Unhappili Hosed


  • This topic is locked
105 replies to this topic

#1 mopardude426

  • Members
  • 120 posts

Posted 15 April 2012 - 07:59 PM

Greetings, and many thanks first and foremost to those that take up the task to help us less fortunate souls.
I have been dealing with a redirect virus that appears to have started sometime between last Sunday and Wednesday. I have Avast ALWAYS running, as well as MBAM and Windows Firewall. I am running Windows XP Home SP3.
Google is constantly redirecting when searched in. When the virus scan initially ran, it found some things and removed them. Then internet access was lost. With the assist of a gentleman on the forum named Broni, we got that back. I am still getting redirects, and messages that MALICIOUS URLs were blocked even when NOT on the internet and IE is not open.
Additionally, I am running a small e-store, and am concerned with not being able to contact my clients due to scare of possible infection or theft of personal information.
Here is the link to my original "AM I INFECTED" forum posts: http://www.bleepingcomputer.com/forums/topic449559.html

I have run the info scans already directed to me by Broni, but he now suggests STRONGER help is required. I've run DDS.
Here is the required scan info:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_29
Run by susan at 17:38:31 on 2012-04-14
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1588 [GMT -4:00]
.
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nlssrv32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Acronis\DiskDirector\OSS\reinstall_svc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Acronis\OnlineBackupStandalone\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\SupportSoft\bin\bcont.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uURLSearchHooks: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - c:\program files\bittorrentbar\prxtbBit2.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - c:\program files\bittorrentbar\prxtbBit2.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\alwil software\avast5\aswWebRepIE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - c:\program files\bittorrentbar\prxtbBit2.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\alwil software\avast5\aswWebRepIE.dll
TB: {00000000-0000-0000-0000-000000000000} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Desktop Software] "c:\program files\common files\supportsoft\bin\bcont.exe" /ini "c:\program files\comcastui\desktop software\uinstaller.ini" /fromrun /starthidden
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [WinSys2] c:\windows\system32\winsys2.exe
mRun: [SAOB Monitor] c:\program files\acronis\onlinebackupstandalone\TrueImageMonitor.exe
mRun: [TrueImageMonitor.exe] "c:\program files\acronis\trueimagehome\TrueImageMonitor.exe"
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
dRun: [dplaysvr] %APPDATA%\dplaysvr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
mPolicies-system: EnableLinkedConnections = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: mswsock.dll
Trusted Zone: intuit.com\ttlc
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: Interfaces\{98E4BE64-06FB-4117-9916-CB4A61F3B61E} : NameServer = 75.75.75.75,75.75.76.76
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 94.63.147.16 www.google.com
Hosts: 94.63.147.17 www.bing.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\susan\application data\mozilla\firefox\profiles\6abtbijb.default\
FF - prefs.js: browser.search.selectedEngine - Xfinity
FF - prefs.js: browser.startup.homepage - hxxp://www.xfinity.com/?cid=insDate01302012
FF - component: c:\documents and settings\susan\application data\mozilla\firefox\profiles\6abtbijb.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\components\RadioWMPCoreGecko19.dll
FF - component: c:\documents and settings\susan\application data\mozilla\firefox\profiles\6abtbijb.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\canon\mycamera download plugin\NPCIG.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_228.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}
FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
FF - Ext: BitTorrentBar Community Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - %profile%\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\alwil software\avast5\webrep\FF
.
============= SERVICES / DRIVERS ===============
.
R0 tdrpman273;Acronis Try&Decide and Restore Points filter (build 273);c:\windows\system32\drivers\tdrpm273.sys [2010-11-7 752128]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2012-4-8 612184]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2012-4-8 337880]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 afcdpsrv;Acronis Nonstop Backup service;c:\program files\common files\acronis\cdp\afcdpsrv.exe [2010-11-7 3975088]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2012-4-8 20696]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2012-4-8 44768]
R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\common files\intuit\update service v4\IntuitUpdateService.exe [2011-8-25 13672]
R2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\system32\nlssrv32.exe [2011-12-18 66560]
R2 OS Selector;Acronis OS Selector activator;c:\program files\acronis\diskdirector\oss\reinstall_svc.exe [2010-5-25 2139400]
R2 wwEngineSvc;Window Washer Engine;c:\program files\webroot\washer\WasherSvc.exe [2011-11-30 598856]
R3 afcdp;afcdp;c:\windows\system32\drivers\afcdp.sys [2010-11-7 163232]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-1 253600]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-04-13 01:44:30 -------- d-----w- c:\documents and settings\susan\local settings\application data\ApplicationHistory
2012-04-10 00:58:56 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-04-09 02:36:10 -------- d-----w- c:\documents and settings\susan\application data\Malwarebytes
2012-04-09 02:36:02 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-04-09 02:36:01 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-09 01:02:32 -------- d-----w- c:\documents and settings\susan\application data\SUPERAntiSpyware.com
2012-04-09 01:01:11 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-04-09 01:01:11 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2012-04-09 00:47:28 612184 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-04-09 00:47:09 41184 ----a-w- c:\windows\avastSS.scr
2012-04-01 16:06:02 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-03-15 23:43:13 274288 ----a-w- c:\windows\system32\mucltui.dll
2012-03-15 23:43:13 215920 ----a-w- c:\windows\system32\muweb.dll
2012-03-15 23:43:13 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
.
==================== Find3M ====================
.
2012-04-01 16:22:05 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-03 09:22:18 1860096 ----a-w- c:\windows\system32\win32k.sys
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD2500JB-00REA0 rev.20.00K20 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A3E449F]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a3eb740]; MOV EAX, [0x8a3eb8b4]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x8A676AB8]
3 CLASSPNP[0xF7647FD7] -> nt!IofCallDriver[0x804E13B9] -> \Device\00000060[0x8A66DF18]
5 ACPI[0xF75AE620] -> nt!IofCallDriver[0x804E13B9] -> [0x8A679940]
\Driver\atapi[0x8A474F38] -> IRP_MJ_CREATE -> 0x8A3E449F
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A3E42C6
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 17:39:55.81 ===============


Additionally, I ran the GMER. The attachment text is ATTACHED

During the GMER scan, a BSOD and reboot occurred. I tried a SECOND time, with the same results.

Where do I go from here? I appreciate any and all assistance received. I just want to save my computer, and my business.

LG



#2 mopardude426

  • Topic Starter

  • Members
  • 120 posts

Posted 15 April 2012 - 08:23 PM

Tonight I also ran Microsoft Safety Scan. It found ONE possible. Comes up as: SettingsModifier:Win32/PossibleHostsFileHijack C:\WINDOWS\system32\drivers\etc\hosts.

Don't know if this is relevant, but it may be. Also Avast picked up a couple of .exe temp files in the autosandbox.
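A hosts-file hijack of this kind can be confirmed offline from a copy of C:\WINDOWS\system32\drivers\etc\hosts or from the Hosts: lines of the DDS report in the first post. The Python below is an added example written for this page, not a tool from the thread or from BleepingComputer; the sample hosts text and DDS excerpt are constructed, with the www.google.com and www.bing.com entries copied from the log above.

```python
import ipaddress

# Constructed sample hosts file for this example. The www.google.com and
# www.bing.com lines reproduce the two "Hosts:" entries from the DDS log in
# this thread; the rest is typical benign content.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
127.0.0.1       ad.doubleclick.net    # ad-blocking entry, harmless
94.63.147.16 www.google.com
94.63.147.17 www.bing.com
0.0.0.0         tracker.example       # constructed, blocked host
"""

# Constructed excerpt in DDS report style; the Hosts: lines match the log above.
SAMPLE_DDS = """\
uStart Page = hxxp://www.google.com/
Hosts: 94.63.147.16 www.google.com
Hosts: 94.63.147.17 www.bing.com
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text.

    Comments ('#' to end of line) and blank lines are ignored; a line may map
    one address to several hostnames, and each becomes its own pair.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address; skip malformed line
        for host in fields[1:]:
            entries.append((str(addr), host.lower()))
    return entries


def parse_dds_hosts(text):
    """Extract the 'Hosts:' lines of a DDS report and parse them like a hosts file."""
    hosts_lines = [
        line[len("Hosts:"):] for line in text.splitlines() if line.startswith("Hosts:")
    ]
    return parse_hosts("\n".join(hosts_lines))


def is_sinkhole(addr_str):
    """True for 127.x / ::1 / 0.0.0.0 entries, which only block or localise a name."""
    addr = ipaddress.ip_address(addr_str)
    return addr.is_loopback or addr.is_unspecified


def find_hijacks(entries):
    """Entries that send a hostname to a routable address.

    On a home PC nothing legitimate should point www.google.com at a remote
    address, so every non-sinkhole mapping is reported. Private-range
    addresses (a LAN hostname someone added by hand) are kept but tagged
    'review' so the reader can discount them; public addresses are 'hijack'.
    """
    findings = []
    for addr_str, host in entries:
        if is_sinkhole(addr_str):
            continue
        addr = ipaddress.ip_address(addr_str)
        severity = "review" if addr.is_private else "hijack"
        findings.append((severity, addr_str, host))
    return findings


if __name__ == "__main__":
    for severity, addr, host in find_hijacks(parse_hosts(SAMPLE_HOSTS)):
        print(f"{severity:6s} {host} -> {addr}")
```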

#3 Oh My!


    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,992 posts
  • Gender:Male
  • Location:California

Posted 15 April 2012 - 10:08 PM

Greetings mopardude426 and :welcome: to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you!


===================================================


Ground Rules:

  • First, I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met. :)
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me about it.
  • When you post your reply, do not use the Posted Image button but use the Posted Image button instead.
  • In the upper right hand corner of the topic you will see the Posted Image button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started :thumbup2:

===================================================


Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Please allow me some time to review the information you have provided. I will post back as soon as possible.

Edited by Oh My, 15 April 2012 - 11:17 PM.

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#4 Oh My!


Posted 16 April 2012 - 07:28 AM

Greetings mopardude426,


Thank you for allowing me to review the information you posted. Yes, your computer is infected and I must first advise you of the following.


===================================================


BACKDOOR WARNING!

--------------------

One or more of the identified infections [ZeroAccess] is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


===================================================


ComboFix

--------------------

For a more detailed explanation on running Combofix and the prompts you will be following please see here.

Please download ComboFix from one of these locations and save it to your desktop:

Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

  • Note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista/Windows 7, ComboFix will skip the below Recovery Console pop ups and continue its malware removal procedure.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

Please Note: Often times it may appear as if ComboFix has stopped working. To verify it is still running please do one of the following below. If ComboFix has stopped running please stop and advise me.

  • Check your computer clock. If it is still running then so is ComboFix
  • Open Task Manager and select the Applications Tab. If the status of AutoScan is Running, then ComboFix is running
  • Open Task Manager and select the Processes Tab. Under Image Name look for files ending in .3xe. If there are fluctuating numbers under CPU and Mem Usage then ComboFix is running
When finished, it will produce a log. Please include the C:\Combofix.txt log in your next reply.


===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment. :thumbsup2:

  • ComboFix.txt
  • How is your computer running?

Gary
 

#5 mopardude426


Posted 16 April 2012 - 09:47 AM

Thank you, will start on this ASAP when I get in from work, this evening. I shall post the logs tomorrow am from work. Additionally, how do I save all my data, in the event a reformat is necessary? I do not have my program discs.

#6 Oh My!


Posted 16 April 2012 - 10:57 AM

Greetings mopardude426,

Thank you for your quick response. It is best to save your data after your computer has been cleaned, if at all possible. As Broni explained previously, you can back up your data but you can't back up programs. Those have to be reinstalled.

Let's see how these first steps go then we can reevaluate. I think ComboFix will help us out quite a bit.
Gary
 

#7 mopardude426


Posted 16 April 2012 - 11:24 AM

Thank you very much, appreciate it immensely

#8 mopardude426


Posted 16 April 2012 - 07:36 PM

Ok, started ComboFix. Couldn't connect to the internet to get the Microsoft Windows Recovery Console. ComboFix confirmed Rootkit.ZeroAccess infection.
Continuing with scan.

#9 mopardude426


Posted 16 April 2012 - 08:12 PM

Scan complete. Should I attempt internet connection with firewalls and AntiVirus programs running?

#10 mopardude426


Posted 16 April 2012 - 08:29 PM

The ComboFix log is attached.

I am still getting AntiVirus and Malware alerts in both Avast and MBAM. In Avast, they reference the process C:\WINDOWS\System32\svchost.exe.

http://locatefindsearch.com
forwardbiz.com
These were some of the sites caught trying to access OUT or IN.


#11 mopardude426


Posted 16 April 2012 - 08:35 PM

System is still throwing up Malicious URL warnings, even with the web browser closed and the internet connection off.

#12 mopardude426


Posted 16 April 2012 - 09:01 PM

Avast running, picked up "faabccbeacdct.exe.vir" located in C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data.
Says it's a Win32:Rootkit-gen [Rtk].

#13 mopardude426


Posted 16 April 2012 - 09:07 PM

And with MBAM running a full scan, Avast also picked up A0089707.exe, located in C:\System Volume Information\_restore{DD3F6EFC-FAC7-4E42-936F-C362B86BF288}\RP458.
Says another Rootkit

#14 Oh My!


Posted 16 April 2012 - 09:26 PM

Greetings mopardude426,

Please copy and paste the Combofix information in a reply rather than send it as an attachment (as was requested in the post). That makes it much easier for me to assist you in a timely fashion.

Please do not do anything unless instructed to do so. I realize how tempting it is to try to get ahead a bit but in doing so you might actually make things a lot worse, up to and including an unbootable computer. Please be patient and do not run any other programs, like Malwarebytes. We need to be very careful and deliberate in what steps we take and when we take them.

As soon as you post the ComboFix results I will review it.
Gary
 

#15 mopardude426


Posted 16 April 2012 - 10:09 PM

I do apologize, I thought I had pasted it to the correct area.
The scans ran automatically on startup.

Here is the Log:

ComboFix 12-04-16.02 - susan 04/16/2012 20:45:15.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1675 [GMT -4:00]
Running from: c:\documents and settings\susan\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
* Created a new restore point
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\faabccbeacdct.exe
c:\documents and settings\NetworkService\Application Data\Microsoft\Microsoft
c:\documents and settings\susan\Application Data\PriceGong
c:\documents and settings\susan\Application Data\PriceGong\Data\1.xml
c:\documents and settings\susan\Application Data\PriceGong\Data\a.xml
c:\documents and settings\susan\Application Data\PriceGong\Data\b.xml
c:\documents and settings\susan\Application Data\PriceGong\Data\c.xml
c:\documents and settings\susan\Application Data\PriceGong\Data\d.xml
c:\documents and settings\susan\Application Data\PriceGong\Data\e.xml
c:\documents and settings\susan\Application Data\PriceGong\Data\f.xml
c:\documents and settings\susan\Application Data\PriceGong\Data\g.xml
c:\documents and settings\susan\Application Data\PriceGong\Data\h.xml
c:\documents and settings\susan\Application Data\PriceGong\Data\i.xml
c:\documents and settings\susan\Application Data\PriceGong\Data\J.xml
c:\documents and settings\susan\Application Data\PriceGong\Data\k.xml
c:\documents and settings\susan\Application Data\PriceGong\Data\l.xml
c:\documents and settings\susan\Application Data\PriceGong\Data\m.xml
c:\documents and settings\susan\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\susan\Application Data\PriceGong\Data\n.xml
c:\documents and settings\susan\Application Data\PriceGong\Data\o.xml
c:\documents and settings\susan\Application Data\PriceGong\Data\p.xml
c:\documents and settings\susan\Application Data\PriceGong\Data\q.xml
c:\documents and settings\susan\Application Data\PriceGong\Data\r.xml
c:\documents and settings\susan\Application Data\PriceGong\Data\s.xml
c:\documents and settings\susan\Application Data\PriceGong\Data\t.xml
c:\documents and settings\susan\Application Data\PriceGong\Data\u.xml
c:\documents and settings\susan\Application Data\PriceGong\Data\v.xml
c:\documents and settings\susan\Application Data\PriceGong\Data\w.xml
c:\documents and settings\susan\Application Data\PriceGong\Data\x.xml
c:\documents and settings\susan\Application Data\PriceGong\Data\y.xml
c:\documents and settings\susan\Application Data\PriceGong\Data\z.xml
c:\windows\$NtUninstallKB27974$
c:\windows\$NtUninstallKB27974$\2969776243
c:\windows\$NtUninstallKB27974$\3850537156\@
c:\windows\$NtUninstallKB27974$\3850537156\cfg.ini
c:\windows\$NtUninstallKB27974$\3850537156\Desktop.ini
c:\windows\$NtUninstallKB27974$\3850537156\L\iyaesune
c:\windows\$NtUninstallKB27974$\3850537156\U\00000001.@
c:\windows\$NtUninstallKB27974$\3850537156\U\00000002.@
c:\windows\$NtUninstallKB27974$\3850537156\U\00000004.@
c:\windows\$NtUninstallKB27974$\3850537156\U\80000000.@
c:\windows\$NtUninstallKB27974$\3850537156\U\80000004.@
c:\windows\$NtUninstallKB27974$\3850537156\U\80000032.@
c:\windows\$NtUninstallKB27974$\3850537156\version
c:\windows\system32\dds_trash_log.cmd
.
.
((((((((((((((((((((((((( Files Created from 2012-03-17 to 2012-04-17 )))))))))))))))))))))))))))))))
.
.
2012-04-13 01:44 . 2012-04-13 01:44 -------- d-----w- c:\documents and settings\susan\Local Settings\Application Data\ApplicationHistory
2012-04-10 00:02 . 2012-04-10 00:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2012-04-09 02:39 . 2012-04-09 02:39 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2012-04-09 02:36 . 2012-04-09 02:36 -------- d-----w- c:\documents and settings\susan\Application Data\Malwarebytes
2012-04-09 02:36 . 2012-04-09 02:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-04-09 02:36 . 2012-04-04 19:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-09 01:02 . 2012-04-09 01:02 -------- d-----w- c:\documents and settings\susan\Application Data\SUPERAntiSpyware.com
2012-04-09 01:01 . 2012-04-09 01:02 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-04-09 01:01 . 2012-04-09 01:01 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2012-04-09 00:47 . 2012-03-06 23:03 612184 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-04-09 00:47 . 2012-03-06 23:15 41184 ----a-w- c:\windows\avastSS.scr
2012-04-09 00:20 . 2012-03-06 23:01 20696 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-04-09 00:20 . 2012-03-06 23:03 337880 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-04-09 00:20 . 2012-03-06 23:02 35672 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-04-09 00:20 . 2012-03-06 23:01 53848 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-04-09 00:20 . 2012-03-06 23:01 95704 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2012-04-09 00:20 . 2012-03-06 23:01 89048 ----a-w- c:\windows\system32\drivers\aswmon.sys
2012-04-09 00:20 . 2012-03-06 22:58 24920 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2012-04-09 00:19 . 2012-03-06 23:15 201352 ----a-w- c:\windows\system32\aswBoot.exe
2012-04-01 16:06 . 2012-04-16 00:22 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-16 00:22 . 2011-05-17 23:16 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-03 09:22 . 2004-08-04 12:00 1860096 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{88c7f2aa-f93f-432c-8f0e-b7d85967a527}"= "c:\program files\BitTorrentBar\prxtbBit2.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
2011-05-09 09:49 176936 ----a-w- c:\program files\BitTorrentBar\prxtbBit2.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{88c7f2aa-f93f-432c-8f0e-b7d85967a527}"= "c:\program files\BitTorrentBar\prxtbBit2.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{88C7F2AA-F93F-432C-8F0E-B7D85967A527}"= "c:\program files\BitTorrentBar\prxtbBit2.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-03-06 23:15 123536 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Desktop Software"="c:\program files\Common Files\SupportSoft\bin\bcont.exe" [2009-04-24 1025320]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-03-07 3905920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-08-03 577536]
"WinSys2"="c:\windows\system32\winsys2.exe" [2008-01-18 208896]
"SAOB Monitor"="c:\program files\Acronis\OnlineBackupStandalone\TrueImageMonitor.exe" [2010-09-02 2536440]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2010-09-08 5479424]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2010-09-08 390736]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-08 1753192]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLinkedConnections"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Nero\\Nero 9\\Nero ShowTime\\ShowTime.exe"=
"c:\\Program Files\\BitTorrent\\BitTorrent.exe"=
.
R0 tdrpman273;Acronis Try&Decide and Restore Points filter (build 273);c:\windows\system32\drivers\tdrpm273.sys [11/7/2010 7:37 PM 752128]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [4/8/2012 8:47 PM 612184]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/8/2012 8:20 PM 337880]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 12:27 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 7:38 PM 116608]
R2 afcdpsrv;Acronis Nonstop Backup service;c:\program files\Common Files\Acronis\CDP\afcdpsrv.exe [11/7/2010 7:37 PM 3975088]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/8/2012 8:20 PM 20696]
R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [8/25/2011 6:53 PM 13672]
R2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\system32\nlssrv32.exe [12/18/2011 12:49 PM 66560]
R2 OS Selector;Acronis OS Selector activator;c:\program files\Acronis\DiskDirector\OSS\reinstall_svc.exe [5/25/2010 7:53 PM 2139400]
R2 wwEngineSvc;Window Washer Engine;c:\program files\Webroot\Washer\WasherSvc.exe [11/30/2011 11:56 PM 598856]
R3 afcdp;afcdp;c:\windows\system32\drivers\afcdp.sys [11/7/2010 7:37 PM 163232]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/1/2012 12:06 PM 253088]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
SE26obex
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-17 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-01 00:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
Trusted Zone: intuit.com\ttlc
TCP: Interfaces\{98E4BE64-06FB-4117-9916-CB4A61F3B61E}: NameServer = 75.75.75.75,75.75.76.76
FF - ProfilePath - c:\documents and settings\susan\Application Data\Mozilla\Firefox\Profiles\6abtbijb.default\
FF - prefs.js: browser.search.selectedEngine - Xfinity
FF - prefs.js: browser.startup.homepage - hxxp://www.xfinity.com/?cid=insDate01302012
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}
FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
FF - Ext: BitTorrentBar Community Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - %profile%\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\Alwil Software\Avast5\WebRep\FF
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
HKCU-Run-faabccbeacdct - c:\documents and settings\All Users\Application Data\faabccbeacdct.exe
HKU-Default-Run-dplaysvr - c:\documents and settings\susan\Application Data\dplaysvr.exe
HKU-Default-Run-faabccbeacdct - c:\documents and settings\All Users\Application Data\faabccbeacdct.exe
AddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-16 20:59
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600
.
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A3282C6
user != kernel MBR !!!
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1229272821-527237240-839522115-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(864)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
- - - - - - - > 'lsass.exe'(924)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(2384)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\SOUNDMAN.EXE
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\wscntfy.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2012-04-16 21:04:29 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-17 01:04
.
Pre-Run: 211,615,215,616 bytes free
Post-Run: 211,669,757,952 bytes free
.
- - End Of File - - BBA2083245A2E16D03451D51FEC3AEAC

Please note that the Windows Recovery Console was unable to download/install.

