
DDS won't run and net connection lost after trojan removal


This topic is locked
13 replies to this topic

#1 bilgerat

  • Members
  • 6 posts

Posted 07 February 2012 - 03:56 AM

Unfortunately my kids managed to get their win7 PC infected with Trojan(s). I have partially rectified the problem but it doesn’t seem to be completely clean and there are some other residual issues.

AVG was on the machine which detected the infection but wasn’t able to stop it or clean it up.

I installed and ran Malwarebytes in safe mode initially with the network disconnected, and then subsequently after a normal boot with the network connected. After this there was a subsequent reinfection. They had some P2P app installed and I uninstalled that.

I ran Malwarebytes again and subsequent scans have not picked anything up. The machine lost its proxy settings through this process so there is no internet connection. I have gone into network settings and made sure it gets the IP and DNS server addresses automatically, but still no joy.

As the PC is not on the net anymore I downloaded DDS on another machine and burnt a CD. Unfortunately, when I tried to run DDS off the CD it wouldn’t, and I couldn’t copy it to the desktop from the CD or a USB either. Not sure why.

I am seriously considering backing up the data on this machine and doing a complete reinstall of Windows. Any advice would be appreciated.

Just to add, Malwarebytes ID'd the infection as the ZeroAccess rootkit.

Edited by bilgerat, 07 February 2012 - 04:00 AM.




#2 bilgerat

  • Topic Starter
  • Members
  • 6 posts

Posted 07 February 2012 - 05:57 AM

Got DDS to run after booting in safe mode; log below and attached.

.
DDS (Ver_2011-08-26.01) - NTFSx86 MINIMAL
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_24
Run by Simon at 18:14:51 on 2012-02-07
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.61.1033.18.2046.1370 [GMT 8:00]
.
AV: AVG Anti-Virus Free *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\ctfmon.exe
C:\Windows\helppane.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [ATICustomerCare] "c:\program files\ati\aticustomercare\ATICustomerCare.exe"
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [BrStsWnd] c:\program files\brownie\BrstsWnd.exe Autorun
mRun: [Brdefprn] c:\program files\brother\brhl2150\Brdefprn.exe -d
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [COMODO] c:\program files\comodo\comodo geekbuddy\CLPSLA.exe
mRun: [CPA] c:\program files\comodo\comodo geekbuddy\VALA.exe
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=OQBBAFYARgBSAEUARQAtAFYATgBKADMAMgAtAEcAMwBMAEEAQQAtAEEANAA4ADkAUgAtADkAVQBKAEsARgAtAEUASwBLADMAWAA"&"inst=NwA3AC0AMwA4ADQANQA5ADkAMAAxADAALQBUAEIAOQArADIALQBGAEwAKwA5AC0AWABPADMANgArADEALQBGADkATQAxADAAQQArADEALQBYAE8AOQArADEALQBGADkATQAyACsAMQAtAEQARABUACsAMQAzADEAOAAzAC0ARABEADkAMABGACsAMQAtAFMAVAA5ADAARgBBAFAAUAArADEALQBGADkAMABNADEAMgBEAFQAKwAxAC0AVABCAE4AKwAxAC0AVQA5ADUAKwAxAC0ARgBVAEkAKwAyAA"&"prod=90"&"ver=9.0.894
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} - hxxp://support.asus.com/common/asusTek_sys_ctrl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{A1DF0D1C-2C0B-44F2-9BD1-A8E66A0A53E3} : DhcpNameServer = 192.168.1.254
AppInit_DLLs: c:\windows\system32\guard32.dll
.
================= FIREFOX ===================
.
FF - ProfilePath -
.
============= SERVICES / DRIVERS ===============
.
R1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\drivers\cmderd.sys [2011-12-19 19600]
R2 CLPSLS;COMODO livePCsupport Service;c:\program files\comodo\comodo geekbuddy\CLPSLS.exe [2011-11-23 1052472]
R3 WacomVTHid;Virtual Touch Driver;c:\windows\system32\drivers\WacomVTHid.sys [2010-8-13 13480]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2012-1-17 491816]
S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2011-12-19 39640]
S2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\adobe\photoshop elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 169312]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-8-18 176128]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-2-15 136176]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-1-23 652872]
S2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2010-8-13 4497704]
S2 WTouchService;WTouch Service;c:\program files\wtouch\WTouchService.exe [2010-8-13 113448]
S3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atikmdag.sys [2010-8-4 6096384]
S3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2010-8-4 214016]
S3 androidusb;ADB Interface Driver;c:\windows\system32\drivers\androidusb.sys [2009-6-11 25728]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW73.sys [2010-7-15 101904]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-2-15 136176]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-1-23 20464]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-6-11 139776]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2010-8-13 16168]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-8-14 1343400]
.
=============== Created Last 30 ================
.
2012-02-05 08:39:06 -------- d-----w- c:\users\simon.fox-pc\appdata\roaming\Malwarebytes
2012-02-05 07:47:02 -------- d-----w- c:\users\simon.fox-pc\appdata\local\ATI
2012-01-26 06:01:23 -------- d--h--w- C:\VritualRoot
2012-01-26 05:36:32 -------- d-----w- c:\programdata\CPA_VA
2012-01-26 04:27:31 1474832 ----a-w- c:\windows\system32\drivers\sfi.dat
2012-01-26 04:26:19 -------- d-----w- c:\programdata\Comodo
2012-01-26 04:26:11 -------- d-----w- c:\program files\Comodo
2012-01-26 04:26:10 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2012-01-23 13:34:49 -------- d-----w- c:\programdata\Malwarebytes
2012-01-23 13:34:48 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-23 13:34:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-17 13:00:42 491816 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2012-01-17 02:13:24 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-01-17 02:03:22 0 --sha-w- c:\windows\system32\dds_log_trash.cmd
2012-01-13 07:27:55 99840 ----a-w- c:\windows\system32\sspicli.dll
2012-01-13 07:27:55 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-01-13 07:27:55 369352 ----a-w- c:\windows\system32\drivers\cng.sys
2012-01-13 07:27:55 314368 ----a-w- c:\windows\system32\webio.dll
2012-01-13 07:27:55 22528 ----a-w- c:\windows\system32\lsass.exe
2012-01-13 07:27:55 224768 ----a-w- c:\windows\system32\schannel.dll
2012-01-13 07:27:55 22016 ----a-w- c:\windows\system32\secur32.dll
2012-01-13 07:27:55 15360 ----a-w- c:\windows\system32\sspisrv.dll
2012-01-13 07:27:55 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-01-13 07:27:55 1037312 ----a-w- c:\windows\system32\lsasrv.dll
2012-01-11 01:25:21 1288984 ----a-w- c:\windows\system32\ntdll.dll
2012-01-11 01:25:16 67072 ----a-w- c:\windows\system32\packager.dll
2012-01-11 01:25:10 514560 ----a-w- c:\windows\system32\qdvd.dll
2012-01-11 01:25:10 1328640 ----a-w- c:\windows\system32\quartz.dll
.
==================== Find3M ====================
.
2011-12-19 10:59:14 39640 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2011-12-19 10:59:12 19600 ----a-w- c:\windows\system32\drivers\cmderd.sys
2011-12-19 10:58:58 33984 ----a-w- c:\windows\system32\cmdcsr.dll
2011-12-19 10:58:56 301224 ----a-w- c:\windows\system32\guard32.dll
2011-12-13 15:23:11 25728 ----a-w- c:\windows\system32\drivers\androidusb.sys
2011-12-13 15:23:11 1419232 ----a-w- c:\windows\system32\wdfcoinstaller01005.dll
2011-11-24 04:23:31 2340352 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 18:15:41.19 ===============


Edited by bilgerat, 07 February 2012 - 08:50 AM.


#3 jntkwx

  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.

Posted 07 February 2012 - 09:45 PM

Hi bilgerat,

I will be handling your logs to help you get cleaned up. Please give me some time to look them over and I will get back to you as soon as possible. Thanks in advance for your patience.
Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation.


#4 jntkwx

  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.

Posted 08 February 2012 - 08:59 AM

bilgerat,

One or more of the identified infections is a backdoor trojan and password stealer.

This type of infection allows hackers to access and remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.
If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, then from a clean computer, change all passwords where applicable.
It would also be wise to contact those same financial institutions to apprise them of your situation.


I highly suggest you take a look at the two links provided below:
1. How Do I Handle Possible Identity Theft, Internet Fraud, and CC Fraud?
2. When should I re-format? How should I reinstall?

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


Step 1: Please post the latest Malwarebytes log in your next reply (found under the Logs tab).

Step 2: Download and run ComboFix
You can download ComboFix from one of these links. If you still cannot access the Internet, download ComboFix to a flash drive or CD on a clean computer, and copy it to the desktop of your infected computer.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. If you do not know how to do this you can find out here or here.
3. Double-click on combofix.exe and follow the prompts.

Important:
  • Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
  • If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

Step 3: Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run from.
  • Please copy and paste the log into your reply.

In your next reply, please include:
  • Latest Malwarebytes log
  • ComboFix log
  • FSS log
  • How is your computer running now? Please be as descriptive as possible. Include any word-for-word error messages that you may have, and/or screenshots of strange behavior.

Regards,
Jason

 

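The FSS.txt report from step 3 is plain text, and the thing to read out of it is whether the services behind the TCP/IP stack are merely stopped or have also had their configuration altered. The Python below is an added example (not part of this thread and not Farbar's tool) that parses a report in the layout FSS prints; the sample log is constructed in that layout, and treating any configuration line that does not continue with "is OK" as a failed check is an assumption.

```python
"""Summarise a Farbar Service Scanner (FSS.txt) report.
Added example: not part of the original thread and not Farbar's code. Assumed
layout, as FSS prints it: a section title ("Internet Services:") directly above
an '=' underline; each service gets "<name> Service is not running. Checking
service configuration:" then "The <check> of <name> service is OK." lines. A
check line that does not continue with "is OK" is assumed to be a failure.
"""
import re
from dataclasses import dataclass, field

SECTION_UNDERLINE = re.compile(r"^=+$")
STATE_RE = re.compile(r"^(?P<svc>\S+) Service is (?P<state>not running|running)\.")
CHECK_RE = re.compile(r"^The (?P<check>start type|ImagePath|ServiceDll) of (?P<svc>\S+) service (?P<rest>.*)$")
# Services FSS lists under "Internet Services": with any of them stopped the
# host has no usable TCP/IP stack, which is the "no internet" symptom above.
CORE_NET_SERVICES = ("afd", "tdx", "nsi", "nsiproxy", "dhcp", "dnscache")


@dataclass
class ServiceStatus:
    name: str
    section: str
    running: bool
    failed_checks: list[str] = field(default_factory=list)


def parse_fss(text: str) -> dict[str, ServiceStatus]:
    """Return {service name: ServiceStatus} for every service the report mentions."""
    lines = [ln.strip() for ln in text.splitlines()]
    services: dict[str, ServiceStatus] = {}
    section = ""
    for i, line in enumerate(lines):
        # A section title is the line immediately above a '====' underline.
        if i + 1 < len(lines) and SECTION_UNDERLINE.match(lines[i + 1]):
            section = line.rstrip(":")
            continue
        m = STATE_RE.match(line)
        if m:
            services[m["svc"]] = ServiceStatus(m["svc"], section, m["state"] == "running")
            continue
        m = CHECK_RE.match(line)
        if m and m["svc"] in services and not m["rest"].startswith("is OK"):
            services[m["svc"]].failed_checks.append(f'{m["check"]}: {m["rest"]}')
    return services


def stopped_by_section(services: dict[str, ServiceStatus]) -> dict[str, list[str]]:
    """Group stopped services by FSS section so a disabled stack stands out."""
    out: dict[str, list[str]] = {}
    for s in services.values():
        if not s.running:
            out.setdefault(s.section, []).append(s.name)
    return out


def network_stack_down(services: dict[str, ServiceStatus]) -> bool:
    """True when any core TCP/IP service is stopped (a dead network connection)."""
    return any(s.name.lower() in CORE_NET_SERVICES and not s.running for s in services.values())


# Constructed sample in the FSS layout; the failing wuauserv ServiceDll line is
# made up to exercise the failed-check path and is not from a real report.
SAMPLE_FSS = """\
Farbar Service Scanner Version: 12-02-2012
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

afd Service is not running. Checking service configuration:
The start type of afd service is OK.
The ImagePath of afd service is OK.

Connection Status:
==============
Localhost is blocked.
There is no connection to network.

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ServiceDll of wuauserv service is not OK.
"""

if __name__ == "__main__":
    parsed = parse_fss(SAMPLE_FSS)
    for sec, names in stopped_by_section(parsed).items():
        print(f"{sec}: stopped -> {', '.join(names)}")
    for s in parsed.values():
        for fc in s.failed_checks:
            print(f"{s.name}: failed check ({fc})")
    if network_stack_down(parsed):
        print("Core TCP/IP services are stopped; no connectivity until they are restored.")
```

A report where every stopped service still passes its configuration checks, as in this thread, points at the services simply being stopped or their driver file removed rather than at a rewritten ImagePath or ServiceDll.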


#5 jntkwx

  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.

Posted 11 February 2012 - 09:54 AM

Hi bilgerat,

It has been 3 days since my last post. Do you still need help?
Regards,
Jason

 



#6 bilgerat

  • Topic Starter
  • Members
  • 6 posts

Posted 11 February 2012 - 10:39 PM

Sorry, I read your original post before you edited it.

Didn't realise you had, as the notification only occurs for new posts, not for edits.

I will run your suggestions and get back today.

Otherwise no problem with the keylogger, as the machine is only the kids' one and I use a Linux machine.

#7 bilgerat

  • Topic Starter
  • Members
  • 6 posts

Posted 13 February 2012 - 06:02 AM

I've posted the logs requested below.
I notice ComboFix reports AVG is still installed even though I did run the uninstall utility; not sure why that didn't get rid of it.
Also FSS wouldn't run in normal mode and I had to boot in safe mode to run it.

Malwarebytes Anti-Malware (Trial) 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.25.06

Windows 7 x86 NTFS
Internet Explorer 9.0.8112.16421
Fox :: FOX-PC [administrator]

Protection: Enabled

12/02/2012 3:16:41 PM
mbam-log-2012-02-12 (15-16-41).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 333540
Time elapsed: 31 minute(s), 9 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

ComboFix 12-02-11.03 - Fox 13/02/2012 7:10.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.61.1033.18.2046.1458 [GMT 8:00]
Running from: c:\users\Fox\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB53947$
c:\windows\$NtUninstallKB53947$\335529508
c:\windows\$NtUninstallKB53947$\494284850\@
c:\windows\$NtUninstallKB53947$\494284850\L\fhlyzicf
c:\windows\system32\dds_log_trash.cmd
.
c:\windows\system32\drivers\afd.sys was missing
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.21712_none_da774a9ad5cea29e\afd.sys
.
.
((((((((((((((((((((((((( Files Created from 2012-01-12 to 2012-02-12 )))))))))))))))))))))))))))))))
.
.
2012-02-05 07:46 . 2012-02-05 07:46 -------- d-----w- c:\users\Simon.Fox-PC
2012-01-26 06:01 . 2012-01-26 06:01 -------- d-----w- C:\VritualRoot
2012-01-26 05:36 . 2012-01-26 06:23 -------- d-----w- c:\users\Fox\AppData\Local\COMODO
2012-01-26 05:36 . 2012-01-26 05:36 -------- d-----w- c:\programdata\CPA_VA
2012-01-26 04:27 . 2012-02-05 08:27 1474832 ----a-w- c:\windows\system32\drivers\sfi.dat
2012-01-26 04:26 . 2012-01-26 04:27 -------- d-----w- c:\programdata\Comodo
2012-01-26 04:26 . 2012-01-26 04:26 -------- d-----w- c:\program files\Comodo
2012-01-26 04:26 . 2012-01-26 04:26 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2012-01-23 13:35 . 2012-01-23 13:35 -------- d-----w- c:\users\Fox\AppData\Roaming\Malwarebytes
2012-01-23 13:34 . 2012-01-23 13:34 -------- d-----w- c:\programdata\Malwarebytes
2012-01-23 13:34 . 2012-01-23 13:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-23 13:34 . 2011-12-10 07:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-17 13:00 . 2012-01-17 13:00 491816 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2012-01-17 02:13 . 2012-01-17 02:13 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-01-17 02:02 . 2012-01-17 12:39 -------- d-sh--w- c:\users\Fox\AppData\Local\1d763032
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-19 10:59 . 2011-12-19 10:59 82400 ----a-w- c:\windows\system32\drivers\inspect.sys
2011-12-19 10:59 . 2011-12-19 10:59 39640 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2011-12-19 10:59 . 2011-12-19 10:59 19600 ----a-w- c:\windows\system32\drivers\cmderd.sys
2011-12-19 10:58 . 2011-12-19 10:58 33984 ----a-w- c:\windows\system32\cmdcsr.dll
2011-12-19 10:58 . 2011-12-19 10:58 301224 ----a-w- c:\windows\system32\guard32.dll
2011-12-13 15:23 . 2009-06-10 19:19 25728 ----a-w- c:\windows\system32\drivers\androidusb.sys
2011-12-13 15:23 . 2009-06-10 19:19 1419232 ----a-w- c:\windows\system32\wdfcoinstaller01005.dll
2011-11-24 04:23 . 2011-12-14 01:53 2340352 ----a-w- c:\windows\system32\win32k.sys
2011-11-19 14:06 . 2012-01-11 01:25 67072 ----a-w- c:\windows\system32\packager.dll
2011-11-17 05:48 . 2012-01-13 07:27 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2011-11-17 05:48 . 2012-01-13 07:27 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2011-11-17 05:42 . 2012-01-13 07:27 369352 ----a-w- c:\windows\system32\drivers\cng.sys
2011-11-17 05:41 . 2012-01-11 01:25 1288984 ----a-w- c:\windows\system32\ntdll.dll
2011-11-17 05:39 . 2012-01-13 07:27 314368 ----a-w- c:\windows\system32\webio.dll
2011-11-17 05:39 . 2012-01-13 07:27 99840 ----a-w- c:\windows\system32\sspicli.dll
2011-11-17 05:39 . 2012-01-13 07:27 15360 ----a-w- c:\windows\system32\sspisrv.dll
2011-11-17 05:39 . 2012-01-13 07:27 224768 ----a-w- c:\windows\system32\schannel.dll
2011-11-17 05:39 . 2012-01-13 07:27 22016 ----a-w- c:\windows\system32\secur32.dll
2011-11-17 05:38 . 2012-01-13 07:27 1037312 ----a-w- c:\windows\system32\lsasrv.dll
2011-11-17 05:36 . 2012-01-13 07:27 22528 ----a-w- c:\windows\system32\lsass.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-08-03 98304]
"ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-03-04 311296]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2010-07-28 9398888]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"BrStsWnd"="c:\program files\Brownie\BrstsWnd.exe" [2009-08-19 3618104]
"Brdefprn"="c:\program files\Brother\BRHL2150\Brdefprn.exe" [2009-07-08 45056]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-26 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-10-09 421736]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]
"COMODO"="c:\program files\COMODO\COMODO GeekBuddy\CLPSLA.exe" [2011-11-23 208184]
"CPA"="c:\program files\COMODO\COMODO GeekBuddy\VALA.exe" [2011-11-23 182584]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-12-20 6676808]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=OQBBAFYARgBSAEUARQAtAFYATgBKADMAMgAtAEcAMwBMAEEAQQAtAEEANAA4ADkAUgAtADkAVQBKAEsARgAtAEUASwBLADMAWAA&inst=NwA3AC0AMwA4ADQANQA5ADkAMAAxADAALQBUAEIAOQArADIALQBGAEwAKwA5AC0AWABPADMANgArADEALQBGADkATQAxADAAQQArADEALQBYAE8AOQArADEALQBGADkATQAyACsAMQAtAEQARABUACsAMQAzADEAOAAzAC0ARABEADkAMABGACsAMQAtAFMAVAA5ADAARgBBAFAAUAArADEALQBGADkAMABNADEAMgBEAFQAKwAxAC0AVABCAE4AKwAxAC0AVQA5ADUAKwAxAC0ARgBVAEkAKwAyAA&prod=90&ver=9.0.894" [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\guard32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CLPSLS]
@="Service"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-02-15 136176]
R3 androidusb;ADB Interface Driver;c:\windows\system32\Drivers\androidusb.sys [2011-12-13 25728]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-02-15 136176]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\DRIVERS\wacmoumonitor.sys [2009-08-27 16168]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-08-14 1343400]
S1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\DRIVERS\cmderd.sys [2011-12-19 19600]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2012-01-17 491816]
S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2011-12-19 39640]
S2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [2008-09-16 169312]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-08-03 176128]
S2 CLPSLS;COMODO livePCsupport Service;c:\program files\COMODO\COMODO GeekBuddy\CLPSLS.exe [2011-11-23 1052472]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-12-24 652872]
S2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2009-11-24 4497704]
S2 WTouchService;WTouch Service;c:\program files\WTouch\WTouchService.exe [2009-11-24 113448]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2010-08-03 6096384]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-08-03 214016]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW73.sys [2010-07-15 101904]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-10 20464]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776]
S3 WacomVTHid;Virtual Touch Driver;c:\windows\system32\DRIVERS\WacomVTHid.sys [2009-07-09 13480]
.
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
dsncservice
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-15 11:04]
.
2012-01-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-15 11:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\users\Fox\AppData\Roaming\Mozilla\Firefox\Profiles\e077tt52.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-GB.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - prefs.js: network.proxy.type - 4
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: 20-20 3D Viewer: 2020Player@2020Technologies.com - %profile%\extensions\2020Player@2020Technologies.com
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-LlJwTeDMeFPCEj.exe - c:\programdata\LlJwTeDMeFPCEj.exe
AddRemove-_{53A908D4-99C6-469B-BC13-F4189F260742} - c:\program files\Corel\Corel Painter Essentials 4\MSILauncher {53A908D4-99C6-469B-BC13-F4189F260742}
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\.avgtdix]
"ImagePath"="\?"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1056450633-1399538485-2762710705-1000\Software\SecuROM\License information*]
"datasecu"=hex:e4,9e,dd,25,5b,3a,07,77,ec,9b,b7,83,fd,d9,c1,2d,cf,d0,e2,95,66,
67,d8,37,32,cb,44,68,2f,9b,7b,bc,06,71,38,d6,86,3b,ed,1d,8d,66,c8,23,41,ed,\
"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(604)
c:\windows\system32\guard32.dll
.
- - - - - - - > 'Explorer.exe'(2144)
c:\windows\system32\guard32.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\COMODO\COMODO Internet Security\cmdagent.exe
c:\windows\system32\atieclxx.exe
c:\windows\SYSTEM32\WISPTIS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\programdata\EPSON\EPW!3 SSRP\E_S40RP7.EXE
c:\windows\system32\WUDFHost.exe
c:\windows\SYSTEM32\WISPTIS.EXE
c:\program files\Common Files\microsoft shared\ink\TabTip.exe
c:\program files\WTouch\WTouchUser.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\WTablet\Pen_TabletUser.exe
c:\windows\system32\conhost.exe
c:\windows\system32\sppsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\taskhost.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
c:\program files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
.
**************************************************************************
.
Completion time: 2012-02-13 07:21:33 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-12 23:21
.
Pre-Run: 434,897,604,608 bytes free
Post-Run: 436,722,851,840 bytes free
.
- - End Of File - - EBBC33495F3E4405728362E1AE348164

Farbar Service Scanner Version: 12-02-2012
Ran by Fox (administrator) on 13-02-2012 at 18:47:50
Running from "C:\Users\Fox\Desktop"
Microsoft Windows 7 Ultimate (X86)
Boot Mode: Minimal
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

Nsi Service is not running. Checking service configuration:
The start type of Nsi service is OK.
The ImagePath of Nsi service is OK.
The ServiceDll of Nsi service is OK.

nsiproxy Service is not running. Checking service configuration:
The start type of nsiproxy service is OK.
The ImagePath of nsiproxy service is OK.

tdx Service is not running. Checking service configuration:
The start type of tdx service is OK.
The ImagePath of tdx service is OK.

afd Service is not running. Checking service configuration:
The start type of afd service is OK.
The ImagePath of afd service is OK.


Connection Status:
==============
Localhost is blocked.
There is no connection to network.
Attempt to access Google IP returned error: Other errors
Attempt to access Yahoo IP returend error: Other errors


Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.

MpsSvc Service is not running. Checking service configuration:
The start type of MpsSvc service is OK.
The ImagePath of MpsSvc service is OK.
The ServiceDll of MpsSvc service is OK.

bfe Service is not running. Checking service configuration:
The start type of bfe service is OK.
The ImagePath of bfe service is OK.
The ServiceDll of bfe service is OK.


Firewall Disabled Policy:
==================


System Restore:
============
SDRSVC Service is not running. Checking service configuration:
The start type of SDRSVC service is OK.
The ImagePath of SDRSVC service is OK.
The ServiceDll of SDRSVC service is OK.

VSS Service is not running. Checking service configuration:
The start type of VSS service is OK.
The ImagePath of VSS service is OK.


System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.

BITS Service is not running. Checking service configuration:
The start type of BITS service is OK.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.

EventSystem Service is not running. Checking service configuration:
The start type of EventSystem service is OK.
The ImagePath of EventSystem service is OK.
The ServiceDll of EventSystem service is OK.


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys
[2012-02-13 07:15] - [2011-04-25 11:24] - 0338944 ____A (Microsoft Corporation) C427F91A748CD342A2B3F9278D9FD6A5

C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys
[2011-11-09 12:17] - [2011-09-29 23:43] - 1285488 ____A (Microsoft Corporation) 56C198AC82EFA622DD93E9E43575F79C

C:\Windows\system32\dnsrslvr.dll
[2011-04-15 16:34] - [2011-03-03 13:29] - 0132608 ____A (Microsoft Corporation) B15BE77A2BACF9C3177D27518AFE26A9

C:\Windows\system32\mpssvc.dll
[2009-07-14 07:53] - [2009-07-14 09:15] - 0565760 ____A (Microsoft Corporation) 5CD996CECF45CBC3E8D109C86B82D69E

C:\Windows\system32\bfe.dll
[2009-07-14 07:54] - [2009-07-14 09:14] - 0493568 ____A (Microsoft Corporation) 85AC71C045CEB054ED48A7841AAE0C11

C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll
[2009-07-14 07:23] - [2009-07-14 09:16] - 0125952 ____A (Microsoft Corporation) 5FD90ABDBFAEE85986802622CBB03446

C:\Windows\system32\vssvc.exe
[2009-07-14 07:24] - [2009-07-14 09:14] - 1025536 ____A (Microsoft Corporation) 7EA2BCD94D9CFAF4C556F5CC94532A6C

C:\Windows\system32\wscsvc.dll
[2011-02-09 16:18] - [2010-12-21 13:38] - 0073728 ____A (Microsoft Corporation) A661A76333057B383A06E65F0073222F

C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll
[2009-07-14 08:15] - [2009-07-14 09:16] - 1912832 ____A (Microsoft Corporation) A33408CC036F9C08142B11BE5E93F0A1

C:\Windows\system32\qmgr.dll
[2009-07-14 07:30] - [2009-07-14 09:16] - 0589312 ____A (Microsoft Corporation) 53F476476F55A27F580661BDE09C4EC4

C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****
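The Farbar Service Scanner output above reports every networking, firewall and update service as "not running" while every start type, ImagePath and ServiceDll is "OK". Two things matter when reading it: the scan was taken with Boot Mode: Minimal, where most of those services are not started by design, so the configuration lines carry the information, not the running state; and "MD5 is legit" for the files means the binary matches a known-good hash, which is the check that catches a patched afd.sys or tcpip.sys. The PowerShell below is an added example written for this edit, not part of the thread and not Farbar Service Scanner's own code. It re-does the same checks on a live system: start type, ImagePath, ServiceDll, whether each binary exists, its SHA-256 (to compare against a known-good machine of the same patch level), and Svchost netsvcs entries with no matching service key. It assumes an elevated PowerShell 4 or later prompt (for Get-FileHash); the expected Start values are this example's assumption of the Windows 7 defaults and should be confirmed against a clean machine.

```powershell
# Added example written for this edit; it is not part of the thread and not Farbar
# Service Scanner code. Re-does the FSS checks above on a live Windows 7+ system:
# start type, ImagePath, ServiceDll, file presence and SHA-256 of each service binary,
# plus Svchost netsvcs entries without a service key. Assumes an elevated PowerShell 4+
# prompt (Get-FileHash).

# Expected Start values: 1 = system driver, 2 = Automatic, 3 = Manual. These are the
# Windows 7 defaults as assumed by this example; confirm them on a known-good machine.
$Expected = [ordered]@{
    Dnscache = 2; Dhcp = 2; nsi = 2; nsiproxy = 1; tdx = 1; afd = 1
    mpsdrv = 3; MpsSvc = 2; bfe = 2
    SDRSVC = 3; VSS = 3; wscsvc = 2
    wuauserv = 2; BITS = 2; EventSystem = 2
}

# "Service is not running" means little in Safe Mode (the FSS log above was taken with
# Boot Mode: Minimal). OptionValue is 1 for Minimal, 2 for Networking; absent on a normal boot.
$safeBoot = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Option' -ErrorAction SilentlyContinue).OptionValue
if ($safeBoot) {
    Write-Warning "Safe Mode boot (OptionValue=$safeBoot): judge configuration, not running state."
}

function Resolve-ServicePath([string]$raw) {
    # Normalise the forms found in ImagePath/ServiceDll: quotes, svchost "-k group"
    # arguments, %SystemRoot%, \SystemRoot\, \??\ and bare system32\... relative paths.
    if (-not $raw) { return $null }
    $p = (($raw -replace '"', '') -split '\s+-k\s+')[0].Trim()
    $p = [Environment]::ExpandEnvironmentVariables($p)
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path -Path $env:SystemRoot -ChildPath $p }
    return $p
}

$report = foreach ($name in $Expected.Keys) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    $cfg = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $cfg) {
        [pscustomobject]@{ Service = $name; Finding = 'service key missing' }
        continue
    }
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue     # $null for kernel drivers
    $status = if ($svc) { [string]$svc.Status } else { 'n/a (driver)' }
    $startFinding = if ($cfg.Start -ne $Expected[$name]) { "Start=$($cfg.Start), expected $($Expected[$name])" } else { '' }

    # ImagePath first, then the ServiceDll for svchost-hosted services.
    $files = @(Resolve-ServicePath $cfg.ImagePath)
    $dll = (Get-ItemProperty -Path "$key\Parameters" -ErrorAction SilentlyContinue).ServiceDll
    if ($dll) { $files += Resolve-ServicePath $dll }

    foreach ($f in $files) {
        $exists = Test-Path -LiteralPath $f
        $hash = if ($exists) { (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash } else { $null }
        $finding = if (-not $exists) { 'binary missing' } else { $startFinding }
        [pscustomobject]@{
            Service = $name
            Status  = $status
            File    = $f
            Exists  = $exists
            SHA256  = $hash
            Finding = $finding
        }
    }
}
$report | Format-Table -AutoSize

# Names in the Svchost netsvcs list that have no service key. A stock Windows 7 install
# carries several such leftovers, so compare the output with a known-good machine rather
# than treating every hit as malicious.
$netsvcs = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost').netsvcs
$netsvcs | Where-Object { -not (Test-Path -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$_") } |
    ForEach-Object { "netsvcs entry without a service key: $_" }
```

Save it as a .ps1 and run it from an elevated prompt on both the suspect machine and a clean one at the same patch level; a hash that differs for afd.sys, tcpip.sys or a ServiceDll is the finding worth chasing, while a long list of "not running" in Safe Mode is not.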

#8 jntkwx

  • Malware Response Team

Posted 13 February 2012 - 01:12 PM

bilgerat,

:step1: Please open notepad and copy/paste the text in the quotebox below into it:

DirLook::
c:\windows\system32\%APPDATA%
c:\users\Fox\AppData\Local\1d763032

SecCenter::
{5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
{E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}

Save this as CFScript.txt


[screenshot: CFScript.txt being dragged onto ComboFix.exe]


Referring to the picture above, drag CFScript.txt into ComboFix.exe

If asked to update Combofix, please do so.

When finished, it shall produce a log for you. Post that log in your next reply.

:step2: We need to run an OTL Custom Fix.

  • Please download OTL from the following mirror and save it to your desktop:

    This is THE Mirror
  • Double click on the OTL icon on your desktop.
  • Copy and Paste all of the following code into the Custom Scans/Fixes textbox.
    netsvcs
  • Push the NONE button.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized

Regards,
Jason


Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation.


#9 bilgerat

  • Topic Starter

Posted 15 February 2012 - 10:04 AM

Hi Jason, thanks for the help. ComboFix ran OK in standard mode, but I had to run OTL in Safe Mode. Also, OTL only generated an OTL.txt log; there was no Extra.txt log. I am confident I followed your instructions exactly.

ComboFix 12-02-11.03 - Fox 15/02/2012 22:40:44.2.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.61.1033.18.2046.1358 [GMT 8:00]
Running from: c:\users\Fox\Desktop\ComboFix.exe
Command switches used :: D:\CFScript.txt
AV: COMODO Antivirus *Disabled/Outdated* {7554F4C5-5EC0-2FC6-8192-8DF831DBED51}
FW: COMODO Firewall *Enabled* {4D6F75E0-14AF-2E9E-AACD-24CDCF08AA2A}
SP: COMODO Defense+ *Disabled/Updated* {CE351521-78FA-2048-BB22-B68A4A5CA7EC}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2012-01-15 to 2012-02-15 )))))))))))))))))))))))))))))))
.
.
2012-02-15 14:44 . 2012-02-15 14:44 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-12 23:15 . 2012-02-15 14:44 -------- d-----w- c:\users\Fox\AppData\Local\temp
2012-02-12 23:15 . 2011-04-25 03:24 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2012-02-05 07:46 . 2012-02-05 07:46 -------- d-----w- c:\users\Simon.Fox-PC
2012-01-26 06:01 . 2012-01-26 06:01 -------- d-----w- C:\VritualRoot
2012-01-26 05:36 . 2012-01-26 06:23 -------- d-----w- c:\users\Fox\AppData\Local\COMODO
2012-01-26 05:36 . 2012-01-26 05:36 -------- d-----w- c:\programdata\CPA_VA
2012-01-26 04:27 . 2012-02-05 08:27 1474832 ----a-w- c:\windows\system32\drivers\sfi.dat
2012-01-26 04:26 . 2012-01-26 04:27 -------- d-----w- c:\programdata\Comodo
2012-01-26 04:26 . 2012-01-26 04:26 -------- d-----w- c:\program files\Comodo
2012-01-26 04:26 . 2012-01-26 04:26 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2012-01-23 13:35 . 2012-01-23 13:35 -------- d-----w- c:\users\Fox\AppData\Roaming\Malwarebytes
2012-01-23 13:34 . 2012-01-23 13:34 -------- d-----w- c:\programdata\Malwarebytes
2012-01-23 13:34 . 2012-01-23 13:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-23 13:34 . 2011-12-10 07:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-17 13:00 . 2012-01-17 13:00 491816 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2012-01-17 02:13 . 2012-01-17 02:13 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-01-17 02:02 . 2012-01-17 12:39 -------- d-sh--w- c:\users\Fox\AppData\Local\1d763032
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-19 10:59 . 2011-12-19 10:59 82400 ----a-w- c:\windows\system32\drivers\inspect.sys
2011-12-19 10:59 . 2011-12-19 10:59 39640 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2011-12-19 10:59 . 2011-12-19 10:59 19600 ----a-w- c:\windows\system32\drivers\cmderd.sys
2011-12-19 10:58 . 2011-12-19 10:58 33984 ----a-w- c:\windows\system32\cmdcsr.dll
2011-12-19 10:58 . 2011-12-19 10:58 301224 ----a-w- c:\windows\system32\guard32.dll
2011-12-13 15:23 . 2009-06-10 19:19 25728 ----a-w- c:\windows\system32\drivers\androidusb.sys
2011-12-13 15:23 . 2009-06-10 19:19 1419232 ----a-w- c:\windows\system32\wdfcoinstaller01005.dll
2011-11-24 04:23 . 2011-12-14 01:53 2340352 ----a-w- c:\windows\system32\win32k.sys
2011-11-19 14:06 . 2012-01-11 01:25 67072 ----a-w- c:\windows\system32\packager.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-08-03 98304]
"ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-03-04 311296]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2010-07-28 9398888]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"BrStsWnd"="c:\program files\Brownie\BrstsWnd.exe" [2009-08-19 3618104]
"Brdefprn"="c:\program files\Brother\BRHL2150\Brdefprn.exe" [2009-07-08 45056]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-26 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-10-09 421736]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]
"COMODO"="c:\program files\COMODO\COMODO GeekBuddy\CLPSLA.exe" [2011-11-23 208184]
"CPA"="c:\program files\COMODO\COMODO GeekBuddy\VALA.exe" [2011-11-23 182584]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-12-20 6676808]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=OQBBAFYARgBSAEUARQAtAFYATgBKADMAMgAtAEcAMwBMAEEAQQAtAEEANAA4ADkAUgAtADkAVQBKAEsARgAtAEUASwBLADMAWAA&inst=NwA3AC0AMwA4ADQANQA5ADkAMAAxADAALQBUAEIAOQArADIALQBGAEwAKwA5AC0AWABPADMANgArADEALQBGADkATQAxADAAQQArADEALQBYAE8AOQArADEALQBGADkATQAyACsAMQAtAEQARABUACsAMQAzADEAOAAzAC0ARABEADkAMABGACsAMQAtAFMAVAA5ADAARgBBAFAAUAArADEALQBGADkAMABNADEAMgBEAFQAKwAxAC0AVABCAE4AKwAxAC0AVQA5ADUAKwAxAC0ARgBVAEkAKwAyAA&prod=90&ver=9.0.894" [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\guard32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CLPSLS]
@="Service"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-02-15 136176]
R3 androidusb;ADB Interface Driver;c:\windows\system32\Drivers\androidusb.sys [2011-12-13 25728]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-02-15 136176]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\DRIVERS\wacmoumonitor.sys [2009-08-27 16168]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-08-14 1343400]
S1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\DRIVERS\cmderd.sys [2011-12-19 19600]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2012-01-17 491816]
S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2011-12-19 39640]
S2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [2008-09-16 169312]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-08-03 176128]
S2 CLPSLS;COMODO livePCsupport Service;c:\program files\COMODO\COMODO GeekBuddy\CLPSLS.exe [2011-11-23 1052472]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-12-24 652872]
S2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2009-11-24 4497704]
S2 WTouchService;WTouch Service;c:\program files\WTouch\WTouchService.exe [2009-11-24 113448]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2010-08-03 6096384]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-08-03 214016]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW73.sys [2010-07-15 101904]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-10 20464]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776]
S3 WacomVTHid;Virtual Touch Driver;c:\windows\system32\DRIVERS\WacomVTHid.sys [2009-07-09 13480]
.
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
dsncservice
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-15 11:04]
.
2012-02-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-15 11:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\users\Fox\AppData\Roaming\Mozilla\Firefox\Profiles\e077tt52.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-GB.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - prefs.js: network.proxy.type - 4
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: 20-20 3D Viewer: 2020Player@2020Technologies.com - %profile%\extensions\2020Player@2020Technologies.com
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\.avgtdix]
"ImagePath"="\?"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1056450633-1399538485-2762710705-1000\Software\SecuROM\License information*]
"datasecu"=hex:e4,9e,dd,25,5b,3a,07,77,ec,9b,b7,83,fd,d9,c1,2d,cf,d0,e2,95,66,
67,d8,37,32,cb,44,68,2f,9b,7b,bc,06,71,38,d6,86,3b,ed,1d,8d,66,c8,23,41,ed,\
"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(560)
c:\windows\system32\guard32.dll
.
- - - - - - - > 'Explorer.exe'(604)
c:\windows\system32\guard32.dll
.
Completion time: 2012-02-15 22:46:07
ComboFix-quarantined-files.txt 2012-02-15 14:46
ComboFix2.txt 2012-02-12 23:21
.
Pre-Run: 432,640,282,624 bytes free
Post-Run: 432,580,800,512 bytes free
.
- - End Of File - - 754982666F4F5E591528D6FFA57CC63B

OTL logfile created on: 15/02/2012 10:51:33 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\Fox\Desktop
Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000c09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

2.00 Gb Total Physical Memory | 1.37 Gb Available Physical Memory | 68.50% Memory free
4.00 Gb Paging File | 3.38 Gb Available in Paging File | 84.54% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 465.66 Gb Total Space | 402.96 Gb Free Space | 86.53% Space Free | Partition Type: NTFS
Drive D: | 0.63 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: FOX-PC | User Name: Fox | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias.dll (Microsoft Corporation)
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: dsncservice - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found

< End of report >
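The CFScript in the previous reply asked ComboFix for two things: a directory listing (DirLook::) of c:\windows\system32\%APPDATA% and c:\users\Fox\AppData\Local\1d763032, both of which the log shows created on 2012-01-17 with the d-sh (hidden, system) attributes, and removal of two Security Center registrations (SecCenter::) by GUID. Neither is something Windows or a legitimate product normally leaves behind: a folder literally named %APPDATA% inside System32, or an eight-hex-digit hidden folder under a profile's AppData\Local. As an added example written for this edit, not part of the thread and not ComboFix code, the PowerShell below hunts for both classes of artefact on a live system: hidden+system directories in those locations (skipping the hidden junctions Windows 7 itself keeps under AppData\Local) and Security Center entries whose registered product binary is gone. It assumes PowerShell 3 or later and an elevated prompt; the name patterns it flags are this example's heuristics, generalised from the two paths in the log, not a definitive indicator.

```powershell
# Added example written for this edit; it is not part of the thread and not ComboFix code.
# Hunts for the two artefact types the CFScript above targets: hidden+system directories
# where they do not belong (a literal "%APPDATA%" folder under System32, an 8-hex-digit
# folder under a user's AppData\Local) and Security Center registrations whose product
# binary no longer exists. Assumes PowerShell 3+ and an elevated prompt.

$hidden  = [int][IO.FileAttributes]::Hidden
$system  = [int][IO.FileAttributes]::System
$reparse = [int][IO.FileAttributes]::ReparsePoint

# Roots to sweep: System32 plus every profile's AppData\Local.
$roots = @("$env:SystemRoot\System32")
$roots += Get-ChildItem -LiteralPath "$env:SystemDrive\Users" -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object { Join-Path -Path $_.FullName -ChildPath 'AppData\Local' }

$dirs = foreach ($root in $roots) {
    Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer } |
        ForEach-Object {
            $d = $_
            $a = [int]$d.Attributes
            # Windows 7 keeps hidden+system *junctions* ("Application Data", "History", ...)
            # under AppData\Local; a real directory carrying both flags is the unusual case.
            $isHiddenSystem = (($a -band $hidden) -ne 0) -and (($a -band $system) -ne 0) -and (($a -band $reparse) -eq 0)
            # Heuristic names (this example's assumption): 8 hex digits, or a literal "%" in the name.
            $oddName = ($d.Name -match '^[0-9a-f]{8}$') -or ($d.Name -like '*%*')
            if ($isHiddenSystem -or $oddName) {
                $fileCount = @(Get-ChildItem -LiteralPath $d.FullName -Force -Recurse -ErrorAction SilentlyContinue |
                    Where-Object { -not $_.PSIsContainer }).Count
                [pscustomobject]@{
                    Path       = $d.FullName
                    Attributes = $d.Attributes.ToString()
                    Created    = $d.CreationTime
                    Files      = $fileCount
                }
            }
        }
}
$dirs | Format-Table -AutoSize

# Security Center registrations live in WMI under root\SecurityCenter2. The SecCenter::
# directive above removed two GUIDs from here; a registration whose
# pathToSignedProductExe points at a file that no longer exists is the usual sign of a
# leftover or bogus product entry.
$reg = foreach ($class in 'AntiVirusProduct', 'FirewallProduct', 'AntiSpywareProduct') {
    Get-WmiObject -Namespace 'root\SecurityCenter2' -Class $class -ErrorAction SilentlyContinue | ForEach-Object {
        $exe = $_.pathToSignedProductExe
        $expanded = if ($exe) { [Environment]::ExpandEnvironmentVariables($exe) } else { $null }
        $present = if ($expanded) { Test-Path -LiteralPath $expanded } else { $false }
        [pscustomobject]@{
            Class      = $class
            Product    = $_.displayName
            Guid       = $_.instanceGuid
            State      = ('0x{0:X6}' -f $_.productState)
            Exe        = $exe
            ExePresent = $present
        }
    }
}
$reg | Format-Table -AutoSize
```

Read both tables as leads, not verdicts: some products register an exe path in a URI form that Test-Path cannot resolve, and a hidden directory is only interesting when its name, creation time and contents do not line up with any installed software. The directory table here would have listed both folders from the CFScript, with their 2012-01-17 creation dates, before anything was deleted.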

#10 jntkwx

  • Malware Response Team

Posted 15 February 2012 - 01:48 PM

How's your computer running now? Please be as descriptive as possible. :)
Regards,
Jason

#11 bilgerat

  • Topic Starter

Posted 19 February 2012 - 04:17 AM

How's your computer running now? Please be as descriptive as possible. :)

I have given it a couple of days and everything seems to be functioning fine. Thanks very much for your assistance. I have cleaned up trojans before but this one was a lot more difficult so your help was very much appreciated.

#12 jntkwx

  • Malware Response Team

Posted 19 February 2012 - 04:03 PM

bilgerat,

:step1: Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 7 and save it to your desktop.
  • Look for "Java Platform, Standard Edition".
  • Click the "Download JRE" button to the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • From the list, select your OS and Platform (32-bit or 64-bit).
  • If a download for an Offline Installation is available, it is recommended to choose that and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove Programs or Programs and Features in Vista/Windows 7 and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-7u2-windows-i586.exe (or jre-7u2-windows-x64.exe for 64-bit) to install the newest version.
  • If using Windows 7 or Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
  • The McAfee Security Scan Plus tool is installed by default unless you uncheck the McAfee installation box when updating Java.
Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications but it's not necessary.
To disable the JQS service if you don't want to use it:
  • Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
  • Click Ok and reboot your computer.

:step2: Like Java, outdated versions of Adobe Flash have vulnerabilities that malware can use to reinfect your computer. Please update to the latest, secure versions of each:

:step3: I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetsmartinstaller_enu.exe icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

Regards,
Jason
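The Java step above is a manual loop: open Programs and Features, remove every entry with Java Runtime Environment, JRE or J2SE in the name, repeat until none are left, then install the current release. On a machine that has been running for a couple of years, Java updaters typically leave several side-by-side runtimes behind, and each one is a separately reachable attack surface for the drive-by exploits the post warns about. As an added example written for this edit, not part of the thread, the PowerShell below does the same enumeration from the Uninstall registry keys (both the native and the Wow6432Node view, so 32-bit runtimes on a 64-bit Windows are not missed), marks which installs are older than the newest one present, and with -Remove runs the MSI uninstaller for each. It assumes an elevated PowerShell 3 or later prompt; the publisher and name filters are this example's own, so review the listed entries before passing -Remove.

```powershell
# Added example written for this edit; not part of the thread. Replaces the manual
# "remove each Java version" loop in the post above: list every Oracle/Sun Java runtime
# from both Uninstall registry views, mark the ones older than the newest installed, and
# with -Remove run the MSI uninstaller for each. Assumes an elevated PowerShell 3+ prompt.
param([switch]$Remove)

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'   # 32-bit view on x64
)

# Name/publisher filters are this example's assumption; widen them if a runtime is missed.
$java = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match '^(Java|J2SE)' -and $_.Publisher -match 'Oracle|Sun Microsystems' } |
    ForEach-Object {
        $v = $null
        [void][Version]::TryParse($_.DisplayVersion, [ref]$v)   # e.g. "6.0.290" or "7.0.20"
        [pscustomobject]@{
            DisplayName     = $_.DisplayName
            Version         = $v
            ProductCode     = $_.PSChildName      # {GUID} for MSI-based installs
            UninstallString = $_.UninstallString
        }
    } | Sort-Object -Property Version -Descending

if (-not $java) {
    Write-Output 'No Java runtime registered in the Uninstall keys.'
    return
}

$newest = $java[0].Version
$java | Select-Object -Property DisplayName, Version, ProductCode,
    @{ Name = 'OlderThanNewest'; Expression = { $_.Version -lt $newest } } |
    Format-Table -AutoSize

if ($Remove) {
    foreach ($j in $java) {
        if ($j.ProductCode -match '^\{[0-9A-Fa-f-]{36}\}$') {
            Write-Output "Uninstalling $($j.DisplayName) ($($j.ProductCode))"
            Start-Process -FilePath 'msiexec.exe' -ArgumentList "/x $($j.ProductCode) /qn /norestart" -Wait
        } else {
            # Non-MSI entries (rare for Java) need their own uninstaller; do not guess its switches.
            Write-Warning "Not an MSI product code; run manually: $($j.UninstallString)"
        }
    }
}
```

Run it once without -Remove to see what is registered, reboot after the removals as the post says, then install the current runtime. Every entry the first run lists, including the newest, is what the attacker's exploit kit enumerates as well; the point of the loop is that none of them survive except the one you deliberately install afterwards.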

#13 jntkwx

  • Malware Response Team

Posted 22 February 2012 - 07:14 PM

bilgerat,

It has been several days since my last post. Do you still need help?
Regards,
Jason

#14 Elise

  • Malware Study Hall Admin

Posted 25 February 2012 - 01:31 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

regards, Elise