
Infected with Zlob Trojan.


This topic is locked
13 replies to this topic

#1 UltraSquare (Members, 9 posts)

Posted 21 August 2012 - 12:19 PM

I let a friend borrow my computer for a while and I believe it came back infected. I noticed that BitTorrent is on there and that there were torrented programs downloaded. I would like to remove these programs and have my computer checked for infections it may have.


I am suspicious of Zlob in particular because in OS (C:) there are extra Doll folders with random letters and numbers next to their name. Not sure if that's normal or not, but in the folder Doll2158D there is a file named Zlob01 that is 0 bytes in size.

All I can find on this file in Google is that it is most likely the Zlob trojan.

Our internet *everybody in the house is affected by this* has also started turning on and off randomly throughout the course of the day about 2 weeks back.

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.6000.16982 BrowserJavaVersion: 10.5.1
Run by Richard at 12:48:59 on 2012-08-21
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.3573.1810 [GMT -7:00]
.
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Windows\OEM02Mon.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Users\Richard\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\aestsrv.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Norton 360\Engine\5.2.2.3\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Norton 360\Engine\5.2.2.3\ccSvcHst.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\DllHost.exe
C:\Users\Richard\Desktop\0ddmwqdc.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\servicing\TrustedInstaller.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = https://isearch.avg.com/?cid={180AE7DA-E2B5-4716-92D0-4B1AB0B682EE}&mid=044cb4d0f52a47d09cacd168dd359f17-a317e041b5d650db48ace064b9f3a4ad4b94dd01&lang=en&ds=gm011&pr=sa&d=2012-07-27 21:16:46&v=12.1.0.21&sap=hp
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\5.2.2.3\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\5.2.2.3\ips\IPSBHO.DLL
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll
BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - Bing Bar BHO
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\5.2.2.3\coIEPlg.dll
TB: @c:\program files\msn toolbar\platform\6.3.2291.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} -
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Google Update] "c:\users\richard\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{77335FD1-AF84-42D4-AD62-3203AD84614B} : DhcpNameServer = 192.168.1.1
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0502020.003\symds.sys [2012-6-11 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0502020.003\symefa.sys [2012-6-11 744568]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\definitions\bashdefs\20120811.003\BHDrvx86.sys [2012-8-10 995488]
R1 HssDRV6;Hotspot Shield Routing Driver 6;c:\windows\system32\drivers\hssdrv6.sys [2012-6-1 35080]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\definitions\ipsdefs\20120818.001\IDSvix86.sys [2012-8-20 382624]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0502020.003\ironx86.sys [2012-6-11 136312]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\n360\0502020.003\symtdiv.sys [2012-6-11 331384]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-7-27 63960]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2011-12-8 73728]
R2 N360;Norton 360;c:\program files\norton 360\engine\5.2.2.3\ccsvchst.exe [2012-6-11 130008]
R2 WCMVCAM;WebcamMax, WDM Video Capture;c:\windows\system32\drivers\wcmvcam.sys [2011-6-22 1068216]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-8-9 106656]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2011-12-8 111104]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2012-3-2 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2012-3-2 136176]
S3 ManyCam;ManyCam Virtual Webcam;c:\windows\system32\drivers\mcvidrv.sys [2012-1-10 32000]
S3 mcaudrv_simple;ManyCam Virtual Microphone;c:\windows\system32\drivers\mcaudrv.sys [2012-2-22 22400]
.
=============== Created Last 30 ================
.
2012-08-21 19:47:39 7023536 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{8cbe21ea-7d12-4396-b825-1c5e90b24739}\mpengine.dll
2012-08-20 21:34:19 -------- d-----w- c:\users\richard\appdata\roaming\SuperAdBlocker.com
2012-08-20 21:34:07 -------- d-----w- c:\windows\system32\URTTemp
2012-08-20 21:34:07 -------- d-----w- c:\program files\SuperAdBlocker.com
2012-08-05 05:53:37 -------- d-----w- c:\users\richard\appdata\roaming\ExpressFiles
2012-08-03 01:18:57 -------- d-----w- c:\users\richard\appdata\roaming\Intel
2012-08-01 08:04:16 -------- d-----w- c:\program files\Caminova
2012-07-26 23:11:08 -------- d-----w- c:\users\richard\appdata\roaming\BitTorrent
2012-07-23 00:50:08 -------- d-----w- c:\program files\Jnes
.
==================== Find3M ====================
.
2012-07-01 21:36:24 418192654 ----a-w- c:\windows\DUMP2cf8.tmp
2012-07-01 02:46:15 2 --shatr- c:\windows\winstart.bat
2012-06-23 04:03:55 477240 ----a-w- c:\windows\system32\drivers\sptd.sys
2012-06-07 03:59:42 1070152 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2012-06-01 21:15:16 35080 ----a-w- c:\windows\system32\drivers\hssdrv6.sys
2012-05-31 19:25:14 237072 ------w- c:\windows\system32\MpSigStub.exe
.
============= FINISH: 12:56:47.57 ===============

Attached File: jk.txt (9.48KB)

Edited by UltraSquare, 21 August 2012 - 12:21 PM.
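A first-pass triage of the DDS log above, as an added example that is not part of the original post and not a feature of the DDS tool. It pulls every image path out of the "Running Processes" and Run-key lines and scores each on the two signals a responder checks by eye first: whether the image runs from a location the user can write to, and whether its file name looks machine-generated. The sample lines are copied from the posted log; the thresholds, the Google allow-list and the `Finding` type are this example's own assumptions.

```python
"""Triage helper for the process and autorun lines in a DDS log.

Added example, not part of the original post and not a DDS feature.
Signals scored per image path:
  1. runs from a user-writable location (Desktop, Downloads, AppData, ...)
     instead of Program Files or the Windows directory;
  2. file name looks machine-generated: letters and digits mixed with
     almost no vowels (e.g. 0ddmwqdc.exe).
Thresholds and allow-list below are assumptions for this example, not rules
from DDS, Norton or any Zlob write-up."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: a subset of the 'Running Processes' and 'Pseudo HJT'
# sections of the posted log, chosen to cover system, vendor and user paths.
DDS_SAMPLE = r"""
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\Norton 360\Engine\5.2.2.3\ccSvcHst.exe
C:\Windows\OEM02Mon.exe
C:\Users\Richard\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Users\Richard\Desktop\0ddmwqdc.exe
C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Google Update] "c:\users\richard\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
"""

# Locations an unprivileged user can write to (default Windows layout; assumption).
USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(desktop|downloads|documents|appdata\\)", re.I)
# Vendor known to run its updater from AppData\Local; allow-list for this example only.
ALLOW_APPDATA = re.compile(r"\\appdata\\local\\google\\", re.I)
# An image path: drive letter through the first '.exe', optionally quoted.
IMAGE_RE = re.compile(r'"?([a-z]:\\[^"\r\n]*?\.exe)', re.I)


@dataclass
class Finding:
    path: str
    reasons: List[str] = field(default_factory=list)


def looks_random(stem: str) -> bool:
    """Machine-generated-looking name: >= 7 alphanumerics, mixes letters and
    digits, fewer than 25% vowels. Tuned on this log (assumption); it is meant
    to pass vendor names such as OEM02Mon, svchost and ccSvcHst."""
    s = stem.lower()
    if len(s) < 7 or not re.fullmatch(r"[a-z0-9]+", s):
        return False
    if not (re.search(r"\d", s) and re.search(r"[a-z]", s)):
        return False
    return sum(c in "aeiou" for c in s) / len(s) < 0.25


def extract_images(log_text: str) -> List[str]:
    """Return each distinct image path (case-insensitive) from process or Run-key lines."""
    seen: Dict[str, str] = {}
    for line in log_text.splitlines():
        m = IMAGE_RE.search(line)
        if m:
            seen.setdefault(m.group(1).lower(), m.group(1))
    return list(seen.values())


def triage(log_text: str) -> List[Finding]:
    """Score every image; return only those with at least one signal, strongest first."""
    findings: List[Finding] = []
    for path in extract_images(log_text):
        reasons: List[str] = []
        if USER_WRITABLE.search(path) and not ALLOW_APPDATA.search(path):
            reasons.append("runs from a user-writable location")
        stem = path.rsplit("\\", 1)[-1][:-4]  # file name without '.exe'
        if looks_random(stem):
            reasons.append("machine-generated-looking file name")
        if reasons:
            findings.append(Finding(path, reasons))
    findings.sort(key=lambda f: -len(f.reasons))
    return findings


if __name__ == "__main__":
    for f in triage(DDS_SAMPLE):
        print(f"{len(f.reasons)} signal(s): {f.path}")
        for r in f.reasons:
            print("   -", r)
```

On the posted log the only path that trips both signals is C:\Users\Richard\Desktop\0ddmwqdc.exe, the same file the helper later singles out. A hit is a reason to look closer (hash the file, check its signature and creation time, see what started it), not a verdict: legitimate updaters also run from AppData, which is why the allow-list exists, and a name heuristic this simple will miss malware that borrows a plausible vendor name.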




#2 UltraSquare (Topic Starter, Members, 9 posts)

Posted 22 August 2012 - 11:40 AM

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-08-22 12:40:35
Windows 6.0.6000 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-2 WDC_WD1200BEVS-75UST0 rev.01.01A01
Running: 2o9lyirf.exe; Driver: C:\Users\Richard\AppData\Local\Temp\ufddqfow.sys


---- System - GMER 1.0.15 ----

SSDT 889F8248 ZwAlertResumeThread
SSDT 8A88D140 ZwAlertThread
SSDT 88A6E488 ZwAllocateVirtualMemory
SSDT 8A6CA7D8 ZwAlpcConnectPort
SSDT 8B567078 ZwAssignProcessToJobObject
SSDT 8A6F78F8 ZwCreateMutant
SSDT 88990100 ZwCreateSymbolicLinkObject
SSDT 88A07608 ZwCreateThread
SSDT 8B464278 ZwDebugActiveProcess
SSDT 88A81048 ZwDuplicateObject
SSDT 88A4BE00 ZwFreeVirtualMemory
SSDT 88A5E188 ZwImpersonateAnonymousToken
SSDT 88A35190 ZwImpersonateThread
SSDT 8A6CA708 ZwLoadDriver
SSDT 88992C98 ZwMapViewOfSection
SSDT 88A4A1F8 ZwOpenEvent
SSDT 8A6B24F8 ZwOpenProcess
SSDT 8A7732D8 ZwOpenProcessToken
SSDT 88AED008 ZwOpenSection
SSDT 88A8C588 ZwOpenThread
SSDT 88973038 ZwProtectVirtualMemory
SSDT 88B0C008 ZwResumeThread
SSDT 8A6FA1D8 ZwSetContextThread
SSDT 88A30228 ZwSetInformationProcess
SSDT 8A965C68 ZwSetSystemInformation
SSDT 8B382338 ZwSuspendProcess
SSDT 8A74E478 ZwSuspendThread
SSDT 8A5B4AF0 ZwTerminateProcess
SSDT 8A751920 ZwTerminateThread
SSDT 8A74B530 ZwUnmapViewOfSection
SSDT 88A6A008 ZwWriteVirtualMemory
SSDT 88A1A548 ZwCreateThreadEx

---- User code sections - GMER 1.0.15 ----

.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2512] ntdll.dll!NtCreateFile + 6 770AF41A 4 Bytes [28, 00, 16, 00]
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2512] ntdll.dll!NtCreateFile + B 770AF41F 1 Byte [E2]
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2512] ntdll.dll!NtMapViewOfSection + 6 770AFB6A 1 Byte [28]
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2512] ntdll.dll!NtMapViewOfSection + 6 770AFB6A 4 Bytes [28, 03, 16, 00]
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2512] ntdll.dll!NtMapViewOfSection + B 770AFB6F 1 Byte [E2]
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2512] ntdll.dll!NtOpenFile + 6 770AFBFA 4 Bytes [68, 00, 16, 00]
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2512] ntdll.dll!NtOpenFile + B 770AFBFF 1 Byte [E2]
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2512] ntdll.dll!NtOpenProcess + 6 770AFC7A 4 Bytes [A8, 01, 16, 00]
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2512] ntdll.dll!NtOpenProcess + B 770AFC7F 1 Byte [E2]
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2512] ntdll.dll!NtOpenProcessToken + B 770AFC8F 1 Byte [E2]
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2512] ntdll.dll!NtOpenProcessTokenEx + 6 770AFC9A 4 Bytes [A8, 02, 16, 00]
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2512] ntdll.dll!NtOpenProcessTokenEx + B 770AFC9F 1 Byte [E2]
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2512] ntdll.dll!NtOpenThread + 6 770AFCEA 4 Bytes [68, 01, 16, 00]
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2512] ntdll.dll!NtOpenThread + B 770AFCEF 1 Byte [E2]
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2512] ntdll.dll!NtOpenThreadToken + 6 770AFCFA 4 Bytes [68, 02, 16, 00]
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2512] ntdll.dll!NtOpenThreadToken + B 770AFCFF 1 Byte [E2]
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2512] ntdll.dll!NtOpenThreadTokenEx + B 770AFD0F 1 Byte [E2]
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2512] ntdll.dll!NtQueryAttributesFile + 6 770AFD9A 4 Bytes [A8, 00, 16, 00]
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2512] ntdll.dll!NtQueryAttributesFile + B 770AFD9F 1 Byte [E2]
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2512] ntdll.dll!NtQueryFullAttributesFile + B 770AFE4F 1 Byte [E2]
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2512] ntdll.dll!NtSetInformationFile + 6 770B036A 4 Bytes [28, 01, 16, 00]
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2512] ntdll.dll!NtSetInformationFile + B 770B036F 1 Byte [E2]
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2512] ntdll.dll!NtSetInformationThread + 6 770B03BA 4 Bytes [28, 02, 16, 00]
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2512] ntdll.dll!NtSetInformationThread + B 770B03BF 1 Byte [E2]
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2512] ntdll.dll!NtUnmapViewOfSection + 6 770B065A 1 Byte [68]
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2512] ntdll.dll!NtUnmapViewOfSection + 6 770B065A 4 Bytes [68, 03, 16, 00]
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2512] ntdll.dll!NtUnmapViewOfSection + B 770B065F 1 Byte [E2]
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2840] ntdll.dll!NtCreateFile + 6 770AF41A 4 Bytes [28, 00, 31, 00] {SUB [EAX], AL; XOR [EAX], EAX}
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2840] ntdll.dll!NtCreateFile + B 770AF41F 1 Byte [E2]
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2840] ntdll.dll!NtMapViewOfSection + 6 770AFB6A 1 Byte [28]
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2840] ntdll.dll!NtMapViewOfSection + 6 770AFB6A 4 Bytes [28, 03, 31, 00] {SUB [EBX], AL; XOR [EAX], EAX}
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2840] ntdll.dll!NtMapViewOfSection + B 770AFB6F 1 Byte [E2]
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2840] ntdll.dll!NtOpenFile + 6 770AFBFA 4 Bytes [68, 00, 31, 00]
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2840] ntdll.dll!NtOpenFile + B 770AFBFF 1 Byte [E2]
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2840] ntdll.dll!NtOpenProcess + 6 770AFC7A 4 Bytes [A8, 01, 31, 00] {TEST AL, 0x1; XOR [EAX], EAX}
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2840] ntdll.dll!NtOpenProcess + B 770AFC7F 1 Byte [E2]
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2840] ntdll.dll!NtOpenProcessToken + B 770AFC8F 1 Byte [E2]
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2840] ntdll.dll!NtOpenProcessTokenEx + 6 770AFC9A 4 Bytes [A8, 02, 31, 00] {TEST AL, 0x2; XOR [EAX], EAX}
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2840] ntdll.dll!NtOpenProcessTokenEx + B 770AFC9F 1 Byte [E2]
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2840] ntdll.dll!NtOpenThread + 6 770AFCEA 4 Bytes [68, 01, 31, 00]
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2840] ntdll.dll!NtOpenThread + B 770AFCEF 1 Byte [E2]
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2840] ntdll.dll!NtOpenThreadToken + 6 770AFCFA 4 Bytes [68, 02, 31, 00]
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2840] ntdll.dll!NtOpenThreadToken + B 770AFCFF 1 Byte [E2]
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2840] ntdll.dll!NtOpenThreadTokenEx + B 770AFD0F 1 Byte [E2]
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2840] ntdll.dll!NtQueryAttributesFile + 6 770AFD9A 4 Bytes [A8, 00, 31, 00] {TEST AL, 0x0; XOR [EAX], EAX}
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2840] ntdll.dll!NtQueryAttributesFile + B 770AFD9F 1 Byte [E2]
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2840] ntdll.dll!NtQueryFullAttributesFile + B 770AFE4F 1 Byte [E2]
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2840] ntdll.dll!NtSetInformationFile + 6 770B036A 4 Bytes [28, 01, 31, 00] {SUB [ECX], AL; XOR [EAX], EAX}
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2840] ntdll.dll!NtSetInformationFile + B 770B036F 1 Byte [E2]
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2840] ntdll.dll!NtSetInformationThread + 6 770B03BA 4 Bytes [28, 02, 31, 00] {SUB [EDX], AL; XOR [EAX], EAX}
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2840] ntdll.dll!NtSetInformationThread + B 770B03BF 1 Byte [E2]
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2840] ntdll.dll!NtUnmapViewOfSection + 6 770B065A 1 Byte [68]
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2840] ntdll.dll!NtUnmapViewOfSection + 6 770B065A 4 Bytes [68, 03, 31, 00]
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2840] ntdll.dll!NtUnmapViewOfSection + B 770B065F 1 Byte [E2]
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtCreateFile + 6 770AF41A 4 Bytes [28, 00, 2B, 00] {SUB [EAX], AL; SUB EAX, [EAX]}
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtCreateFile + B 770AF41F 1 Byte [E2]
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtMapViewOfSection + 6 770AFB6A 1 Byte [28]
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtMapViewOfSection + 6 770AFB6A 4 Bytes [28, 03, 2B, 00] {SUB [EBX], AL; SUB EAX, [EAX]}
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtMapViewOfSection + B 770AFB6F 1 Byte [E2]
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtOpenFile + 6 770AFBFA 4 Bytes [68, 00, 2B, 00]
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtOpenFile + B 770AFBFF 1 Byte [E2]
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtOpenProcess + 6 770AFC7A 4 Bytes [A8, 01, 2B, 00] {TEST AL, 0x1; SUB EAX, [EAX]}
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtOpenProcess + B 770AFC7F 1 Byte [E2]
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtOpenProcessToken + B 770AFC8F 1 Byte [E2]
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtOpenProcessTokenEx + 6 770AFC9A 4 Bytes [A8, 02, 2B, 00] {TEST AL, 0x2; SUB EAX, [EAX]}
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtOpenProcessTokenEx + B 770AFC9F 1 Byte [E2]
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtOpenThread + 6 770AFCEA 4 Bytes [68, 01, 2B, 00]
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtOpenThread + B 770AFCEF 1 Byte [E2]
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtOpenThreadToken + 6 770AFCFA 4 Bytes [68, 02, 2B, 00]
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtOpenThreadToken + B 770AFCFF 1 Byte [E2]
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtOpenThreadTokenEx + B 770AFD0F 1 Byte [E2]
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtQueryAttributesFile + 6 770AFD9A 4 Bytes [A8, 00, 2B, 00] {TEST AL, 0x0; SUB EAX, [EAX]}
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtQueryAttributesFile + B 770AFD9F 1 Byte [E2]
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtQueryFullAttributesFile + B 770AFE4F 1 Byte [E2]
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtSetInformationFile + 6 770B036A 4 Bytes [28, 01, 2B, 00] {SUB [ECX], AL; SUB EAX, [EAX]}
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtSetInformationFile + B 770B036F 1 Byte [E2]
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtSetInformationThread + 6 770B03BA 4 Bytes [28, 02, 2B, 00] {SUB [EDX], AL; SUB EAX, [EAX]}
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtSetInformationThread + B 770B03BF 1 Byte [E2]
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtUnmapViewOfSection + 6 770B065A 1 Byte [68]
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtUnmapViewOfSection + 6 770B065A 4 Bytes [68, 03, 2B, 00]
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtUnmapViewOfSection + B 770B065F 1 Byte [E2]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\Udp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\RawIp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001f3ae3ad9f
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x9F 0xCF 0x5D 0x41 ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001f3ae3ad9f (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x9F 0xCF 0x5D 0x41 ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update@ScheduledInstallDate 2012-08-22 10:00:00
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install@LastSuccessTime 2012-08-21 19:47:48
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install@LastError 0
Reg HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug@StoreLocation C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Report0bc3b099

---- Files - GMER 1.0.15 ----

File C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS01EE3.log 131072 bytes

---- EOF - GMER 1.0.15 ----
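The ".text" entries in the GMER log above, decoded as an added example that is not part of the original post and not a GMER feature. GMER prints each patched byte range on its own line; this merges them per (process, function) and reads the patch back against the 32-bit ntdll system-call stub layout of Vista/7 (`mov eax,N; mov edx,7FFE0300h; call [edx]; ret imm16`), which the thread does not state but which the reported offsets line up with: the four bytes at +6 are a new `mov edx` operand and `E2` at +B turns `call [edx]` (`FF 12`) into `jmp edx` (`FF E2`). The sample lines are copied from the posted log for PIDs 2512 and 2840; the stub layout, the `Hook` type and the 64 KiB region grouping are the example's assumptions.

```python
"""Decoder for the user-mode '.text' hook entries in a GMER log.

Added example, not part of the original post and not a GMER feature.
Assumed x86 ntdll system-call stub (Vista/7, 32-bit):
    +0  B8 imm32        mov eax, <syscall number>
    +5  BA 00 03 FE 7F  mov edx, 7FFE0300h   ; SharedUserData!SystemCallStub
    +A  FF 12           call dword ptr [edx]
    +C  C2 imm16        ret imm16
So '4 Bytes' at +6 are the replaced imm32 of the mov edx, and byte E2 at +B
changes 'call [edx]' into 'jmp edx': the stub now jumps to the little-endian
address spelled by those four bytes."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Constructed sample: lines copied from the posted GMER log (PIDs 2512 and 2840).
GMER_SAMPLE = r"""
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2512] ntdll.dll!NtCreateFile + 6 770AF41A 4 Bytes [28, 00, 16, 00]
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2512] ntdll.dll!NtCreateFile + B 770AF41F 1 Byte [E2]
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2512] ntdll.dll!NtMapViewOfSection + 6 770AFB6A 1 Byte [28]
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2512] ntdll.dll!NtMapViewOfSection + 6 770AFB6A 4 Bytes [28, 03, 16, 00]
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2512] ntdll.dll!NtMapViewOfSection + B 770AFB6F 1 Byte [E2]
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2512] ntdll.dll!NtOpenProcess + 6 770AFC7A 4 Bytes [A8, 01, 16, 00]
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2512] ntdll.dll!NtOpenProcess + B 770AFC7F 1 Byte [E2]
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2840] ntdll.dll!NtCreateFile + 6 770AF41A 4 Bytes [28, 00, 31, 00] {SUB [EAX], AL; XOR [EAX], EAX}
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2840] ntdll.dll!NtCreateFile + B 770AF41F 1 Byte [E2]
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2840] ntdll.dll!NtOpenProcess + 6 770AFC7A 4 Bytes [A8, 01, 31, 00] {TEST AL, 0x1; XOR [EAX], EAX}
.text C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe[2840] ntdll.dll!NtOpenProcess + B 770AFC7F 1 Byte [E2]
"""

LINE_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<func>\w+)\s+\+\s+(?P<off>[0-9A-Fa-f]+)\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<n>\d+)\s+Bytes?\s+\[(?P<bytes>[^\]]+)\]"
)


@dataclass
class Hook:
    pid: int
    func: str
    mov_edx_imm: Optional[int] = None  # new imm32 at +6..+9, if GMER reported all 4 bytes
    jmp_edx: bool = False              # True when the byte at +B became E2


def parse_hooks(text: str) -> Dict[Tuple[int, str], Hook]:
    """Merge GMER's per-range lines into one record per (pid, function)."""
    hooks: Dict[Tuple[int, str], Hook] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        pid, func, off = int(m["pid"]), m["func"], int(m["off"], 16)
        raw = bytes(int(b.strip(), 16) for b in m["bytes"].split(","))
        h = hooks.setdefault((pid, func), Hook(pid, func))
        # GMER lists the +6 spot twice for some functions (1 byte, then 4);
        # only the 4-byte record carries the whole operand.
        if off == 0x6 and len(raw) == 4:
            h.mov_edx_imm = int.from_bytes(raw, "little")
        elif off == 0xB and raw == b"\xE2":
            h.jmp_edx = True
    return hooks


def redirect_target(h: Hook) -> Optional[int]:
    """Address the stub now jumps to, or None when the patch is not the
    mov edx,imm32 / jmp edx shape assumed in the module docstring."""
    return h.mov_edx_imm if (h.mov_edx_imm is not None and h.jmp_edx) else None


def regions_by_pid(hooks: Dict[Tuple[int, str], Hook]) -> Dict[int, Set[int]]:
    """Group redirect targets per process by 64 KiB region. Hooks that all land
    in one small region were installed by one component living in that process."""
    regions: Dict[int, Set[int]] = defaultdict(set)
    for h in hooks.values():
        t = redirect_target(h)
        if t is not None:
            regions[h.pid].add(t & 0xFFFF0000)
    return dict(regions)


if __name__ == "__main__":
    hooks = parse_hooks(GMER_SAMPLE)
    for (pid, func), h in sorted(hooks.items()):
        t = redirect_target(h)
        shape = f"mov edx,{t:#010x} / jmp edx" if t is not None else "unrecognised patch"
        print(f"pid {pid:5d} {func:<22} {shape}")
    for pid, regs in regions_by_pid(hooks).items():
        print(f"pid {pid}: thunks in region(s) {', '.join(f'{r:#010x}' for r in sorted(regs))}")
```

Decoded, every hooked function in a given chrome.exe jumps into one small low-address region private to that process (0x0016xxxx for PID 2512, 0x0031xxxx for 2840, 0x002Bxxxx for 2924 in the full log), and the hooked set (NtCreateFile, NtOpenFile, NtQueryAttributesFile, NtSetInformationFile, NtOpenProcess, NtOpenThread and their token variants, NtMapViewOfSection, NtUnmapViewOfSection, NtSetInformationThread) is the set of ntdll entry points a browser sandbox such as Chrome's intercepts in its child processes. Entries of this shape inside chrome.exe are therefore consistent with the browser's own sandbox and are not, on their own, evidence of a rootkit; the question to ask of any user-mode hook is which module or allocation owns the target. The SSDT section above deserves the same discipline: GMER prints kernel pool addresses without an owning driver, and a kernel-mode security product such as the Norton 360 install visible in the DDS log is the usual source of such hooks, but the log alone does not prove ownership either way.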

#3 nasdaq (Malware Response Team, 39,179 posts, Montreal, QC, Canada)

Posted 26 August 2012 - 07:49 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

If you did not install this program and do not know what it is, open your Task Manager (CTRL+ALT+DEL) AND STOP this process:

C:\Users\Richard\Desktop\0ddmwqdc.exe

Delete the .exe file.

Restart the computer normally.
===

Remove the WordWrap function from NotePad.
You will find this under the Format Menu.
This will eliminate all the blank lines in your log and make it possible for me to analyse your log.

Run the DDS tool and post fresh logs. The extra empty lines should be eliminated, making it easier to evaluate your log.
===


Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

Recently the Microsoft link has been down. Ignore it and continue running the tool.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===

Please post the logs for my review.

#4 UltraSquare (Topic Starter, Members, 9 posts)

Posted 26 August 2012 - 11:32 PM

Pleased to meet you, nasdaq. 0ddmwqdc.exe is not showing up in Task Manager and I cannot find it when file searching for it on my computer.

Here are the DDS logs, and ComboFix will be run shortly.


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.6000.16982 BrowserJavaVersion: 10.5.1
Run by Richard at 0:22:30 on 2012-08-27
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.3573.2364 [GMT -7:00]
.
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\aestsrv.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Norton 360\Engine\5.2.2.3\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Norton 360\Engine\5.2.2.3\ccSvcHst.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Windows\OEM02Mon.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Users\Richard\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = https://isearch.avg.com/?cid={180AE7DA-E2B5-4716-92D0-4B1AB0B682EE}&mid=044cb4d0f52a47d09cacd168dd359f17-a317e041b5d650db48ace064b9f3a4ad4b94dd01&lang=en&ds=gm011&pr=sa&d=2012-07-27 21:16:46&v=12.1.0.21&sap=hp
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\5.2.2.3\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\5.2.2.3\ips\IPSBHO.DLL
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll
BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - Bing Bar BHO
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\5.2.2.3\coIEPlg.dll
TB: @c:\program files\msn toolbar\platform\6.3.2291.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} -
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Google Update] "c:\users\richard\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{77335FD1-AF84-42D4-AD62-3203AD84614B} : DhcpNameServer = 192.168.1.1
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0502020.003\symds.sys [2012-6-11 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0502020.003\symefa.sys [2012-6-11 744568]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\definitions\bashdefs\20120811.003\BHDrvx86.sys [2012-8-10 995488]
R1 HssDRV6;Hotspot Shield Routing Driver 6;c:\windows\system32\drivers\hssdrv6.sys [2012-6-1 35080]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\definitions\ipsdefs\20120824.001\IDSvix86.sys [2012-8-24 386208]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0502020.003\ironx86.sys [2012-6-11 136312]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\n360\0502020.003\symtdiv.sys [2012-6-11 331384]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-7-27 63960]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2011-12-8 73728]
R2 N360;Norton 360;c:\program files\norton 360\engine\5.2.2.3\ccsvchst.exe [2012-6-11 130008]
R2 WCMVCAM;WebcamMax, WDM Video Capture;c:\windows\system32\drivers\wcmvcam.sys [2011-6-22 1068216]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-8-9 106656]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2011-12-8 111104]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2012-3-2 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2012-3-2 136176]
S3 ManyCam;ManyCam Virtual Webcam;c:\windows\system32\drivers\mcvidrv.sys [2012-1-10 32000]
S3 mcaudrv_simple;ManyCam Virtual Microphone;c:\windows\system32\drivers\mcaudrv.sys [2012-2-22 22400]
.
=============== Created Last 30 ================
.
2012-08-24 20:01:28 7023536 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{393f679c-b960-4723-b4bb-b22f193ee78c}\mpengine.dll
2012-08-20 21:34:19 -------- d-----w- c:\users\richard\appdata\roaming\SuperAdBlocker.com
2012-08-20 21:34:07 -------- d-----w- c:\windows\system32\URTTemp
2012-08-20 21:34:07 -------- d-----w- c:\program files\SuperAdBlocker.com
2012-08-05 05:53:37 -------- d-----w- c:\users\richard\appdata\roaming\ExpressFiles
2012-08-03 01:18:57 -------- d-----w- c:\users\richard\appdata\roaming\Intel
2012-08-01 08:04:16 -------- d-----w- c:\program files\Caminova
.
==================== Find3M ====================
.
2012-07-01 21:36:24 418192654 ----a-w- c:\windows\DUMP2cf8.tmp
2012-07-01 02:46:15 2 --shatr- c:\windows\winstart.bat
2012-06-23 04:03:55 477240 ----a-w- c:\windows\system32\drivers\sptd.sys
2012-06-07 03:59:42 1070152 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2012-06-01 21:15:16 35080 ----a-w- c:\windows\system32\drivers\hssdrv6.sys
2012-05-31 19:25:14 237072 ------w- c:\windows\system32\MpSigStub.exe
.
============= FINISH: 0:22:51.87 ===============


#5 UltraSquare


Posted 26 August 2012 - 11:49 PM

ComboFix 12-08-25.04 - Richard 08/27/2012 0:36.5.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.3573.2309 [GMT -7:00]
Running from: c:\users\Richard\Desktop\FalconPunch.exe
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\msvcr71.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-07-27 to 2012-08-27 )))))))))))))))))))))))))))))))
.
.
2012-08-27 07:46 . 2012-08-27 07:46 -------- d-----w- c:\users\Richard\AppData\Local\temp
2012-08-27 07:46 . 2012-08-27 07:46 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-08-27 07:46 . 2012-08-27 07:46 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-24 20:01 . 2012-08-01 22:51 7023536 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{393F679C-B960-4723-B4BB-B22F193EE78C}\mpengine.dll
2012-08-20 21:34 . 2012-08-20 21:34 -------- d-----w- c:\users\Richard\AppData\Roaming\SuperAdBlocker.com
2012-08-20 21:34 . 2012-08-20 21:41 -------- d-----w- c:\program files\SuperAdBlocker.com
2012-08-05 05:53 . 2012-08-05 05:54 -------- d-----w- c:\users\Richard\AppData\Roaming\ExpressFiles
2012-08-03 01:18 . 2012-08-03 01:18 -------- d-----w- c:\users\Richard\AppData\Roaming\Intel
2012-08-01 08:04 . 2012-08-01 08:04 -------- d-----w- c:\program files\Caminova
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-01 21:36 . 2010-09-03 17:46 418192654 ----a-w- c:\windows\DUMP2cf8.tmp
2012-07-01 02:46 . 2012-07-01 02:46 2 --shatr- c:\windows\winstart.bat
2012-06-23 04:03 . 2012-02-09 23:42 477240 ----a-w- c:\windows\system32\drivers\sptd.sys
2012-06-07 03:59 . 2012-06-07 03:59 1070152 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2012-06-01 21:15 . 2012-06-01 21:15 35080 ----a-w- c:\windows\system32\drivers\hssdrv6.sys
2012-05-31 19:25 . 2011-12-12 01:22 237072 ------w- c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2011-12-10 1232896]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-09-13 405504]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-13 154136]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-05-10 36864]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-11-3 703280]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
c:\program files\SUPERAntiSpyware\SASWINLO.DLL [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKLM\~\startupfolder\C:^Users^Richard^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\Richard\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2012-07-12 03:45 116648 ----atw- c:\users\Richard\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2007-12-13 16:24 137752 ----a-w- c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2007-12-13 16:24 133656 ----a-w- c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-17 18:07 252296 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-03-03 01:39]
.
2012-08-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-03-03 01:39]
.
2012-08-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3544131700-303161591-3163790806-1000Core.job
- c:\users\Richard\AppData\Local\Google\Update\GoogleUpdate.exe [2012-07-12 03:45]
.
2012-08-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3544131700-303161591-3163790806-1000UA.job
- c:\users\Richard\AppData\Local\Google\Update\GoogleUpdate.exe [2012-07-12 03:45]
.
.
------- Supplementary Scan -------
.
uStart Page = https://isearch.avg.com/?cid={180AE7DA-E2B5-4716-92D0-4B1AB0B682EE}&mid=044cb4d0f52a47d09cacd168dd359f17-a317e041b5d650db48ace064b9f3a4ad4b94dd01&lang=en&ds=gm011&pr=sa&d=2012-07-27 21:16&v=12.1.0.21&sap=hp
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 192.168.1.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-08-27 00:46
Windows 6.0.6000 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\5.2.2.3\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\5.2.2.3\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2012-08-27 00:48:36
ComboFix-quarantined-files.txt 2012-08-27 07:48
ComboFix2.txt 2012-07-01 08:31
ComboFix3.txt 2012-07-01 07:16
ComboFix4.txt 2012-07-01 02:07
.
Pre-Run: 42,356,867,072 bytes free
Post-Run: 42,332,008,448 bytes free
.
- - End Of File - - 197E3D7141F0FA3B01727F9483021178

#6 nasdaq

nasdaq

  • Malware Response Team
  • 39,179 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:05 PM

Posted 27 August 2012 - 07:20 AM

Your logs are clean.

Third-party programs, if not up to date, can be an open door for an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

===

Please download AdwCleaner by Xplode onto your Desktop.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A logfile will automatically open after the scan has finished.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.

Please post the logs and let me know what problem persists.

#7 UltraSquare


Posted 27 August 2012 - 11:14 AM

Results of screen317's Security Check version 0.99.46
Windows Vista x86 (UAC is enabled)
Out of date service pack!!
Internet Explorer 7 Out of date!
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
CCleaner
JavaFX 2.1.1
Java™ 7 Update 5
Java version out of Date!
Adobe Reader X (10.1.4)
Google Chrome 16.0.912.75
````````Process Check: objlist.exe by Laurent````````
Norton ccSvcHst.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 3 % Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````

# AdwCleaner v1.801 - Logfile created 08/27/2012 at 12:12:22
# Updated 14/08/2012 by Xplode
# Operating system : Windows Vista ™ Home Premium (32 bits)
# User : Richard - RICHARD-PC
# Boot Mode : Normal
# Running from : C:\Users\Richard\Desktop\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****

Folder Found : C:\Users\Richard\AppData\Local\APN
Folder Found : C:\ProgramData\Ask
File Found : C:\user.js

***** [Registry] *****

Key Found : HKCU\Software\AppDataLow\Software\AskToolbar
Key Found : HKCU\Software\IGearSettings
Key Found : HKCU\Software\IM
Key Found : HKCU\Software\ImInstaller
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
Key Found : HKCU\Software\Softonic
Key Found : HKCU\Software\SweetIm
Key Found : HKLM\SOFTWARE\Classes\AppID\escort.DLL
Key Found : HKLM\SOFTWARE\Classes\Incredibar.IncredibarHlpr
Key Found : HKLM\SOFTWARE\Classes\Incredibar.IncredibarHlpr.1
Key Found : HKLM\SOFTWARE\Iminent
Key Found : HKLM\SOFTWARE\SweetIM

***** [Registre - GUID] *****

Key Found : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
Key Found : HKLM\SOFTWARE\Classes\AppID\{5B1881D1-D9C7-46DF-B041-1E593282C7D0}
Key Found : HKLM\SOFTWARE\Classes\AppID\{608D3067-77E8-463D-9084-908966806826}
Key Found : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
Key Found : HKLM\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{CC5AD34C-6F10-4CB3-B74A-C2DD4D5060A3}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{E46C8196-B634-44A1-AF6E-957C64278AB1}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Found : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Found : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40B7-AC73-056A5EBA4A7E}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{98889811-442D-49DD-99D7-DC866BE87DBC}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9CFACCB6-2F3F-4177-94EA-0D2B72D384C1}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F72841F0-4EF1-4DF5-BCE5-B3AC8ACF5478}

***** [Internet Browsers] *****

-\\ Internet Explorer v7.0.6000.16982

[HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxps://isearch.avg.com/?cid={180AE7DA-E2B5-4716-92D0-4B1AB0B682EE}&mid=044cb4d0f52a47d09cacd168dd359f17-a317e041b5d650db48ace064b9f3a4ad4b94dd01&lang=en&ds=gm011&pr=sa&d=2012-07-27 21:16:46&v=12.1.0.21&sap=hp

-\\ Google Chrome v21.0.1180.83

File : C:\Users\Richard\AppData\Local\Google\Chrome\User Data\Default\Preferences

Found : "homepage": "hxxps://isearch.avg.com/?cid={180AE7DA-E2B5-4716-92D0-4B1AB0B682EE}&mid=044cb4d0f[...]
Found : "homepage": "hxxps://isearch.avg.com/?cid={180AE7DA-E2B5-4716-92D0-4B1AB0B682EE}&mid=044cb4d0f52a[...]

*************************

AdwCleaner[R1].txt - [3710 octets] - [27/08/2012 12:12:22]

########## EOF - C:\AdwCleaner[R1].txt - [3838 octets] ##########

#8 UltraSquare


Posted 27 August 2012 - 11:33 AM

The Zlob1 file is still in the Doll folder, and there still seem to be extra Doll folders.

The file is 0 bytes in size though. I can't tell if that means it's just a trace of a file that isn't there anymore or if it's trying to hide its size to be tricky.

Here's a picture of it.


Also just to be clear I have not deleted what was found in AdwCleaner.exe

Attached File: 2.jpg (53.63KB)

Edited by UltraSquare, 27 August 2012 - 01:04 PM.


#9 nasdaq


Posted 27 August 2012 - 01:14 PM

Secure your system by updating 3rd party programs.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

Check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp
===

Remove the AdWare, PUB found.

  • Please close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with OK.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.
===

I am suspicious of zlob in particular because in OS(C:) there are extra Doll folders with random letters and numbers next to their name. Not sure if thats normal or not, but in the folder Doll2158D there is a file named Zlob01 that is 0 bytes in size

If you did not create these Dollxxx folders delete them.
Keep them in your recycle bin for a week or so. If all is well you can flush them.

#10 UltraSquare


Posted 27 August 2012 - 02:57 PM

# AdwCleaner v1.801 - Logfile created 08/27/2012 at 15:51:03
# Updated 14/08/2012 by Xplode
# Operating system : Windows Vista ™ Home Premium (32 bits)
# User : Richard - RICHARD-PC
# Boot Mode : Normal
# Running from : C:\Users\Richard\Desktop\New Folder\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Folder Deleted : C:\Users\Richard\AppData\Local\APN
Folder Deleted : C:\ProgramData\Ask
File Deleted : C:\user.js

***** [Registry] *****

Key Deleted : HKCU\Software\AppDataLow\Software\AskToolbar
Key Deleted : HKCU\Software\IGearSettings
Key Deleted : HKCU\Software\IM
Key Deleted : HKCU\Software\ImInstaller
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKCU\Software\SweetIm
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escort.DLL
Key Deleted : HKLM\SOFTWARE\Classes\Incredibar.IncredibarHlpr
Key Deleted : HKLM\SOFTWARE\Classes\Incredibar.IncredibarHlpr.1
Key Deleted : HKLM\SOFTWARE\Iminent
Key Deleted : HKLM\SOFTWARE\SweetIM

***** [Registre - GUID] *****

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{5B1881D1-D9C7-46DF-B041-1E593282C7D0}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{608D3067-77E8-463D-9084-908966806826}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CC5AD34C-6F10-4CB3-B74A-C2DD4D5060A3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E46C8196-B634-44A1-AF6E-957C64278AB1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40B7-AC73-056A5EBA4A7E}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{98889811-442D-49DD-99D7-DC866BE87DBC}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9CFACCB6-2F3F-4177-94EA-0D2B72D384C1}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F72841F0-4EF1-4DF5-BCE5-B3AC8ACF5478}

***** [Internet Browsers] *****

-\\ Internet Explorer v7.0.6000.16982

Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxps://isearch.avg.com/?cid={180AE7DA-E2B5-4716-92D0-4B1AB0B682EE}&mid=044cb4d0f52a47d09cacd168dd359f17-a317e041b5d650db48ace064b9f3a4ad4b94dd01&lang=en&ds=gm011&pr=sa&d=2012-07-27 21:16:46&v=12.1.0.21&sap=hp --> hxxp://www.google.com

-\\ Google Chrome v21.0.1180.83

File : C:\Users\Richard\AppData\Local\Google\Chrome\User Data\Default\Preferences

Deleted : "homepage": "hxxps://isearch.avg.com/?cid={180AE7DA-E2B5-4716-92D0-4B1AB0B682EE}&mid=044cb4d0f[...]
Deleted : "homepage": "hxxps://isearch.avg.com/?cid={180AE7DA-E2B5-4716-92D0-4B1AB0B682EE}&mid=044cb4d0f52a[...]

*************************

AdwCleaner[R1].txt - [3839 octets] - [27/08/2012 12:12:22]
AdwCleaner[S1].txt - [3892 octets] - [27/08/2012 15:51:03]

########## EOF - C:\AdwCleaner[S1].txt - [4020 octets] ##########

#11 nasdaq


Posted 28 August 2012 - 07:47 AM

Good work.

Any remaining issues?

#12 UltraSquare


Posted 28 August 2012 - 09:10 AM

The computer is running better, but I'm still not sure. If it's OK, I'd like to do a few more scans just to be sure the computer is completely clean.

I really appreciate the help so far, thank you so much.

#13 nasdaq


Posted 28 August 2012 - 10:16 AM

When all is well:

Time for some housekeeping

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bold text into the Run box and click OK:

ComboFix /Uninstall
===

To remove adwcleaner.

Please double click on adwcleaner.exe to run the tool.
Click on Uninstall.
Confirm with Yes.

Delete the other tools we used.

#14 UltraSquare


Posted 28 August 2012 - 10:58 AM

Done, and thanks again for all the help. If you don't think we need an extra scan to check, I'll trust your intuition on that.

Edited by UltraSquare, 28 August 2012 - 10:58 AM.
