
Rootkit.0Access) won't cure


  • This topic is locked
22 replies to this topic

#1 Jason121

Jason121

  • Members
  • 14 posts
  • OFFLINE
  • Local time:12:32 PM

Posted 30 January 2012 - 02:15 AM

Hi!
This is a follow-up topic from a previous post -

http://www.bleepingcomputer.com/forums/topic440263.html/page__gopid__2575214#entry2575214

Summary: Google redirect virus - hasn't been removed with TDSSKiller or Malwarebytes.

Below is the DDS log -
##############################

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.7600.16385
Run by Jason at 21:42:15 on 2012-01-29
Microsoft Windows 7 Starter 6.1.7600.0.1252.1.1033.18.1013.205 [GMT -8:00]
.
AV: Norton Internet Security Netbook Edition *Disabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security Netbook Edition *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
FW: Norton Internet Security Netbook Edition *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\system32\WLANExt.exe
C:\windows\system32\conhost.exe
C:\windows\System32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
C:\windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\windows\system32\taskhost.exe
C:\windows\system32\Dwm.exe
C:\windows\system32\svchost.exe -k bthsvcs
C:\windows\Explorer.EXE
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Users\Jason\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Jason\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Jason\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Jason\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Jason\AppData\Local\Google\Chrome\Application\chrome.exe
C:\windows\system32\taskeng.exe
C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe
C:\windows\system32\igfxext.exe
C:\windows\system32\igfxsrvc.exe
C:\windows\system32\hkcmd.exe
C:\windows\system32\igfxtray.exe
C:\windows\system32\igfxpers.exe
C:\Program Files\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe
C:\Program Files\Samsung\Samsung Recovery Solution 5\WCScheduler.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Samsung\SamsungFastStart\SmartRestarter.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\windows\system32\taskeng.exe
C:\Program Files\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe
C:\windows\system32\wuauclt.exe
C:\Program Files\Samsung\Samsung Support Center\SSCKbdHk.exe
C:\Program Files\Samsung\Samsung Update Plus\SUPBackground.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\system32\SearchProtocolHost.exe
C:\windows\system32\SearchFilterHost.exe
C:\windows\system32\conhost.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://samsung.msn.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: StartNow Toolbar Helper: {6e13d095-45c3-4271-9475-f3b48227dd9f} - c:\program files\startnow toolbar\Toolbar32.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: DealPly: {a6174f27-1fff-e1d6-a93f-ba48ad5dd448} - c:\program files\dealply\DealPlyIE.dll
BHO: W2PBrowser Class: {aa609d72-8482-4076-8991-8cdae5b93bcb} - c:\program files\samsung anyweb print\W2PBrowser.dll
BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\6.0.2237.0\npwinext.dll
TB: @c:\program files\msn toolbar\platform\6.0.2237.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\6.0.2237.0\npwinext.dll
TB: StartNow Toolbar: {5911488e-9d1e-40ec-8cbb-06b231cc153f} - c:\program files\startnow toolbar\Toolbar32.dll
uRun: [Google Update] "c:\users\jason\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [StartNowToolbarHelper] "c:\program files\startnow toolbar\ToolbarHelper.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\srspre~1.lnk - c:\windows\installer\{e5cf6b9c-3abe-43c9-9413-ad5ffc98f049}\NewShortcut4_E9C83B3EDF9141A39DA5EC05C79BBB91.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {328ECD19-C167-40eb-A0C7-16FE7634105E} - {94BB0C4C-B957-479A-85E4-42F53B89F681} - c:\program files\samsung anyweb print\W2PBrowser.dll
LSP: mswsock.dll
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{C93209A4-207B-4AAF-A702-33895185D1EC} : DhcpNameServer = 10.60.25.7 10.60.25.6 10.208.11.83
TCP: Interfaces\{E82CFA94-3BFC-4716-84E7-CB3A3C3B3287} : DhcpNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{E82CFA94-3BFC-4716-84E7-CB3A3C3B3287}\058696C6A70234F666665656 : DhcpNameServer = 10.128.128.128
TCP: Interfaces\{E82CFA94-3BFC-4716-84E7-CB3A3C3B3287}\2456C6B696E6F5E413F575962756C6563737F5334463733483 : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{E82CFA94-3BFC-4716-84E7-CB3A3C3B3287}\2556460225F636B60234F666665656 : DhcpNameServer = 208.201.224.11 208.201.224.33 206.13.28.12
TCP: Interfaces\{E82CFA94-3BFC-4716-84E7-CB3A3C3B3287}\2556460225F636B60234F6666656560223 : DhcpNameServer = 208.201.224.11 208.201.224.33 206.13.28.12
TCP: Interfaces\{E82CFA94-3BFC-4716-84E7-CB3A3C3B3287}\3547566756E6370234275656B602355726162757 : DhcpNameServer = 10.230.80.254
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
.
============= SERVICES / DRIVERS ===============
.
R1 SABI;SAMSUNG Kernel Driver For Windows 7;c:\windows\system32\drivers\SABI.sys [2010-9-14 10752]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 cvhsvc;Client Virtualization Handler;c:\program files\common files\microsoft shared\virtualization handler\CVHSVC.EXE [2010-10-20 821664]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-1-28 652872]
R2 sftlist;Application Virtualization Client;c:\program files\microsoft application virtualization client\sftlist.exe [2010-9-14 508264]
R3 btwampfl;Bluetooth AMP USB Filter;c:\windows\system32\drivers\btwampfl.sys [2011-2-9 297000]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2011-2-9 33320]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-1-28 20464]
R3 Sftfs;Sftfs;c:\windows\system32\drivers\Sftfslh.sys [2010-9-14 577384]
R3 Sftplay;Sftplay;c:\windows\system32\drivers\Sftplaylh.sys [2010-9-14 194408]
R3 Sftredir;Sftredir;c:\windows\system32\drivers\Sftredirlh.sys [2010-9-14 21864]
R3 Sftvol;Sftvol;c:\windows\system32\drivers\Sftvollh.sys [2010-9-14 19304]
R3 sftvsa;Application Virtualization Service Agent;c:\program files\microsoft application virtualization client\sftvsa.exe [2010-9-14 219496]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2010-7-8 322336]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 CTMFLT;Oracleorahomemanagementserver;c:\windows\system32\svchost.exe -k netsvcs [2009-7-13 20992]
S2 mclserviceatl;Vcommmgr;c:\windows\system32\svchost.exe -k netsvcs [2009-7-13 20992]
S2 symantecantibotshim;Pdlnepkt;c:\windows\system32\svchost.exe -k netsvcs [2009-7-13 20992]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2011-2-9 54632]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-1-28 40776]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-6-10 139776]
S3 Samsung UPD Service;Samsung UPD Service;c:\windows\system32\SUPDSvc.exe [2011-2-9 131888]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
.
=============== Created Last 30 ================
.
2012-01-28 16:52:00 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-01-28 16:03:04 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-28 16:03:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-28 05:30:49 -------- d-----w- C:\TDSSKiller_Quarantine
2012-01-28 04:04:47 74240 ----a-w- c:\windows\system32\drivers\tdx.sys
2012-01-28 02:46:01 23624 ----a-w- c:\windows\system32\drivers\hitmanpro36.sys
2012-01-28 02:45:57 -------- d-----w- c:\program files\HitmanPro
2012-01-28 02:45:08 -------- d-----w- c:\programdata\HitmanPro
2012-01-28 02:14:40 -------- d-----w- c:\users\jason\appdata\roaming\Malwarebytes
2012-01-28 02:14:21 -------- d-----w- c:\programdata\Malwarebytes
2012-01-28 01:22:07 -------- d-----w- c:\users\jason\appdata\local\NPE
2012-01-27 14:01:06 -------- d-----w- c:\users\jason\appdata\local\Symantec
2012-01-21 16:35:57 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-01-21 16:16:18 0 --sha-w- c:\windows\system32\dds_log_trash.cmd
2012-01-21 16:15:31 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-21 16:14:52 -------- d-sh--w- c:\users\jason\appdata\local\ca017659
2012-01-18 03:55:57 6823496 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{7a31954a-1174-4f33-9e15-74ba95ba65ef}\mpengine.dll
2012-01-12 13:45:58 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-01-12 13:45:58 369352 ----a-w- c:\windows\system32\drivers\cng.sys
2012-01-12 13:45:58 224768 ----a-w- c:\windows\system32\schannel.dll
2012-01-12 13:45:58 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-01-12 13:45:58 1037312 ----a-w- c:\windows\system32\lsasrv.dll
2012-01-12 13:45:57 99840 ----a-w- c:\windows\system32\sspicli.dll
2012-01-12 13:45:57 314368 ----a-w- c:\windows\system32\webio.dll
2012-01-12 13:45:57 22528 ----a-w- c:\windows\system32\lsass.exe
2012-01-12 13:45:57 22016 ----a-w- c:\windows\system32\secur32.dll
2012-01-12 13:45:57 15360 ----a-w- c:\windows\system32\sspisrv.dll
2012-01-12 03:26:16 1288984 ----a-w- c:\windows\system32\ntdll.dll
2012-01-12 03:26:10 67072 ----a-w- c:\windows\system32\packager.dll
2012-01-12 03:26:03 1328640 ----a-w- c:\windows\system32\quartz.dll
2012-01-12 03:26:02 514560 ----a-w- c:\windows\system32\qdvd.dll
.
==================== Find3M ====================
.
2012-01-28 05:25:26 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2011-11-24 04:23:31 2340352 ----a-w- c:\windows\system32\win32k.sys
2011-11-15 22:29:56 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-11-05 04:35:50 981504 ----a-w- c:\windows\system32\wininet.dll
2011-11-05 04:34:15 44544 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-05 04:30:11 2048 ----a-w- c:\windows\system32\tzres.dll
2011-11-05 03:28:41 386048 ----a-w- c:\windows\system32\html.iec
2011-11-05 02:55:38 1638912 ----a-w- c:\windows\system32\mshtml.tlb
.
============= FINISH: 21:43:45.17 ===============
###########################################

Attached is the DDS Attach log file. I'll attach the GMER log (Ark.txt) in a separate post.
Thanks!

Attached Files
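The DDS log above shows two patterns consistent with the ZeroAccess (Rootkit.0Access) infection named in the title: three services with made-up display names (Oracleorahomemanagementserver, Vcommmgr, Pdlnepkt) that all resolve to `svchost.exe -k netsvcs`, and directories created with hidden+system attributes at `c:\windows\system32\%APPDATA%` and `...\appdata\local\ca017659`. The Python triage script below is an added example, not part of the original post or of the DDS tool; it parses lines in this log's format and flags both patterns. The `NETSVCS_BASELINE` allowlist is an assumed, deliberately partial list, so unknown names are flagged for review rather than declared malicious.

```python
"""Triage helper for DDS-style logs (constructed example, not DDS code).
Flags services hosted in "svchost.exe -k netsvcs" whose name is not in an
assumed baseline, and directories created with hidden+system attributes."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Lines copied from the DDS log in the post above; the legitimate ones are
# there so the filters have something to let through.
SAMPLE_LOG = r"""
R1 SABI;SAMSUNG Kernel Driver For Windows 7;c:\windows\system32\drivers\SABI.sys [2010-9-14 10752]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-1-28 652872]
S2 CTMFLT;Oracleorahomemanagementserver;c:\windows\system32\svchost.exe -k netsvcs [2009-7-13 20992]
S2 mclserviceatl;Vcommmgr;c:\windows\system32\svchost.exe -k netsvcs [2009-7-13 20992]
S2 symantecantibotshim;Pdlnepkt;c:\windows\system32\svchost.exe -k netsvcs [2009-7-13 20992]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2011-2-9 54632]
2012-01-28 05:30:49 -------- d-----w- C:\TDSSKiller_Quarantine
2012-01-21 16:35:57 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-01-21 16:16:18 0 --sha-w- c:\windows\system32\dds_log_trash.cmd
2012-01-21 16:14:52 -------- d-sh--w- c:\users\jason\appdata\local\ca017659
2012-01-12 13:45:58 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
"""

# ASSUMPTION: a deliberately partial allowlist of Windows 7 services that
# legitimately run in the netsvcs group. Unknown names in that group are
# flagged for review, not declared malicious.
NETSVCS_BASELINE = {n.lower() for n in (
    "AeLookupSvc", "AppInfo", "AudioSrv", "BDESVC", "BITS", "Browser",
    "CertPropSvc", "EapHost", "gpsvc", "hkmsvc", "IKEEXT", "iphlpsvc",
    "lanmanserver", "MMCSS", "msiscsi", "ProfSvc", "Schedule", "SCPolicySvc",
    "seclogon", "SENS", "SessionEnv", "SharedAccess", "ShellHWDetection",
    "TermService", "Themes", "wercplsupport", "winmgmt", "wuauserv",
)}

# "<R|S><n> <name>;<display>;<image> [<date> <size>]"
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)(?:\s+\[[^\]]*\])?\s*$")
# "<date> <time> <size|--------> <attrs> <path>"
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) ([-a-z]{8}) (.+)$")
NETSVCS_RE = re.compile(r"svchost\.exe\s+-k\s+netsvcs\b", re.IGNORECASE)

@dataclass
class Service:
    start: str    # DDS start-type column, e.g. R1 or S2
    name: str     # registry service name
    display: str  # display name
    image: str    # image path / command line

@dataclass
class CreatedEntry:
    stamp: str
    size: str
    attrs: str    # e.g. "d-sh--w-": directory, system, hidden, writable
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def hidden_system(self) -> bool:
        return "h" in self.attrs and "s" in self.attrs

@dataclass
class Finding:
    kind: str
    detail: str

def parse_service(line: str) -> Optional[Service]:
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    return Service(m.group(1), m.group(2).strip(), m.group(3).strip(), m.group(4).strip())

def parse_created(line: str) -> Optional[CreatedEntry]:
    m = CREATED_RE.match(line.strip())
    return CreatedEntry(*m.groups()) if m else None

def triage(log_text: str) -> List[Finding]:
    """Return a finding for every suspicious service or created directory."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        svc = parse_service(raw)
        if svc is not None:
            # Hosted in netsvcs but not a known member of that group
            if NETSVCS_RE.search(svc.image) and svc.name.lower() not in NETSVCS_BASELINE:
                findings.append(Finding("netsvcs-unknown", f"{svc.name} ({svc.display}) -> {svc.image}"))
            continue
        ent = parse_created(raw)
        # Hidden+system directories are rarely created by legitimate software
        if ent is not None and ent.is_dir and ent.hidden_system:
            findings.append(Finding("hidden-system-dir", ent.path))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.detail}")
```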



#2 Jason121

Jason121
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:12:32 PM

Posted 30 January 2012 - 03:07 AM

Here's the GMER log file (ark.log). The system hung during the first attempt, but the second time was successful.
Thanks!

Attached Files

  • Attached File: ark.log (41.16KB, 0 downloads)


#3 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:32 PM

Posted 30 January 2012 - 07:47 PM

Hello and welcome. Please follow these guidelines while we work on your PC:
  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I've given you the "All clear." Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.
Download Combofix from either of the links below, and save it to your desktop.

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • If you have trouble, stop and post back. Do not try to repeatedly run comboFix!
  • When finished, it will produce a report for you.
Please include the following in your next post:
  • ComboFix log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#4 Jason121

Jason121
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:12:32 PM

Posted 01 February 2012 - 10:55 AM

Thanks. ComboFix ran fine with multiple reboots during the process. Below is the log file it generated -
###############################

ComboFix 12-01-31.01 - Jason 02/01/2012 7:29.1.4 - x86
Microsoft Windows 7 Starter 6.1.7600.0.1252.1.1033.18.1013.402 [GMT -8:00]
Running from: c:\users\Jason\Desktop\ComboFix.exe
AV: Norton Internet Security Netbook Edition *Disabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
FW: Norton Internet Security Netbook Edition *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
SP: Norton Internet Security Netbook Edition *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\StartNow Toolbar
c:\program files\StartNow Toolbar\Resources\images\engine_images.png
c:\program files\StartNow Toolbar\Resources\images\engine_maps.png
c:\program files\StartNow Toolbar\Resources\images\engine_news.png
c:\program files\StartNow Toolbar\Resources\images\engine_videos.png
c:\program files\StartNow Toolbar\Resources\images\engine_web.png
c:\program files\StartNow Toolbar\Resources\images\icon_amazon.png
c:\program files\StartNow Toolbar\Resources\images\icon_ebay.png
c:\program files\StartNow Toolbar\Resources\images\icon_facebook.png
c:\program files\StartNow Toolbar\Resources\images\icon_games.png
c:\program files\StartNow Toolbar\Resources\images\icon_msn.png
c:\program files\StartNow Toolbar\Resources\images\icon_shopping.png
c:\program files\StartNow Toolbar\Resources\images\icon_travel.png
c:\program files\StartNow Toolbar\Resources\images\icon_twitter.png
c:\program files\StartNow Toolbar\Resources\images\startnow_logo.png
c:\program files\StartNow Toolbar\Resources\installer.xml
c:\program files\StartNow Toolbar\Resources\protect\index.html
c:\program files\StartNow Toolbar\Resources\protect\NotIE6.css
c:\program files\StartNow Toolbar\Resources\protect\OnlyIE6.css
c:\program files\StartNow Toolbar\Resources\protect\SearchProtectIcon.png
c:\program files\StartNow Toolbar\Resources\protect\window.css
c:\program files\StartNow Toolbar\Resources\protect\window.js
c:\program files\StartNow Toolbar\Resources\reactivate\index.html
c:\program files\StartNow Toolbar\Resources\reactivate\LeftImage.png
c:\program files\StartNow Toolbar\Resources\reactivate\NotIE6.css
c:\program files\StartNow Toolbar\Resources\reactivate\OnlyIE6.css
c:\program files\StartNow Toolbar\Resources\reactivate\window.css
c:\program files\StartNow Toolbar\Resources\reactivate\window.js
c:\program files\StartNow Toolbar\Resources\skin\chevron_button.png
c:\program files\StartNow Toolbar\Resources\skin\searchbox_button_hover.png
c:\program files\StartNow Toolbar\Resources\skin\searchbox_button_normal.png
c:\program files\StartNow Toolbar\Resources\skin\searchbox_dropdown_button_normal.png
c:\program files\StartNow Toolbar\Resources\skin\searchbox_input_background.png
c:\program files\StartNow Toolbar\Resources\skin\searchbox_input_left.png
c:\program files\StartNow Toolbar\Resources\skin\searchbox_input_middle.png
c:\program files\StartNow Toolbar\Resources\skin\separator.png
c:\program files\StartNow Toolbar\Resources\skin\splitter.png
c:\program files\StartNow Toolbar\Resources\skin\toolbarbutton_ff_hover_c.png
c:\program files\StartNow Toolbar\Resources\skin\toolbarbutton_ie_hover_c.png
c:\program files\StartNow Toolbar\Resources\skin\toolbarbutton_ie_hover_l.png
c:\program files\StartNow Toolbar\Resources\skin\toolbarbutton_ie_hover_r.png
c:\program files\StartNow Toolbar\Resources\skin\toolbarbutton_ie_normal_c.png
c:\program files\StartNow Toolbar\Resources\skin\toolbarbutton_ie_normal_l.png
c:\program files\StartNow Toolbar\Resources\skin\toolbarbutton_ie_normal_r.png
c:\program files\StartNow Toolbar\Resources\toolbar.xml
c:\program files\StartNow Toolbar\Resources\update.xml
c:\program files\StartNow Toolbar\StartNowToolbarUninstall.exe
c:\program files\StartNow Toolbar\ToOLbar32.dll
c:\program files\StartNow Toolbar\uninstall.dat
c:\programdata\FullRemove.exe
c:\users\Jason\AppData\Local\ca017659\U\000000c0.@
c:\users\Jason\AppData\Local\ca017659\U\000000cb.@
c:\users\Jason\AppData\Local\ca017659\U\000000cf.@
c:\users\Jason\AppData\Local\ca017659\U\80000000.@
c:\users\Jason\AppData\Local\ca017659\U\800000cf.@
c:\windows\$NtUninstallKB17319$
c:\windows\$NtUninstallKB17319$\3389093465\@
c:\windows\$NtUninstallKB17319$\3389093465\L\xadqgnnk
c:\windows\$NtUninstallKB17319$\3389093465\loader.tlb
c:\windows\$NtUninstallKB17319$\3389093465\U\@00000001
c:\windows\$NtUninstallKB17319$\3389093465\U\@000000c0
c:\windows\$NtUninstallKB17319$\3389093465\U\@000000cb
c:\windows\$NtUninstallKB17319$\3389093465\U\@000000cf
c:\windows\$NtUninstallKB17319$\3389093465\U\@80000000
c:\windows\$NtUninstallKB17319$\3389093465\U\@800000c0
c:\windows\$NtUninstallKB17319$\3389093465\U\@800000cb
c:\windows\$NtUninstallKB17319$\3389093465\U\@800000cf
c:\windows\$NtUninstallKB17319$\366220689
c:\windows\system32\WaveFDE.dll
.
Infected copy of c:\windows\system32\DRIVERS\netbt.sys was found and disinfected
Restored copy from - c:\combofix\HarddiskVolumeShadowCopy3_!Windows!System32!drivers!netbt.sys
.
.
((((((((((((((((((((((((( Files Created from 2012-01-01 to 2012-02-01 )))))))))))))))))))))))))))))))
.
.
2012-02-01 15:43 . 2012-02-01 15:45 -------- d-----w- c:\users\Jason\AppData\Local\temp
2012-02-01 15:43 . 2012-02-01 15:43 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-01 15:31 . 2012-02-01 15:31 6429 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UICORE.JS
2012-02-01 15:31 . 2012-02-01 15:31 63115 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\USERTILE.JS
2012-02-01 15:31 . 2012-02-01 15:31 4599 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UIRESOURCE.JS
2012-02-01 15:21 . 2009-07-13 23:11 80896 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2012-01-28 16:03 . 2012-01-28 16:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-28 16:03 . 2011-12-10 23:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-28 05:30 . 2012-01-28 05:30 -------- d-----w- C:\TDSSKiller_Quarantine
2012-01-28 04:04 . 2012-01-28 15:58 74240 ----a-w- c:\windows\system32\drivers\tdx.sys
2012-01-28 02:46 . 2012-01-28 04:21 23624 ----a-w- c:\windows\system32\drivers\hitmanpro36.sys
2012-01-28 02:45 . 2012-01-28 02:45 -------- d-----w- c:\program files\HitmanPro
2012-01-28 02:45 . 2012-01-28 02:58 -------- d-----w- c:\programdata\HitmanPro
2012-01-28 02:14 . 2012-01-28 02:14 -------- d-----w- c:\users\Jason\AppData\Roaming\Malwarebytes
2012-01-28 02:14 . 2012-01-28 02:14 -------- d-----w- c:\programdata\Malwarebytes
2012-01-28 01:22 . 2012-01-28 01:38 -------- d-----w- c:\users\Jason\AppData\Local\NPE
2012-01-27 14:01 . 2012-01-27 14:01 -------- d-----w- c:\users\Jason\AppData\Local\Symantec
2012-01-21 16:35 . 2012-01-21 16:35 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-01-21 16:16 . 2012-02-01 15:04 0 --sha-w- c:\windows\system32\dds_log_trash.cmd
2012-01-21 16:15 . 2012-01-21 16:15 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-21 16:14 . 2012-01-27 03:10 -------- d-sh--w- c:\users\Jason\AppData\Local\ca017659
2012-01-18 03:55 . 2011-11-21 10:47 6823496 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{7A31954A-1174-4F33-9E15-74BA95BA65EF}\mpengine.dll
2012-01-12 13:45 . 2011-11-17 05:48 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-01-12 13:45 . 2011-11-17 05:48 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-01-12 13:45 . 2011-11-17 05:42 369352 ----a-w- c:\windows\system32\drivers\cng.sys
2012-01-12 13:45 . 2011-11-17 05:39 224768 ----a-w- c:\windows\system32\schannel.dll
2012-01-12 13:45 . 2011-11-17 05:38 1037312 ----a-w- c:\windows\system32\lsasrv.dll
2012-01-12 13:45 . 2011-11-17 05:39 314368 ----a-w- c:\windows\system32\webio.dll
2012-01-12 13:45 . 2011-11-17 05:39 99840 ----a-w- c:\windows\system32\sspicli.dll
2012-01-12 13:45 . 2011-11-17 05:39 15360 ----a-w- c:\windows\system32\sspisrv.dll
2012-01-12 13:45 . 2011-11-17 05:39 22016 ----a-w- c:\windows\system32\secur32.dll
2012-01-12 13:45 . 2011-11-17 05:36 22528 ----a-w- c:\windows\system32\lsass.exe
2012-01-12 03:26 . 2011-11-17 05:41 1288984 ----a-w- c:\windows\system32\ntdll.dll
2012-01-12 03:26 . 2011-11-19 14:06 67072 ----a-w- c:\windows\system32\packager.dll
2012-01-12 03:26 . 2011-10-26 04:28 1328640 ----a-w- c:\windows\system32\quartz.dll
2012-01-12 03:26 . 2011-10-26 04:28 514560 ----a-w- c:\windows\system32\qdvd.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-28 05:25 . 2011-06-15 23:38 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2011-11-24 04:23 . 2011-12-17 15:26 2340352 ----a-w- c:\windows\system32\win32k.sys
2011-11-15 22:29 . 2011-02-10 04:12 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-11-05 04:35 . 2011-12-17 15:26 981504 ----a-w- c:\windows\system32\wininet.dll
2011-11-05 04:34 . 2011-12-17 15:26 44544 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-05 04:30 . 2011-12-17 15:25 2048 ----a-w- c:\windows\system32\tzres.dll
2011-11-05 03:28 . 2011-12-17 15:26 386048 ----a-w- c:\windows\system32\html.iec
2011-11-05 02:55 . 2011-12-17 15:26 1638912 ----a-w- c:\windows\system32\mshtml.tlb
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2010-08-04 9398888]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-05-21 1770792]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-25 460872]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2010-7-21 836896]
SRS Premium Sound.lnk - c:\windows\Installer\{E5CF6B9C-3ABE-43C9-9413-AD5FFC98F049}\NewShortcut4_E9C83B3EDF9141A39DA5EC05C79BBB91.exe [2010-9-14 156952]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 EraserUtilDrv11010;EraserUtilDrv11010;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11010.sys [x]
R3 EraserUtilDrvI13;EraserUtilDrvI13;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI13.sys [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776]
R3 Samsung UPD Service;Samsung UPD Service;c:\windows\System32\SUPDSvc.exe [2010-08-09 131888]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2008-05-06 11520]
S1 SABI;SAMSUNG Kernel Driver For Windows 7;c:\windows\system32\Drivers\SABI.sys [2009-05-28 10752]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 cvhsvc;Client Virtualization Handler;c:\program files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-10-20 821664]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-12-25 652872]
S2 sftlist;Application Virtualization Client;c:\program files\Microsoft Application Virtualization Client\sftlist.exe [2010-09-14 508264]
S3 btwampfl;Bluetooth AMP USB Filter;c:\windows\system32\drivers\btwampfl.sys [2010-07-13 297000]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2010-03-02 33320]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-10 20464]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [2010-09-14 577384]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [2010-09-14 194408]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2010-09-14 21864]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [2010-09-14 19304]
S3 sftvsa;Application Virtualization Service Agent;c:\program files\Microsoft Application Virtualization Client\sftvsa.exe [2010-09-14 219496]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2010-07-08 322336]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc
.
NETSVCS REQUIRES REPAIRS - current entries shown
AeLookupSvc
CertPropSvc
SCPolicySvc
lanmanserver
gpsvc
IKEEXT
AudioSrv
FastUserSwitchingCompatibility
Ias
Irmon
Nla
Ntmssvc
NWCWorkstation
Nwsapagent
Rasauto
Rasman
Remoteaccess
SENS
Sharedaccess
SRService
Tapisrv
Wmi
WmdmPmSp
adpu160m
L6POD
e100b
Alpham1
nlsvc
AppnBase
WmFilter
F700iob
ASDR
prohlp02
se45unic
asuskbnt
VNUSB
mclserviceatl
lmouflt2
roxmediadb9
apfiltrservice
palmusbd
JiaoCap
mxnic
dladresm
zpcollector
wmccdsls
ovepstatusengine
tiumfwl
lvpopflt
CVirtA
crystaloutputfileserver
abnetmon
PDExchange
CTMFLT
foldersize
wmccds
TICalc
rollbackclientservice
scanexplicit
sbcssvc
FET5X86V
symantecantibotshim
nscservice
regdefend
CTEDSPIO.DLL
SE2Cbus
spupdsvc
DSI_SiUSBXp_3_1
hf30service
catchme
dklogger
BcmSqlStartupSvc
mksupdateint
s116mgmt
tones
lxbu_device
IBM_LLC2
pdreli
mfetdik
TermService
wuauserv
BITS
ShellHWDetection
LogonHours
PCAudit
helpsvc
uploadmgr
iphlpsvc
seclogon
AppInfo
msiscsi
MMCSS
wercplsupport
EapHost
ProfSvc
schedule
hkmsvc
SessionEnv
winmgmt
browser
Themes
BDESVC
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2712454429-1394185644-1912644009-1000Core.job
- c:\users\Jason\AppData\Local\Google\Update\GoogleUpdate.exe [2011-02-10 04:38]
.
2012-01-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2712454429-1394185644-1912644009-1000UA.job
- c:\users\Jason\AppData\Local\Google\Update\GoogleUpdate.exe [2011-02-10 04:38]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {{328ECD19-C167-40eb-A0C7-16FE7634105E} - {94BB0C4C-B957-479A-85E4-42F53B89F681} - c:\program files\Samsung AnyWeb Print\W2PBrowser.dll
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
HKLM-Run-StartNowToolbarHelper - c:\program files\StartNow Toolbar\ToolbarHelper.exe
SafeBoot-41362082.sys
SafeBoot-80868284.sys
AddRemove-StartNow Toolbar - c:\program files\StartNow Toolbar\StartNowToolbarUninstall.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3348)
c:\program files\Samsung\Movie Color Enhancer\WinCRT.dll
c:\program files\WIDCOMM\Bluetooth Software\btmmhook.dll
c:\program files\WIDCOMM\Bluetooth Software\btncopy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLANExt.exe
c:\windows\system32\conhost.exe
c:\program files\WIDCOMM\Bluetooth Software\btwdins.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\servicing\TrustedInstaller.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\program files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel.exe
c:\program files\WIDCOMM\Bluetooth Software\BtStackServer.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Samsung\Easy Display Manager\dmhkcore.exe
c:\windows\system32\igfxext.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\hkcmd.exe
c:\windows\system32\igfxtray.exe
c:\windows\system32\igfxpers.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\program files\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe
c:\program files\Samsung\Samsung Recovery Solution 5\WCScheduler.exe
c:\program files\Samsung\SamsungFastStart\SmartRestarter.exe
c:\windows\system32\sppsvc.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe
c:\program files\Samsung\Samsung Support Center\SSCKbdHk.exe
c:\program files\Samsung\Samsung Update Plus\SUPBackground.exe
.
**************************************************************************
.
Completion time: 2012-02-01 07:51:37 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-01 15:51
.
Pre-Run: 23,711,838,208 bytes free
Post-Run: 23,773,110,272 bytes free
.
- - End Of File - - A8B1DFFBAD71B00A80808CC8BF757564
#####################################################################

#5 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts
  • Gender:Male

Posted 01 February 2012 - 08:08 PM

Hi,

Please do this next:

Open notepad and copy/paste the text in the quotebox below into it:

@echo off
swreg query hklm\system\currentcontrolset\services /s |(
SED -r "/^HK|^ +ImagePath.*-k netsvcs/I!d" |(
SED -r ":a; $!N;s/\n.*\t.*/\t/;ta;P;D" |(
SED -r "/.*\\(.*)\t/!d; s//\1/"
)))>Log.txt
Start Notepad Log.txt


Save this as list.bat. Choose "Save as type - All Files".
Right click on list.bat and select "Run as administrator". A notepad file will open. Copy that information into your next reply, please.

Please include the following in your next post:
  • list.bat results

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#6 Jason121
  • Topic Starter
  • Members
  • 14 posts

Posted 01 February 2012 - 09:28 PM

Here's the results from list.bat -
********************************************

abnetmon
adpu160m
AeLookupSvc
Alpham1
apfiltrservice
Appinfo
AppMgmt
AppnBase
ASDR
asuskbnt
BcmSqlStartupSvc
BDESVC
BITS
Browser
CertPropSvc
crystaloutputfileserver
CTEDSPIO.DLL
CTMFLT
CVirtA
dklogger
dladresm
DSI_SiUSBXp_3_1
EapHost
F700iob
FET5X86V
foldersize
gpsvc
hf30service
hkmsvc
IKEEXT
JiaoCap
LanmanServer
lmouflt2
lvpopflt
mclserviceatl
MMCSS
MSiSCSI
mxnic
nlsvc
nscservice
ovepstatusengine
palmusbd
PDExchange
pdreli
ProfSvc
prohlp02
RasAuto
RasMan
regdefend
RemoteAccess
rollbackclientservice
roxmediadb9
s116mgmt
sbcssvc
scanexplicit
Schedule
SCPolicySvc
SE2Cbus
se45unic
seclogon
SENS
SessionEnv
SharedAccess
ShellHWDetection
spupdsvc
symantecantibotshim
Themes
TICalc
tiumfwl
tones
VNUSB
wercplsupport
Winmgmt
wmccds
wmccdsls
WmFilter
wuauserv
zpcollector
*************************************

#7 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts
  • Gender:Male

Posted 01 February 2012 - 10:57 PM

Hi,

Please do this next:

  • Open notepad and copy/paste the text in the box below into it:

    REGEDIT4
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
    "netsvcs"=hex(7):61,62,6e,65,74,6d,6f,6e,00,61,64,70,75,31,36,30,6d,00,41,65,4c,6f,6f,\
      6b,75,70,53,76,63,00,41,6c,70,68,61,6d,31,00,61,70,66,69,6c,74,72,73,65,72,\
      76,69,63,65,00,41,70,70,69,6e,66,6f,00,41,70,70,4d,67,6d,74,00,41,70,70,6e,\
      42,61,73,65,00,41,53,44,52,00,61,73,75,73,6b,62,6e,74,00,42,63,6d,53,71,6c,\
      53,74,61,72,74,75,70,53,76,63,00,42,44,45,53,56,43,00,42,49,54,53,00,42,72,\
      6f,77,73,65,72,00,43,65,72,74,50,72,6f,70,53,76,63,00,63,72,79,73,74,61,6c,\
      6f,75,74,70,75,74,66,69,6c,65,73,65,72,76,65,72,00,43,54,45,44,53,50,49,4f,\
      2e,44,4c,4c,00,43,54,4d,46,4c,54,00,43,56,69,72,74,41,00,64,6b,6c,6f,67,67,\
      65,72,00,64,6c,61,64,72,65,73,6d,00,44,53,49,5f,53,69,55,53,42,58,70,5f,33,\
      5f,31,00,45,61,70,48,6f,73,74,00,46,37,30,30,69,6f,62,00,46,45,54,35,58,38,\
      36,56,00,66,6f,6c,64,65,72,73,69,7a,65,00,67,70,73,76,63,00,68,66,33,30,73,\
      65,72,76,69,63,65,00,68,6b,6d,73,76,63,00,49,4b,45,45,58,54,00,4a,69,61,6f,\
      43,61,70,00,4c,61,6e,6d,61,6e,53,65,72,76,65,72,00,6c,6d,6f,75,66,6c,74,32,\
      00,6c,76,70,6f,70,66,6c,74,00,6d,63,6c,73,65,72,76,69,63,65,61,74,6c,00,4d,\
      4d,43,53,53,00,4d,53,69,53,43,53,49,00,6d,78,6e,69,63,00,6e,6c,73,76,63,00,\
      6e,73,63,73,65,72,76,69,63,65,00,6f,76,65,70,73,74,61,74,75,73,65,6e,67,69,\
      6e,65,00,70,61,6c,6d,75,73,62,64,00,50,44,45,78,63,68,61,6e,67,65,00,70,64,\
      72,65,6c,69,00,50,72,6f,66,53,76,63,00,70,72,6f,68,6c,70,30,32,00,52,61,73,\
      41,75,74,6f,00,52,61,73,4d,61,6e,00,72,65,67,64,65,66,65,6e,64,00,52,65,6d,\
      6f,74,65,41,63,63,65,73,73,00,72,6f,6c,6c,62,61,63,6b,63,6c,69,65,6e,74,73,\
      65,72,76,69,63,65,00,72,6f,78,6d,65,64,69,61,64,62,39,00,73,31,31,36,6d,67,\
      6d,74,00,73,62,63,73,73,76,63,00,73,63,61,6e,65,78,70,6c,69,63,69,74,00,53,\
      63,68,65,64,75,6c,65,00,53,43,50,6f,6c,69,63,79,53,76,63,00,53,45,32,43,62,\
      75,73,00,73,65,34,35,75,6e,69,63,00,73,65,63,6c,6f,67,6f,6e,00,53,45,4e,53,\
      00,53,65,73,73,69,6f,6e,45,6e,76,00,53,68,61,72,65,64,41,63,63,65,73,73,00,\
      53,68,65,6c,6c,48,57,44,65,74,65,63,74,69,6f,6e,00,73,70,75,70,64,73,76,63,\
      00,73,79,6d,61,6e,74,65,63,61,6e,74,69,62,6f,74,73,68,69,6d,00,54,68,65,6d,\
      65,73,00,54,49,43,61,6c,63,00,74,69,75,6d,66,77,6c,00,74,6f,6e,65,73,00,56,\
      4e,55,53,42,00,77,65,72,63,70,6c,73,75,70,70,6f,72,74,00,57,69,6e,6d,67,6d,\
      74,00,77,6d,63,63,64,73,00,77,6d,63,63,64,73,6c,73,00,57,6d,46,69,6c,74,65,\
      72,00,77,75,61,75,73,65,72,76,00,7a,70,63,6f,6c,6c,65,63,74,6f,72,00,41,75,\
      64,69,6f,53,72,76,00,46,61,73,74,55,73,65,72,53,77,69,74,63,68,69,6e,67,43,\
      6f,6d,70,61,74,69,62,69,6c,69,74,79,00,68,65,6c,70,73,76,63,00,49,61,73,00,\
      69,70,68,6c,70,73,76,63,00,49,72,6d,6f,6e,00,4c,6f,67,6f,6e,48,6f,75,72,73,\
      00,4e,6c,61,00,4e,74,6d,73,73,76,63,00,4e,57,43,57,6f,72,6b,73,74,61,74,69,\
      6f,6e,00,4e,77,73,61,70,61,67,65,6e,74,00,50,43,41,75,64,69,74,00,53,52,53,\
      65,72,76,69,63,65,00,54,61,70,69,73,72,76,00,54,65,72,6d,53,65,72,76,69,63,\
      65,00,75,70,6c,6f,61,64,6d,67,72,00,57,6d,64,6d,50,6d,53,70,00,57,6d,69,00,\
      00
  • Save this as fix.reg Choose to "Save type as - All Files"
  • Double click the fix.reg file on your desktop and confirm the prompts that you wish to make the changes.

Please include the following in your next post:
  • Let me know when you've completed these instructions

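The list.bat and fix.reg pair in the post above rebuild the svchost netsvcs group: list.bat pulls out every service whose ImagePath runs under "-k netsvcs", and fix.reg writes that list, plus the names the helper appends after it, back as a REG_MULTI_SZ in REGEDIT4 hex(7) form. The Python below is an added example, not the helper's tooling; it parses constructed "reg query" output (SAMPLE_REG_QUERY, made up for this example), merges the two lists, and encodes/decodes the hex(7) value so a generated fix.reg can be checked before it is applied.

```python
"""Rebuild an svchost service group (netsvcs) from 'reg query ... /s' output and
emit / verify the REGEDIT4 hex(7) encoding that fix.reg uses.  Added example;
the registry text below is constructed, not taken from the thread's logs."""
import re

# Names the helper's fix.reg appends after the list.bat output: group members
# that are not installed as services on this machine but belong in the value.
# Assumption: this is the reference set to merge in.
APPENDED_NETSVCS = [
    "AudioSrv", "FastUserSwitchingCompatibility", "helpsvc", "Ias",
    "iphlpsvc", "Irmon", "LogonHours", "Nla", "Ntmssvc", "NWCWorkstation",
    "Nwsapagent", "PCAudit", "SRService", "Tapisrv", "TermService",
    "uploadmgr", "WmdmPmSp", "Wmi",
]

# Constructed sample of 'reg query HKLM\SYSTEM\CurrentControlSet\Services /s':
# two services in the netsvcs group and one in a different svchost group.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS
    DisplayName    REG_SZ    Background Intelligent Transfer Service
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\System32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSDPSRV
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k LocalServiceAndNoImpersonation

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv
    ImagePath    REG_EXPAND_SZ    %systemroot%\system32\svchost.exe -k netsvcs
"""

# Direct children of the Services key only (no Parameters sub-keys).
KEY_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\\s]+)\s*$", re.I)
IMAGEPATH_RE = re.compile(r"^\s+ImagePath\s+REG_(?:EXPAND_)?SZ\s+(.*?)\s*$", re.I)


def services_in_group(reg_query_output, group="netsvcs"):
    """Service key names whose ImagePath ends in '-k <group>'; this is what the
    sed pipeline in list.bat extracts from the swreg output."""
    found, current = [], None
    tail = re.compile(r"-k\s+%s$" % re.escape(group), re.I)
    for line in reg_query_output.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = IMAGEPATH_RE.match(line)
        if m and current and tail.search(m.group(1)):
            found.append(current)
    return found


def missing_from_group(services_using_group, current_group):
    """Services configured for the group that the group value does not list.
    svchost will not start them, which is what ComboFix flags as
    'NETSVCS REQUIRES REPAIRS'."""
    have = {n.lower() for n in current_group}
    return [s for s in services_using_group if s.lower() not in have]


def repair_list(services_using_group, appended=APPENDED_NETSVCS):
    """Merge the installed group members (sorted, as list.bat prints them)
    with the appended names, case-insensitively and without duplicates."""
    seen, out = set(), []
    for name in sorted(services_using_group, key=str.lower) + list(appended):
        if name.lower() not in seen:
            seen.add(name.lower())
            out.append(name)
    return out


def encode_multi_sz(names):
    """REGEDIT4 'hex(7):' text for a REG_MULTI_SZ: one ANSI byte per character,
    a NUL after every string and one extra NUL at the end.  Long values are
    wrapped with a trailing backslash and a two-space indent, as regedit does."""
    raw = b"".join(n.encode("latin-1") + b"\x00" for n in names) + b"\x00"
    pairs = ["%02x" % b for b in raw]
    chunk = 25
    lines = [",".join(pairs[i:i + chunk]) for i in range(0, len(pairs), chunk)]
    return "hex(7):" + ",\\\n  ".join(lines)


def decode_multi_sz(hex7_text):
    """Inverse of encode_multi_sz; accepts the value text with continuation lines."""
    body = hex7_text.split("hex(7):", 1)[1]
    body = re.sub(r"[\\\s]", "", body)          # drop line continuations and blanks
    raw = bytes(int(p, 16) for p in body.split(",") if p)
    return [s.decode("latin-1") for s in raw.split(b"\x00") if s]


def build_fix_reg(names):
    """Complete .reg file body in the same shape as the helper's fix.reg."""
    return ("REGEDIT4\n\n"
            "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost]\n"
            '"netsvcs"=' + encode_multi_sz(names) + "\n")


if __name__ == "__main__":
    svcs = services_in_group(SAMPLE_REG_QUERY)
    print("missing from group:", missing_from_group(svcs, ["BITS"]))
    print(build_fix_reg(repair_list(svcs)))
```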


#8 Jason121
  • Topic Starter
  • Members
  • 14 posts

Posted 01 February 2012 - 11:09 PM

Hi!
I completed the fix.reg operation. It said the keys have been added to the registry.
Anything else?
Thanks!

#9 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts
  • Gender:Male

Posted 01 February 2012 - 11:17 PM

Please do this next:

Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the code box by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before or above DirLook::

DirLook::
c:\users\Jason\AppData\Local\ca017659

Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM
  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Uncheck any entries from C:\System Volume Information or C:\Qoobox
  • Make sure that everything else is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Please include the following in your next post:
  • ComboFix log
  • MBAM log



#10 Jason121
  • Topic Starter
  • Members
  • 14 posts

Posted 01 February 2012 - 11:29 PM

It says there is a newer version of ComboFix available.
Should I update Combofix or stay w/ the original version?
Thanks!

#11 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts
  • Gender:Male

Posted 01 February 2012 - 11:32 PM

Please allow it to update.



#12 Jason121
  • Topic Starter
  • Members
  • 14 posts

Posted 02 February 2012 - 01:18 AM

Hi!
Here's the combofix log (no reboot was required) -
##############################

ComboFix 12-02-01.01 - Jason 02/01/2012 20:38:07.2.4 - x86
Microsoft Windows 7 Starter 6.1.7600.0.1252.1.1033.18.1013.523 [GMT -8:00]
Running from: c:\users\Jason\Desktop\ComboFix.exe
Command switches used :: c:\users\Jason\Desktop\CFScript.txt
AV: Norton Internet Security Netbook Edition *Disabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
FW: Norton Internet Security Netbook Edition *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
SP: Norton Internet Security Netbook Edition *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-01-02 to 2012-02-02 )))))))))))))))))))))))))))))))
.
.
2012-02-02 04:50 . 2012-02-02 04:50 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-02 04:50 . 2012-02-02 04:50 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2012-02-01 15:47 . 2012-02-01 15:47 20719 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\DIVWRAPPER.JS
2012-02-01 15:47 . 2012-02-01 15:47 8782 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\BUTTON.JS
2012-01-28 16:03 . 2012-01-28 16:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-28 16:03 . 2011-12-10 23:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-28 05:30 . 2012-01-28 05:30 -------- d-----w- C:\TDSSKiller_Quarantine
2012-01-28 04:04 . 2012-01-28 15:58 74240 ----a-w- c:\windows\system32\drivers\tdx.sys
2012-01-28 02:46 . 2012-01-28 04:21 23624 ----a-w- c:\windows\system32\drivers\hitmanpro36.sys
2012-01-28 02:45 . 2012-01-28 02:45 -------- d-----w- c:\program files\HitmanPro
2012-01-28 02:45 . 2012-01-28 02:58 -------- d-----w- c:\programdata\HitmanPro
2012-01-28 02:14 . 2012-01-28 02:14 -------- d-----w- c:\users\Jason\AppData\Roaming\Malwarebytes
2012-01-28 02:14 . 2012-01-28 02:14 -------- d-----w- c:\programdata\Malwarebytes
2012-01-28 01:22 . 2012-01-28 01:38 -------- d-----w- c:\users\Jason\AppData\Local\NPE
2012-01-27 14:01 . 2012-01-27 14:01 -------- d-----w- c:\users\Jason\AppData\Local\Symantec
2012-01-21 16:35 . 2012-01-21 16:35 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-01-21 16:16 . 2012-02-01 15:04 0 --sha-w- c:\windows\system32\dds_log_trash.cmd
2012-01-21 16:15 . 2012-01-21 16:15 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-21 16:14 . 2012-01-27 03:10 -------- d-sh--w- c:\users\Jason\AppData\Local\ca017659
2012-01-18 03:55 . 2011-11-21 10:47 6823496 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{7A31954A-1174-4F33-9E15-74BA95BA65EF}\mpengine.dll
2012-01-12 13:45 . 2011-11-17 05:48 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-01-12 13:45 . 2011-11-17 05:48 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-01-12 13:45 . 2011-11-17 05:42 369352 ----a-w- c:\windows\system32\drivers\cng.sys
2012-01-12 13:45 . 2011-11-17 05:39 224768 ----a-w- c:\windows\system32\schannel.dll
2012-01-12 13:45 . 2011-11-17 05:38 1037312 ----a-w- c:\windows\system32\lsasrv.dll
2012-01-12 13:45 . 2011-11-17 05:39 314368 ----a-w- c:\windows\system32\webio.dll
2012-01-12 13:45 . 2011-11-17 05:39 99840 ----a-w- c:\windows\system32\sspicli.dll
2012-01-12 13:45 . 2011-11-17 05:39 15360 ----a-w- c:\windows\system32\sspisrv.dll
2012-01-12 13:45 . 2011-11-17 05:39 22016 ----a-w- c:\windows\system32\secur32.dll
2012-01-12 13:45 . 2011-11-17 05:36 22528 ----a-w- c:\windows\system32\lsass.exe
2012-01-12 03:26 . 2011-11-17 05:41 1288984 ----a-w- c:\windows\system32\ntdll.dll
2012-01-12 03:26 . 2011-11-19 14:06 67072 ----a-w- c:\windows\system32\packager.dll
2012-01-12 03:26 . 2011-10-26 04:28 1328640 ----a-w- c:\windows\system32\quartz.dll
2012-01-12 03:26 . 2011-10-26 04:28 514560 ----a-w- c:\windows\system32\qdvd.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-28 05:25 . 2011-06-15 23:38 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2011-11-24 04:23 . 2011-12-17 15:26 2340352 ----a-w- c:\windows\system32\win32k.sys
2011-11-15 22:29 . 2011-02-10 04:12 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-11-05 04:35 . 2011-12-17 15:26 981504 ----a-w- c:\windows\system32\wininet.dll
2011-11-05 04:34 . 2011-12-17 15:26 44544 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-05 04:30 . 2011-12-17 15:25 2048 ----a-w- c:\windows\system32\tzres.dll
2011-11-05 03:28 . 2011-12-17 15:26 386048 ----a-w- c:\windows\system32\html.iec
2011-11-05 02:55 . 2011-12-17 15:26 1638912 ----a-w- c:\windows\system32\mshtml.tlb
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\users\Jason\AppData\Local\ca017659 ----
.
2012-01-21 16:14 . 2012-01-21 16:14 2048 --sha-w- c:\users\Jason\AppData\Local\ca017659\@
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2010-08-04 9398888]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-05-21 1770792]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-25 460872]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2010-7-21 836896]
SRS Premium Sound.lnk - c:\windows\Installer\{E5CF6B9C-3ABE-43C9-9413-AD5FFC98F049}\NewShortcut4_E9C83B3EDF9141A39DA5EC05C79BBB91.exe [2010-9-14 156952]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 EraserUtilDrv11010;EraserUtilDrv11010;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11010.sys [x]
R3 EraserUtilDrvI13;EraserUtilDrvI13;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI13.sys [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776]
R3 Samsung UPD Service;Samsung UPD Service;c:\windows\System32\SUPDSvc.exe [2010-08-09 131888]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2008-05-06 11520]
S1 SABI;SAMSUNG Kernel Driver For Windows 7;c:\windows\system32\Drivers\SABI.sys [2009-05-28 10752]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 cvhsvc;Client Virtualization Handler;c:\program files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-10-20 821664]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-12-25 652872]
S2 sftlist;Application Virtualization Client;c:\program files\Microsoft Application Virtualization Client\sftlist.exe [2010-09-14 508264]
S3 btwampfl;Bluetooth AMP USB Filter;c:\windows\system32\drivers\btwampfl.sys [2010-07-13 297000]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2010-03-02 33320]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-10 20464]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [2010-09-14 577384]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [2010-09-14 194408]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2010-09-14 21864]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [2010-09-14 19304]
S3 sftvsa;Application Virtualization Service Agent;c:\program files\Microsoft Application Virtualization Client\sftvsa.exe [2010-09-14 219496]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2010-07-08 322336]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
abnetmon
adpu160m
Alpham1
apfiltrservice
AppnBase
ASDR
asuskbnt
BcmSqlStartupSvc
crystaloutputfileserver
CTEDSPIO.DLL
CTMFLT
CVirtA
dklogger
dladresm
DSI_SiUSBXp_3_1
F700iob
FET5X86V
foldersize
hf30service
JiaoCap
lmouflt2
lvpopflt
mclserviceatl
mxnic
nlsvc
nscservice
ovepstatusengine
palmusbd
PDExchange
pdreli
prohlp02
regdefend
rollbackclientservice
roxmediadb9
s116mgmt
sbcssvc
scanexplicit
SE2Cbus
se45unic
spupdsvc
symantecantibotshim
TICalc
tiumfwl
tones
VNUSB
wmccds
wmccdsls
WmFilter
zpcollector
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2712454429-1394185644-1912644009-1000Core.job
- c:\users\Jason\AppData\Local\Google\Update\GoogleUpdate.exe [2011-02-10 04:38]
.
2012-02-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2712454429-1394185644-1912644009-1000UA.job
- c:\users\Jason\AppData\Local\Google\Update\GoogleUpdate.exe [2011-02-10 04:38]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {{328ECD19-C167-40eb-A0C7-16FE7634105E} - {94BB0C4C-B957-479A-85E4-42F53B89F681} - c:\program files\Samsung AnyWeb Print\W2PBrowser.dll
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(5992)
c:\program files\WIDCOMM\Bluetooth Software\btmmhook.dll
.
Completion time: 2012-02-01 20:54:48
ComboFix-quarantined-files.txt 2012-02-02 04:54
ComboFix2.txt 2012-02-01 15:51
.
Pre-Run: 22,854,959,104 bytes free
Post-Run: 22,805,078,016 bytes free
.
- - End Of File - - 73A2D2B29369B141ADA0940449123C60
######################################################################

And here's the MBAM log (5 entries from C:\Qoobox were left unchecked. All other entries were left checked and removed). Reboot was required.
######################################################

Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.02.02

Windows 7 x86 NTFS
Internet Explorer 8.0.7600.16385
Jason :: JASON-PC [administrator]

Protection: Disabled

2/1/2012 9:02:31 PM
mbam-log-2012-02-01 (21-02-31).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 278509
Time elapsed: 1 hour(s), 6 minute(s), 26 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FoxTab PDF Converter (Adware.InstallCore) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 9
C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\ca017659\U\000000c0.@.vir (Trojan.Agent) -> No action taken.
C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\ca017659\U\000000cb.@.vir (Trojan.Agent) -> No action taken.
C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\ca017659\U\000000cf.@.vir (Trojan.Agent) -> No action taken.
C:\Qoobox\Quarantine\C\Windows\assembly\GAC_MSIL\desktop.ini.vir (Rootkit.0Access) -> No action taken.
C:\Qoobox\Quarantine\C\Windows\system32\WaveFDE.dll.vir (Rootkit.0Access) -> No action taken.
C:\Program Files\FoxTabPDFConverter\Uninstall\Uninstall.exe (Adware.InstallCore) -> Quarantined and deleted successfully.
c:\windows\assembly\gac_msil\ (Rootkit.0Access) -> Delete on reboot.
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\{E9C1E1AC-C9B2-4c85-94DE-9C1518918D02}.tlb (Rootkit.Zeroaccess) -> Quarantined and deleted successfully.
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\{E9C1E1AC-C9B2-4c85-94DE-9C1518918D02}.tlb (Rootkit.Zeroaccess) -> Quarantined and deleted successfully.

(end)
##########################################

Thanks!

#13 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts
  • Gender:Male

Posted 02 February 2012 - 06:46 PM

How is your computer running now? Please do this next:

Open an elevated command window:
  • Click Start and type cmd in Start Search.
  • When cmd.exe populates above, right click it and select Run as Administrator to open an elevated command prompt.
  • Copy the contents of the following code box then right click in the command window, select paste and press "Enter"

cmd /c rd "c:\users\Jason\AppData\Local\ca017659\@"
Please go here to run an online scan with ESET.
    • Turn off the real time scanner of any existing antivirus program while performing the online scan
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the activex control to install
    • Click Start
    • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
    • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats' , then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.
Please include the following in your next post:
  • How is the computer running now?
  • ESET log



#14 Jason121
  • Topic Starter
  • Members
  • 14 posts

Posted 02 February 2012 - 11:47 PM

Hi!
The computer doesn't seem to be redirecting search results anymore which is good news.
As for the latest results -
The cmd operation didn't work. 'The directory name is invalid' was the returned response after executing the rd command.
I ran ESET and it seemed to behave slightly differently than described (no 'Scan unwanted applications' option although all others existed and were properly configured). Either way, I ran the scan and it found 11 infected files. Below are those results -
######################################
C:\Qoobox\Quarantine\C\Program Files\StartNow Toolbar\StartNowToolbarUninstall.exe.vir Win32/Toolbar.Zugo application
C:\Qoobox\Quarantine\C\Program Files\StartNow Toolbar\ToOLbar32.dll.vir a variant of Win32/Toolbar.Zugo application
C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\ca017659\U\000000c0.@.vir Win32/Redirector.A trojan
C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\ca017659\U\000000cb.@.vir Win32/Redirector.A trojan
C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\ca017659\U\000000cf.@.vir Win32/Redirector.A trojan
C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\ca017659\U\80000000.@.vir Win32/Sirefef.DV trojan
C:\Qoobox\Quarantine\C\Users\Jason\AppData\Local\ca017659\U\800000cf.@.vir probably a variant of Win32/Sirefef.DV trojan
C:\Qoobox\Quarantine\C\Windows\assembly\GAC_MSIL\desktop.ini.vir a variant of Win32/Sirefef.EF trojan
C:\Qoobox\Quarantine\C\Windows\system32\Drivers\netbt.sys.vir Win32/Sirefef.DA trojan
C:\TDSSKiller_Quarantine\27.01.2012_21.29.43\rtkt0000\svc0000\tsk0000.dta Win32/Sirefef.DA trojan
C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.1.7600.16385_none_603b1e855897bcd6\netbt.sys Win32/Sirefef.DA trojan
#####################################

Next steps?
Thanks!

#15 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts
  • Gender:Male

Posted 03 February 2012 - 10:37 AM

Hi,

I made an error in that command, sorry! This will fix that and take care of that one ESET detection that isn't already in quarantine:

Open an elevated command window:
  • Click Start and type cmd in Start Search.
  • When cmd.exe populates above, right click it and select Run as Administrator to open an elevated command prompt.
  • Copy the contents of the following code box then right click in the command window, select paste and press "Enter"

    cmd /c rd /s /q "c:\users\Jason\AppData\Local\ca017659"
  • Repeat the above process with this command:

cmd /c del /a/f/q "C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.1.7600.16385_none_603b1e855897bcd6\netbt.sys"

Other than those, your logs look good! All I have left for you is an update and some very important cleanup:

Your Adobe Reader needs to be updated. Please visit Adobe's site and grab the newest version. Be sure to watch for and uncheck any boxes offering to install other software.

Uninstall ComboFix
  • Press the Windows key + R on your keyboard or click Start -> Run. Copy and paste the following text into the run box that opens and press OK:
    Combofix /Uninstall

Delete the following tools along with any other logs you saved from our work:
  • DDS
  • GMER
  • TDSSKiller
  • MiniToolBox
Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run.
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
  • Once it's finished it should automatically reboot your machine;
  • if it doesn't, manually reboot to ensure a complete clean.
Finally, I'd like to make a couple of suggestions to help you stay clean in the future:
  • Restart any anti-malware programs that we disabled while we were cleaning your machine.
  • Keep your antivirus application and MBAM current and updated. Scan with them at least weekly.
  • Please read this post for some helpful information.
Please post once more so I know you are all set and I can mark this thread resolved. Good luck and stay safe!


