updater\ApplicationUpdater.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k HPZ12
C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Tablet\ISD\ISD_Tablet.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Camera Assistant Software for Gateway\traybar.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\ASUS\EeeNoteSync\EeeNoteSync.exe
C:\Program Files\Tablet\CalibrationAssistant.exe
C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Camera Assistant Software for Gateway\CEC_MAIN.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\DllHost.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\notepad.exe
C:\Program Files\Apple Software Update\SoftwareUpdate.exe
C:\Program Files\Real\RealPlayer\update\realsched.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.bing.com/?pc=ZUGO&form=ZGAPHP
uInternet Settings,ProxyOverride = <local>;*.local
uURLSearchHooks: pdfforge Toolbar: {b922d405-6d13-4a2b-ae89-08a030da4402} - c:\program files\pdfforge toolbar\ie\4.9\pdfforgeToolbarIE.dll
uURLSearchHooks: YTNavAssist.YTNavAssistPlugin Class: {81017ea9-9aa8-4a6a-9734-7af40e7d593f} - c:\program files\yahoo!\companion\installs\cpn1\YTNavAssist.dll
mURLSearchHooks: YTNavAssist.YTNavAssistPlugin Class: {81017ea9-9aa8-4a6a-9734-7af40e7d593f} - c:\program files\yahoo!\companion\installs\cpn1\YTNavAssist.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: pdfforge Toolbar: {b922d405-6d13-4a2b-ae89-08a030da4402} - c:\program files\pdfforge toolbar\ie\4.9\pdfforgeToolbarIE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn1\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: pdfforge Toolbar: {b922d405-6d13-4a2b-ae89-08a030da4402} - c:\program files\pdfforge toolbar\ie\4.9\pdfforgeToolbarIE.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
TB: {13B9BCC3-03D7-4971-86F6-A38A9A43A141} - No File
TB: {30F9B915-B755-4826-820B-08FBA6BD249D} - No File
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Google Update] "c:\users\kelsey\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [Camera Assistant Software] "c:\program files\camera assistant software for gateway\traybar.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [EeeNoteSync] "c:\program files\asus\eeenotesync\EeeNoteSync.exe" hide
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [<NO NAME>]
mRun: [SearchSettings] "c:\program files\common files\spigot\search settings\SearchSettings.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\whites~1.lnk - c:\users\kelsey\downloads\WhiteSmokeWriterGeo5002_en.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Save YouTube Video
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {E0B8C461-F8FB-49b4-8373-FE32E92528A6} - {BC0E0A5D-AB5A-4fa4-A5FA-280E1D58EEEE} - c:\program files\evernote\evernote3.5\enbar.dll
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} - hxxp://support.gateway.com/support/serialharvest/gwCID.CAB
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D821DC4A-0814-435E-9820-661C543A4679} - hxxp://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{6C114689-FC2C-45CF-ABBF-DAF849FC3001} : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{6C114689-FC2C-45CF-ABBF-DAF849FC3001}\0756162737F6E637 : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{6C114689-FC2C-45CF-ABBF-DAF849FC3001}\16474777966696 : DhcpNameServer = 192.168.5.1
TCP: Interfaces\{6C114689-FC2C-45CF-ABBF-DAF849FC3001}\C4E435 : DhcpNameServer = 10.77.0.96
TCP: Interfaces\{6C114689-FC2C-45CF-ABBF-DAF849FC3001}\D4944502355434552554 : DhcpNameServer = 18.71.0.151 18.70.0.160 18.72.0.3
TCP: Interfaces\{6C114689-FC2C-45CF-ABBF-DAF849FC3001}\D49445027455543545 : DhcpNameServer = 18.71.0.151 18.70.0.160 18.72.0.3
TCP: Interfaces\{925D4C3F-540E-41C2-ABE3-C3F997ABE717} : DhcpNameServer = 137.112.4.196 137.112.5.28 137.112.12.11
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\kelsey\appdata\roaming\mozilla\firefox\profiles\aadlkce3.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/#
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=302398&p=
FF - component: c:\program files\common files\spigot\wtxpcom\components\WidgiToolbarFF.dll
FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npclntax_ClickPotatoLiteSA.dll
FF - plugin: c:\program files\tabletplugins\npwacom.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\users\kelsey\appdata\local\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\users\kelsey\appdata\local\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
FF - plugin: c:\users\kelsey\appdata\roaming\facebook\npfbplugin_1_0_3.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: YouTube mp3: info@youtube-mp3.org - %profile%\extensions\info@youtube-mp3.org
FF - Ext: Personas: personas@christopher.beard - %profile%\extensions\personas@christopher.beard
FF - Ext: tab-search: tab@search.com - %profile%\extensions\tab@search.com
FF - Ext: Delicious Bookmarks: {2fa4ed95-0317-4c6a-a74c-5f3e3912c1f9} - %profile%\extensions\{2fa4ed95-0317-4c6a-a74c-5f3e3912c1f9}
FF - Ext: PDF Download: {37E4D8EA-8BDA-4831-8EA1-89053939A250} - %profile%\extensions\{37E4D8EA-8BDA-4831-8EA1-89053939A250}
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\programdata\real\realplayer\browserrecordplugin\firefox\Ext
.
---- FIREFOX POLICIES ----
.
FF - user.js: search.clsid - {74DF0824-4A7F-4110-9CA2-4476964B075A}
FF - user.js: search.sid - 15101055100
FF - user.js: extensions.newAddons - false
============= SERVICES / DRIVERS ===============
.
R1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\rsdrv.sys [2011-7-22 22312]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R1 SASDIFSV;SASDIFSV;c:\users\kelsey\appdata\local\temp\sas_selfextract\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\users\kelsey\appdata\local\temp\sas_selfextract\saskutil.sys [2011-7-12 67664]
R2 Application Updater;Application Updater;c:\program files\application updater\ApplicationUpdater.exe [2011-12-14 748440]
R2 TabletServiceISD;TabletServiceISD;c:\program files\tablet\isd\ISD_Tablet.exe [2011-9-12 4727152]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2011-4-18 43392]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2011-4-27 65024]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2011-4-27 208944]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-6-10 139776]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [2009-6-10 347136]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-5-17 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-2-26 1343400]
S3 wmamp3DriverV32;wmamp3DriverV32;c:\windows\system32\drivers\wmamp3DriverV32.sys [2010-6-24 23096]
S3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [2010-6-24 25704]
S3 WsAudio_DeviceS(2);WsAudio_DeviceS(2);c:\windows\system32\drivers\WsAudio_DeviceS(2).sys [2010-6-24 25704]
S3 WsAudio_DeviceS(3);WsAudio_DeviceS(3);c:\windows\system32\drivers\WsAudio_DeviceS(3).sys [2010-6-24 25704]
S3 WsAudio_DeviceS(4);WsAudio_DeviceS(4);c:\windows\system32\drivers\WsAudio_DeviceS(4).sys [2010-6-24 25704]
S3 WsAudio_DeviceS(5);WsAudio_DeviceS(5);c:\windows\system32\drivers\WsAudio_DeviceS(5).sys [2010-6-24 25704]
.
=============== Created Last 30 ================
.
2012-01-21 04:27:01 6557240 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{e5094e9a-bb44-46ee-916b-d45fcb473094}\mpengine.dll
2012-01-17 04:21:45 -------- d-----w- c:\windows\Microsoft Antimalware
2012-01-17 04:21:26 -------- d-----w- c:\windows\Windows Defender Offline
2012-01-16 03:00:26 -------- d-----w- c:\users\kelsey\appdata\roaming\SUPERAntiSpyware.com
2012-01-16 03:00:26 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-01-14 14:48:28 -------- d-----w- c:\program files\iPod
2012-01-14 14:48:26 -------- d-----w- c:\program files\iTunes
2012-01-14 14:45:40 -------- d-----w- c:\program files\Bonjour
2012-01-13 14:22:23 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-01-13 14:22:23 369352 ----a-w- c:\windows\system32\drivers\cng.sys
2012-01-13 14:22:23 22528 ----a-w- c:\windows\system32\lsass.exe
2012-01-13 14:22:23 224768 ----a-w- c:\windows\system32\schannel.dll
2012-01-13 14:22:23 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-01-13 14:22:23 1038848 ----a-w- c:\windows\system32\lsasrv.dll
2012-01-13 14:22:22 314880 ----a-w- c:\windows\system32\webio.dll
2012-01-13 14:22:22 22016 ----a-w- c:\windows\system32\secur32.dll
2012-01-13 14:22:22 15872 ----a-w- c:\windows\system32\sspisrv.dll
2012-01-13 14:22:22 100352 ----a-w- c:\windows\system32\sspicli.dll
2012-01-12 15:33:00 -------- d-----w- c:\windows\system32\SPReview
2012-01-12 14:53:16 6557240 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-01-11 08:28:16 703824 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{24008e2d-fd58-440d-8a5d-96b5362dbe6f}\gapaengine.dll
2012-01-11 08:20:08 -------- d-----w- c:\program files\Microsoft Security Client
2012-01-11 02:04:01 1288472 ----a-w- c:\windows\system32\ntdll.dll
2012-01-11 02:03:58 67072 ----a-w- c:\windows\system32\packager.dll
2012-01-11 02:03:55 1328128 ----a-w- c:\windows\system32\quartz.dll
2012-01-11 02:03:54 514560 ----a-w- c:\windows\system32\qdvd.dll
2012-01-11 02:01:49 6823496 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{5bff57e6-9938-4877-ae47-e574f32eb4b2}\mpengine.dll
2012-01-09 10:24:11 -------- d-----w- c:\windows\system32\EventProviders
2012-01-09 10:23:59 -------- d-----w- C:\9778c5c1320aacb3c406c14a14df2e7c
2012-01-09 08:34:03 -------- d-----w- c:\program files\pdfforge Toolbar
2012-01-09 08:34:03 -------- d-----w- c:\program files\common files\Spigot
2012-01-09 08:34:03 -------- d-----w- c:\program files\Application Updater
2012-01-09 01:07:09 1290608 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-01-08 19:42:21 158056 ----a-w- c:\programdata\microsoft\windows\sqm\manifest\Sqm10139.bin
2012-01-03 16:22:02 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2012-01-03 16:22:02 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
.
==================== Find3M ====================
.
2012-01-12 15:49:37 152576 ----a-w- c:\windows\system32\msclmd.dll
2012-01-11 08:25:10 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-10 23:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-24 04:25:27 2342912 ----a-w- c:\windows\system32\win32k.sys
2011-11-15 19:29:56 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-11-10 13:54:13 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-11-05 04:35:00 981504 ----a-w- c:\windows\system32\wininet.dll
2011-11-05 04:26:03 2048 ----a-w- c:\windows\system32\tzres.dll
2011-11-05 02:48:51 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-10-26 04:47:40 3967856 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-26 04:47:40 3912560 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-26 04:28:12 38912 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-24 22:29:02 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 22:29:02 69632 ----a-w- c:\windows\system32\QuickTime.qts
.
============= FINISH: 22:00:42.96 ===============
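As an added triage example that is not part of this thread and not a tool from the DDS author: the script below parses the shape of the DDS output posted above (the "Run by ... at ... on ..." header, the uRun/mRun autostart entries, and the timestamped "Created Last 30" / "Find3M" file lines) into structured records and then lists two things a responder checks first, files under System32 created shortly before the scan and Run values that are empty or register one command under several names. The sample lines are constructed from post #1; the field layout (date, time, size or dashes, attribute flags, path) is my reading of the log rather than a documented format; and nothing it lists is a verdict, since dated Windows Update batches and duplicate cleanup entries look exactly like the benign ones here.

```python
"""Small triage helper for DDS-style logs (added example, not the DDS tool's own code).

Assumption: each file line is "<date> <time> <size|dashes> <8 attribute flags> <path>",
and each autostart line is "uRun: [name] command" (per-user) or "mRun: [name] command"
(machine-wide). That is read off the posted log, not taken from a specification.
"""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample modelled on the DDS output in post #1 (a handful of lines, not the full log).
SAMPLE_DDS = r"""
DDS (Ver_2011-08-26.01) - NTFSx86
Run by Kelsey at 21:59:31 on 2012-01-20
============== Pseudo HJT Report ===============
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [<NO NAME>]
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
=============== Created Last 30 ================
2012-01-13 14:22:23 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-01-13 14:22:23 22528 ----a-w- c:\windows\system32\lsass.exe
2012-01-09 10:23:59 -------- d-----w- C:\9778c5c1320aacb3c406c14a14df2e7c
2012-01-03 16:22:02 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
============= FINISH: 22:00:42.96 ===============
"""


@dataclass
class FileEntry:
    created: datetime
    size: Optional[int]      # None for directories (DDS prints dashes instead of a size)
    attrs: str               # e.g. "----a-w-" for a file, "d-----w-" for a directory
    path: str


@dataclass
class RunEntry:
    scope: str               # "u" = per-user hive, "m" = machine hive, as DDS labels them
    name: str
    command: Optional[str]   # None when the value carries no data, e.g. "mRun: [<NO NAME>]"


FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d+|-+) ([-a-z]{8}) (.+)$")
RUN_RE = re.compile(r"^([um])Run: \[([^\]]*)\](?: (.*))?$")
SCAN_TIME_RE = re.compile(r"^Run by .+ at (\d{2}:\d{2}:\d{2}) on (\d{4}-\d{2}-\d{2})$")


def parse_scan_time(text: str) -> Optional[datetime]:
    """Return the moment the scan ran, taken from the 'Run by ... at ... on ...' header."""
    for line in text.splitlines():
        m = SCAN_TIME_RE.match(line.strip())
        if m:
            return datetime.strptime(f"{m.group(2)} {m.group(1)}", "%Y-%m-%d %H:%M:%S")
    return None


def parse_file_entries(text: str) -> list:
    """Collect the timestamped file/directory lines; lines in any other shape are ignored."""
    entries = []
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if not m:
            continue
        size = None if m.group(2).startswith("-") else int(m.group(2))
        created = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        entries.append(FileEntry(created, size, m.group(3), m.group(4)))
    return entries


def parse_run_entries(text: str) -> list:
    """Collect the uRun/mRun autostart lines."""
    runs = []
    for line in text.splitlines():
        m = RUN_RE.match(line.strip())
        if m:
            runs.append(RunEntry(m.group(1), m.group(2), m.group(3)))
    return runs


def recent_system32_files(entries, reference: datetime, window_days: int = 14) -> list:
    """Files (not directories) under the System32 tree created within the window before the scan.
    Patch batches look like this too (several files sharing one timestamp), so this lists, it does not convict."""
    cutoff = reference - timedelta(days=window_days)
    return [e.path for e in entries
            if e.size is not None
            and "\\windows\\system32\\" in e.path.lower()
            and e.created >= cutoff]


def run_entry_anomalies(runs) -> dict:
    """Run-key oddities worth a look: values with no command, and one command registered under
    several names (the two Malwarebytes cleanup entries in the posted log are a benign instance)."""
    unnamed = [r.name for r in runs if not r.command]
    counts = Counter(r.command for r in runs if r.command)
    duplicates = [cmd for cmd, n in counts.items() if n > 1]
    return {"unnamed": unnamed, "duplicate_commands": duplicates}


if __name__ == "__main__":
    scanned = parse_scan_time(SAMPLE_DDS)
    files = parse_file_entries(SAMPLE_DDS)
    print("scan time:", scanned)
    for p in recent_system32_files(files, scanned):
        print("recent System32 file:", p)
    print(run_entry_anomalies(parse_run_entries(SAMPLE_DDS)))
```

To use it on a real post, replace SAMPLE_DDS with the pasted DDS text; the ComboFix log later in this thread uses a different line layout (two timestamps, no seconds) and is deliberately not matched by these expressions.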


#2 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts
  • Gender:Male

Posted 21 January 2012 - 11:37 AM

Hello and welcome. Please follow these guidelines while we work on your PC:
  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I've given you the "All clear." Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.
P2P - I see you have P2P software (uTorrent) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to malware infections. Please see this post for more information. I recommend that you uninstall these now. You can do so via Control Panel >> Add or Remove Programs. If you choose to keep these applications, please do not use them until our fixes are complete.

Download Combofix from either of the links below, and save it to your desktop.

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • If you have trouble, stop and post back. Do not try to repeatedly run ComboFix!
  • When finished, it will produce a report for you.

Please include the following in your next post:
  • ComboFix log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#3 fredgd
  • Topic Starter

  • Members
  • 8 posts

Posted 21 January 2012 - 12:46 PM

Hi,
Combo Fix seems to have stalled:

Windows dialog box error said: Pev.3XE has stopped working. "A problem caused the program to stop working correctly. Windows will close the program and notify you...."

ComboFix box said "this scan usually takes 10 minutes or less. badly infected systems can take longer...." After an hour, it hadn't made any visible progress. When I went to Internet Explorer to post this response, Explorer was not connecting. I will need to reboot, I think, to get connectivity again. Meanwhile, I'm posting this from another computer and the infected one hasn't been rebooted yet.

Thanks,
Fred

#4 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts
  • Gender:Male

Posted 21 January 2012 - 02:08 PM

Fred,

Go ahead and reboot it, then boot into the safe mode and try running ComboFix again.



#5 fredgd
  • Topic Starter

  • Members
  • 8 posts

Posted 21 January 2012 - 11:00 PM

OK, success running ComboFix. The same error came up, but ComboFix seemed to move all the way through. Here's the log,
Thanks

ComboFix 12-01-21.01 - Kelsey 01/21/2012 19:29:35.5.2 - x86 MINIMAL
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2430.1585 [GMT -8:00]
Running from: c:\users\Kelsey\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Kelsey\AppData\Roaming\Mozilla\Firefox\Profiles\aadlkce3.default\searchplugins\bing-zugo.xml
c:\users\Kelsey\Documents\~WRL0003.tmp
c:\users\Kelsey\Documents\~WRL1898.tmp
.
.
((((((((((((((((((((((((( Files Created from 2011-12-22 to 2012-01-22 )))))))))))))))))))))))))))))))
.
.
2012-01-22 03:42 . 2012-01-22 03:43 -------- d-----w- c:\users\Kelsey\AppData\Local\temp
2012-01-22 03:42 . 2012-01-22 03:42 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2012-01-22 03:42 . 2012-01-22 03:42 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-01-22 03:42 . 2012-01-22 03:42 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-22 03:27 . 2012-01-22 03:27 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E5094E9A-BB44-46EE-916B-D45FCB473094}\offreg.dll
2012-01-21 04:27 . 2012-01-06 04:19 6557240 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E5094E9A-BB44-46EE-916B-D45FCB473094}\mpengine.dll
2012-01-17 04:21 . 2012-01-17 04:21 -------- d-----w- c:\windows\Microsoft Antimalware
2012-01-17 04:21 . 2012-01-17 04:21 -------- d-----w- c:\windows\Windows Defender Offline
2012-01-16 03:00 . 2012-01-16 03:00 -------- d-----w- c:\users\Kelsey\AppData\Roaming\SUPERAntiSpyware.com
2012-01-16 03:00 . 2012-01-16 03:00 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-01-14 21:13 . 2012-01-14 21:13 -------- d-----w- c:\program files\Safari
2012-01-14 14:48 . 2012-01-14 14:48 -------- d-----w- c:\program files\iPod
2012-01-14 14:48 . 2012-01-14 14:49 -------- d-----w- c:\program files\iTunes
2012-01-14 14:45 . 2012-01-14 14:45 -------- d-----w- c:\program files\Bonjour
2012-01-13 14:22 . 2011-11-17 05:41 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-01-13 14:22 . 2011-11-17 05:41 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-01-13 14:22 . 2011-11-17 05:39 369352 ----a-w- c:\windows\system32\drivers\cng.sys
2012-01-13 14:22 . 2011-11-17 05:34 224768 ----a-w- c:\windows\system32\schannel.dll
2012-01-13 14:22 . 2011-11-17 05:32 1038848 ----a-w- c:\windows\system32\lsasrv.dll
2012-01-13 14:22 . 2011-11-17 05:29 22528 ----a-w- c:\windows\system32\lsass.exe
2012-01-13 14:22 . 2011-11-17 05:35 314880 ----a-w- c:\windows\system32\webio.dll
2012-01-13 14:22 . 2011-11-17 05:34 15872 ----a-w- c:\windows\system32\sspisrv.dll
2012-01-13 14:22 . 2011-11-17 05:34 100352 ----a-w- c:\windows\system32\sspicli.dll
2012-01-13 14:22 . 2011-11-17 05:34 22016 ----a-w- c:\windows\system32\secur32.dll
2012-01-12 15:33 . 2012-01-12 15:33 -------- d-----w- c:\windows\system32\SPReview
2012-01-12 14:53 . 2012-01-06 04:19 6557240 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-01-11 08:28 . 2011-10-04 22:22 703824 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{24008E2D-FD58-440D-8A5D-96B5362DBE6F}\gapaengine.dll
2012-01-11 08:20 . 2012-01-11 08:20 -------- d-----w- c:\program files\Microsoft Security Client
2012-01-11 02:04 . 2011-11-17 05:38 1288472 ----a-w- c:\windows\system32\ntdll.dll
2012-01-11 02:03 . 2011-11-19 14:01 67072 ----a-w- c:\windows\system32\packager.dll
2012-01-11 02:03 . 2011-10-26 04:32 1328128 ----a-w- c:\windows\system32\quartz.dll
2012-01-11 02:03 . 2011-10-26 04:32 514560 ----a-w- c:\windows\system32\qdvd.dll
2012-01-11 02:01 . 2011-11-21 10:47 6823496 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{5BFF57E6-9938-4877-AE47-E574F32EB4B2}\mpengine.dll
2012-01-09 10:24 . 2012-01-09 10:24 -------- d-----w- c:\windows\system32\EventProviders
2012-01-09 10:23 . 2012-01-09 10:24 -------- d-----w- C:\9778c5c1320aacb3c406c14a14df2e7c
2012-01-09 08:34 . 2012-01-09 08:34 -------- d-----w- c:\program files\pdfforge Toolbar
2012-01-09 08:34 . 2012-01-09 08:34 -------- d-----w- c:\program files\Application Updater
2012-01-09 08:34 . 2012-01-09 08:34 -------- d-----w- c:\program files\Common Files\Spigot
2012-01-09 01:07 . 2011-09-29 16:03 1290608 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-01-08 19:42 . 2012-01-08 19:42 158056 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10139.bin
2012-01-03 16:22 . 2012-01-03 16:22 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2012-01-03 16:22 . 2012-01-03 16:22 103864 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-12 15:49 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
2012-01-11 08:25 . 2011-06-20 16:41 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-10 23:24 . 2010-04-27 00:13 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-15 19:29 . 2009-10-31 22:10 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-11-10 13:54 . 2010-10-13 23:08 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-24 22:29 . 2011-10-24 22:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 22:29 . 2011-10-24 22:29 69632 ----a-w- c:\windows\system32\QuickTime.qts
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files\Yahoo!\Companion\Installs\cpn1\YTNavAssist.dll" [2011-03-16 214840]
.
[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[HKEY_CLASSES_ROOT\YTNavAssist.YTNavAssistPlugin.1]
[HKEY_CLASSES_ROOT\TypeLib\{A31F34A1-EBD2-45A2-BF6D-231C1B987CC8}]
[HKEY_CLASSES_ROOT\YTNavAssist.YTNavAssistPlugin]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-07-21 61440]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Gateway\traybar.exe" [2007-06-30 638976]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-12-25 981680]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-01-07 1797488]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-12-25 981680]
"EeeNoteSync"="c:\program files\ASUS\EeeNoteSync\EeeNoteSync.exe" [2011-02-28 1934000]
"TkBellExe"="c:\program files\Real\RealPlayer\Update\realsched.exe" [2011-10-14 273528]
"SearchSettings"="c:\program files\Common Files\Spigot\Search Settings\SearchSettings.exe" [2011-12-13 922976]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2010-12-25 113664]
WhiteSmoke Translator.lnk - c:\users\Kelsey\Downloads\WhiteSmokeWriterGeo5002_en.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R0 tclondrv;tclondrv;c:\windows\system32\DRIVERS\tclondrv.sys [x]
R1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\rsdrv.sys [2009-02-12 22312]
R1 SASDIFSV;SASDIFSV;c:\users\Kelsey\AppData\Local\Temp\SAS_SelfExtract\SASDIFSV.SYS [x]
R1 SASKUTIL;SASKUTIL;c:\users\Kelsey\AppData\Local\Temp\SAS_SelfExtract\SASKUTIL.SYS [x]
R2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [2011-12-14 748440]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 TabletServiceISD;TabletServiceISD;c:\program files\Tablet\ISD\ISD_Tablet.exe [2010-11-23 4727152]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2011-04-18 43392]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2011-04-27 65024]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 208944]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys [2009-07-13 347136]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-02-27 1343400]
R3 wmamp3DriverV32;wmamp3DriverV32;c:\windows\system32\drivers\wmamp3DriverV32.sys [2010-06-16 23096]
R3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [2010-02-23 25704]
R3 WsAudio_DeviceS(2);WsAudio_DeviceS(2);c:\windows\system32\drivers\WsAudio_DeviceS(2).sys [2010-02-23 25704]
R3 WsAudio_DeviceS(3);WsAudio_DeviceS(3);c:\windows\system32\drivers\WsAudio_DeviceS(3).sys [2010-02-23 25704]
R3 WsAudio_DeviceS(4);WsAudio_DeviceS(4);c:\windows\system32\drivers\WsAudio_DeviceS(4).sys [2010-02-23 25704]
R3 WsAudio_DeviceS(5);WsAudio_DeviceS(5);c:\windows\system32\drivers\WsAudio_DeviceS(5).sys [2010-02-23 25704]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2932146853-1447282935-1446039630-1001Core.job
- c:\users\Kelsey\AppData\Local\Google\Update\GoogleUpdate.exe [2010-11-15 23:59]
.
2012-01-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2932146853-1447282935-1446039630-1001UA.job
- c:\users\Kelsey\AppData\Local\Google\Update\GoogleUpdate.exe [2010-11-15 23:59]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/?pc=ZUGO&form=ZGAPHP
uInternet Settings,ProxyOverride = <local>;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Save YouTube Video
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\users\Kelsey\AppData\Roaming\Mozilla\Firefox\Profiles\aadlkce3.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/#
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=302398&p=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: YouTube mp3: info@youtube-mp3.org - %profile%\extensions\info@youtube-mp3.org
FF - Ext: Personas: personas@christopher.beard - %profile%\extensions\personas@christopher.beard
FF - Ext: tab-search: tab@search.com - %profile%\extensions\tab@search.com
FF - Ext: Delicious Bookmarks: {2fa4ed95-0317-4c6a-a74c-5f3e3912c1f9} - %profile%\extensions\{2fa4ed95-0317-4c6a-a74c-5f3e3912c1f9}
FF - Ext: PDF Download: {37E4D8EA-8BDA-4831-8EA1-89053939A250} - %profile%\extensions\{37E4D8EA-8BDA-4831-8EA1-89053939A250}
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF - user.js: search.clsid - {74DF0824-4A7F-4110-9CA2-4476964B075A}
FF - user.js: search.sid - 15101055100
FF - user.js: extensions.newAddons - false
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{13B9BCC3-03D7-4971-86F6-A38A9A43A141} - (no file)
WebBrowser-{30F9B915-B755-4826-820B-08FBA6BD249D} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2012-01-21 19:44:40
ComboFix-quarantined-files.txt 2012-01-22 03:44
ComboFix2.txt 2010-10-02 18:08
ComboFix3.txt 2010-08-29 15:46
ComboFix4.txt 2010-07-01 03:43
ComboFix5.txt 2012-01-21 17:04
.
Pre-Run: 75,114,209,280 bytes free
Post-Run: 77,007,966,208 bytes free
.
- - End Of File - - 74221E36F6AAED04BF94443F5B1103C2

#6 RPMcMurphy (Malware Response Team)

Posted 21 January 2012 - 11:16 PM

fredgd:

Please do this next:

You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM
  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Uncheck any entries from C:\System Volume Information or C:\Qoobox
  • Make sure that everything else is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Please include the following in your next post:
  • MBAM log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member

The help you receive here is free. If you wish to show your appreciation, then you may donate.


#7 fredgd (Topic Starter)

Posted 22 January 2012 - 07:47 AM

Hi,
Here's the Malwarebytes log:

thanks! Fred



Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.22.01

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 8.0.7601.17514
Kelsey :: KELSEY-LAPTOP [administrator]

1/21/2012 8:49:14 PM
mbam-log-2012-01-21 (20-49-14).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 540853
Time elapsed: 2 hour(s), 33 minute(s), 42 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

#8 RPMcMurphy (Malware Response Team)

Posted 22 January 2012 - 11:50 AM

fredgd:

How is your computer running now? Please do this next:

Please go here to run an online scan with ESET.
  • Turn off the real-time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
  • Click on Advanced Settings and ensure these options are ticked:
      • Scan for potentially unwanted applications
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats', then click Export to text file...
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.
Please include the following in your next post:
  • How is the computer running now?
  • ESET log



#9 fredgd (Topic Starter)

Posted 22 January 2012 - 05:05 PM

Hi, I have not rebooted the computer since the ESET scan. It found threats, but I did not remove them yet. I believe the computer is running about the same, though I would need to reboot to be sure. I thought I'd await further instructions prior to rebooting.

Here is the eset log:

C:\Qoobox\Quarantine\C\Users\Kelsey\AppData\Local\Windows Server\hlp.dat.vir Win32/Bamital.DZ trojan
C:\Qoobox\Quarantine\C\Windows\system32\wininit.exe.vir Win32/Patched.FT trojan
C:\Users\Kelsey\AppData\Local\equxurivi.dll Win32/Adware.SpywareProtect2009 application
C:\Users\Kelsey\AppData\Local\udajevula.dll Win32/Adware.SpywareProtect2009 application
C:\Windows\System32\hlp.dat Win32/Bamital.DZ trojan
C:\Windows.old\Documents and Settings\Kelsey\AppData\Local\equxurivi.dll Win32/Adware.SpywareProtect2009 application
C:\Windows.old\Documents and Settings\Kelsey\AppData\Local\udajevula.dll Win32/Adware.SpywareProtect2009 application
C:\Windows.old\Users\Kelsey\AppData\Local\Application Data\equxurivi.dll Win32/Adware.SpywareProtect2009 application
C:\Windows.old\Users\Kelsey\AppData\Local\Application Data\udajevula.dll Win32/Adware.SpywareProtect2009 application
C:\Windows.old\Users\Kelsey\Local Settings\equxurivi.dll Win32/Adware.SpywareProtect2009 application
C:\Windows.old\Users\Kelsey\Local Settings\udajevula.dll Win32/Adware.SpywareProtect2009 application


thanks,
Fred

#10 RPMcMurphy (Malware Response Team)

Posted 22 January 2012 - 05:27 PM

fredgd:

Please do this then reboot and let me know how it seems:

Open Notepad (go to Start > All Programs > Accessories > Notepad; this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before and above File::

File::
C:\Users\Kelsey\AppData\Local\equxurivi.dll
C:\Users\Kelsey\AppData\Local\udajevula.dll
C:\Windows\System32\hlp.dat 
C:\Windows.old\Documents and Settings\Kelsey\AppData\Local\equxurivi.dll 
C:\Windows.old\Documents and Settings\Kelsey\AppData\Local\udajevula.dll 
C:\Windows.old\Users\Kelsey\AppData\Local\Application Data\equxurivi.dll 
C:\Windows.old\Users\Kelsey\AppData\Local\Application Data\udajevula.dll 
C:\Windows.old\Users\Kelsey\Local Settings\equxurivi.dll 
C:\Windows.old\Users\Kelsey\Local Settings\udajevula.dll

Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe.


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Please include the following in your next post:
  • How is the computer running now?
  • ComboFix log



#11 fredgd (Topic Starter)

Posted 22 January 2012 - 07:52 PM

Fantastic, there seems to be no "Bamital.dat" error when MSE starts up.

I ran ComboFix. I am unable to paste the ComboFix log into this window, however, because it's huge and Explorer has crashed about 6 times trying.
I then restarted the computer and, since MSE was still disabled, I re-enabled MSE and restarted again. No MSE Bamital!dat error screen this time.

Is there an important section of the ComboFix log I should post up here? Again, the whole thing is too large to post.

thanks,
Fred

#12 RPMcMurphy (Malware Response Team)

Posted 22 January 2012 - 08:28 PM

Try removing the entire ((((Snapshot))) section.



#13 fredgd (Topic Starter)

Posted 22 January 2012 - 08:33 PM

Here's the Combofix log, minus snapshot section:


ComboFix 12-01-21.02 - Kelsey 01/22/2012 14:57:39.6.2 - x86
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2430.1677 [GMT -8:00]
Running from: c:\users\Kelsey\Desktop\ComboFix.exe
Command switches used :: c:\users\Kelsey\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
FILE ::
"c:\users\Kelsey\AppData\Local\equxurivi.dll"
"c:\users\Kelsey\AppData\Local\udajevula.dll"
"c:\windows.old\Documents and Settings\Kelsey\AppData\Local\equxurivi.dll"
"c:\windows.old\Documents and Settings\Kelsey\AppData\Local\udajevula.dll"
"c:\windows.old\Users\Kelsey\AppData\Local\Application Data\equxurivi.dll"
"c:\windows.old\Users\Kelsey\AppData\Local\Application Data\udajevula.dll"
"c:\windows.old\Users\Kelsey\Local Settings\equxurivi.dll"
"c:\windows.old\Users\Kelsey\Local Settings\udajevula.dll"
"c:\windows\System32\hlp.dat"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Kelsey\AppData\Local\equxurivi.dll
c:\users\Kelsey\AppData\Local\udajevula.dll
c:\windows.old\Documents and Settings\Kelsey\AppData\Local\equxurivi.dll
c:\windows.old\Documents and Settings\Kelsey\AppData\Local\udajevula.dll
c:\windows.old\Users\Kelsey\AppData\Local\Application Data\equxurivi.dll
c:\windows.old\Users\Kelsey\AppData\Local\Application Data\udajevula.dll
c:\windows.old\Users\Kelsey\Local Settings\equxurivi.dll
c:\windows.old\Users\Kelsey\Local Settings\udajevula.dll
c:\windows\System32\hlp.dat
.
.
((((((((((((((((((((((((( Files Created from 2011-12-22 to 2012-01-22 )))))))))))))))))))))))))))))))
.
.
2012-01-22 23:12 . 2012-01-22 23:12 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2012-01-22 23:12 . 2012-01-22 23:12 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-01-22 23:12 . 2012-01-22 23:12 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-22 18:03 . 2012-01-22 18:03 -------- d-----w- c:\program files\ESET
2012-01-22 10:12 . 2012-01-22 10:12 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{38BE8482-E99B-48C2-BA1C-59EBE8958D2F}\offreg.dll
2012-01-22 10:11 . 2012-01-06 04:19 6557240 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{38BE8482-E99B-48C2-BA1C-59EBE8958D2F}\mpengine.dll
2012-01-22 03:44 . 2012-01-22 23:13 -------- d-----w- c:\users\Kelsey\AppData\Local\temp
2012-01-17 04:21 . 2012-01-17 04:21 -------- d-----w- c:\windows\Microsoft Antimalware
2012-01-17 04:21 . 2012-01-17 04:21 -------- d-----w- c:\windows\Windows Defender Offline
2012-01-16 03:00 . 2012-01-16 03:00 -------- d-----w- c:\users\Kelsey\AppData\Roaming\SUPERAntiSpyware.com
2012-01-16 03:00 . 2012-01-16 03:00 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-01-14 21:13 . 2012-01-14 21:13 -------- d-----w- c:\program files\Safari
2012-01-14 14:48 . 2012-01-14 14:48 -------- d-----w- c:\program files\iPod
2012-01-14 14:48 . 2012-01-14 14:49 -------- d-----w- c:\program files\iTunes
2012-01-14 14:45 . 2012-01-14 14:45 -------- d-----w- c:\program files\Bonjour
2012-01-13 14:22 . 2011-11-17 05:41 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-01-13 14:22 . 2011-11-17 05:41 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-01-13 14:22 . 2011-11-17 05:39 369352 ----a-w- c:\windows\system32\drivers\cng.sys
2012-01-13 14:22 . 2011-11-17 05:34 224768 ----a-w- c:\windows\system32\schannel.dll
2012-01-13 14:22 . 2011-11-17 05:32 1038848 ----a-w- c:\windows\system32\lsasrv.dll
2012-01-13 14:22 . 2011-11-17 05:29 22528 ----a-w- c:\windows\system32\lsass.exe
2012-01-13 14:22 . 2011-11-17 05:35 314880 ----a-w- c:\windows\system32\webio.dll
2012-01-13 14:22 . 2011-11-17 05:34 15872 ----a-w- c:\windows\system32\sspisrv.dll
2012-01-13 14:22 . 2011-11-17 05:34 100352 ----a-w- c:\windows\system32\sspicli.dll
2012-01-13 14:22 . 2011-11-17 05:34 22016 ----a-w- c:\windows\system32\secur32.dll
2012-01-12 15:33 . 2012-01-12 15:33 -------- d-----w- c:\windows\system32\SPReview
2012-01-12 14:53 . 2012-01-06 04:19 6557240 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-01-11 08:28 . 2011-10-04 22:22 703824 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{24008E2D-FD58-440D-8A5D-96B5362DBE6F}\gapaengine.dll
2012-01-11 08:20 . 2012-01-11 08:20 -------- d-----w- c:\program files\Microsoft Security Client
2012-01-11 02:04 . 2011-11-17 05:38 1288472 ----a-w- c:\windows\system32\ntdll.dll
2012-01-11 02:03 . 2011-11-19 14:01 67072 ----a-w- c:\windows\system32\packager.dll
2012-01-11 02:03 . 2011-10-26 04:32 1328128 ----a-w- c:\windows\system32\quartz.dll
2012-01-11 02:03 . 2011-10-26 04:32 514560 ----a-w- c:\windows\system32\qdvd.dll
2012-01-11 02:01 . 2011-11-21 10:47 6823496 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{5BFF57E6-9938-4877-AE47-E574F32EB4B2}\mpengine.dll
2012-01-09 10:24 . 2012-01-09 10:24 -------- d-----w- c:\windows\system32\EventProviders
2012-01-09 10:23 . 2012-01-09 10:24 -------- d-----w- C:\9778c5c1320aacb3c406c14a14df2e7c
2012-01-09 08:34 . 2012-01-22 18:09 -------- d-----w- c:\program files\Application Updater
2012-01-09 08:34 . 2012-01-09 08:34 -------- d-----w- c:\program files\pdfforge Toolbar
2012-01-09 08:34 . 2012-01-09 08:34 -------- d-----w- c:\program files\Common Files\Spigot
2012-01-09 01:07 . 2011-09-29 16:03 1290608 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-01-08 19:42 . 2012-01-08 19:42 158056 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10139.bin
2012-01-03 16:22 . 2012-01-03 16:22 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2012-01-03 16:22 . 2012-01-03 16:22 103864 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-12 15:49 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
2012-01-11 08:25 . 2011-06-20 16:41 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-10 23:24 . 2010-04-27 00:13 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-15 19:29 . 2009-10-31 22:10 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-11-10 13:54 . 2010-10-13 23:08 472808 ----a-w- c:\windows\system32\deployJava1.dll
.


(Snapshot section was here...)


- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files\Yahoo!\Companion\Installs\cpn1\YTNavAssist.dll" [2011-03-16 214840]
.
[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[HKEY_CLASSES_ROOT\YTNavAssist.YTNavAssistPlugin.1]
[HKEY_CLASSES_ROOT\TypeLib\{A31F34A1-EBD2-45A2-BF6D-231C1B987CC8}]
[HKEY_CLASSES_ROOT\YTNavAssist.YTNavAssistPlugin]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-07-21 61440]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Gateway\traybar.exe" [2007-06-30 638976]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-12-25 981680]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-01-07 1797488]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-12-25 981680]
"EeeNoteSync"="c:\program files\ASUS\EeeNoteSync\EeeNoteSync.exe" [2011-02-28 1934000]
"TkBellExe"="c:\program files\Real\RealPlayer\Update\realsched.exe" [2011-10-14 273528]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2010-12-25 113664]
WhiteSmoke Translator.lnk - c:\users\Kelsey\Downloads\WhiteSmokeWriterGeo5002_en.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R0 tclondrv;tclondrv;c:\windows\system32\DRIVERS\tclondrv.sys [x]
R1 SASDIFSV;SASDIFSV;c:\users\Kelsey\AppData\Local\Temp\SAS_SelfExtract\SASDIFSV.SYS [x]
R1 SASKUTIL;SASKUTIL;c:\users\Kelsey\AppData\Local\Temp\SAS_SelfExtract\SASKUTIL.SYS [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2011-04-18 43392]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2011-04-27 65024]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 208944]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-02-27 1343400]
R3 wmamp3DriverV32;wmamp3DriverV32;c:\windows\system32\drivers\wmamp3DriverV32.sys [2010-06-16 23096]
R3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [2010-02-23 25704]
R3 WsAudio_DeviceS(2);WsAudio_DeviceS(2);c:\windows\system32\drivers\WsAudio_DeviceS(2).sys [2010-02-23 25704]
R3 WsAudio_DeviceS(3);WsAudio_DeviceS(3);c:\windows\system32\drivers\WsAudio_DeviceS(3).sys [2010-02-23 25704]
R3 WsAudio_DeviceS(4);WsAudio_DeviceS(4);c:\windows\system32\drivers\WsAudio_DeviceS(4).sys [2010-02-23 25704]
R3 WsAudio_DeviceS(5);WsAudio_DeviceS(5);c:\windows\system32\drivers\WsAudio_DeviceS(5).sys [2010-02-23 25704]
S1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\rsdrv.sys [2009-02-12 22312]
S2 TabletServiceISD;TabletServiceISD;c:\program files\Tablet\ISD\ISD_Tablet.exe [2010-11-23 4727152]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys [2009-07-13 347136]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mchInjDrv
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2932146853-1447282935-1446039630-1001Core.job
- c:\users\Kelsey\AppData\Local\Google\Update\GoogleUpdate.exe [2010-11-15 23:59]
.
2012-01-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2932146853-1447282935-1446039630-1001UA.job
- c:\users\Kelsey\AppData\Local\Google\Update\GoogleUpdate.exe [2010-11-15 23:59]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/?pc=ZUGO&form=ZGAPHP
uInternet Settings,ProxyOverride = <local>;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Save YouTube Video
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\users\Kelsey\AppData\Roaming\Mozilla\Firefox\Profiles\aadlkce3.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/#
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=302398&p=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: YouTube mp3: info@youtube-mp3.org - %profile%\extensions\info@youtube-mp3.org
FF - Ext: Personas: personas@christopher.beard - %profile%\extensions\personas@christopher.beard
FF - Ext: tab-search: tab@search.com - %profile%\extensions\tab@search.com
FF - Ext: Delicious Bookmarks: {2fa4ed95-0317-4c6a-a74c-5f3e3912c1f9} - %profile%\extensions\{2fa4ed95-0317-4c6a-a74c-5f3e3912c1f9}
FF - Ext: PDF Download: {37E4D8EA-8BDA-4831-8EA1-89053939A250} - %profile%\extensions\{37E4D8EA-8BDA-4831-8EA1-89053939A250}
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF - user.js: search.clsid - {74DF0824-4A7F-4110-9CA2-4476964B075A}
FF - user.js: search.sid - 15101055100
FF - user.js: extensions.newAddons - false
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2012-01-22 15:31:17
ComboFix-quarantined-files.txt 2012-01-22 23:31
ComboFix2.txt 2012-01-22 03:44
ComboFix3.txt 2010-10-02 18:08
ComboFix4.txt 2010-08-29 15:46
ComboFix5.txt 2012-01-22 22:55
.
Pre-Run: 76,522,123,264 bytes free
Post-Run: 76,266,364,928 bytes free
.
- - End Of File - - 11216D4F2DE3C2474897FBE55EFF80A8
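An added example, not code from this thread, ComboFix or ESET, covering the CFScript step in reply #10 and the resulting log in reply #13: it builds the File:: block from pasted ESET lines, skipping hits inside ComboFix's own C:\Qoobox\Quarantine folder as the helper did, and then checks the ComboFix log to confirm that every path echoed under FILE :: reappears under Other Deletions. The sample inputs are constructed from paths quoted in the thread; the ESET line format and the section-banner layout are assumed from what was pasted.

```python
import re
from dataclasses import dataclass

# ESET prints the full path (which may itself contain spaces), then the
# detection family (always containing a "/", e.g. Win32/Bamital.DZ), then a
# one-word classification such as "trojan" or "application".
ESET_LINE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+(?P<family>\S+/\S+)\s+(?P<kind>\w+)\s*$"
)

# ComboFix's own quarantine folder: ESET re-flags the ".vir" copies kept there,
# but they are already neutralised and do not belong in a CFScript.
QUARANTINE_PREFIX = r"c:\qoobox\quarantine"

# Constructed sample: five of the ESET lines posted in the thread.
ESET_LOG = r"""
C:\Qoobox\Quarantine\C\Users\Kelsey\AppData\Local\Windows Server\hlp.dat.vir Win32/Bamital.DZ trojan
C:\Qoobox\Quarantine\C\Windows\system32\wininit.exe.vir Win32/Patched.FT trojan
C:\Users\Kelsey\AppData\Local\equxurivi.dll Win32/Adware.SpywareProtect2009 application
C:\Windows.old\Users\Kelsey\Local Settings\udajevula.dll Win32/Adware.SpywareProtect2009 application
C:\Windows\System32\hlp.dat Win32/Bamital.DZ trojan
"""

# Constructed sample: the relevant parts of the ComboFix log posted in reply #13.
COMBOFIX_LOG = r"""
ComboFix 12-01-21.02 - Kelsey 01/22/2012 14:57:39.6.2 - x86
FILE ::
"c:\users\Kelsey\AppData\Local\equxurivi.dll"
"c:\windows.old\Users\Kelsey\Local Settings\udajevula.dll"
"c:\windows\System32\hlp.dat"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\users\Kelsey\AppData\Local\equxurivi.dll
c:\windows.old\Users\Kelsey\Local Settings\udajevula.dll
c:\windows\System32\hlp.dat
.
((((((((((((((((((((((((( Files Created from 2011-12-22 to 2012-01-22 )))))))))))))))))))))))))))))))
"""


@dataclass
class Detection:
    path: str
    family: str
    kind: str


def parse_eset_log(text: str) -> list[Detection]:
    """Parse pasted ESET lines; anything not matching the format is ignored."""
    out = []
    for line in text.splitlines():
        m = ESET_LINE.match(line.strip())
        if m:
            out.append(Detection(m["path"], m["family"], m["kind"]))
    return out


def is_quarantined(path: str) -> bool:
    """True for ESET hits on files already sitting in ComboFix's quarantine."""
    return path.lower().startswith(QUARANTINE_PREFIX)


def build_cfscript(eset_log: str) -> str:
    """CFScript text: 'File::' must be the very first line, with no blank line
    or space before it, followed by one full path per line."""
    paths = [d.path for d in parse_eset_log(eset_log) if not is_quarantined(d.path)]
    return "File::\n" + "\n".join(paths) + "\n"


def section_lines(log: str, header: str) -> list[str]:
    """Entries under a ComboFix section header, up to the next banner line.
    Separator lines ('.') are skipped and surrounding quotes are removed."""
    out, inside = [], False
    for line in log.splitlines():
        if not inside:
            inside = header in line
            continue
        if line.startswith("((((") or line.startswith("---"):
            break
        entry = line.strip().strip('"')
        if entry and entry != ".":
            out.append(entry)
    return out


def verify_deletions(combofix_log: str) -> list[str]:
    """Paths echoed under 'FILE ::' that ComboFix did not list under 'Other
    Deletions', lower-cased because NTFS paths are case-insensitive. An empty
    list means every requested file was removed."""
    requested = section_lines(combofix_log, "FILE ::")
    deleted = {p.lower() for p in section_lines(combofix_log, "Other Deletions")}
    return [p.lower() for p in requested if p.lower() not in deleted]


if __name__ == "__main__":
    print(build_cfscript(ESET_LOG), end="")
    print("not deleted:", verify_deletions(COMBOFIX_LOG) or "none")
```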

#14 RPMcMurphy (Malware Response Team)

Posted 22 January 2012 - 08:57 PM

fredgd:

Your log looks good. Assuming the PC is running well all I have left for you is an update and some very important cleanup:

Your Adobe Reader needs to be updated. Please visit Adobe's site and grab the newest version. Be sure to watch for and uncheck any boxes offering to install other software.

Uninstall ComboFix
  • Press the Windows key + R on your keyboard or click Start -> Run. Copy and paste the following text into the run box that opens and press OK:
    Combofix /Uninstall

Delete the following tools along with any other logs you saved from our work:
  • DDS
  • GMER
Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program.
  • TFC will close all open programs itself in order to run.
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
  • Once it's finished it should automatically reboot your machine;
  • if it doesn't, manually reboot to ensure a complete clean.
Finally, I'd like to make a couple of suggestions to help you stay clean in the future:
  • Restart any anti-malware programs that we disabled while we were cleaning your machine.
  • Keep your antivirus application and MBAM current and updated. Scan with them at least weekly.
  • Avoid using P2P programs. Refer back to my earlier post for more information.
  • Please read this post for some helpful information.
Please post once more so I know you are all set and I can mark this thread resolved. Good luck and stay safe!

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#15 fredgd

fredgd
  • Topic Starter

  • Members
  • 8 posts
  • Local time:10:53 PM

Posted 22 January 2012 - 09:58 PM

OK, followed the instructions for all the various uninstalls. Looking good! Thanks! Indeed, on the p2p, need to work with the kids on that!



