From No Internet after Sirefef Removal


  • This topic is locked
1 reply to this topic

#1 propflux01

Posted 09 March 2012 - 03:26 PM

Per boopme:
Hello, having run ComboFix, we need to see that and a DDS log.

Please go here....
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
Skip the GMER step and instead post the ComboFix log you have.

Let me know if that went well.

DDS LOG:
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
Run by UCA at 13:49:43 on 2012-03-09
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2003.1496 [GMT -6:00]
.
AV: AVG Internet Security 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: AVG Firewall *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
c:\windows\nldrv\003\stacsv.exe
svchost.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\WINDOWS\system32\wuauclt.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [EKIJ5000StatusMonitor] c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1248974521286
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {8CFCF42C-1C64-47D6-AEEC-F9D001832ED3} - hxxp://xserv.dell.com/DellDriverScanner/DellSystem.CAB
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} - hxxp://hyvee.lifepics.com/net/Uploader/LPUploader57.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} - hxxp://www.disneyphotopass.com/software/ImageUploader4.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{7CA9ED1E-2682-4ABA-ABAA-516961044E8B} : DhcpNameServer = 192.168.1.1
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\uca\application data\mozilla\firefox\profiles\8198hsba.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\documents and settings\uca\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\uca\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\uca\application data\move networks\plugins\npqmp071505000011.dll
FF - plugin: c:\documents and settings\uca\local settings\application data\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\uca\application data\Move Networks
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-3-6 165648]
R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [2012-3-7 21992]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2009-7-30 112512]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2009-7-30 109568]
S2 MotoConnect Service;MotoConnect Service;c:\program files\motorola\motoconnectservice\MotoConnectService.exe [2010-9-13 91456]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2010-9-13 19968]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2010-9-13 8320]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2010-9-13 42752]
S3 motusbdevice;Motorola USB Dev Driver;c:\windows\system32\drivers\motusbdevice.sys [2010-9-13 9472]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [2011-2-7 18432]
.
=============== Created Last 30 ================
.
2012-03-09 16:20:54 53248 ----a-w- c:\windows\system32\CSVer.dll
2012-03-09 16:20:03 -------- d-----w- C:\Intel
2012-03-09 16:15:16 -------- d-----w- c:\documents and settings\uca\local settings\application data\Deployment
2012-03-09 16:14:42 0 ----a-w- c:\windows\invcol.tmp
2012-03-09 16:10:02 6552120 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{204e7b4f-7395-4446-8e87-c81e6b80a9d1}\mpengine.dll
2012-03-09 15:35:39 -------- d-----w- C:\ERDNT
2012-03-09 15:14:04 388096 ----a-r- c:\documents and settings\uca\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2012-03-09 15:14:03 -------- d-----w- c:\program files\Trend Micro
2012-03-09 14:50:32 -------- d-----w- c:\program files\Perfect Uninstaller
2012-03-08 03:02:03 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2012-03-08 02:52:17 15890 ----a-w- c:\windows\system32\drivers\mdc8021x.sys
2012-03-08 02:51:08 49904 ----a-r- c:\windows\system32\drivers\BVRPMPR5.SYS
2012-03-08 02:31:30 835584 ----a-w- c:\windows\system32\BCMLogon.dll
2012-03-08 01:44:07 -------- d-----w- c:\documents and settings\uca\application data\BACS.exe
2012-03-08 01:30:28 -------- d-----w- c:\windows\Downloaded Installations
2012-03-07 23:54:37 21992 ----a-w- c:\windows\system32\drivers\cpuz135_x32.sys
2012-03-07 23:54:37 -------- d-----w- c:\program files\CPUID
2012-03-07 04:41:29 -------- dc----w- c:\windows\ie8
2012-03-07 03:32:38 75264 -c--a-w- c:\windows\system32\dllcache\ipsec.sys
2012-03-07 03:32:38 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2012-03-07 03:32:38 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-03-07 03:32:38 138496 -c--a-w- c:\windows\system32\dllcache\afd.sys
2012-03-07 03:32:38 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2012-03-07 03:28:06 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2012-03-07 03:18:21 165648 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2012-03-07 03:16:32 98816 ----a-w- c:\windows\sed.exe
2012-03-07 03:16:32 518144 ----a-w- c:\windows\SWREG.exe
2012-03-07 03:16:32 256000 ----a-w- c:\windows\PEV.exe
2012-03-07 03:16:32 208896 ----a-w- c:\windows\MBR.exe
2012-03-07 03:13:25 64512 -c--a-w- c:\windows\system32\dllcache\serial.sys
2012-03-07 03:13:25 64512 ----a-w- c:\windows\system32\drivers\serial.sys
2012-03-07 03:13:17 52480 -c--a-w- c:\windows\system32\dllcache\i8042prt.sys
2012-03-07 03:13:17 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2012-02-28 03:59:26 -------- d-----w- c:\program files\Broadcom
2012-02-28 03:41:31 62976 -c--a-w- c:\windows\system32\dllcache\cdrom.sys
2012-02-28 03:41:31 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2012-02-28 03:41:31 57600 -c--a-w- c:\windows\system32\dllcache\redbook.sys
.
==================== Find3M ====================
.
2012-02-27 02:50:56 0 --s-a-w- c:\windows\system32\dds_trash_log.cmd
2012-01-31 12:44:05 237072 ------w- c:\windows\system32\MpSigStub.exe
2011-12-15 16:05:13 41680 ----a-w- c:\windows\system32\drivers\snlrzfcj.sys
2011-12-10 21:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
.
============= FINISH: 13:50:34.87 ===============


COMBOFIX LOG:
ComboFix 12-03-09.05 - UCA 03/09/2012 14:16:22.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2003.1480 [GMT -6:00]
Running from: c:\documents and settings\UCA\Desktop\ComboFix.exe
AV: AVG Internet Security 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\UCA\Start Menu\Internet Explorer.lnk
c:\windows\system32\dds_trash_log.cmd
.
.
((((((((((((((((((((((((( Files Created from 2012-02-09 to 2012-03-09 )))))))))))))))))))))))))))))))
.
.
2012-03-09 20:14 . 2012-03-09 20:14 29904 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{204E7B4F-7395-4446-8E87-C81E6B80A9D1}\MpKslcfc4b75a.sys
2012-03-09 20:13 . 2012-03-09 20:13 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{204E7B4F-7395-4446-8E87-C81E6B80A9D1}\offreg.dll
2012-03-09 19:59 . 2012-03-09 19:59 -------- d-----w- c:\documents and settings\UCA\Local Settings\Application Data\Zoom_Downloader
2012-03-09 16:20 . 2012-03-09 16:20 -------- d-----w- c:\program files\Intel
2012-03-09 16:20 . 2011-04-16 13:00 53248 ----a-w- c:\windows\system32\CSVer.dll
2012-03-09 16:20 . 2012-03-09 16:20 -------- d-----w- C:\Intel
2012-03-09 16:15 . 2012-03-09 16:15 -------- d-----w- c:\documents and settings\UCA\Local Settings\Application Data\Deployment
2012-03-09 16:14 . 2012-03-09 16:14 0 ----a-w- c:\windows\invcol.tmp
2012-03-09 16:10 . 2012-02-08 06:03 6552120 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{204E7B4F-7395-4446-8E87-C81E6B80A9D1}\mpengine.dll
2012-03-09 15:35 . 2012-03-09 15:35 -------- d-----w- C:\ERDNT
2012-03-09 15:14 . 2012-03-09 15:14 388096 ----a-r- c:\documents and settings\UCA\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-03-09 15:14 . 2012-03-09 15:14 -------- d-----w- c:\program files\Trend Micro
2012-03-08 03:02 . 2011-07-15 13:29 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2012-03-08 02:52 . 2009-03-21 13:18 15890 ----a-w- c:\windows\system32\drivers\mdc8021x.sys
2012-03-08 02:51 . 2009-07-08 21:55 49904 ----a-r- c:\windows\system32\drivers\BVRPMPR5.SYS
2012-03-08 02:31 . 2010-02-03 03:47 457 ----a-w- c:\windows\system32\vcredist_x86.bat
2012-03-08 01:44 . 2012-03-08 01:44 -------- d-----w- c:\documents and settings\UCA\Application Data\BACS.exe
2012-03-08 01:30 . 2012-03-08 01:30 -------- d-----w- c:\windows\Downloaded Installations
2012-03-07 23:54 . 2012-03-07 23:54 -------- d-----w- c:\program files\CPUID
2012-03-07 23:54 . 2010-11-09 21:35 21992 ----a-w- c:\windows\system32\drivers\cpuz135_x32.sys
2012-03-07 04:41 . 2012-03-07 04:41 -------- dc----w- c:\windows\ie8
2012-03-07 03:32 . 2011-08-17 13:49 138496 -c--a-w- c:\windows\system32\dllcache\afd.sys
2012-03-07 03:32 . 2011-08-17 13:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2012-03-07 03:32 . 2008-04-13 19:21 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-03-07 03:32 . 2008-04-13 19:19 75264 -c--a-w- c:\windows\system32\dllcache\ipsec.sys
2012-03-07 03:32 . 2008-04-13 19:19 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2012-03-07 03:28 . 2008-04-13 18:40 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2012-03-07 03:18 . 2011-04-18 18:18 165648 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2012-03-07 03:13 . 2008-04-14 06:45 64512 -c--a-w- c:\windows\system32\dllcache\serial.sys
2012-03-07 03:13 . 2008-04-13 19:15 64512 ----a-w- c:\windows\system32\drivers\serial.sys
2012-03-07 03:13 . 2008-04-13 19:18 52480 -c--a-w- c:\windows\system32\dllcache\i8042prt.sys
2012-03-07 03:13 . 2008-04-13 19:18 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2012-02-28 03:59 . 2012-03-08 01:30 -------- d-----w- c:\program files\Broadcom
2012-02-28 03:41 . 2008-04-14 06:10 57600 -c--a-w- c:\windows\system32\dllcache\redbook.sys
2012-02-28 03:41 . 2008-04-13 18:40 62976 -c--a-w- c:\windows\system32\dllcache\cdrom.sys
2012-02-28 03:41 . 2008-04-13 18:40 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-31 12:44 . 2011-04-18 22:20 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-01-06 04:19 . 2011-04-19 22:52 6557240 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-12-15 16:05 . 2011-12-15 16:05 41680 ----a-w- c:\windows\system32\drivers\snlrzfcj.sys
2011-12-10 21:24 . 2011-04-18 19:20 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2009-07-30 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-07-30 134656]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-07-30 166912]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-07-30 134656]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2011-01-04 488816]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2009-07-31 1626112]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-12-14 47904]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2010-02-03 2670592]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AESTFltr]
2009-07-30 16:27 729088 ----a-w- c:\windows\system32\aestfltr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-03-07 20:33 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-10-29 19:49 249064 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\V CAST Music with Rhapsody\\rhapsody.exe"=
"c:\\Program Files\\Barnes & Noble\\NOOKstudy\\NOOKstudy.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8192:TCP"= 8192:TCP:Sophos RMS 8192
"8193:TCP"= 8193:TCP:Sophos RMS 8193
"8194:TCP"= 8194:TCP:Sophos RMS 8194
.
R1 MpKslcfc4b75a;MpKslcfc4b75a;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{204E7B4F-7395-4446-8E87-C81E6B80A9D1}\MpKslcfc4b75a.sys [3/9/2012 2:14 PM 29904]
R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [3/7/2012 5:54 PM 21992]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [7/30/2009 10:27 AM 112512]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [7/30/2009 10:28 AM 109568]
S2 MotoConnect Service;MotoConnect Service;c:\program files\Motorola\MotoConnectService\MotoConnectService.exe [9/13/2010 2:53 PM 91456]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [9/13/2010 2:51 PM 19968]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [9/13/2010 2:51 PM 8320]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [9/13/2010 2:51 PM 42752]
S3 motusbdevice;Motorola USB Dev Driver;c:\windows\system32\drivers\motusbdevice.sys [9/13/2010 2:51 PM 9472]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [2/7/2011 5:02 PM 18432]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSLCFC4B75A
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
CTAUDFX.DLL
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 17:50]
.
2012-03-09 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 20:39]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\UCA\Application Data\Mozilla\Firefox\Profiles\8198hsba.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\UCA\Application Data\Move Networks
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-09 14:19
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2012-03-09 14:20:58
ComboFix-quarantined-files.txt 2012-03-09 20:20
.
Pre-Run: 122,618,281,984 bytes free
Post-Run: 122,614,194,176 bytes free
.
- - End Of File - - 68B0638FFDDAB7C1B4F174069289B7FA

IX LOG:

C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\13\16431a4d-65f709ff Java/Exploit.CVE-2011-3544.F trojan deleted - quarantined
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\17\6e684651-1a0320f2 multiple threats deleted - quarantined
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\17\6e684651-2675758d multiple threats deleted - quarantined
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\18\60ff692-3bd492e6 a variant of Java/TrojanDownloader.Agent.NDJ trojan deleted - quarantined
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\20\4ef244d4-189fc09a multiple threats deleted - quarantined
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\22\504e4dd6-5eefd6cb a variant of Java/TrojanDownloader.Agent.NDJ trojan deleted - quarantined
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\38\4d809ea6-4da54456 multiple threats deleted - quarantined
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\55\1290de77-6fc06fa1 Java/Exploit.CVE-2011-3544.F trojan deleted - quarantined
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\56\408dfaf8-68d0e1ee a variant of Java/TrojanDownloader.Agent.NDJ trojan deleted - quarantined
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\56\408dfaf8-7fd96a62 a variant of Java/TrojanDownloader.Agent.NDJ trojan deleted - quarantined
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\62\56f963be-523a774a multiple threats deleted - quarantined
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\7\124509c7-7924312b a variant of Java/TrojanDownloader.Agent.NDJ trojan deleted - quarantined
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\8\461f1108-5825bd13 Java/Exploit.CVE-2011-3544.AG trojan deleted - quarantined
C:\MGtools\Process.exe Win32/PrcView application cleaned by deleting - quarantined

Edited by boopme, 10 March 2012 - 10:47 AM.
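Added example, not part of this thread and not code from DDS, ComboFix or the scanner that produced the last log above: a small Python triage script that reads lines in the shapes shown in this post and pulls out what a helper looks at first. It reports the AV/FW header lines, the Security Center override and firewall policy values from the ComboFix registry dump, the globally open ports, and each detection line with its CVE (if the name carries one), the profile that owns the file, and whether it sits in the Java deployment cache. The sample input is a constructed subset of lines copied from the logs in this post; the regular expressions assume exactly those line shapes and are not a general parser for these tools.

```python
# Added triage example (not from the thread, DDS, ComboFix or the scanner log above);
# the patterns assume exactly the line shapes visible in those logs.
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: lines copied from the three logs posted above.
SAMPLE_LOG = r"""
AV: AVG Internet Security 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"EnableFirewall"= 0 (0x0)
"8192:TCP"= 8192:TCP:Sophos RMS 8192
"8193:TCP"= 8193:TCP:Sophos RMS 8193
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\13\16431a4d-65f709ff Java/Exploit.CVE-2011-3544.F trojan deleted - quarantined
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\17\6e684651-1a0320f2 multiple threats deleted - quarantined
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\18\60ff692-3bd492e6 a variant of Java/TrojanDownloader.Agent.NDJ trojan deleted - quarantined
C:\MGtools\Process.exe Win32/PrcView application cleaned by deleting - quarantined
"""

PRODUCT_RE = re.compile(r"^(?P<kind>AV|FW): (?P<name>.+?) \*(?P<state>Enabled|Disabled)(?:/\w+)?\*")
OVERRIDE_RE = re.compile(r'^"(?P<key>AntiVirusOverride|FirewallOverride)"=dword:(?P<val>[0-9a-fA-F]{8})')
ENABLE_FW_RE = re.compile(r'^"EnableFirewall"=\s*(?P<val>\d+)')
OPEN_PORT_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=')
DETECTION_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) "  # path, detection name, action taken
                          r"(?P<name>(?:a variant of )?(?:multiple threats|[A-Za-z0-9_]+/\S+(?: \w+)?)) "
                          r"(?P<action>.+)$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
PROFILE_RE = re.compile(r"\\Documents and Settings\\(?P<user>[^\\]+)\\", re.IGNORECASE)
JAVA_CACHE = "\\sun\\java\\deployment\\cache\\"  # applet / Web Start cache, a drive-by landing spot


@dataclass
class Detection:
    path: str
    name: str
    action: str
    cve: Optional[str]
    profile: Optional[str]  # profile that owns the file, e.g. NetworkService
    in_java_cache: bool


def parse_products(lines):
    """AV:/FW: header lines from DDS and ComboFix -> product name and on/off state."""
    return [{"kind": m["kind"], "name": m["name"], "enabled": m["state"] == "Enabled"}
            for ln in lines if (m := PRODUCT_RE.match(ln))]


def parse_policy(lines):
    """Security Center overrides and XP firewall policy from the registry dump."""
    pol = {"AntiVirusOverride": False, "FirewallOverride": False, "EnableFirewall": None, "open_ports": []}
    for ln in lines:
        if m := OVERRIDE_RE.match(ln):
            pol[m["key"]] = int(m["val"], 16) != 0  # 1 = Security Center alerting suppressed
        elif m := ENABLE_FW_RE.match(ln):
            pol["EnableFirewall"] = m["val"] != "0"
        elif m := OPEN_PORT_RE.match(ln):
            pol["open_ports"].append((int(m["port"]), m["proto"]))
    return pol


def parse_detections(lines):
    """'path detection action' lines from the scanner log."""
    out = []
    for ln in lines:
        if m := DETECTION_RE.match(ln):
            cve, prof = CVE_RE.search(m["name"]), PROFILE_RE.search(m["path"])
            out.append(Detection(m["path"], m["name"], m["action"],
                                 cve.group(0) if cve else None,
                                 prof["user"] if prof else None,
                                 JAVA_CACHE in m["path"].lower()))
    return out


def triage(text):
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    products, policy, dets = parse_products(lines), parse_policy(lines), parse_detections(lines)
    findings = [f"{p['kind']} {p['name']} is disabled" for p in products if not p["enabled"]]
    if sum(p["kind"] == "AV" and p["enabled"] for p in products) > 1:
        findings.append("more than one AV product registered as enabled")
    findings += [f"Security Center {k}=1: alerting for this component is suppressed"
                 for k in ("AntiVirusOverride", "FirewallOverride") if policy[k]]
    if policy["EnableFirewall"] is False:
        findings.append("Windows Firewall (standard profile) is off")
    findings += [f"globally open port {port}/{proto} in firewall policy" for port, proto in policy["open_ports"]]
    cves = sorted({d.cve for d in dets if d.cve})
    java_hits = [d for d in dets if d.in_java_cache]
    if java_hits:
        profiles = sorted({d.profile for d in java_hits if d.profile})
        findings.append(f"{len(java_hits)} detections in the Java deployment cache of "
                        f"{', '.join(profiles)}; CVEs named: {', '.join(cves) or 'none'}")
    return {"products": products, "policy": policy, "detections": dets, "cves": cves, "findings": findings}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG)["findings"]:
        print("-", f)
```

Run as a file to print the findings list; `triage()` returns the structured result so the same parse can feed further checks (for example, comparing the profile that owns the Java cache hits against the account the exploited process ran under).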


#2 Noviciate

  • Malware Response Team

Posted 10 March 2012 - 03:48 PM

Good evening. :)

Can you post exactly what issues you are now having with the PC? Please give any file names that your security programs may be flagging as infected, if you have them, as well as the generic infection names.

So long, and thanks for all the fish.
